Kitz Forum
Computer Software => Windows 11 => Topic started by: Alex Atkin UK on November 06, 2021, 07:48:07 AM
-
Stumbled onto this:
https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm
One thing of interest which basically confirms my original theory of why they wanted TPM:
Device Encryption
Device Encryption is the consumer version of BitLocker, and it uses the same underlying technology. How it works is if a customer logs on with a Microsoft account and the system meets Modern Standby hardware requirements, BitLocker Drive Encryption is enabled automatically in Windows. The recovery key is backed up in the Microsoft cloud and is accessible to the consumer through his or her Microsoft account. The Modern Standby hardware requirements inform Windows that the hardware is appropriate for deploying Device Encryption and allows use of the “TPM-only” configuration for a simple consumer experience. In addition, Modern Standby hardware is designed to reduce the likelihood that measurement values change and prompt the customer for the recovery key.
For software measurements, Device Encryption relies on measurements of the authority providing software components (based on code signing from manufacturers such as OEMs or Microsoft) instead of the precise hashes of the software components themselves. This permits servicing of components without changing the resulting measurement values. For configuration measurements, the values used are based on the boot security policy instead of the numerous other configuration settings recorded during startup. These values also change less frequently. The result is that Device Encryption is enabled on appropriate hardware in a user-friendly way while also protecting data.
However unless I'm missing something, that does rather suggest law enforcement could demand the key from your Microsoft Account.
Its also curious that this does not specifically mention Windows 11, so was this unique to OEM devices on Windows 10 and how does it work when upgrading to 11 on a device that did not have TPM enabled during the original install?
-
I'm not sure if this question is answered in your post. I was struggling to take in the information.
What happens if your motherboard faults or you upgrade it. Would you still be able to access the hard drive, or would it be locked by encryption?
I know it said that the code is logged in your account. Does that mean Windows itself won't be locked on an encrypted drive to allow you to login to release the code?
I'm very skeptical about this focus some folks have with encryption at home user level. What happens if some odd ball gets caught with illegal files, can he now lock the encryption on the drive and refuse to hand over his account details?
-
To me its about if I need to RMA my SSD/HDD or they are stolen. I want to be reasonably sure my data is unreadable.
-
I did read that if you've used drive encryption won't stop you getting a ransomware attack.. then you have double encryption of your data :'(
https://news.ycombinator.com/item?id=27655219
-
I also used bitlocker on my laptops and on customers’. Same as Alex, it’s about machines being stolen.
Unfortunately I probably now can’t get into a ten year old Lenovo top-end laptop because I’ve probably forgotten the admin password.
@parkdale - Indeed that’s absolutely true, bitlocker won’t protect you; it’s totally irrelevant. Ransomware will need to be run by an admin to encrypt the whole drive, otherwise it will just encrypt the files the current user has access to, which will typically be a lot so disastrous. It doesn’t matter in the slightest whether or not you have bitlocker turned on as it’s just a normal application modifying files through normal o/s API routines that ordinary users have access to.
Mind you, if you tried to boot ransomware from another removable drive then I’d have to think about that. I suspect bitlocker would protect you, but the ransomware could just burn your file system perhaps, not sure, would have to think about that.
IMPORTANT: If using bitlocker, you should make sure the BIOS settings are such that you can’t boot from any removable drive, and the BIOS UI has a strong password so evildoers can’t get in and modify the settings. But then anyone should always do that! And make sure to record the password on another machine somewhere where you won’t forget it’s location.
-
IMPORTANT: If using bitlocker, you should make sure the BIOS settings are such that you can’t boot from any removable drive, and the BIOS UI has a strong password so evildoers can’t get in and modify the settings. But then anyone should always do that! And make sure to record the password on another machine somewhere where you won’t forget it’s location.
How so? As surely booting into another OS can't get at the files, they're encrypted?
I don't actually use Bitlocker personally as Linux so I use LUKS, although currently its still backed up to an unencrypted drive on my NAS as the idea of encrypting my data is not something I've been thinking about much until recently so wanted to check for an issues before potentially rolling it out wider. Plus it makes more sense for say my laptop which is far more likely to get stolen than my NAS.
I'm still wary of the potential for not being able to recover from a failing drive because I can't unlock the encrypted partition, vs traditional filesystems where you often CAN recover at least some of the data. Although that may be moot now with SSDs that often fail suddenly, completely and without warning. Plus of course I DO keep backups.
-
No, the point about booting other code is that it could destroy your main volume. But then an evildoer could use a tool called a hammer anyway.
-
No, the point about booting other code is that it could destroy your main volume. But then an evildoer could use a tool called a hammer anyway.
That's what puzzled me as once someone has physical access, all bets are off there anyway. My biggest worry in that case it like you said, physical damage or someone using a USB killer for the LOLs.
-
The other point about setting a BIOS password is that if you don’t, then an evildoer can, and can lock you out of your own machine. Some machines have a BIOS reset link on the board to reset the password and put everything back to factory defaults presumably. Or something.
Anyway, I’ve never left a BIOS UI unprotected by a password.
-
That's a good point actually as I hear modern BIOS actually store the password in the chip so it CAN'T be easily reset.
-
I was being thick though; I forgot about my original primary, and routinely considered, reason, that of setting the BIOS password so no-one else can do it before you do.