undefined | Better HN

0 pointsAnthonyMouse1y ago0 comments

> Basically the TPM provides a set of features that are really useful for corporate Windows deployments. No more forgotten passwords, because the self-unlocking disk encryption sends the user straight to the Windows login screen, and helpdesk can reset forgotten Windows passwords remotely.

Unclear why this requires a TPM. Boot the system from a static unencrypted partition containing no sensitive data, display the login screen, when the user authenticates the system uses their credentials to get the FDE decryption key from the directory server. Bonus: Now the FDE keys are stored in the directory server and if the system board fails in the laptop you can remove the drive and recover the data.

An attacker with physical access could modify the unencrypted partition to compromise the user's password the next time the user logs in, but they could do the same thing with a hardware keylogger.

> And for casual home Windows users, it lets them log in with a 4-digit PIN or with biometrics, so it's got usability benefits for them too.

This could be implemented the same way using Microsoft's servers, given that they seem to insist you create a Microsoft account these days anyway.

It's not clear that unsophisticated users actually benefit from default-FDE though. They're more likely to lose their data to it than have it protect them from theft, and losing your family photos is generally more of a harm than some third party getting access to your family photos.

0 comments

vel0city1y ago

What happens when I try and login offline or unable to reach a directory server?

FWIW, Bitlocker already can store recovery keys in AD. It has been a feature for a long time.

AnthonyMouseOP1y ago

If the machine is already on but asleep, the keys are in memory, they only have to be downloaded from the server on first login. If the machine has been off and you have no network connection then you need the long password to unlock it instead of the short one, but for most users that is already irrelevant because everything else requires a network connection too.

vel0city1y ago

Ah ok, so I'll need to memorize the super long password whenever I'm out and about and want to just check something real quick. I guess I'll just put that on the sticky note on the bottom of the computer.

AnthonyMouseOP1y ago

You want to check something real quick on what... the internet? Then you have internet access. You also have access to the local data on the machine as long as it was asleep rather than off, which will be the case the vast majority of the time.

Keeping the key stored on the machine, TPM or no, is also less secure than keeping it somewhere else. If someone steals your laptop, you deny all access to the key on the server and they can't get it even if they could guess the pin (or the user wrote that on the bottom of the computer), and there is no way to use an offline method to extract the key from the TPM because it isn't there.

1 more reply

j / k navigate · click thread line to collapse

0 comments

vel0city1y ago

What happens when I try and login offline or unable to reach a directory server?

FWIW, Bitlocker already can store recovery keys in AD. It has been a feature for a long time.

AnthonyMouseOP1y ago

vel0city1y ago

AnthonyMouseOP1y ago

1 more reply

j / k navigate · click thread line to collapse