• Papamousse@beehaw.org
    link
    fedilink
    arrow-up
    54
    arrow-down
    1
    ·
    7 months ago

    uhoh, and wait for the time when the user will update his BIOS, that resets TPM2, and at reboot bitlocker asks for the 48 digits key to decrypt hard drive, that the user never saved…

      • Papamousse@beehaw.org
        link
        fedilink
        arrow-up
        14
        ·
        7 months ago

        it should be in your MS online account as someone wrote, but in case of, I always save it on a USB key, hidden somewhere. You can also print it, or take a picture of it with your phone. Because there is no way to get it back.

          • lud@lemm.ee
            link
            fedilink
            arrow-up
            4
            ·
            7 months ago

            Sure, but for most people encryption is mostly supposed to protect against the thief that took your laptop on the metro and not the NSA or whatever.

              • lud@lemm.ee
                link
                fedilink
                arrow-up
                2
                arrow-down
                1
                ·
                edit-2
                7 months ago

                Yes that is possible, but should I repeat what I wrote earlier or can you just read it again?

    • Moonrise2473@feddit.it
      link
      fedilink
      arrow-up
      5
      ·
      7 months ago

      Wait? My Lenovo laptop did exactly this. It first encrypted the SSD without telling me, then it updated the bios via windows update (or via Lenovo assistant, but still it was unattended)

      Luckily I was using a Microsoft account (usually I don’t because fuck that) so the keys were automatically backupped

      • Romkslrqusz@lemm.ee
        link
        fedilink
        arrow-up
        11
        ·
        7 months ago

        The automatic encryption and subsequent backup both took place because you were using a Microsoft Account

    • qwerty@discuss.tchncs.de
      link
      fedilink
      arrow-up
      3
      ·
      7 months ago

      I updated my BIOS few days ago and on reboot got a warning about bitlocker and resetting fTPM, but I’m on linux. I dumped luks headers, and master priv keys before resetting just in case but everything worked as usual. Do you know if I just got lucky or if luks dosn’t use TPM? Should I hold on to the luks headers and master priv key backup?

    • taanegl@beehaw.org
      link
      fedilink
      arrow-up
      15
      ·
      edit-2
      7 months ago

      “But I have unplugged it… yes, several times… I’ll try again… oh, it works now… now to my real problem, Windows now asks me for a 64 character code…”

      • MrSoup@lemmy.zip
        link
        fedilink
        arrow-up
        4
        ·
        edit-2
        7 months ago

        Been there, done that. I don’t remember where I retrieved that code, but somehow I managed to do that. Maybe it was on Microsoft site loggin in with his credentials.

          • antler@feddit.rocks
            link
            fedilink
            arrow-up
            2
            ·
            7 months ago

            Still a positive in my eyes. Somebody gets their computer stolen, or sells a computer not knowing that files can be read/recovered from the hard drive, and they’re protected. Unless you’re thinking you’re gonna get raided by the government or something it fits most use cases while still letting people who forget their password recover it.

        • ReversalHatchery@beehaw.org
          link
          fedilink
          English
          arrow-up
          5
          ·
          7 months ago

          Hopefully it’s not news to them that they have some kind of Microsoft account, let alone know the credentials to it.

          • MrSoup@lemmy.zip
            link
            fedilink
            arrow-up
            3
            ·
            edit-2
            7 months ago

            Funny you say that, because that was the case. If I’m not wrong he logged into his work account, which used just once on his personal laptop and MS Windows decided to encrypt the drive and connect it to that account. Funny stuff.

  • ShortN0te@lemmy.ml
    link
    fedilink
    arrow-up
    32
    arrow-down
    3
    ·
    7 months ago

    Took them long enough. Most Linux distros have a simple toggle for Disk encryption for years. And as far as i am aware Apple has it too. And basically every mobile OS is encrypted by default as well. iOS and Android

    • dvdnet62@feddit.nlOP
      link
      fedilink
      English
      arrow-up
      58
      arrow-down
      4
      ·
      edit-2
      7 months ago

      the thing is: it means that your hard drive gets encrypted. However, when that gets encrypted, besides creating a key to decrypt it, everything works perfectly. You then use that computer for 5 years and again, works great. But then the fan on the CPU gets clogged with dust and the CPU overheats and dies. No big deal, you just grab the hard drive and move it into your new computer, or you hook it up with USB to copy everything over to the new one. And that is the moment you find out it was encrypted 5 years ago. You didn’t store the key anywhere but on that disk. You can only read it with that original computer hardware because the key was made to lock that drive to that exact computer that died. And you slowly figure out that every photo, every document, everything critical to you is now protected from you and you can’t get it back.

