Comment by Aurornis

Yes, they push the MS account stuff very hard. I've found Windows so actively hostile to the user that I basically only use Linux now.

I used to be a windows user, it has really devolved to the point where it's easier for me to use Linux (though I'm technical). I really feel for the people who aren't technical and are forced to endure the crap that windows pushes on users now.

Do we have confirmation that it’s a must to upload the key if you use an MS account with Windows? Is it proven that it's not possible to configure Windows to have an MS account linked, maybe even to use OneDrive, while not uploading the BitLocker key?

Btw - my definition of “possible” would include anything possible in the UI - but if you have to edit the registry or do shenanigans in the filesystem to disable the upload from happening, I would admit that it’s basically mandatory.

>Nowadays you just need to assume that all data on Windows computers is available to Microsoft; even if you temporarily find a way to keep your data out of their hands, an update will certainly change that.

I get why the US would not, but I really wish the rest of the world looked at this like the security and sovereignty issue that it is.

Teams inside a VM it is, then.

doing things like that which is completely unrelated should be considered data theft, and microsoft should be punished so severely they wish they never had the idea to begin with

> logging into MS Teams

I mean, this is one application nobody should ever log into!

All "Global Reader" accounts have "microsoft.directory/bitlockerKeys/key/read" permission.

Whether you opt in, or not, if you connect your account to Microsoft, then they do have the ability fetch the bitlocker key, if the account is not local only. [0] Global Reader is builtin to everything +365.

[0] https://github.com/MicrosoftDocs/entra-docs/commit/2364d8da9...

> Note that password-based Bitlocker requires Windows Pro which is quite a bit more expensive.

Given that:

1. Retail licenses (instead of OEM ones) can be transferred to new machines

2. Microsoft seems to be making a pattern of allowing retail and OEM licenses to newer versions of Windows for free

A $60 difference in license cost, one-time, isn't such a big deal unless you're planning on selling your entire PC down the line and including the license with it. Hell, at this point, I haven't purchased a Windows license for my gaming PC since 2013 - I'm still using the same activation key from my retail copy of Windows 8 Pro.

I imagine you have to re-encrypt the drive after that, though, for it to have some real effect

Exactly. I question why the parent says you have to re-encrypt the drive.

Microsoft has the KEK or passphrase that can be used to derive the KEK. The KEK protects the DEK which is used to encrypt the data. Rotating the KEK (or KEKs if multiple slots are used) will overwrite the encrypted DEK, rendering the old KEK useless.

Or does BitLocker work differently than typical data at rest encryption?

Only because others you communicate with may not have ADP turned on, which is a flaw with any service that you cannot control what the other end does or does not do, not unique to Apple/iMessage outside of using something like Signal.

It requires the Pro edition of Windows too.

And you can be sure it didn’t add a ‘recovery’ key, how?

They just entirely ignore them instead.

If your security requirements are such that you need to worry about legally-issued search warrants, you should not connect your computer to the internet. Especially if it's running Windows.

and use ECC memory

> IBM estimated in 1996 that one error per month per 256 MiB of RAM was expected for a desktop computer.

From the wikipedia article on "Soft error", if anyone wants to extrapolate.

Given enough computers, anything will happen. Apparently enough bit flips happen in domains (or their DNS resolution) that registering domains one bit away from the most popular ones (e.g. something like gnogle.com for google.com) might be worth it for bad actors. There was a story a few years ago, but I can't find it right now; perhaps someone will link it.

At google "more than 8% of DIMM memory modules were affected by errors per year" [0]

More on the topic: Single-event upset[1]

[0] https://en.wikipedia.org/wiki/ECC_memory

[1] https://en.wikipedia.org/wiki/Single-event_upset

It's "HN-likely" which translates to "almost never" in reality.

Uploading your encryption keys is not just "any sort of feature".

What part of "We can't have nice things" do you not understand?

I can't believe it took this long.

We have mandatory identification for all kinds of things that are illegal to purchase or engage in under a certain age. Nobody wants to prosecute 12 year old kids for lying when the clicked the "I am at least 13 years old" checkbox when registering an account. The only alternative is to do what we do with R-rated movies, alcohol, tobacco, firearms, risky physical activities (i.e. bungee jumping liability waiver) etc... we put the onus of verifying identification on the suppliers.

I've always imagined this was inevitable.

