It’s good, for privacy and all of course, but I remember here a Dell BIOS upgrade that basically wiped the TPM2.0 and so windows was asking for the recovery bitlocker key at boot. I have them on a encrypted USB key and anyway I can access my MS account from another device to find the key and type it.
But I’m sure a lot of people will basically say “well, fuck, I don’t have the key”, guaranteed.
Where’s your encrypted USB recovery key stored?! Is it encrypted USBs all the way down?
volume encrypted with veracrypt, it asks for a password to be mounted
This one is especially fun on windows 11 home. At least it was some time ago on some machine i worked on. Since home doesn’t have the bitlocker settings fully you cannot disable bitlocker encryption. It would also auto enable sometimes even if you don’t have a microsoft account, which means it doesn’t back the key up anywhere. Not sure it does that anymore, i hope not, but i expect a lot of people to lose their data to this crap in the future.
In either case at least i find that full disk encryption on most machines is just overkill as it only really protects in the scenario the device is stolen and someone tries to pull data off of it that way. But in the vast majority of cases when people get their data stolen its done with malware, which disk encryption does /nothing/ to prevent.
In the scenario in which your computer is forgotten or stolen, it would offer some comfort knowing that the data on the computer is not accessible.
We have a “policy” in our household that everything that has personal data should be encrypted. That is just for cases in which we lose the device or it gets stolen. That makes it a purely financial loss, and not as invasive / uncomfortable.
But on the other hand my household are not average users. So it might not work well for other people.
when it automatically enables on win11 home, it doesn’t actually “enable” until you do sign-in to windows with a microsoft account so it has a place to stash the recovery key.
and, i have not had any difficulty turning the encryption off on win11 home systems.
Tom’s Hardware tested this software version of BitLocker last year and found it could slow drives by up to 45 percent.
WTF‽ In Linux full disk encryption overhead is minimal:
While in pure I/O benchmarks like FIO there is an obvious impact to full disk encryption and other synthetic workloads, across the real-world benchmarks the performance impact of running under full disk encryption tended to be minimal
https://www.phoronix.com/review/hp-devone-encrypt/5
There’s like five million ways you can use disk encryption on Linux though and not all of them are very performant. So keep that in mind if you see other benchmarks showing awful performance (use the settings Phoronox used).
I suspect Microsoft made some poor decisions in regards to disk encryption (probably because of bullshit/insecure-by-design FIPS compliance) and now they’re stuck with them.
This will make people angry in waves as updates break bitlocker and cohorts don’t have their key, a new one each time
This has been happening for a lot longer than just Windows 11.
Several people I’ve spoken to, who have purchased OEM computers from the likes of Dell, HP, Lenovo and others, did not know that bitlocker FDE was enabled, and they were not aware that they needed to back up their recovery key.
On at least one occasion, this caused someone to lose the contents of their laptop when Windows failed to finish booting into the OS. The drive was fine as far as I could tell, but the content on the drive would not complete the boot up sequence and would bsod/boot loop the system, so data retrieval was not possible without the recovery key, which they did not have. That was a Windows 10 Dell system from 2020 or so.
My opinion is that FDE is a good thing.
My advice is if you have FDE enabled, backup your recovery keys. It’s easy, but it won’t directly save to a file on the filesystem that’s locked by the key to which the recovery key applies. The easiest workaround is to “print” it, then use the built in Microsoft print to PDF, then dump it wherever you want. Afterwards, put it somewhere safe. Doesn’t matter where, but anywhere that isn’t the encrypted drive. Maybe Google drive, maybe a USB flash drive, maybe email it to yourself. I dunno, just somewhere you can retrieve if that system isn’t working.
When you’re done doing that, go check the same on your parents computers, friends, brothers and sisters… If they’re someone you care about, and they have a windows computer, check. Get those recovery keys backed up somewhere.
I think this is a step in the right direction. Everyone can lose a portable device or it can get stolen, so protecting the potentially sensitive data is important.
I think what people are complaining about is not full-disk encryption itself, but the fact that people are not used to being responsible for their cryptographic keys.
I think we should educate people regarding this responsibility. We did it with regular keys we use to unlock our homes.