      Just as fun is making configuration changes just to upgrade your PC. Because Bitlocker uses the hardware in your computer to generate that key, some hardware changes will trigger it to need that key. Same situation where you need to revert the change to get your data.

      Finally, now we need to actually bring home the issue. Drop that change into the lap of someone you know that uses a computer, but doesn’t understand the inner working of them. Maybe that’s your grandma, parent, or siblings. All of a sudden they upgrade and now have a Windows 11 time-bomb that could randomly lock them out of every file on their computer… that’s the real issue here.

      Also a headache for the repair industry. If during repair the bios gets reset or the motherboard swapped, you’ll need the key to be able to boot in to windows again. And your customer is probably NOT aware.

      Bitlocker is important for companies. They can have hundreds or thousands of laptops that contain files with intellectual property that could really damage the company. Laptops get stolen all the time and should be protected at the highest levels. But for normal people’s computers, the higher risk for losing data will be Bitlocker. That’s what makes this such a bad idea.

      • Romkslrqusz@lemm.ee
        link
        fedilink
        arrow-up
        20
        ·
        7 months ago

        Hi, repair shop owner here.

        Automatic Bitlocker encryption has been a thing since TPM 2.0 devices hit the market in 2018.

        If a device is UEFI, Secure Boot is enabled, TPM 2.0 is present, and the user signs in with a Microsoft Account , then the disk is encrypted and the recovery key is saved to that Microsoft Account.

        If those conditions aren’t met, automatic encryption doesn’t happen.

        As long as they know their Microsoft Account Identifier, users can easily get to that key through the first search engine result for “bitlocker recovery key”: https://support.microsoft.com/en-us/windows/finding-your-bitlocker-recovery-key-in-windows-6b71ad27-0b89-ea08-f143-056f5ab347d6

        We don’t really have a hard time with it - if a user provides their login PIN, a short terminal command will let us grab a copy of their key before BIOS updates or battery disconnects.

        I have had very few cases where folks suffered data loss because of Bitlocker. Most of them were HP Laptops that used Intel Optane accelerated SSDs - encrypting what is effectively a software RAID0 is a recipe for disaster.

        The other few had an unhealthy paranoia where they were reluctant to share anything about themselves with Microsoft, yet still decided to use a Microsoft operating system. While setting up the computer, they created a new Outlook.com email (instead of using their primary email), made up a random birthday, and did not fill in any recovery options like a phone number or secondary email. With the password (and sometimes even email) forgotten, they created a situation where they could not prove the online account was theirs and therefore could not get to the recovery key that had been backed up.

        I do think that Microsoft should have this as an opt-in feature during the out of box experience, which is how Apple has it set up for Filevault and how most Linux distributions are set up. Ultimately, most users will still mash “next’ through the process and later blame the computer.

        I have had quite a few clients have their laptops stolen after car breakins. Their biggest stressor was the possibility of thieves having access to the data on those machines, and the fact that we knew their systems were encrypted with Bitlocker brought them a lot of relief.

        • dvdnet62@feddit.nlOP
          link
          fedilink
          English
          arrow-up
          5
          arrow-down
          6
          ·
          edit-2
          7 months ago

          well, the thing is not everyone want to have their PC connected to MS account for privacy reason

          • Romkslrqusz@lemm.ee
            link
            fedilink
            arrow-up
            4
            ·
            edit-2
            7 months ago

            Then don’t?

            If you still want to use Windows and use their encryption solution, manually enable Bitlocker and store the recovery key yourself.

            There are also third party encryption options.