The defenders of Microsoft are right?

How?

There is no point locking your laptop with a passphrase if that passphrase is thrown around.

Sure, maybe some thief can't get access, but they probably can if they can convince Microsoft to hand over the key.

Microsoft should not have the key, thats part of the whole point of FDE; nobody can access your drive except you.

The cost of this is that if you lose your key: you also lose the data.

We have trained users about this for a decade, there have been countless dialogues explaining this, even if we were dumber than we were (we're not, despite what we're being told: users just have fatigue from over stimulation due to shitty UX everywhere); then it's still a bad default.

This happens everywhere. There is a reason there are memes about people defending multi-billion dollar corporations.

It only became off by default after those "daily rage sessions" created sufficient public pressure to turn them off.

Microsoft also happens to own LinkedIn which conveniently "forgets" all of my privacy settings every time I decide to review them (about once a year) and discover that they had been toggled back to the privacy-invasive value without my knowledge. This has happened several times over the years.

Daily rage is exactly what technology affine people need to direct at Microslop, while helping their loved ones and ideally businesses transition away from the vendor lockin onto free software.

Stored locally.. until it's uploaded by OneDrive or Windows Backup?

1) for now

2) according to Microsoft

So, trust is not zero. It's deeply negative.

Uploading your encryption keys up to someone else's machine is not a sensible default

This is ridiculous.

There are a lot of people here criticising MSFT for implementing a perfectly reasonable encryption scheme.

This isn’t some secret backdoor, but a huge security improvement for end-users. This mechanism is what allows FDE to be on by default, just like (unencrypted) iCloud backups do for Apple users.

Calling bs on people trying to paint this as something it’s not is not “whiteknighting”.

Is that last part even still true? When I played around with it they asked me to store a recovery pass phrase off device in case windows hello breaks

Nah, Apple doesn't do this.

If the user's MacOS FileVault disk encryption key is "stored in iCloud" it resides in the users iCloud Keychain which is end-to-end encrypted. This creates a situation similar to the iPhone, where Apple does not have the ability to access the user's data and therefore cannot comply with a warrant for access (which really annoys organizations like the FBI and Interpol)

It doesn't matter how it's stored. So long as it isn't E2EE, they (and anyone who can ask for it) will be able to access the drives

The title of the article: "Microsoft gave FBI set of BitLocker encryption keys to unlock suspects' laptops"

Bazzite. It's KDE, it's easy, it's immutable so you can update and it's unlikely to break shit. It comes with Steam already. Keyboard shortcuts very similar to Windows. Dolphin (File Explorer equivalent) responds as quickly as one would expect File Explorer to respond if it were developed by sane people. You also get an Android-style permission system with Flatseal, so you can disable permissions for various applications.

One warning: keep in mind that if your desktop PC motherboard has a mediatek wifi+bluetooth chip, that chip will probably not work on any version Linux (AFAIK). I don't use wifi on my desktop but I do use bluetooth game controllers. You can replace the chip (which is what I did, with https://www.amazon.com/dp/B08MJLPZPL), get a bluetooth dongle (my friend recommends https://www.amazon.com/Bluetooth-Wireless-External-Receiver-...), or get a PCIe one.

There are so many distros that it really depends on your use-case and it's hard to make a generic suggestion. Ubuntu is a common recommendation for first timers, mainly because as the most popular distro you'll easily be able to Google when you need help with something, and it also uses the most popular package format (.deb). There's also Linux Mint which is basically Ubuntu but with some of the latter's more questionable choices removed (e.g. snaps) and minus the big corp owner. By using one of these you'll also be learning skills relevant to Debian (which Ubuntu is derived from) which is a solid choice for servers.

Regardless of which distro you choose, your "desktop experience" will be mostly based on what desktop environment you pick, and you are free to switch between them regardless of distro. Ubuntu for example provides various installers that come with different DEs installed by default (they call them "flavours": https://ubuntu.com/desktop/flavors), but you can also just switch them after installation. I say "mostly" because some distros will also customise the DE a bit, so you might find some differences.

"Nicest desktop experience" is also too generic to really give a proper suggestion. There are DEs which aim to be modern and slick (e.g. GNOME, KDE Plasma, Cinnamon), lightweight (LXQt), or somewhere in between (Xfce). For power users there's a multitude of tiling window managers (where you control windows with a keyboard). Popular choices there are i3/sway or, lately, Niri. All of these are just examples, there are plenty more DEs / WMs to pick from.