This is good but they need better guidance to nontechnical users how to backup their keys. Cloud backup now that they are trying to make local accounts illegal I suppose.
Can’t wait to get a million tickets about this. -_-
Clownstrike taught them nothing…
deleted by creator
The anti-MS here is annoying. They set up online accounts by default to improve usability and its complaints about privacy. They set up full disk encryption at rest by default to improve privacy and its complaints about usability.
These are valid complaints tho.
From powerusers yes, and taking away their options is nonsense. But for the general populace it is arguably a good thing.
How?
Most users have no clue, lose passwords, security is not something they think about at all. So arguably for these people setting up with an account, having them pay for 365, all their files are encrypted at least and backed up to OneDrive automatically, no user setup required. The whole ordeal is actually pretty sleek for people that just want to use their computer to sync their photos, browse the web and watch some videos. The Microsoft authenticator can store passwords, edge syncs everything… they even have a solution for syncing the co plete config of your windows to a second device… you log in and it’s exactly like my other PC.
I helped plenty of people migrate to their new laptop like this. I go through checking the setup on their old PC… everything is synced and done. Advise them on the new laptop they buy, and the new one is setup in under 15 minutes… no hassle at all.
Agreed. The immature iamsosmart user base is making me strongly consider leaving Lemmy for good. There just aren’t enough actual professionals here for any serious discussion in a technical community. It’s just a bunch of 20-year-olds who think they have the world figured out. And they all downvote based on emotion rather than facts (which I am quite prepared for).
Microsoft accounts, OneDrive, and BitLocker are absolutely great features for the average user providing SSO, cloud storage with ransomware-proof backups, and seamless full-disk encryption.
I love Linux too, but there seems to be no room for nuance on Lemmy. These children are insufferable.
I lost all of my data on a tablet that had Bitlocker installed without my knowledge. Not one time was I ever told that my drive was encrypted or that there was even something called Bitlocker or that I should write down some password or code. Bitlocker activated because of an OS update, and I had no way to unlock it so I had to wipe the drive. I don’t have an MS account, because I have no need to give MS all of my data, so I couldn’t unlock it that way either. And no, I’m not a 20 year old; I’m someone who has used computers since before the internet and have no interest in setting up a corporate account for every watch, shoe, phone, video game, car, etc. I have no interest in giving MS all of my pictures, documents, emails, and browsing history.
Bitlocker activated because of an OS update
This did not happen. You did something to enable it.
I don’t have an MS account, because I have no need to give MS all of my data
If you had one, all of your data would have been safe in OneDrive and easily recoverable. But I’m sure the irony is completely lost on all the anti-MS people here. Nah, it must be Microsoft’s fault you didn’t have backups when you broke your tablet.
Bitlocker activates when you enter an incorrect OS password too many times. I had my tablet set to unlock without a password or pass code, so I never used whatever pass code I set up a year and a half earlier. After one of the OS updates it forced me to log in with a pass code. I tried some pass codes I thought I might have used, thinking that worst case I would have to do a time delay before trying again… because again, MS never told me Bitlocker was installed and never told me it had a password and never told me I should write down whatever password Bitlocker set for itself and never told me that Bitlocker would lock my entire harddrive if I entered an incorrect password too many times.
But go ahead and keep telling me it’s my fault MS added something so intrusive without telling me.
Bitlocker activates when you enter an incorrect OS password too many times.
This is completely false. Please stop spreading misinformation. You clearly have no idea how BitLocker works, nor Secure Boot, BCD, TPM, or PCRs. Or anything really.
Maybe you should stick to an iPad. I’m done replying to this blithering nonsense.
Where is /c/confidentlyincorrect when you need it?
Very first goddamn bullet: “Entering the wrong PIN too many times”
That’s the BitLocker PIN, not the OS PIN. Go away.
Cool, let all the dumb fuck time vampires suffer. I won’t be helping anyone with shit. “Shoulda bought a Mac”
Well, you probably can’t anyway. Your (l)users are not going to have their BitLocker keys, and it’s virtually guaranteed they won’t even know what that is. So it’s a total wipe and reinstall for you, my friend.
Exactly, it’s wonderful news!