            • ReversalHatchery@beehaw.org
              link
              fedilink
              English
              arrow-up
              5
              ·
              edit-2
              7 months ago

              Or if you don’t trust Microsoft to begin with, just use Veracrypt, it won’t upload your recovery key anywhere, but will help to make a recovery usb stick.

              Additionally, the problem above was not some kind of “unhealthy paranoia”, but disliking Microsoft and then still creating an account for some reason, one that they deemed to be a throwaway account. Question is why did they do that (oh, because Microsoft made it hard* to skip registering an account? That can’t be! Microsoft is trustworthy and anyone thinking else is just unhealthily paranoid, right?), but also how should have the user known that this was a dangerous thing to do? Don’t tell me they should have read the dozens of pages of dry legal text.

              *Yes, it’s hard if it’s not an option in the installer. How the fuck you look it up when you don’t have your computer?

              • Romkslrqusz@lemm.ee
                link
                fedilink
                arrow-up
                1
                arrow-down
                1
                ·
                edit-2
                7 months ago

                If you’re at that point of not trusting a company, the best practice would be to avoid using their devices or connecting them to your network.

                There are plenty of other ways to track and identify users, a company could conceivably bake whatever the hell they want into the operating system and doesn’t need to rely on you creating an account with them to achieve that objective.

                I used the term “unhealthy paranoia” due to the logical fallacy that is at play.

                • ReversalHatchery@beehaw.org
                  link
                  fedilink
                  English
                  arrow-up
                  2
                  ·
                  7 months ago

                  If you’re at that point of not trusting a company, the best practice would be to avoid using their devices or connecting them to your network.

                  Yes, that would be the best practice. However there are a lot of best practices that cannot be followed for one reason or another.

      • ShortN0te@lemmy.ml
        link
        fedilink
        arrow-up
        14
        arrow-down
        1
        ·
        7 months ago

        You didn’t store the key anywhere but on that disk.

        Windows does not let you store the recovery key on an encrypted drive.

        The rest only means, we need to deal better with our data. All the above basically also applies when you HDD or SSD dies, which can happen any time.

        Backups is what you need, not an unencrypted drive.

        • dvdnet62@feddit.nlOP
          link
          fedilink
          English
          arrow-up
          15
          arrow-down
          5
          ·
          7 months ago

          not everyone is tech-savvy like folks on Lemmy. you can tell that to your grandma or your parents to do that to do regular backup. That is why it could cause a headache for repair business

            • cm0002@lemmy.world
              link
              fedilink
              arrow-up
              6
              arrow-down
              3
              ·
              7 months ago

              No, but when their computer dies they’ll take it to someone who does (Paid or not) to “Get their precious grandbaby photos back”

              That person will inevitably ask for the key and Grandma is gonna go “What key?!?” And then when she’s told all those photos are lost she’s going to get pissed at the wrong person guaranteed.

              These are also the same people that never change defaults soo yea this is stupid, just leave it as an easily accessible toggle for anyone who wants or needs it, but the default should be off.

              • refalo@programming.dev
                link
                fedilink
                arrow-up
                2
                arrow-down
                4
                ·
                7 months ago

                They could add some kind of message that warns about this, but I think it’s a better idea to encrypt by default (warning or not) rather than not… at least for privacy reasons.

                • cm0002@lemmy.world
                  link
                  fedilink
                  arrow-up
                  5
                  arrow-down
                  2
                  ·
                  7 months ago

                  It really doesn’t matter what message they show during setup, you haven’t worked tech support or computer repair have you?

                  The non-savvy users rarely pay attention to shit, a message during setup will be nothing but a blip at best in their memory by the time something happens to the computer 2-4 years later.

                  We’ve been telling non-savvy users to make sure they backup their shit for literally decades now, they still don’t. Not even macOS encrypts the user data partition by default, this is gonna be a shit show and hell desks and computer repair shops everywhere are on the front line.

