’m no expert computerologist, but I think that any system that requires anybody but you to have your key is insecure.
Computerologist here. You are 100% correct. If anyone says otherwise, they are selling you something.
Comment on Microsoft Gave FBI Keys to Unlock Encrypted Data, Exposing Major Privacy Flaw
FauxLiving@lemmy.world 1 day ago
Oh no, who could have possibly seen this coming when Microsoft decided to back up your full-disk encryption key automatically to OneDrive.
Smart of them to deploy automatic full disk encryption just as open source projects like Trucrypt and Veracrypt were starting to become mainstream and wouldn’t you know, they also include many glaring backdoors that completely defeats the encryption that they offer.
In addition to being vulnerable to law enforcement through subpoenas on the stored key. Anytime you run a Windows update and the system has to reboot, it writes a ‘clear key’ to the hard drive which can be easily retrieved if the disk is stolen and also they bypass TPM Validation.
You know, the thing that is so important to have that you were forced to buy an entirely new computer… it is not active during a system update and anybody who has your hard drive.
Well, you would think that this isn’t very useful, after all they would have to have pretty good timing to catch you updating your computer to remove the hard drive, right?
Nope, if they steal your whole computer and plug it into power and a network connection, the next time a Windows update hits the system will automatically apply the update (absent a very specific Group Policy) and write the full-disk encryption key to the hard drive before shutting down.
I’m no expert computerologist, but I think that any system that requires anybody but you to have your key is insecure. If this is the kind of poor design choices that they make in regards to disk encryption then I would personally have no confidence that their proprietary code is not equally porous.
massacre@lemmy.world 1 day ago
FauxLiving@lemmy.world 1 day ago
My pa always told me that if someone says something on the Internet you can take them at their word, so I trust these credentials.
otacon239@lemmy.world 1 day ago
TrueCrypt, my beloved. Such an amazing set of features and super easy to use. I so wish there was a modern open-source equivalent with the same ease-of-use.
FauxLiving@lemmy.world 1 day ago
How about a modern fork of Truecrypt that looks and works exactly like it?
Eezyville@sh.itjust.works 1 day ago
Have you looked at Veracrypt?
otacon239@lemmy.world 1 day ago
Well shoot. It’s my lucky day. And cross platform even! Thanks!
adespoton@lemmy.ca 1 day ago
This is configurable; you can set BitLocker to always require a password on boot. If you do that, the clearkey doesn’t get placed (yet). If you set this mode, the key also doesn’t get uploaded to OneDrive. Of course, there’s a big warning when you set it up, and it recommends you print off and save the one time recovery key list.
Easier just to use an OS that doesn’t require you to jump through hoops to secure it though.
FauxLiving@lemmy.world 1 day ago
You can also disable it with a Group Policy too and delete any keys that were uploaded to Microsoft with manage-bde while adding your own keys, but for the average person Bitlocker is going to be how it comes by default.
Pre-builts are even worse because that’s another party who has had access to your keys and there are not laws that they would violate by keeping copies (for your convenience, of course)