Do not store your BitLocker encryption keys on Microsoft's servers if your threat model includes governments or law enforcement. As this article points out, this is the result of a design choice Microsoft made. It didn't have to be this way.

https://www.forbes.com/sites/thomasbrewster/2026/01/22/microsoft-gave-fbi-keys-to-unlock-bitlocker-encrypted-data/

Microsoft Gave FBI BitLocker Encryption Keys, Exposing Privacy Flaw

The tech giant said providing encryption keys was a standard response to a court order. But companies like Apple and Meta set up their systems so such a privacy violation isn’t possible.

Forbes

@evacide
(If your threat model includes governments, law enforcement or any half-competent attacker)
... you must also add a PIN to your BitLocker config. Extracting the BitLocker encryption key at boot can be achieved with a $300 logic analyzer.

https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/configure?tabs=os#require-additional-authentication-at-startup

Configure BitLocker

Learn about the available options to configure BitLocker and how to configure them via Configuration Service Providers (CSP) or group policy (GPO).

@brnrd @evacide I have been lazy and haven't tested it yet, but I have bought a £70 Sipeed SLogic16U3 which I believe is fast enough to sniff the TPM, so the cost is even lower now: https://wiki.sipeed.com/hardware/en/logic_analyzer/slogic16u3/Introduction.html
Introduction - Sipeed Wiki
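The mitigation the replies describe (a pre-boot PIN so the TPM does not release the volume key unattended) as an added example, not code from the thread or from Microsoft's documentation. It assumes an elevated PowerShell session on Windows with the BitLocker module, and that the "Require additional authentication at startup" policy linked above already allows a startup PIN; the function names are my own.

```powershell
# Added example: audit the OS volume's BitLocker protectors and, if it relies on the
# TPM alone, add a TPM+PIN protector. With TPM-only protection the volume master key
# is unsealed at boot with no user secret, which is what a logic analyzer on the TPM
# bus captures. Assumes the BitLocker PowerShell module and an elevated session.

function Get-BitLockerPreBootPosture {
    param([string]$MountPoint = $env:SystemDrive)
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    [pscustomobject]@{
        MountPoint          = $MountPoint
        ProtectionStatus    = $vol.ProtectionStatus
        EncryptionMethod    = $vol.EncryptionMethod
        ProtectorTypes      = ($types -join ', ')
        # TPM-only means no TpmPin / TpmPinStartupKey protector is present.
        TpmOnly             = ($types -contains 'Tpm') -and
                              -not ($types -contains 'TpmPin') -and
                              -not ($types -contains 'TpmPinStartupKey')
        HasRecoveryPassword = ($types -contains 'RecoveryPassword')
    }
}

function Enable-BitLockerStartupPin {
    param(
        [string]$MountPoint = $env:SystemDrive,
        [Parameter(Mandatory)][securestring]$Pin
    )
    $posture = Get-BitLockerPreBootPosture -MountPoint $MountPoint
    if (-not $posture.TpmOnly) {
        Write-Host "No change: $MountPoint protectors are [$($posture.ProtectorTypes)]"
        return $posture
    }
    # Keep a recovery password so a forgotten PIN does not lock you out of the disk.
    # Where that password gets backed up is the escrow choice the original post is about.
    if (-not $posture.HasRecoveryPassword) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    }
    # A volume holds one TPM-based protector, so TPM+PIN replaces the TPM-only one.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
    return Get-BitLockerPreBootPosture -MountPoint $MountPoint
}

# Usage: read the PIN interactively so it never lands in a script or shell history.
# $pin = Read-Host -AsSecureString -Prompt 'Startup PIN'
# Enable-BitLockerStartupPin -Pin $pin
```

Run `Get-BitLockerPreBootPosture` on its own first; a `TpmOnly` of `True` is the configuration the £70 analyzer in the reply above targets.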