Comment by Anthony-G
1 day ago
I’m a big fan of XKCD but, in reality, what most people (and employers) worry about is unauthorised third-party access to private data in the event a laptop is lost or stolen (most often by opportunist theft). Bitlocker — and other Full Disk Encryption technology — provides an effective mitigation for this situation.
Well, yes, we know that. I mean, that is the reason for doing it.
But what is much more rarely discussed are the costs. There are multiple penalties.
It hurts performance.
It impedes dual-boot.
It impedes setup in general; you lose most of the nice friendly GUI tools, replaced by clunkier, harder CLI tools.
It makes data recovery vastly harder, which is one of those things people discount until they need it and then realise how critical it is.
It makes troubleshooting OS problems vastly harder. Many problems it simply prevents fixing: the answer becomes, reinstall your OS and restore from backup. If you have no backups, tough.
It's inconvenient, unless you use modern TPM-backed systems, in which case it dramatically reduces the security benefits, while also severely reducing OS compatibility.
It adds a new vital credential people don't know they have and don't know they need to keep secure backups of.
It generally makes everything worse, to fix a threat that most people simply do not have.
The 2 employers I personally had who insisted on it published all the company info on my machines to Github anyway, making it not even security theatre. More like security pantomime: an act of pretending to pretend to do something.
The answer to all this is, in my experience as tech support type: don't do it. Conduct a proper analysis of who has what secrets and what they need to keep, and use other better-targeted tools just for them.
Because without that, it causes problems for no good reason. It's treated as a panacea but it isn't -- it fixes nothing for 99% of users -- and the very real problems and issues it causes are ignored.
This _may_ be worth it for some companies and organisations but it's not for anyone else. I can see its worth for governments and military forces but few others.
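The point above about the recovery credential deserves a concrete check. The following PowerShell is an added example, not something either commenter posted: it inspects a BitLocker volume, shows which protectors unlock it (on a TPM-only setup that list is just `Tpm`, so the recovery password is the only credential a human can actually use), creates a recovery password protector if none exists, and prints it so it can be stored away from the laptop. It assumes an elevated session on Windows 10/11 with the built-in BitLocker cmdlets and that `C:` is the system volume.

```powershell
# Added example (not from the original thread): verify BitLocker state on C:
# and make sure a recovery password exists and is stored somewhere other than
# the encrypted disk itself. Run from an elevated PowerShell session.

$mount = 'C:'                                   # assumed system volume
$vol   = Get-BitLockerVolume -MountPoint $mount

"{0} status={1} protection={2} encrypted={3}%" -f `
    $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus, $vol.EncryptionPercentage

# Which protectors can unlock this volume? With only 'Tpm' listed, the disk
# unlocks by itself at boot; the recovery password becomes the sole fallback
# when the TPM, firmware or boot chain changes.
$vol.KeyProtector | Format-Table KeyProtectorType, KeyProtectorId -AutoSize

$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    # No recovery password at all: add one before a firmware update or TPM
    # reset turns the machine into a brick.
    $vol      = Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

# Print the 48-digit recovery password(s) for offline storage. Saving this to a
# file on the encrypted volume is useless; keep it in a password manager, on
# paper, or on removable media kept apart from the laptop.
$recovery | ForEach-Object {
    "Recovery password for {0} (protector {1}): {2}" -f $mount, $_.KeyProtectorId, $_.RecoveryPassword
}

# Domain-joined machines can escrow the key in AD DS instead (requires the
# matching Group Policy); Entra ID joined machines use BackupToAAD-BitLockerKeyProtector.
# Backup-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $recovery[0].KeyProtectorId
```

`manage-bde -protectors -get C:` gives the same protector list from a plain command prompt if the PowerShell module is unavailable.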
Fair points. Thankfully, I haven't had any of those issues.
I run GNU/Linux on all my personal computers but the Windows 10 laptop from work came with Bitlocker installed and other than entering the PIN on start-up, it stays out of my way. Granted, I'm not dual-booting, saving important documents or running any backup tools; I mostly use it for browsing, Teams calls and SSHing into my Fedora workstation and other servers after connecting via VPN.
Also, in my case, performance was only noticeably affected when the IT contractors installed Symantec anti-virus which resulted in the laptop becoming a noisy heater every so often.
For what it's worth, I bought my wife a laptop for her birthday when she needed a new one and I never considered enabling Bitlocker on it. She wouldn't have any sensitive data on it so I figured there's no need.