Overall my suggestion would be to start with something straightforward (Mint would probably be my first choice here), try all the most popular DEs and pick the one you like, then eventually (months or years later) switch to a more advanced distro once you know more what your goals are and how you want to use the system. For example I'm in the middle of migrating to NixOS because I want a fully declarative system which gives the freedom to experiment without breaking your system because you can switch between different temporary environments or just rollback to previous generations. But I definitely wouldn't have been ready for that at the outset as it's way more complex than a more traditional distro.

Something with KDE. Never used KDE extensively because I hate non-tiling WMs, but something like Kubuntu would give you a more windows-esque experience by default. Here's the download link:

https://kubuntu.org/download/

Bon appetit!

That's literally like asking "What car has the best driving experience?". There is no one answer.

If you want something that "just works," Linux Mint[1] is a great starting point. That gets you into Linux without any headache. Then, later when bored, you can branch out into the thousands[2] of Linux distributions that fill every possible niche

[1] https://linuxmint.com/

[2] https://distrowatch.com/dwres.php?resource=major

If you want maximum commodity and as many things to "just work" as possible out of the box, go for good old plain Ubuntu.

If you care a little more about your privacy and is willing to sacrifice some commodity, go for Fedora. It's community run and fairly robust. You may have issues with media codecs, nvidia drivers and few other wrinkles though. The "workstation" flavor is the most mature, but you may want to give the KDE version a try.

If you want an adventure, try everything else people are recommending here :)

If you're a developer, try NixOS. The code based configuration can be daunting but LLMs are very good at writing it.

For gaming I suggest a Steam Deck. I love mine, it's an awesome Linux device. Not locked down either.

Last time I needed to install Windows 11, avoiding making a Microsoft account required (1) opening a command line to run `oobe/bypassnro`, and (2) skipping past the wifi config screen. While these are quick steps, neither of those are at all "easy", since they require a user to first know that it is an option in the first place.

And newer builds of Windows 11 are removing these methods, to force use of a Microsoft account. [0]

[0] https://www.windowslatest.com/2025/10/07/microsoft-confirms-...

> it was really easy to set up without a Microsoft account.

By "really easy" do you mean you had a checkbox? Or "really easy" in that there's a secret sequence of key presses at one point during setup? Or was it the domain join method?

Googling around, I'm not sure any of the methods could be described as "really easy" since it takes a lot of knowledge to do it.

And how do you know the keys are never uploaded if you don't have an account?

I’m not sure if you misunderstand how macOS accounts work or how FileVault works.

There are two ways to log into macOS: a local user account or an LDAP (e.g. OpenDirectory, Active Directory) account. Either of these types of accounts may be associated with an iCloud account. macOS doesn’t work like Windows where your Microsoft account is your login credential for the local machine.

FileVault key escrow is something you can enable when enabling FileVault, usually during initial machine setup. You must be logged into iCloud (which happens in a previous step of the Setup Assistant) and have iCloud Keychain enabled. The key that wraps the FileVault volume encryption key will be stored in your iCloud Keychain, which is end-to-end encrypted with a key that Apple does not have access to.

If you are locked out of your FileVault-encrypted laptop (e.g. your local user account has been deleted or its password has been changed, and therefore you cannot provide the key to decrypt the volume encryption key), you can instead provide your iCloud credentials, which will use the wrapping key stored in escrow to decrypt the volume encryption key. This will get you access to the drive so you can copy data off or restore your local account credentials.

I think you are confused.

The issue is about getting locked out of your own data, which can easily happen in a number of cases.

And you don't necessarily need to actually have your account banned.

Let's just say you signed up for a Microsoft account when setting up for a new PC (well, because you have to). You don't use that account anywhere else, and you forgot the password, even though you can log in via PIN or something else. Now you install Linux or just boot to a different system once. When you need to boot to Windows again, good luck.

And that's just one of the cases.

A real disaster happened to someone, although on a different platform, and the context is a bit different: https://hey.paris/posts/appleid/

Some people will hurt themselves if given dangerous tools, but if you take all the dangerous items out of the tool shop, there won't be any tools left.

