Technology

It still uses the TPM by default, instead of requireing a passphrase to be typed in on boot to unlock the keys. This still makes it an insecure mess.

https://yewtu.be/watch?v=wTl4vEednkQ

https://github.com/stacksmashing/pico-tpmsniffer

https://github.com/stacksmashing/LPCClocklessAnalyzer

Microsoft NEVER cares about your security. They just do the absolute bare minimum for compliance with stupid standards, and then advertise it as some crazy security improvement. Corporations lie to you all the time. If you want some actual security, you need to start using FOSS software. Most importantly a FOSS, Linux-based OS, and set it up with LUKS passphrase-based encryption.

This one is especially fun on windows 11 home. At least it was some time ago on some machine i worked on. Since home doesn't have the bitlocker settings fully you cannot disable bitlocker encryption. It would also auto enable sometimes even if you don't have a microsoft account, which means it doesn't back the key up anywhere. Not sure it does that anymore, i hope not, but i expect a lot of people to lose their data to this crap in the future.

In either case at least i find that full disk encryption on most machines is just overkill as it only really protects in the scenario the device is stolen and someone tries to pull data off of it that way. But in the vast majority of cases when people get their data stolen its done with malware, which disk encryption does /nothing/ to prevent.

This is good but they need better guidance to nontechnical users how to backup their keys. Cloud backup now that they are trying to make local accounts illegal I suppose.

This has been happening for a lot longer than just Windows 11.

Several people I've spoken to, who have purchased OEM computers from the likes of Dell, HP, Lenovo and others, did not know that bitlocker FDE was enabled, and they were not aware that they needed to back up their recovery key.

On at least one occasion, this caused someone to lose the contents of their laptop when Windows failed to finish booting into the OS. The drive was fine as far as I could tell, but the content on the drive would not complete the boot up sequence and would bsod/boot loop the system, so data retrieval was not possible without the recovery key, which they did not have. That was a Windows 10 Dell system from 2020 or so.

My opinion is that FDE is a good thing.

My advice is if you have FDE enabled, backup your recovery keys. It's easy, but it won't directly save to a file on the filesystem that's locked by the key to which the recovery key applies. The easiest workaround is to "print" it, then use the built in Microsoft print to PDF, then dump it wherever you want. Afterwards, put it somewhere safe. Doesn't matter where, but anywhere that isn't the encrypted drive. Maybe Google drive, maybe a USB flash drive, maybe email it to yourself. I dunno, just somewhere you can retrieve if that system isn't working.

When you're done doing that, go check the same on your parents computers, friends, brothers and sisters..... If they're someone you care about, and they have a windows computer, check. Get those recovery keys backed up somewhere.

I think this is a step in the right direction. Everyone can lose a portable device or it can get stolen, so protecting the potentially sensitive data is important.

I think what people are complaining about is not full-disk encryption itself, but the fact that people are not used to being responsible for their cryptographic keys.

I think we should educate people regarding this responsibility. We did it with regular keys we use to unlock our homes.

Do the average Windows user really need BitLocker device encryption? They don't. The only users who need BitLocker are business' and government workers.

Also 99% of Windows users are going to get locked out of their computers.

Can't wait to get a million tickets about this. -_-