undefined | Better HN

0 points2Gkashmiri3y ago0 comments

the thief can just use a live cd and copy stuff, i mean that is what i do when i bork the windows install. i don't use bitlocker and i suspect many many people don't so this is merely an inconvenience

0 comments

MayeulC3y ago

I think windows encrypts more and more by default.

TPMs are not unlocked if they can't validate the boot chain (live cd), so you'd need the disk password (and full user password).

Nextgrid3y ago

Did a Windows 10 Pro install just a couple days ago and BitLocker still wasn't on by default.

vladvasiliu3y ago

I think it's only turned on when you connect it to an online account.

It's still possible to only use a local one, but it's in an unexpected place, so I expect most people to go the online route.

themoonisachees3y ago

indeed, only when using a microsoft account, which by the way is now required in the latest isos. you can still bypass it but it requires being offline for the install. that being said, there are still many laptops with older windows version preinstalled that do not have the requirement; however users that don't care about this will just click the MS account option because the button was kind of hidden.

their reason for this is that you need to save the bitlocker recovery key somewhere, and they don't trust the users to do it properly (not even mentionning the UI for this would be horrendous) so it saves it to OneDrive.

1 more reply

2GkashmiriOP3y ago

dont you disable secure boot and go to legacy mode ? i do when i install linux or windows both as a habit

MayeulC3y ago

I haven't performed a single windows install since 2013ish (was it 8.0 beta?), but I'm saying this based on how often I see it enabled. Companies do it, and probably manufacturers too. I'm less sure about the install media, true.

Regarding secureboot, I went through the pain of configuring it under Linux (creating and importing my own keys), before realizing it was of little use without a TPM. Turns out both Windows and Linux can't "own" the TPM at the same time, IIRC (work laptop has a windows partition). I ended up learning my randomly generated >15 char disk decryption password by heart.

vladvasiliu3y ago

On my work laptop, on which I dual boot Arch and Windows, I've just signed MS's keys with my own key and disabled booting from anything else than the internal drive.

I'm not sure what you mean by "legacy mode", but I'd expect that to mean "BIOS compatibility mode", and that's not really related (apart from presumably disabling secure boot). I actually prefer UEFI, this allows me to avoid wasting time with a classic bootloader.

j / k navigate · click thread line to collapse

0 comments

MayeulC3y ago

I think windows encrypts more and more by default.

TPMs are not unlocked if they can't validate the boot chain (live cd), so you'd need the disk password (and full user password).

Nextgrid3y ago

Did a Windows 10 Pro install just a couple days ago and BitLocker still wasn't on by default.

vladvasiliu3y ago

I think it's only turned on when you connect it to an online account.

It's still possible to only use a local one, but it's in an unexpected place, so I expect most people to go the online route.

themoonisachees3y ago

1 more reply

2GkashmiriOP3y ago

dont you disable secure boot and go to legacy mode ? i do when i install linux or windows both as a habit

MayeulC3y ago

vladvasiliu3y ago

On my work laptop, on which I dual boot Arch and Windows, I've just signed MS's keys with my own key and disabled booting from anything else than the internal drive.

j / k navigate · click thread line to collapse