• Jeena@piefed.jeena.net · ↑121 ↓5 · 2 months ago

    Perfect, this will finally lock all the old people out of their devices because they forget their BitLocker password :D

  • Lucy :3@feddit.org · ↑68 ↓3 · 2 months ago

      I guess they’ll use TPM. I’m so excited to tell half of my “clients” (all seniors in the village) that they are fucked because their laptop died.

    • lemmyvore@feddit.nl · ↑25 · 2 months ago

        You don’t need your hard drive if all your files have been secretly moved to OneDrive. *taps forehead*

    • curry@programming.dev · ↑5 ↓1 · 2 months ago

        Oh, I can just imagine. Customers getting angry that their tech support cannot “just simply” recover their files like they used to and accuse them of scamming. Fucking thanks, Microsoft.

    • dogslayeggs@lemmy.world · ↑4 ↓2 · 2 months ago

        Unless you don’t have an MS account or only set up a dummy account just to get the stupid OS to activate and have never used once since.

      • stephen01king@lemmy.zip · ↑3 ↓2 · 2 months ago

          Well then, either get a Microsoft account that you remember the password to or don’t use Windows, since they are pushing hard for this type of security. Linux is completely free for people who don’t like where Windows is heading.

  • Magister@lemmy.world · ↑54 ↓6 · 2 months ago

    It’s good, for privacy and all of course, but I remember a Dell BIOS upgrade here that basically wiped the TPM 2.0, and so Windows was asking for the BitLocker recovery key at boot. I have them on an encrypted USB key, and anyway I can access my MS account from another device to find the key and type it.

    But I’m sure a lot of people will basically say “well, fuck, I don’t have the key”, guaranteed.
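
The firmware-update situation described above is predictable enough to handle before the flash rather than after it. What follows is an added example, not code from anyone in this thread: it suspends BitLocker for exactly one reboot before a manual BIOS/UEFI update, after first confirming that a recovery password protector exists at all. It assumes an elevated shell, the BitLocker PowerShell module (Pro/Enterprise/Education; on Home the equivalent command is `manage-bde -protectors -disable C: -RebootCount 1`), and `C:` as the system volume. Many OEM update tools do this step for you; a manual flash from a USB stick does not.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): suspend BitLocker for one reboot before a manual
# firmware update, so the changed PCR measurements do not land you on the recovery screen.
# Assumes the BitLocker PowerShell module and C: as the system volume.
$MountPoint = 'C:'

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Write-Host "$MountPoint is not encrypted; nothing to suspend."
    return
}

# What a firmware change invalidates is the TPM-sealed key; what gets you back in is the
# recovery password. Refuse to continue without the latter.
$tpmProtectors = $vol.KeyProtector | Where-Object KeyProtectorType -in @('Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')
$recovery      = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    throw "No recovery password protector on $MountPoint. Run 'Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector', back the password up, then retry."
}
Write-Host "Recovery protector ID(s) on ${MountPoint}: $($recovery.KeyProtectorId -join ', ') (check this ID is in your backup)"

if (-not $tpmProtectors) {
    Write-Host "No TPM-bound protector on $MountPoint; a firmware update will not trigger recovery."
    return
}

# RebootCount 1: protection resumes by itself after the next boot, once the TPM has
# re-sealed the key against the new measurements. Until then the volume key sits on disk
# in the clear, so flash the firmware right away and do not leave the machine like this.
Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
Write-Host "BitLocker suspended on $MountPoint for one reboot. Apply the firmware update now."

# After the update and reboot, verify it came back:
#   (Get-BitLockerVolume -MountPoint 'C:').ProtectionStatus   -> On
```

The script deliberately stops when there is no recovery password protector: suspending protection is safe, but a TPM-only volume with no recovery password is one failed re-seal away from permanent loss, and that is the case worth catching before the firmware flash, not after.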

    • lemmyvore@feddit.nl · ↑21 · 2 months ago

      Which brings me to the question: how is Microsoft doing this, where will people’s keys be located? Do they force everybody to put in a USB stick?

      • zaph@sh.itjust.works · ↑6 · 2 months ago

        From what I can tell, when a customer brings in a computer they can’t boot and gives me a look of “what did you just say to me, you little shit” when I ask them if they can log into their Microsoft account, they don’t give you a key.

      • stupidcasey@lemmy.world · ↑6 ↓25 · 2 months ago

        Don’t know, don’t care. Anyone with half a brain saw Windows was a sinking ship around the time they started putting ads in $150 software, but if that wasn’t enough, forcing you to decline ads every 2 weeks or whatever is just psychopathic behavior, and so is the degraded search. I unironically would choose Chrome OS or iOS over Windows these days, especially since the world has moved to browsers and the OS doesn’t matter. But any way you look at it, the Steam Deck has proven Windows is about as necessary as AOL these days. If you’re still using Windows that’s a you problem; backwards compatibility be damned, you should not be relying on this company for anything crucial, it can’t be trusted.

            • Blackmist@feddit.uk · ↑2 · 2 months ago

              The Linux boys on this site actually make me want to try it less.

              They’re the Rick and Morty fans all over again.

        • BearOfaTime@lemm.ee · ↑5 ↓2 · 2 months ago

          Hahahahahaha, oh yes, another “I have no idea how the world works, Windows sucks” commenter.

          Come back when you’ve managed a 10,000 computer enterprise.

          No, wait, come back after managing a 12 computer SMB.

          • stupidcasey@lemmy.world · ↑3 ↓6 · 2 months ago

            People who run 10,000 computers run Linux; it’s all but necessary for the low-level access, user access control and maintenance. Also, you need far fewer people to deploy and manage.

            Also, maybe not 10,000, but I manage a network of 50.

    • csm10495@sh.itjust.works · ↑3 · 2 months ago

      I always worry that the backup USB drive would be dead.

      I guess I’m in the minority, but I kind of like the ability to fetch the key from the web. Doing that securely, of course, can be tough.

      • BearOfaTime@lemm.ee · ↑4 ↓1 · 2 months ago

        Web. USB. Printout in a safe. On my phone. In KeePass. Etc., etc.

        I’m not relying on a single copy.

    • isles@lemmy.world · ↑1 · 2 months ago

      Where’s your encrypted USB recovery key stored?! Is it encrypted USBs all the way down?

  • Vahenir@lemmy.world · ↑20 ↓1 · 2 months ago

    This one is especially fun on Windows 11 Home. At least it was some time ago on some machine I worked on. Since Home doesn’t have the BitLocker settings fully, you cannot disable BitLocker encryption. It would also auto-enable sometimes even if you don’t have a Microsoft account, which means it doesn’t back the key up anywhere. Not sure it does that anymore, I hope not, but I expect a lot of people to lose their data to this crap in the future.

    In either case, at least I find that full disk encryption on most machines is just overkill, as it only really protects in the scenario where the device is stolen and someone tries to pull data off of it that way. But in the vast majority of cases when people get their data stolen, it’s done with malware, which disk encryption does *nothing* to prevent.

    • MoonlightFox@lemmy.world · ↑7 ↓1 · 2 months ago

      In the scenario in which your computer is forgotten or stolen, it would offer some comfort knowing that the data on the computer is not accessible.

      We have a “policy” in our household that everything that has personal data should be encrypted. That is just for cases in which we lose the device or it gets stolen. That makes it a purely financial loss, and not as invasive / uncomfortable.

      But on the other hand my household are not average users. So it might not work well for other people.

    • adarza@lemmy.ca · ↑1 · 2 months ago

      When it automatically enables on Win11 Home, it doesn’t actually “enable” until you do sign in to Windows with a Microsoft account, so it has a place to stash the recovery key.

      And I have not had any difficulty turning the encryption off on Win11 Home systems.

  • Romkslrqusz@lemm.ee · ↑20 ↓4 · 2 months ago

    […] device encryption will be enabled by default when you first sign in or set up a device with a Microsoft account or work / school account.

    For devices with a TPM, this has literally been the case since Windows 10 1803 back in 2018.

    • bandwidthcrisis@lemmy.world · ↑3 · 2 months ago

      But that’s not the case for Windows Home, is it? The FDE setting just takes me to a page to upgrade to Pro. My laptop does have TPM.

      • Romkslrqusz@lemm.ee · ↑2 · 2 months ago

        It is. Secure Boot and the TPM must both be enabled.

        If you check msinfo32 / “System Information” with admin rights, there is a “Device Encryption Support” listing that may have additional information.

        There are rare instances where a device won’t support automatic encryption due to “Un-allowed DMA capable bus/device(s) detected”, which requires a registry tweak to work around.

        • bandwidthcrisis@lemmy.world · ↑1 · 2 months ago

          Un-allowed DMA capable bus/device(s)

          And there it is in msinfo!

          Thanks very much. I’ve been using VeraCrypt for years; it’s good to know that I have another option (especially to simplify things for family members).
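
The two posts above describe checking msinfo32 by hand and then applying a registry change for the DMA message. The following is an added example, not from either poster: it runs the same prerequisite checks from PowerShell (TPM present and ready, TPM spec version, Secure Boot on, current state of the OS volume) and then inspects the `DmaSecurity\AllowedBuses` key that Microsoft's documented workaround for “Un-allowed DMA capable bus/device(s) detected” writes to. It assumes Windows 10/11 on UEFI with the `Tpm`, `SecureBoot` and `BitLocker` modules, an elevated shell, and a hardware ID of the form `PCI\VEN_xxxx&DEV_xxxx` taken from Device Manager; the ID in the commented example call is a placeholder, not a real device.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): reproduce the prerequisites msinfo32 summarises under
# "Device Encryption Support", then inspect (and optionally extend) the DMA allow-list behind
# the "Un-allowed DMA capable bus/device(s) detected" reason.
# Assumptions: Windows 10/11, UEFI firmware, Tpm/SecureBoot/BitLocker modules present.

$tpm        = Get-Tpm
$secureBoot = $(try { Confirm-SecureBootUEFI } catch { $false })   # throws on legacy BIOS / CSM boot
$tpmSpec    = (Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm).SpecVersion

[pscustomobject]@{
    TpmPresent = $tpm.TpmPresent
    TpmReady   = $tpm.TpmReady
    TpmSpec    = $tpmSpec        # "2.0, 0, 1.59" style string; automatic encryption wants a 2.0 TPM
    SecureBoot = $secureBoot
    OsVolume   = (Get-BitLockerVolume -MountPoint $env:SystemDrive).VolumeStatus
} | Format-List

# The DMA allow-list. Automatic encryption refuses to turn on while a DMA-capable bus that Windows
# cannot verify as internal is present. Every entry here is a bus whose DMA is trusted without the
# Kernel DMA Protection check, so only add on-board devices, never a port a stranger can plug into.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\DmaSecurity\AllowedBuses'
if (Test-Path $key) {
    Write-Host "`nCurrent AllowedBuses entries:"
    Get-ItemProperty -Path $key | Select-Object -Property * -ExcludeProperty PS* | Format-List
} else {
    Write-Host "`nNo AllowedBuses key present."
}

function Add-AllowedDmaBus {
    param(
        [Parameter(Mandatory)] [string] $FriendlyName,   # registry value name; informational only
        [Parameter(Mandatory)] [string] $HardwareId      # 'PCI\VEN_xxxx&DEV_xxxx' from the device's Hardware Ids
    )
    if ($HardwareId -notmatch '^PCI\\VEN_[0-9A-Fa-f]{4}&DEV_[0-9A-Fa-f]{4}$') {
        throw "HardwareId must look like PCI\VEN_xxxx&DEV_xxxx, got '$HardwareId'"
    }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $FriendlyName -Value $HardwareId -PropertyType String -Force | Out-Null
    Write-Host "Added $FriendlyName = $HardwareId. Reboot, then re-check msinfo32 'Device Encryption Support'."
}

# Example call with a placeholder ID (take the real one from Device Manager, not from here):
# Add-AllowedDmaBus -FriendlyName 'Onboard PCIe root port' -HardwareId 'PCI\VEN_1234&DEV_5678'
```

The allow-list is a trade: it lets automatic encryption proceed on a board whose firmware does not advertise its internal buses properly, at the cost of exempting those buses from the DMA check that protects a locked machine against a hostile device on the same bus. For a soldered-down controller that is a reasonable call; for anything reachable from an external port it is not.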

  • Riskable@programming.dev · ↑20 ↓5 · 2 months ago

    Tom’s Hardware tested this software version of BitLocker last year and found it could slow drives by up to 45 percent.

    WTF‽ In Linux full disk encryption overhead is minimal:

    While in pure I/O benchmarks like FIO there is an obvious impact to full disk encryption and other synthetic workloads, across the real-world benchmarks the performance impact of running under full disk encryption tended to be minimal

    https://www.phoronix.com/review/hp-devone-encrypt/5

    There’s like five million ways you can use disk encryption on Linux though, and not all of them are very performant. So keep that in mind if you see other benchmarks showing awful performance (use the settings Phoronix used).

    I suspect Microsoft made some poor decisions in regards to disk encryption (probably because of bullshit/insecure-by-design FIPS compliance) and now they’re stuck with them.

  • MystikIncarnate@lemmy.ca · ↑15 ↓2 · 2 months ago

    This has been happening for a lot longer than just Windows 11.

    Several people I’ve spoken to, who have purchased OEM computers from the likes of Dell, HP, Lenovo and others, did not know that bitlocker FDE was enabled, and they were not aware that they needed to back up their recovery key.

    On at least one occasion, this caused someone to lose the contents of their laptop when Windows failed to finish booting into the OS. The drive was fine as far as I could tell, but the content on the drive would not complete the boot-up sequence and would BSOD/boot loop the system, so data retrieval was not possible without the recovery key, which they did not have. That was a Windows 10 Dell system from 2020 or so.

    My opinion is that FDE is a good thing.

    My advice is, if you have FDE enabled, back up your recovery keys. It’s easy, but it won’t directly save to a file on the filesystem that’s locked by the key to which the recovery key applies. The easiest workaround is to “print” it, then use the built-in Microsoft Print to PDF, then dump it wherever you want. Afterwards, put it somewhere safe. Doesn’t matter where, but anywhere that isn’t the encrypted drive. Maybe Google Drive, maybe a USB flash drive, maybe email it to yourself. I dunno, just somewhere you can retrieve it if that system isn’t working.

    When you’re done doing that, go check the same on your parents computers, friends, brothers and sisters… If they’re someone you care about, and they have a windows computer, check. Get those recovery keys backed up somewhere.
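
For anyone doing the check-your-relatives round the post above recommends, here is the same backup done without the print dialog. This is an added example, not the poster's own procedure: it lists every volume's recovery password together with its protector ID and writes them to a file, refusing to write onto a volume that is itself BitLocker-protected (the trap the post describes). It assumes an elevated shell, the BitLocker PowerShell module, and a USB stick mounted at `E:` (a placeholder path). A data volume that is still locked reports no recovery password until it is unlocked.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): export every recovery password, with its protector ID,
# to a location that is not itself BitLocker-protected.
# Assumptions: BitLocker module present; E: is a USB stick or other non-encrypted drive (placeholder).
$Destination = 'E:\bitlocker-recovery.txt'

# Refuse to store the key on a volume that needs the key to be read.
$destDrive = Split-Path -Qualifier $Destination            # 'E:'
$destVol   = Get-BitLockerVolume -MountPoint $destDrive -ErrorAction SilentlyContinue
if ($destVol -and $destVol.VolumeStatus -ne 'FullyDecrypted') {
    throw "$destDrive is BitLocker-protected itself; a key stored there is unreachable when that volume is locked."
}

$lines = foreach ($vol in Get-BitLockerVolume) {
    $rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($rp.Count -eq 0) {
        "$($vol.MountPoint)  status=$($vol.VolumeStatus)  NO recovery password protector"
        continue
    }
    foreach ($p in $rp) {
        # The ID is what the recovery screen displays; it tells you which 48-digit password to type.
        # RecoveryPassword is empty for a data volume that is still locked; unlock it first.
        "{0}  status={1}  id={2}  password={3}" -f $vol.MountPoint, $vol.VolumeStatus, $p.KeyProtectorId, $p.RecoveryPassword
    }
}

$header = "BitLocker recovery keys for $env:COMPUTERNAME, exported $(Get-Date -Format s)"
@($header) + @($lines) | Set-Content -Path $Destination -Encoding UTF8
Write-Host "Wrote $(@($lines).Count) line(s) to $Destination. Now copy it somewhere the laptop's death cannot reach."
```

The protector ID is recorded on purpose: the recovery screen shows only the first part of that ID, and on a machine with several volumes or several recovery passwords it is the only way to know which 48 digits to type. For devices joined to a work or school account the same protector can be pushed to the tenant with `BackupToAAD-BitLockerKeyProtector -MountPoint C: -KeyProtectorId <id>`; for a personal Microsoft account the Settings page for device encryption and https://aka.ms/myrecoverykey are the cloud copy, and this file is the one that survives losing access to that account.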

  • robber@lemmy.ml · ↑14 ↓2 · 2 months ago

    I think this is a step in the right direction. Everyone can lose a portable device or it can get stolen, so protecting the potentially sensitive data is important.

    I think what people are complaining about is not full-disk encryption itself, but the fact that people are not used to being responsible for their cryptographic keys.

    I think we should educate people regarding this responsibility. We did it with regular keys we use to unlock our homes.

  • zecg@lemmy.world · ↑13 ↓2 · edited · 2 months ago

    This will make people angry in waves as updates break BitLocker and cohorts don’t have their key, a new one each time.

    • BearOfaTime@lemm.ee · ↑7 ↓3 · 2 months ago

      If you’re getting tickets, I assume you mean at work? What’s a business doing running Home and no Domain? This isn’t an issue on machines joined to a domain.

      • LaunchesKayaks@lemmy.world · ↑9 · 2 months ago

        I work at an MSP, so we have clients who refuse to pay money to have good tech. Plenty of them have no domain, use Home, and just cheap out and then get mad when they have constant issues. We try to tell them to buy better shit, but they don’t wanna hear it. 🤷‍♀️

      • azuth@sh.itjust.works · ↑6 · 2 months ago

        Rofl.

        The vast majority of small businesses do run on Home and have no clue wtf a domain is. Probably share files via Google Drive rather than a file server.

  • barsquid@lemmy.world · ↑7 ↓1 · 2 months ago

    This is good but they need better guidance to nontechnical users how to backup their keys. Cloud backup now that they are trying to make local accounts illegal I suppose.

    • catloaf@lemm.ee · ↑10 · 2 months ago

      AES-NI has been standard for over a decade. There shouldn’t be a significant hit to processing speed.

        • catloaf@lemm.ee · ↑7 ↓3 · 2 months ago

          You’ve benchmarked this? Using what encryption algorithm, what processors, what benchmark?

          • schizo@forum.uncomfortable.business · ↑6 · 2 months ago

            More to the point, I think, is: are there even any systems that will run Windows 11 that don’t have AES-NI?

            Performance without it is kinda irrelevant because there’s no situation where you’d have Windows 11 and bitlocker and NOT AES-NI.
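
The sub-thread above asks the right question (which algorithm, which processor, which benchmark) without answering it. Here is an added example, not from anyone in the thread, that produces a reproducible number for the cipher side of the argument: it reports the CPU, whether the runtime sees AES-NI, and single-thread AES-256 throughput via .NET's AES implementation (Windows CNG underneath, which uses AES-NI when present). Assumptions: PowerShell 7+ for the intrinsics check (on Windows PowerShell 5.1 that field reads “unknown”), and AES in ECB mode as a pure throughput proxy, since BitLocker's XTS-AES is not exposed by .NET. Treat the result as the per-core cost of the cipher, not as a BitLocker measurement.

```powershell
# Added example (not from the thread): single-thread AES-256 throughput as a proxy for the
# cipher cost in full-disk encryption. ECB is used ONLY because it has no chaining overhead;
# never use ECB for real data. Assumptions: PowerShell 7+ for the AES-NI check.

$cpu   = (Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1).Name
$aesNi = $(try { [System.Runtime.Intrinsics.X86.Aes]::IsSupported } catch { 'unknown (type needs .NET Core 3.0+)' })

$sizeMiB = 256
$plain   = [byte[]]::new($sizeMiB * 1MB)
[System.Random]::new(1).NextBytes($plain)        # constructed, deterministic sample data

$aes = [System.Security.Cryptography.Aes]::Create()
$aes.KeySize = 256
$aes.Mode    = [System.Security.Cryptography.CipherMode]::ECB   # throughput proxy only
$aes.Padding = [System.Security.Cryptography.PaddingMode]::None  # buffer is a multiple of 16 bytes
$aes.GenerateKey()

$sw   = [System.Diagnostics.Stopwatch]::new()
$best = [double]::PositiveInfinity
for ($run = 0; $run -le 3; $run++) {             # run 0 is a warm-up and is discarded
    $enc = $aes.CreateEncryptor()
    $sw.Restart()
    $null = $enc.TransformFinalBlock($plain, 0, $plain.Length)
    $sw.Stop()
    $enc.Dispose()
    if ($run -gt 0 -and $sw.Elapsed.TotalSeconds -lt $best) { $best = $sw.Elapsed.TotalSeconds }
}
$aes.Dispose()

[pscustomobject]@{
    Processor      = $cpu
    AesNiSupported = $aesNi
    Cipher         = 'AES-256-ECB via .NET, one thread'
    BufferMiB      = $sizeMiB
    BestSeconds    = [math]::Round($best, 3)
    GiBPerSecond   = [math]::Round(($sizeMiB / 1024) / $best, 2)
}
```

Read the number against the sequential throughput of the disk in the same machine. When the cipher on one core comfortably outruns the drive, the cipher is not where a slowdown comes from, and any remaining gap has to be looked for in the I/O path and the workload, which is the distinction the Phoronix quote earlier in the thread draws between fio and real-world runs.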

    • LunchMoneyThief@links.hackliberty.org · ↑10 ↓1 · 2 months ago

      the days of popping out a hard drive, and grabbing whatever the hell’s on there with a usb connection are over

      Independent repair shops are going to suffer big time from this.

        • LunchMoneyThief@links.hackliberty.org · ↑16 ↓1 · 2 months ago

          I’ve supported bitlocker in corporate deployments. I have also spent some time in independent repair shops. I have little confidence in users to supply a bitlocker key, let alone even know what one is. I anticipate a lot of “what? I already gave you my password.”

      • AceBonobo@lemmy.world · ↑6 ↓1 · edited · 2 months ago

        Obviously, Microsoft will happily sell you OneDrive cloud backup to solve the problem they are creating.

    • dual_sport_dork 🐧🗡️@lemmy.world · ↑5 ↓2 · 2 months ago

      You can still mount it to another machine if you have the key. It’s an extra layer of pain in the ass, though.

      I don’t use an M$ account so if your key is backed up to the cloud (aside: can’t wait to read the headline about when that gets breached) I don’t personally know offhand how difficult it is to extricate your BitLocker keys from Microsoft.

    • 9point6@lemmy.world · ↑6 ↓2 · 2 months ago

      If you read that article it’s only slow on systems that don’t have hardware acceleration, which basically isn’t any system from the past half a decade at least (and definitely not anything that would have a compatible TPM)

      • IHawkMike@lemmy.world · ↑1 ↓2 · 2 months ago

        I’m rocking a 12-year-old 3930k with BitLocker on all drives and it’s perfectly fine.

      • db2@lemmy.world · ↑4 · 2 months ago

        Clearly you didn’t do any machine recovery during that fiasco or you wouldn’t ask. When the machines crashed the only fix was to get in and delete the offending file, but as Windows wouldn’t load up you had to unlock the drive to get in with a working OS.

        • stephen01king@lemmy.zip · ↑1 · 2 months ago

          Ok, but what lesson was Microsoft supposed to learn from the CrowdStrike fiasco that has to do with the implementation of BitLocker in personal devices?

          Are you suggesting that OS drive encryption should never be implemented due to the fact that computers might sometimes need to be accessed without the OS booting up? That doesn’t really make sense. That’s what Bitlocker keys are for, to unlock the drive if needed.

          • db2@lemmy.world · ↑1 ↓2 · 2 months ago

            OK buddy, you can be right if it’s that important to you.

            • stephen01king@lemmy.zip · ↑1 · 2 months ago

              I don’t know everything about what happened during the Crowdstrike fiasco since it didn’t directly affect my company, so I’m asking questions. I don’t really care about being right. If you were talking about something I don’t know, I’m glad to learn new things about that incident. Why get defensive on something like this instead of just clarifying your point?

              • db2@lemmy.world · ↑2 · 2 months ago

                OK, I may have misread the intent. Sorry.

                Basically for any machine with bitlocker on it we had to unlock the drive before getting the ability to load an external OS to go on to that drive and remove the problem file. The built in Windows was completely borked. For a home user that’s generally quick and easy to do, in any corporate environment it will take hours if not days to get that unlock code and meanwhile nothing can get done meaning business grinds to a halt and waits.

                As for what happened in the first place, Crowdstrike updated a file for their nanny app which has kernel (lowest OS level) access so when their app choked on the bad update it crashed the kernel which meant Windows couldn’t even load much less run.

                The two aren’t directly related but one made the other significantly harder to fix with any speed.

  • Hal-5700X@sh.itjust.works · ↑9 ↓12 · 2 months ago

    Does the average Windows user really need BitLocker device encryption? They don’t. The only users who need BitLocker are business and government workers.

    Also 99% of Windows users are going to get locked out of their computers.

    • BearOfaTime@lemm.ee · ↑15 ↓3 · 2 months ago

      Everyone needs drive encryption.

      And no, 99% of Windows users aren’t going to get locked out.

      99% of Windows boxes are business boxes, which already are encrypted (and if they aren’t, that’s some bad IT).

      This really only affects Home users, who don’t enable encryption because they don’t know any better. I have no doubt we’ll see quite a few people have issues because they lose their key and can’t recover their data. This is why MS should provide clear directions during setup about storing the key. Instead they’re going to keep it in people’s OneDrive/365 account. Such a bad idea. Now I’ve gotta write documentation for friends and family about what NOT to do during setup.

      • Hal-5700X@sh.itjust.works · ↑3 ↓2 · 2 months ago

        This is why MS should provide clear directions during setup about storing the key.

        Now I’ve gotta write documentation for friends and family about what NOT to do during setup.

        Okay. You need to write documentation for your friends and family, but Microsoft have clear directions.