Do not store your Bitlocker encryption keys on Microsoft's servers if your threat model includes governments or law enforcement. As this article points out, this is the result of a design choice Microsoft made. It didn't have to be this way.

https://www.forbes.com/sites/thomasbrewster/2026/01/22/microsoft-gave-fbi-keys-to-unlock-bitlocker-encrypted-data/

Microsoft Gave FBI BitLocker Encryption Keys, Exposing Privacy Flaw

The tech giant said providing encryption keys was a standard response to a court order. But companies like Apple and Meta set up their systems so such a privacy violation isn’t possible.

Forbes
Because of limited space, I am using "governments or law enforcement" as shorthand for anyone who can show up at Microsoft with a valid court order for your data. This is not a 1-to-1 mapping. I understand the difference and I don't feel like arguing about it.
@evacide To paraphrase Hank: "Government and government-accessories"

@evacide
Or, because this is Microsoft we are talking about, anyone who shows up virtually with a golden authentication ticket they got through an official API surface because Azure security is a mess...

Having encryption keys stored in plaintext on any cloud service is just a completely irresponsible and bonkers design.

@evacide If you're limited by space, "governments or law enforcement" could be shorthanded into just "they", but then maybe it depends on each person's mental state what "they" would mean.
🤔
@evacide there are more compact shorthands like “cops” and “glowies” 
@evacide I still wonder what happened at the end of TrueCrypt, especially since they recommended using Bitlocker when they shut the project down. I've always had the feeling that govt was involved.
@nonlinear @evacide The project continued as VeraCrypt: https://veracrypt.io/en/Home.html
VeraCrypt - Free Open source disk encryption with strong security for the Paranoid

VeraCrypt is free open-source disk encryption software for Windows, Mac OS X and Linux. In case an attacker forces you to reveal the password, VeraCrypt provides plausible deniability. In contrast to file encryption, data encryption performed by VeraCrypt is real-time (on-the-fly), automatic, transparent, needs very little memory, and does not involve temporary unencrypted files.

@nonlinear They said they recommended BitLocker because they couldn't recommend their own product because they couldn't continue supporting it. I'm not sure it was anything more than "since we cannot support our product any longer, here is a product which at least is supported".

The project itself continued as VeraCrypt.

@jmcrookston @nonlinear VeraCrypt is pretty interesting: It uses mouse movements for randomization. Windows, Mac & Linux available.

more reading here: https://en.wikipedia.org/wiki/VeraCrypt

VeraCrypt - Wikipedia

@dxzdb As I recall they paid for a security audit as well.
@jmcrookston Nice! Probably another good place to donate to... I bet most corporations using MS stuff just recommend BitLocker as well
@nonlinear @evacide The successor is Veracrypt, a fork from Truecrypt. https://veracrypt.io/en/Home.html

@evacide Upgrade to Linux and use LUKS.
@AstaMcCarthy @evacide Fuck yeah. That’s been my setup since forever.

@evacide The Trump era has shown “government or law enforcement” should *always* be in your threat model.

The US is not alone in this. Lots of governments have been pushing boundaries.

@evacide @shufflecake a bit of shameless self-promotion: it looks like we'll be able to launch a prototype for a fully hidden OS using #Shufflecake somewhere this year. And, no, we don't have an option for uploading encryption keys to "the Cloud" 😂 https://shufflecake.net/
Shufflecake

@evacide Not that the law is after me.... yet. I scrubbed bitlocker from my system and deleted the keys from my account, so good luck with that MS.

@byrnensorg @evacide
Do you think your data is more secure now?

You should encrypt your data, but don't send the keys to Microsoft or any other company.

And if you don't trust Microsoft, then you shouldn't use Windows anymore.

@go @evacide I don't trust any company basically, and detest cloud-based solutions; my backups are on external drives. I got rid of OneDrive on day one. What OS would you suggest for light gaming and graphics work?

@byrnensorg @evacide
Which operating system? - I don't want to answer that, because it's off-topic.

I recommend encrypting the data without sharing the key. There are several solutions for this. BitLocker or other software, which you can easily find on Wikipedia.

@go @evacide Bitlocker? The same Bitlocker that sold keys to the FBI and Europol so they could open devices without using pass keys? OK, I thought you knew something about this, but you're a doomsayer without solutions. Stay on topic then and cheerio...

@byrnensorg @evacide
According to the Forbes article, Microsoft can only hand over the key to evil surveillance agencies or criminals if you, as a computer user, have chosen the option to store your secret, private key in the Microsoft Cloud.

So skip this extra step and decide not to save ANYTHING with Microsoft anymore.

This makes it more complicated for you personally, because you have to take care of a different, secure storage method for your keys and data.

@evacide My surprise knows no lower bounds.
@evacide do not use M$ Software if your threat model includes governments or law enforcement
@HLunke @evacide Or anyone who might end up hacking M$.
@evacide “While key recovery offers convenience, it also carries a risk of unwanted access, so Microsoft believes customers are in the best position to decide... how to manage their keys” If you pay for Windows Pro which is 100$ more compared to Windows Home.
@evacide Simply put, do not use any Microsoft products if real security is your goal. Anything stored outside of your own hardware is not secure. Use strong (and long) passwords and never use biometrics.
@evacide I've read about it earlier today and I'm not surprised 😬 corporations doing corporations' things
@evacide Why encrypt in the first place if you give out your keys. This is the same level of stupid as SSE-S3 in #AWS
@jaj @evacide Because whenever management types get their hands on policy about cryptography, they treat it as a box to be checked off, and they break it. The premise of actual functional cryptography goes against their whole worldview of how hierarchies of control are supposed to work.
@evacide Well, that's easy. Simply go away from Microsoft and use Linux. I changed all my IT stuff to "Open Source" and I have been happy with it for years. No privacy problems, no security problems, no hidden backdoors ...
#FOSS
@evacide
If you (everyone who's reading this) have already uploaded the recovery key, use manage-bde -protectors -get D: to find the ID of "Numerical Password" (recovery key) and delete it with manage-bde -protectors -delete -id ID D: .

Bitlocker would work with no recovery key set, but if you do want to generate a new recovery key, see Microsoft documentation below:
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/manage-bde
manage-bde

Reference article for the manage-bde command, which turns on or turns off BitLocker, specifies unlock mechanisms, updates recovery methods, and unlocks BitLocker-protected data drives.
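The manage-bde steps above can be scripted with the BitLocker PowerShell module. The following is an added example (not from the thread or from Microsoft's documentation) that adds a fresh recovery password, writes it to a file on your own media, and only then deletes the old recovery-password protectors, so the volume is never left without a recovery protector. It assumes an elevated session; the drive letter `C:` and the backup path `E:\bitlocker-C-recovery.txt` are assumptions.

```powershell
# Added example (not from the thread or Microsoft docs). Replaces the
# recovery password that may already have been uploaded with a fresh one
# that stays on your own media. Assumes an elevated session; the drive
# letter and the backup file path below are assumptions.
#Requires -RunAsAdministrator
Import-Module BitLocker

function Rotate-BitLockerRecoveryPassword {
    param(
        [Parameter(Mandatory)][string]$MountPoint,
        [Parameter(Mandatory)][string]$OfflineBackupPath   # e.g. a file on a removable drive
    )

    $before = Get-BitLockerVolume -MountPoint $MountPoint
    $oldIds = @($before.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        Select-Object -ExpandProperty KeyProtectorId)

    # 1. Add the new recovery password before deleting anything, so the
    #    volume is never left without a recovery protector.
    $after = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $new = $after.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' -and $oldIds -notcontains $_.KeyProtectorId }

    # 2. Record it offline. This is the only copy: BackupToAAD-BitLockerKeyProtector,
    #    the cmdlet that sends a protector to Entra ID, is deliberately never called.
    @(
        "Volume:             $MountPoint"
        "Key protector ID:   $($new.KeyProtectorId)"
        "Recovery password:  $($new.RecoveryPassword)"
        "Created:            $(Get-Date -Format o)"
    ) | Set-Content -Path $OfflineBackupPath

    # 3. Delete the old (possibly uploaded) recovery passwords. This revokes
    #    them on the disk; a copy already sitting in a Microsoft or Entra
    #    account still has to be deleted from that account separately.
    foreach ($id in $oldIds) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $id | Out-Null
    }

    # Return the protectors that remain so the caller can verify the result.
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector
}

Rotate-BitLockerRecoveryPassword -MountPoint 'C:' -OfflineBackupPath 'E:\bitlocker-C-recovery.txt' |
    Format-Table KeyProtectorType, KeyProtectorId
```

After it runs, the table should list exactly one RecoveryPassword protector, and its ID should match the one in the backup file. Deleting the protector on disk does not remove the copy Microsoft already holds; that has to be done from the account it was uploaded to.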

@evacide WhatsApp does the same. There too, the private key is stored on their servers.

@evacide In principle that would also include anyone who knows my email address and can set up a phishing website, right?

Government agencies need whatever a valid warrant is in their jurisdiction, but a user just has to log in to their account and click through the "I forget my Bitlocker password" workflow.

So someone who knows me, or stole my laptop bag with my business cards in it, knows who to phish to get into an account likely to have my recovery key, right?

@evacide The person at Forbes who described this as a 'flaw' seems like they are deliberately underselling it. At least with tech 'flaw' almost entirely implies 'error' rather than 'decision'. It's a little harsher than some of the euphemisms that vendors prefer for product defects, in order to try to normalize how many they ship; but it's absolutely exonerative of one's intentions; which is wholly undeserved.

@evacide Simply deactivate Bitlocker. Bad by design and a gate wide open to lock YOU OUT.

Just use Veracrypt or something like that on a second drive or USB stick to protect the very sensitive data... and at least deactivate Bitlocker, which forces Windows Recall or whatever its name is to be deactivated too.

@evacide “#Microsoft says it will provide encryption keys for Windows PC data protected by BitLocker where it has access to them and it's received a valid warrant.”

The word “valid” sure is doing a lot of work there. This is the most corrupt DoJ and FBI in generations. One that ignores court rulings that it disagrees with. So what way is the warrant “valid”? Syntactically? Grammatically? Because if we get any deeper, like morally or ethically, the argument gets harder to make.

@evacide Personally I consider the use of Microsoft for any threat model outside of not having one and not caring a bad option, unless it's your only option, say for a service that no one else has that is to a high enough standard. Just a personal opinion, maybe I'm wrong.
@evacide
Using other words:
Do not use software from a fascist regime.

@evacide
(If your threat model includes governments, law enforcement or any half-competent attacker)
... you must also add a PIN to your Bitlocker config. Extracting the bitlocker encryption key at boot can be achieved with a 300$ logic analyzer.

https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/configure?tabs=os#require-additional-authentication-at-startup

Configure BitLocker

Learn about the available options to configure BitLocker and how to configure them via Configuration Service Providers (CSP) or group policy (GPO).
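The linked policy ("Require additional authentication at startup") can be applied on a standalone machine and the OS volume moved from TPM-only to TPM+PIN with the BitLocker module. The following is an added example, not from the thread or from Microsoft's documentation: it sets the local policy values under the FVE registry key, refuses to proceed unless a recovery password already exists as a fallback, swaps the TPM-only protector for a TPM+PIN one, and restores the TPM protector if adding the PIN fails. It assumes an elevated session on a non-domain-managed machine with a ready TPM; the drive letter `C:` is an assumption.

```powershell
# Added example (not from the thread or Microsoft docs). Converts a
# TPM-only BitLocker OS volume to TPM+PIN so the TPM does not release the
# volume key at boot until a PIN is entered. Assumes an elevated session,
# a standalone (non-domain-managed) machine, and that local policy is set
# through the FVE registry key. The drive letter is an assumption.
#Requires -RunAsAdministrator
Import-Module BitLocker
Import-Module TrustedPlatformModule

function Set-LocalBitLockerPinPolicy {
    # Same settings as the GPO "Require additional authentication at startup"
    # with "Configure TPM startup PIN" = "Require startup PIN with TPM".
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    New-Item -Path $fve -Force | Out-Null
    New-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $fve -Name UseTPMPIN -Value 1 -PropertyType DWord -Force | Out-Null   # 1 = require PIN
}

function ConvertTo-TpmAndPin {
    param([Parameter(Mandatory)][string]$MountPoint)

    if (-not (Get-Tpm).TpmReady) { throw 'TPM is not present or not ready; aborting.' }

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = $vol.KeyProtector.KeyProtectorType

    if ($types -contains 'TpmPin') {
        Write-Host "$MountPoint already uses TPM+PIN."
        return $vol
    }
    # Never remove the TPM protector without a recovery password to fall back on.
    if ($types -notcontains 'RecoveryPassword') {
        throw "No recovery password protector on $MountPoint; add one (stored offline) first."
    }

    $pin = Read-Host -AsSecureString -Prompt 'New BitLocker startup PIN'

    # A TPM-only protector and a TPM+PIN protector do not coexist, so remove
    # the TPM-only one first, then add TPM+PIN.
    $vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm' | ForEach-Object {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
    }
    try {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null
    } catch {
        # Roll back so the machine still boots without the recovery password.
        Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null
        throw
    }
    Get-BitLockerVolume -MountPoint $MountPoint
}

Set-LocalBitLockerPinPolicy
(ConvertTo-TpmAndPin -MountPoint 'C:').KeyProtector | Format-Table KeyProtectorType, KeyProtectorId
```

The final table should show a TpmPin protector and no plain Tpm protector; the next boot prompts for the PIN before the volume is unlocked. On a domain- or MDM-managed machine the policy values come from that management channel instead, and the registry step should be left out.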

@brnrd @evacide I have been lazy and haven't tested it yet, but I have bought a £70 Sipeed SLogic16U3 which I believe is fast enough to sniff the TPM, so the cost is even lower now https://wiki.sipeed.com/hardware/en/logic_analyzer/slogic16u3/Introduction.html
Introduction - Sipeed Wiki

@evacide interesting. Thanks for sharing. The article refers to it as a “privacy flaw”. I guess it depends on the definition of privacy, though to me, it seems like a security flaw.
@evacide Apart from that, storing the key in the specific provider’s cloud isn’t a good idea anyway; the same goes for iCloud as well. There are things that should be separated from each other for a reason, and this one is just another proof of the need to do so.
@evacide
Proprietary Software can't be trusted. It's that simple
don't keep them on your microsoft-controlled, universally-backdoored computer either. microsoft, and thus the government, can get at them from your computer too. why wouldn't it?
@evacide At this point get rid of Windows if you're not running anything that's DRM-locked to that OS.