            • ReversalHatchery@beehaw.org
              link
              fedilink
              English
              arrow-up
              2
              arrow-down
              1
              ·
              7 months ago

              I don’t see what that has to do with the drive dying. Every drive dies at some point, even if left in it’s place

            • Bartsbigbugbag@lemmy.ml
              link
              fedilink
              arrow-up
              1
              ·
              7 months ago

              No but they’re taking it to repair shops who then find that they can’t recover their customers data because it’s encrypted and then they lose al their photos and data they never backed up, because they’re not tech-savvy.

        • VeganCheesecake@lemmy.blahaj.zone
          link
          fedilink
          arrow-up
          4
          arrow-down
          1
          ·
          7 months ago

          Well, it kinda does. If you choose to print your keys, you can use print to file and safe them to the encrypted drive, if you really want to for some reason.

          • ShortN0te@lemmy.ml
            link
            fedilink
            arrow-up
            2
            arrow-down
            2
            ·
            7 months ago

            Yep but at this point it is obvious to the user that this is not the way it is supposed to be. When you want to shoot yourself in the foot…

      • refalo@programming.dev
        link
        fedilink
        arrow-up
        4
        arrow-down
        1
        ·
        7 months ago

        I wouldn’t fault a casual user for not backing up their encryption key because they wouldn’t be swapping hard drives in the first place. And the tech savvy people already know to backup keys.

      • ReversalHatchery@beehaw.org
        link
        fedilink
        English
        arrow-up
        2
        ·
        7 months ago

        And you slowly figure out that every photo, every document, everything critical to you is now protected from you and you can’t get it back.

        How fortunate that onedrive auto uploads those to Microsoft. That is, until you run out of your quota…

      • superfes@lemmy.world
        link
        fedilink
        arrow-up
        1
        ·
        7 months ago

        Microsoft lets you look up your bitlocker key, this is not the catastrophic problem you’ve laid it out to be.

      • ShortN0te@lemmy.ml
        link
        fedilink
        arrow-up
        4
        ·
        edit-2
        7 months ago

        You can not find that Option via the default Settings menu, you have to search for it or use the outdated control panel.

        Also Windows Home edition does not have this option.

        Edit: you can find it actually under Windows security.

        Still, it never pops up during installation.

  • GolfNovemberUniform@lemmy.ml
    link
    fedilink
    arrow-up
    29
    ·
    7 months ago

    It’s not a completely bad thing but ehh there are serious disadvantages, especially for gamers. I’m just glad I use Linux and will keep the change in mind in case I need to reinstall Windows on my gaming rig.

    Btw TL;DR of the article is:

    Windows 11 will automatically enable BitLocker on clean installs and re-installs.

    OEMs will be able to enable it even on Windows 11 Home with a special UEFI flag (whatever that means).

    BitLocker is a full-disk encryption technology by Microsoft. It provides better security since the data on the drive cannot be read without decrypting it (especially useful if someone steals the device) but the data cannot be recovered in case of forgetting the password or system malfunctions. Also it greatly decreases performance of the drive (by up to 45% on SSDs). This makes it unsuitable for many computer users.

    The feature cannot be disabled by native means. If you want to disable it, use Rufus and select the appropriate flag when creating the bootable USB.

    • dvdnet62@feddit.nlOP
      link
      fedilink
      English
      arrow-up
      17
      arrow-down
      2
      ·
      7 months ago

      The question is will this encrypt other partition that have other OS such as Linux automatically especially for dual boot users?

      • GolfNovemberUniform@lemmy.ml
        link
        fedilink
        arrow-up
        20
        arrow-down
        3
        ·
        7 months ago

        Knowing Microsoft’s behavior for many years, it might. If I had a dual-boot, I’d make sure I have a backup of all the important data on a separate device

      • 9point6@lemmy.world
        link
        fedilink
        arrow-up
        9
        ·
        7 months ago

        Bitlocker is a feature that relies on NTFS

        Unless you’ve somehow been working with cthulhu and installed Linux on an NTFS partition, you’re probably golden

        • dvdnet62@feddit.nlOP
          link
          fedilink
          English
          arrow-up
          3
          arrow-down
          1
          ·
          7 months ago

          I mean for instance. I dual-boot Linux and W11 atm. For some reason my Windows 11 needs to be formatted back because of the virus or etc or SSD replacement with fresh installation of Windows11 and of course bitlocker will be activated automatically after WIndows have been reinstalled it back from the scratch. Will this affect my other ext4 or Btrfs OS partition? or do I need to back up of my Linux important files on that partition before W11 mess up my Linux?