Microsoft seems to feel constant pressure to dumb Windows down, but if you look at the reasons people state when switching to Linux, control is a frequent theme. People want the dangerous power tools.

Apple gives users the choice during set up assistant, no reason Microsoft can't.

I bet he learned a valuable lesson

Then you don't want encrypt by default and anyone who goes out of their way knows what they're doing

Please omit internet tropes on HN.

https://news.ycombinator.com/newsguidelines.html

The fact that none of this is new undermines your point. Microsoft knew that law enforcement would ask for keys, based on their prior experience and the sack of meat sitting between their ears.

They, knowing that, chose to design a system that trivially allows this. That is a choice. In that sense, they did give up the keys. They certainly did not have to design it that way, nor was it done in ignorance.

In fairness, the link is specifically for "Advanced Dat Protection for iCloud". This has nothing to do with local whole-disk encryption like FileVault or BitLocker.

In Apple's case, even when the user enables iCloud FileVault key backup, that key is still end-to-end encrypted and Apple cannot access it. As a matter of fact, while Apple regularly receives legal warrants for access, they are ineffective because Apple has no way to fulfill that request/requirement.

Microsoft has chosen to store the BitLocker key backups in a manner that maintains their (Microsoft's) access. But, this is a choice Microsoft has made its not an intrinsic requirement of a key escrow system. And in the end, it enables law enforcement to compel them to turn over these keys when a judge issues a warrant.

> who had no idea their drive was encrypted

I think you just identified the problem clearly.

> Now the police don't even have to ask!

Security is not a switch you can turn on and forget about. Plus the police have extraordinary real world powers to compel you to disclose the necessary information anyways. Unless you're holding state secrets, which, c'mon, you're almost certainly going to give in and cooperate at some point. It wouldn't make for a great Hollywood movie but it would accurately reflect day to day reality.

> unreadable to everyone except you, Microsoft, and the police.

That's two too many. It should either be unreadable to everyone but me or readable by anyone with physical access. Does it not occur to people that you can still rely on physical security even in computing?

> Apple does the same thing

The two corporate computing giants do the same thing? I am not surprised but I also don't see it as a worthwhile data point.

"Apple does the same thing with FileVault when you set up with your iCloud account where, again, previously your disk was just left unencrypted"

Nah, the FileVault key is stored in your iCloud Keychain when you choose to backup the key to iCloud. And the keychain is end-to-end encrypted. Only the user has access.

Indeed. Third Party Doctrine has undermined 4th/5th Amendment protections due to the hair brained power grab that was "if you share info with a third party as art of the only way of doing business, you waive 4th Amendment protections. I ironically, Boomers basically knee-capped Constitutional protections for the very data most critically in need of protection in a network state.

Only fix is apparently waiting until enough for to cram through an Amendment/set a precedent to fix it.

RIPA 2000 part III section 49

yeah but it's the UK ...prison is a joke there

Good PINs are ones you're not allowed to brute force. You can easily configure an iPhone to wipe itself after too many wrong guesses. There's a single checkbox labeled "Erase Data", saying "Erase all data on this iPhone after 10 failed passcode attempts."

You bet I have that enabled.

They can also hold you in a jail cell until the end of time until you give it up, in many places.

From the linked Apple page...

"For additional privacy and security, 15 data categories — including Health and passwords in iCloud Keychain — are end-to-end encrypted. Apple doesn't have the encryption keys for these categories, and we can't help you recover this data if you lose access to your account. The table below includes a list of data categories that are always protected by end-to-end encryption."

The FileVault keys are stored in the iCloud Keychain and Apple does not have access to them, full stop :-)

It does it without asking! Not opt in! It is put in your password keychain automatically.

"enemy of the state" depends a lot on the current state of the state.

Eg in England you're already an enemy of the state when you protest against Israel's actions in Gaza. In America if you don't like civilians being executed by ICE.

This is really a bad time to throw "enemy of the state" around as if this only applies to the worst people.

Current developments are the ideal time to show that these powers can be abused.

That is a strange viewpoint. Are we calling everyone who wants some control over their computers enemies of the state?

Maybe he's just trying to avoid Candy Crush Saga

https://news.ycombinator.com/item?id=46700219

Criticizing the current administration? That sounds like something an enemy of the state would do!

Prepare yourself for the 3am FBI raid, evildoer! You're an enemy of the state, after all, that means you deserve it! /s