How Windows uses the Trusted Platform Module

Alex Atkin UK:

--- Quote from: Weaver on November 09, 2021, 07:52:23 PM ---IMPORTANT: If using BitLocker, you should make sure the BIOS settings are such that you can’t boot from any removable drive, and the BIOS UI has a strong password so evildoers can’t get in and modify the settings. But then anyone should always do that! And make sure to record the password on another machine somewhere where you won’t forget its location.

--- End quote ---

How so?  As surely booting into another OS can't get at the files, they're encrypted?

I don't actually use BitLocker personally as I'm on Linux, so I use LUKS, although currently it's still backed up to an unencrypted drive on my NAS as the idea of encrypting my data is not something I've been thinking about much until recently so wanted to check for any issues before potentially rolling it out wider.  Plus it makes more sense for say my laptop which is far more likely to get stolen than my NAS.

I'm still wary of the potential for not being able to recover from a failing drive because I can't unlock the encrypted partition, vs traditional filesystems where you often CAN recover at least some of the data.  Although that may be moot now with SSDs that often fail suddenly, completely and without warning.  Plus of course I DO keep backups.

Weaver:
No, the point about booting other code is that it could destroy your main volume. But then an evildoer could use a tool called a hammer anyway.

Alex Atkin UK:

--- Quote from: Weaver on November 09, 2021, 09:09:42 PM ---No, the point about booting other code is that it could destroy your main volume. But then an evildoer could use a tool called a hammer anyway.

--- End quote ---

That's what puzzled me as once someone has physical access, all bets are off there anyway.  My biggest worry in that case is, like you said, physical damage or someone using a USB killer for the LOLs.

Weaver:
The other point about setting a BIOS password is that if you don’t, then an evildoer can, and can lock you out of your own machine. Some machines have a BIOS reset link on the board to reset the password and put everything back to factory defaults presumably. Or something.

Anyway, I’ve never left a BIOS UI unprotected by a password.

Alex Atkin UK:
That's a good point actually as I hear modern BIOS actually store the password in the chip so it CAN'T be easily reset.
