Back in January Microsoft encrypted all my hard drives without saying anything. I was playing around with a dual boot yesterday and somehow aggravated Secureboot. So my C: panicked and required a 40 character key to unlock.
Your key is backed up to the Microsoft account associated with your install. Which is considerate to the hackers. (and saved me from a re-install) But if you’ve got an unactivated copy, local account, or don’t know your M$ account credentials, your boned.
Control Panel > System Security > Bitlocker Encryption.
BTW, I was aware that M$ was doing this and even made fun of the effected users. Karma.
Not using Bitlocker is not the same as not encrypting your stuff.
I know, I just meant why would someone willingly disable Bitlocker?
I mean… the premise of the thread seems like a good enough reason, doesn’t it?
And even if it doesn’t, if one is already using a different encryption solution that doesn’t rely on TPM and secureboot silliness, what possible reason could there be not to disable Bitlocker?
Some of the things mentioned in the OP don’t actually happen in real life, though. Bitlocker is only automatically activated if you use a Microsoft account to log in, and why wouldn’t you know the account credentials if it’s what you use to log in?
TPM is optional (but recommended) for Bitlocker. Practically every computer released in the past 10 years has TPM support.
Secure boot is needed to ensure that the boot is secure and thus it’s okay to load the encryption key. Without it, a rootkit could be injected that steals the encryption key.
You generally want to use TPM and secure boot on Linux too, not just on Windows. You need secure boot to prevent an “evil maid attack”
Maybe I’m misunderstanding something here, but does this whole thing not mean that the moment you use your Microsoft account for logging in, you immediately tie the permanent accessibility of your local files to you retaining access to a cloud account?
You have different opinions on TPM and the prevalence of evil maids than me, fair. But please don’t disregard the central premise of my last comment: One is already using a different encryption solution. Say, Veracrypt is churning away in the background. Why would one leave Bitlocker activated?
The Microsoft account holds a backup of the recovery key, which you need to use to restore access in if you do something like significantly change the hardware or move the drive to a different system (which are effectively the same thing).
You don’t need it for day-to-day use of the system, and you can also just get the recovery key and print it out or write it down somewhere, which is usually how it’s handled on systems that don’t use a Microsoft account.
That’s a good point.
I work at a big tech company so have to be vigilant even with my personal systems :)