I was wondering when a reporter would uncover this.

So BitLocker is super secure, right? Well... BitLocker recovery keys are backed up to Microsoft's Cloud - and they give them out to law enforcement on request. Using the BitLocker recovery key, you can just unlock the device without a PIN etc.
https://www.forbes.com/sites/thomasbrewster/2026/01/22/microsoft-gave-fbi-keys-to-unlock-bitlocker-encrypted-data/

> Microsoft Gave FBI BitLocker Encryption Keys, Exposing Privacy Flaw
> The tech giant said providing encryption keys was a standard response to a court order. But companies like Apple and Meta set up their systems so such a privacy violation isn't possible.
> (Forbes)
@GossiTheDog You can save Key as a file.

@niknukem Which doesn't help if the key is additionally and automatically synced to MS. You have a MS account to login, don't you? So it's easy to connect...

And afaik the sync can only be deactivated using GPOs - but perhaps even this is no longer a possibility...

@jesterchen So is there proof they sync the key even if you select save as file? Yeah, no MS account in Windows. But I guess most do use Intune, then the key is cloud based. Welcome back VeraCrypt. Xd

@niknukem @jesterchen you cannot use BitLocker with a local Windows account, you have to have a linked account. BitLocker automatically uploads your encryption keys to your MS account, whether or not you choose to save it as a file. It is possible to log in and remove your keys from your MS account, but it's not very simple and I don't know if that will prompt Windows to take it upon itself to decrypt your drives.

Edit: apparently this only applies to Windows Home edition, not professional.

@DirtyAnCom @niknukem @jesterchen

You can use Pi-Hole to block the MS servers so the key isn't uploaded.

Source: When I have tried to upload the key to MS I have had to disable Pi-Hole to do so. I'm not sure what address you need to block but it shouldn't be too hard to work out.

@PaulKingtiger

And what about the time when you leave your home network that does not block M$ networks?

@DirtyAnCom @niknukem @jesterchen

@selea @PaulKingtiger @niknukem @jesterchen that is a prudent question. I wonder if one could make an outbound rule to block it in Windows firewall, itself, lol.

@selea @DirtyAnCom @niknukem @jesterchen

That's a good point. We'd need to check if MS tries to upload the key when you select a different option and if it keeps trying until it is successful.

@DirtyAnCom @niknukem @jesterchen that's not true, I have Windows installs with local accounts and Bitlocker. I think you may have to have Windows Professional to do this.
@chopsstephens
That's a good point. I hadn't considered that. Gonna have to upgrade my windows install.
@niknukem @jesterchen

@niknukem @jesterchen when it comes to security, you should always think of the worst case scenario.

It is already proven that they upload the keys to their servers, so it should be assumed until proven otherwise that selecting a different option in their own tool doesn't change that, especially with Microsoft's history of sending literally everything to their servers.

@justenoughducks @jesterchen But this was the question: if you save your key locally, will it be uploaded? No account, no Intune. So worst case yes, but it should be a realistic scenario. Or more a proper evaluation. But besides that, who needs encryption if the user activates the 10282 Copilot features on Windows.
@jesterchen @niknukem People have MS accounts to login??? 🤦🤦🤦
@dalias And most of them don't even realize... 🤷‍♀️
@jesterchen @dalias and they vote
@jdoe @jesterchen I'm confused what reasonable thing one might be trying to imply by pointing out that people without technical expertise to bypass Microsoft's nags to let them backdoor your Windows with a microsoft account are able to vote.
@niknukem @GossiTheDog Which most average users will not. Or if they do, they lose the file before the need arises. I mean I hate Microsoft and all the forced cloud stuff, but recovery is a hard problem to solve in a user-friendly way.
@niknukem @GossiTheDog To put it other way around, having recovery keys automatically stored in Microsoft cloud has probably made A LOT of people happy they could recover their data. A much smaller group is unhappy that Microsoft shared their keys with the spooks.
@suihkulokki @GossiTheDog But this group of people knows how to save their key just on a usb drive and not in the cloud.

@GossiTheDog I remember TrueCrypt and all of the discussions regarding the beginnings of VeraCrypt.

Has VeraCrypt now finally been decided to be a legal fork? Yeah, I know, nobody cares, but before I trust MS in this....

@jesterchen @GossiTheDog Try Cryptomator.
@kaibojens Won't help. Cryptomator is file based and for cloud storage, this won't encrypt your whole OS (including drafts, logs, possibly passwords, etc pp).
> R&S®Trusted Disk
> R&S®Trusted Disk full disk encryption for protecting classified data

@utf_7 @kaibojens Thanks. Did not know that one. Have to poke a bit at our company's information risk management, let's see if I can get them to buy me a trial. 😇
@GossiTheDog is it not the case that the only way to avoid this is to use Windows Professional, or have they changed that with Windows 11 as well?
@gwire @GossiTheDog I believe you only get the GUI on Professional, but you can set up bitlocker manually with local protectors on Home using the command-line. At least in Windows 10.
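As an added example (not code posted by anyone in this thread), here is a PowerShell script that checks which key protectors each BitLocker volume actually has, looks for escrow-related entries in the BitLocker event log, and writes a recovery password to a file path you control instead of calling the cloud-backup cmdlet. It assumes the built-in BitLocker module (Get-BitLockerVolume, Add-BitLockerKeyProtector) as shipped with Pro/Enterprise editions and an elevated session; the claim that the same works on Home via the command line is the poster's, not something this example verifies. The event-log text match is an assumption used as a heuristic, not a documented API.

```powershell
# Added example, not from the thread. Assumes the built-in BitLocker module
# (Pro/Enterprise) and an elevated PowerShell session.

# List every BitLocker volume with its protector types, so you can see whether a
# RecoveryPassword protector (the 48-digit key that gets escrowed) exists at all.
function Get-BitLockerProtectorReport {
    Get-BitLockerVolume | ForEach-Object {
        [PSCustomObject]@{
            MountPoint       = $_.MountPoint
            ProtectionStatus = $_.ProtectionStatus
            VolumeStatus     = $_.VolumeStatus
            Protectors       = ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
            RecoveryIds      = ($_.KeyProtector |
                                Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
                                ForEach-Object { $_.KeyProtectorId }) -join ', '
        }
    }
}

# Heuristic (assumption, not a documented API): search the BitLocker management log
# for backup-related entries, which are written when recovery information is escrowed
# to AD / Entra ID or a Microsoft account. No entries is not proof that nothing was sent.
function Get-BitLockerEscrowEvents {
    param([int]$Days = 90)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'backed up|backup' } |
        Select-Object TimeCreated, Id,
            @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

# Ensure a recovery password protector exists and write it to a file you control
# (e.g. on a removable drive). This deliberately does NOT call
# BackupToAAD-BitLockerKeyProtector, the cmdlet that escrows the key to the cloud.
function Save-BitLockerRecoveryPasswordToFile {
    param(
        [Parameter(Mandatory)][string]$MountPoint,   # e.g. 'C:'
        [Parameter(Mandatory)][string]$OutFile       # e.g. 'E:\bitlocker-C.txt' (removable drive)
    )
    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
          Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $rp) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
              Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    }
    foreach ($p in $rp) {
        "Volume: $MountPoint`nProtector ID: $($p.KeyProtectorId)`nRecovery password: $($p.RecoveryPassword)`n" |
            Out-File -FilePath $OutFile -Append -Encoding ascii
    }
    Write-Host "Recovery password(s) for $MountPoint written to $OutFile"
}

# Usage (the last call is commented out because it changes protector state):
Get-BitLockerProtectorReport | Format-Table -AutoSize
Get-BitLockerEscrowEvents -Days 180 | Format-Table -AutoSize
# Save-BitLockerRecoveryPasswordToFile -MountPoint 'C:' -OutFile 'E:\bitlocker-C.txt'
```

The protector report answers the first question raised in the thread (is there a recovery password at all, or only a TPM protector), and the log search gives a local, after-the-fact indication of whether an escrow happened. What it cannot tell you is what already sits in a Microsoft account; the only authoritative check for that is the recovery-key page of the account itself, which is also where the earlier poster's "remove your keys" step happens.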

@GossiTheDog

Rob Braxman has been bitching about this for quite some time.

https://www.youtube.com/watch?v=iX3a-goiE2c

> Windows 11 Bitlocker isnt there to Protect YOU
> (YouTube)
@Brokar @GossiTheDog Brax is a grifter selling insecure hardware and software https://grapheneos.social/@GrapheneOS/114825638504244405
> GrapheneOS (@[email protected])
> Useful information on Braxman's products and services from a security researcher (founder of DivestOS): https://forum.f-droid.org/t/brax2-alternatives/22469/6 Highly insecure, ancient hardware running a closed source fork of the end-of-life Android 10 which did NOT receive basic security patches and updates.
> (GrapheneOS Mastodon)

@xz @GossiTheDog

But what he says about the TPM and Bitlocker in his videos is not wrong.

I don't care about his shop, Didn't even know he had one.

@GossiTheDog Yep. Which is why I don't have a Microsoft account, don't back up recovery keys to the cloud, or use BitLocker in the first place.
@bontchev @GossiTheDog which is why I don't have a Microsoft operating system ;)

@GossiTheDog
Bitlocker is only to guarantee that Microsoft's beak gets wet every time your data is stolen. To whom is this news? It's been clear for years, great job "Forbes". Where news goes to get lobotomized...

One must be an utter buffoon with what we know today, to think Microsoft in any way has aligned interests with users. They don't.

MS has already betrayed you. They are not your friend.

@GossiTheDog bitlocker in all enterprise implementations I have seen always felt more like security theatre than actual security. Sure it was gonna keep a thief of opportunity out of your files, but anyone with more resources could get around it

@Killertomato @GossiTheDog when reading about privacy violation enforcement actions by the FTC there were a lot that would have been resolved by this. Laptops full of patient data stolen from a car, etc.

Honestly it probably mitigates most crimes where an encrypted hard drive avoids the risk. Not all. And not all the non-crime related reasons people care about privacy

@GossiTheDog Several concerns added up to make me leave M$ last year. Good decision.

Happy and free, this is no concern of mine, and I will just enjoy the afternoon sun. Microsoft is history.

@GossiTheDog don't keep your password on some server. always use a notebook if you can
@GossiTheDog I don’t understand putting your trust in black box proprietary encryption software when TrueCrypt/VeraCrypt exist and are older than BitLocker by 3 years, stupid doesn’t even begin to describe it.

@gsprs @GossiTheDog last time I set up a Win11 machine a year and a half ago, it was obligatory to use an account (they had blocked all the workarounds at the time) - and BitLocker was automatically activated. Not sure it's even easy to deactivate that and use VeraCrypt instead, now.

On my previous Win11 machine, I was able to bypass using an account and BitLocker was not provided. In that case I found I could put a firmware lock on the drive - good enough for my purposes.

@gsprs @GossiTheDog they also work on ALL hardware, not just ones that Microsoft feels like supporting / have specific TPM features.
@GossiTheDog am I a Luddite if I mention that paper can get tossed into a fireplace or shredded?
@GossiTheDog there's no secure in slop. Never has been.
@GossiTheDog That's not encryption, that's just a password with extra steps.
@GossiTheDog I was already in the process of getting everything Microsoft dragged up to its cloud out. Dropbox is finally killed off, and as much of Google as I can, but they don't make it easy.
@GossiTheDog "so bitlocker is super secure, right?"

yeah, that's what I thought too, until a few years ago, when most of the Windows boot environment bugs I found came with BitLocker key dumping or derivation as a side effect

there are more default settings than just that which lead to a less secure configuration

@GossiTheDog jfc

> Federal investigators in Guam believed the devices held evidence that would help prove individuals handling the island’s Covid unemployment assistance program were part of a plot to steal funds.

@GossiTheDog
So, that topic is done with as well, then.

Good thing we rely on independent #Software in the critical infrastructure sector.

@GossiTheDog I'm happy with my LUKS encryption
@GossiTheDog for me, Bitlocker is basically Microsoft saying "for your safety, we will encrypt your device, don't you worry, I keep the key". Personally, I prefer to choose and keep the key myself when I want something locked 😅 And now it is even better to learn that the key is not given to the user by default, but provided to the FBI 😅
@GossiTheDog uploading the BitLocker recovery keys to the MS cloud is not default behavior, is it? Even the Forbes article states that you can opt-out of it (or do you even have to opt-in?).
@GossiTheDog yep thx. Just wanna add: in order to get the key from MS, it leaves traces in the Ermittlungsakte (investigation file) / papers... just checking on the HDD drive won't (as 2 same amounts)... the info is important!

@GossiTheDog IT admins everywhere should have started exploring viable alternatives the second Candy Crush showed up in Windows Enterprise.

If the FBI can obtain someone's Bitlocker keys, that means malicious actors can, too.

There is no such thing as a backdoor for only the good guys.

@GossiTheDog

It's not a flaw. It's a feature. For authority and Microslop.

@GossiTheDog
Maybe that's why our IT department didn't bother to require bitlocker encryption on storage devices I plug into my new PC (actually, I think it was just an oversight).
Anyway it makes my job easier because I occasionally need to exchange data with really old applications on an unconnected XP laptop which can't run bitlocker.
@GossiTheDog You know those videos with "Wait for it!"? This is the one. I know this is not an option for everyone but I love the combination of Linux and LUKS file-systems. Oh and if you don't hit bootselect at power-on, my machines boot into a small and clean Windows. Good luck with that.
@GossiTheDog who knew you don't need to drug and wrench someone to give up their bitlocker password... All you need is a LEO email and a sternly worded court order; something I'm sure Microsoft verifies the authenticity of 😉