    • Dexx1s@lemmy.world
      link
      fedilink
      arrow-up
      4
      ·
      7 months ago

      by up to 45% on SSDs

      Excuse me, what!?!

      I wonder where the average is for the performance reduction. Probably something I’ll look into but I’d be pissed if I bought a drive and instantly lost even 20%.

      Luckily, I’m not on Windows so I have nothing to really worry about but damn.

    • Hubi@lemmy.world
      link
      fedilink
      arrow-up
      3
      ·
      7 months ago

      Since most people sign into Windows with their Microsoft account, does that mean that MS holds the decryption keys for your local hard drive?

      • 9point6@lemmy.world
        link
        fedilink
        arrow-up
        4
        ·
        7 months ago

        If you configure it to backup your keys to your account, yes.

        This (at least used to be) an opt in configuration option

      • GolfNovemberUniform@lemmy.ml
        link
        fedilink
        arrow-up
        1
        ·
        7 months ago

        Idk. I just made a TL;DR. I’m not a Windows expert by any means. There’s no point for me in studying it cuz I only use it for gaming and don’t even consider it as my main OS

  • SimonSaysStuff@lemmy.dbzer0.com
    link
    fedilink
    arrow-up
    21
    arrow-down
    4
    ·
    7 months ago

    I can vouch for the performance hit - I used to have a Surfacebook 2 and with Bitlocker enabled the machine was unusable. I’d say the performance hit was significantly higher than 45%. Turning it off at least allowed me to have a functioning laptop.

    The same hardware then ran Linux with full disk encryption enabled and performance was night and day.

    • VeganCheesecake@lemmy.blahaj.zone
      link
      fedilink
      arrow-up
      3
      ·
      7 months ago

      It has been many years since I’ve used an OS without full disk encryption, so I can’t really compare, but I have a Windows Partition for some proprietary software that doesn’t like Wine on my PC, and it is really smooth. Might be because it’s on a NVME SSD, though.

  • rtxn@lemmy.world
    link
    fedilink
    English
    arrow-up
    10
    arrow-down
    1
    ·
    edit-2
    7 months ago

    Unfriendly reminder that Bitlocker can encrypt your entire system drive and leave it in an unrecoverable state even if you have the correct recovery key. https://www.youtube.com/watch?v=pIRNpDvGF4w&t=528s The solution? Wipe. Your files? Fucked. Hotel? I’m too enraged to even make that joke.

    Friends don’t let friends fall victim to Microsoft’s ineptitude.

    • Romkslrqusz@lemm.ee
      link
      fedilink
      arrow-up
      2
      arrow-down
      3
      ·
      7 months ago

      There are dozens of more probable scenarios that could have the same outcome. Mitigation is as simple as keeping at least one backup, a recommendation as old as home computing.

      Ironically, the problem you describe most commonly applies to systems with Intel Optane storage technology, so it’s hardly even a Microsoft Issue.

  • dinckel@lemmy.world
    link
    fedilink
    arrow-up
    9
    ·
    7 months ago

    They do not get to make that decision for my system. I’m already one game away from wiping my secondary drive, but they are making that decision even more easy for me.

    To clarify, encryption is great. Options to enable it are great. Their encryption is both broken, worthless, and now enforced too, apparently

  • Nora@lemmy.ml
    link
    fedilink
    arrow-up
    4
    ·
    7 months ago

    What about for users who only have local accounts? How would they provide the bit locker code? Its normally linked to your Microsoft account no? Maybe there is a local place to find it and its up to you to back it up just in case.

    Me personally I have my 2TB ssd split into two partitions with windows on one and all my steam and bnet games on the other. If I ever lose my bit-locker code or it locks up I guess I can just reinstall.

    I use my laptop with Linux on it for any personal data, my desktop is exclusively for gaming.