Comment by thewebguyd
1 day ago
> Any power users who prefer their own key management should follow the steps to enable Bitlocker without uploading keys to a connected Microsoft account.
Except the steps to do that are: disable BitLocker, create a local user account (assuming you initially signed in with a Microsoft account because MS now forces it on you for Home editions of Windows), delete your existing keys from OneDrive, then re-encrypt using your local account and make sure not to sign into your Microsoft account or link it to Windows again.
A much more sensible default would be to give the user a choice right from the beginning, much like how Apple does it. When you go through Setup Assistant on a Mac, it doesn't assume you are an idiot and literally asks you up front: "Do you want to store your recovery key in iCloud or not?"
> make sure not to sign into your Microsoft account or link it to Windows again
That's not so easy. Microsoft tries really hard to get you to use a Microsoft account. For example, logging into MS Teams will automatically link your local account with the Microsoft account, thus starting the automatic upload of all kinds of stuff unrelated to MS Teams.
In the past I also had Edge importing Firefox data (including stored passwords) without me agreeing to do so, and then uploading those into the Cloud.
Nowadays you just need to assume that all data on Windows computers is available to Microsoft; even if you temporarily find a way to keep your data out of their hands, an update will certainly change that.
Yes, they push the MS account stuff very hard. I've found Windows so actively hostile to the user that I basically only use Linux now.
I used to be a Windows user; it has really devolved to the point where it's easier for me to use Linux (though I'm technical). I really feel for the people who aren't technical and are forced to endure the crap that Windows pushes on users now.
> actively hostile
That’s the real problem MS has. It’s becoming a meme how bad the relationship between the user and Windows is. It’s going to cause generational damage to their company just so they can put ads in the Start menu.
Linux is so much better than it used to be. You really don't need to be technical.
I have been recommending Kubuntu to Windows people. I find it's an easier bet than Linux Mint. You get the stability of Ubuntu, plus the guarantee of a Windows-like environment.
Yes, I know, Linux Mint supports Plasma, but I honestly think the "choose your desktop" part of the setup process is more confusing to a newbie than just recommending a distro with the most Windows-like UI and a straightforward installation.
Do we have confirmation that it’s a must to upload the key if you use an MS account with Windows? Is it proven that it's not possible to configure Windows to have an MS account linked, maybe even to use OneDrive, while not uploading the BitLocker key?
Btw - my definition of “possible” would include anything possible in the UI - but if you have to edit the registry or do shenanigans in the filesystem to disable the upload from happening, I would admit that it’s basically mandatory.
I just checked on my personal desktop, which has Windows 11 installed using a local user account and is signed into my MS account for OneDrive, and my account is listed as having no recovery codes in the cloud. I don’t recall editing anything in the registry to accomplish this; it was the default behavior for having a local user account. I copied my recovery codes when I built the machine and pasted them into an E2EE iPhone note, which should allow me to recover my machine if disaster strikes (also everything is backed up to Backblaze using their client-side encryption).
> Nowadays you just need to assume that all data on Windows computers is available to Microsoft; even if you temporarily find a way to keep your data out of their hands, an update will certainly change that.
I get why the US would not, but I really wish the rest of the world looked at this like the security and sovereignty issue that it is.
Teams inside a VM it is, then.
Or: Put all of Windows inside of a VM, within a host that uses disk encryption -- and let it run amok inside of its sandbox.
I did this myself for about 8 years, from 2016-2024. During that time my desktop system at home was running Linux with ZFS and libvirt, with Windows in a VM. That Windows VM was my usual day-to-day interface for the entire system. It was rocky at first, but things did get substantially better as time moved on. I'll do it again if I have a compelling reason to.
It's not just Teams. You need to be constantly vigilant not to make any change that would let them link your MS account to Windows. And they make it more and more difficult not only to install but also use Windows without a Microsoft account. I think they'll also enforce it on everybody eventually.
Doing things like that, which are completely unrelated, should be considered data theft, and Microsoft should be punished so severely they wish they never had the idea to begin with.
> logging into MS Teams
I mean, this is one application nobody should ever log into!
Teams in the browser, on Linux. That is reasonably harmless.
That's nice.
I, however, like getting my paycheck, and so I have no choice.
Why would you need to create a local account? You can just not choose to store the keys in your Microsoft account during BitLocker setup: https://www.diskpart.com/screenshot/en/others/windows-11/win...
Admittedly, the risks of choosing this option are not clearly laid out, but the way you are framing it also isn't accurate
All "Global Reader" accounts have "microsoft.directory/bitlockerKeys/key/read" permission.
Whether you opt in or not, if you connect your account to Microsoft, then they do have the ability to fetch the BitLocker key, if the account is not local only. [0] Global Reader is built in to everything +365.
[0] https://github.com/MicrosoftDocs/entra-docs/commit/2364d8da9...
They're Microsoft and it's Windows. They always have the ability to fetch the key.
The question is do they ever fetch and transmit it if you opt out?
The expected answer would be no. Has anyone shown otherwise? Because hypotheticals that they could are not useful.
What do Entra role permissions have to do with Microsoft's ability to turn over data in its possession to law enforcement in response to a court order?
This is for _Active Directory_. If your machine is joined to a domain, the keys will be stored in the AD.
This does not apply to standalone devices. MS doesn't have a magic way to reach into your laptop and pluck the keys.
They could also just push an update to change it anyway and grab it.
If you really don't trust Microsoft at all then don't use Windows.
Note that password-based Bitlocker requires Windows Pro which is quite a bit more expensive.
> sign into your Microsoft account or link it to Windows again.
For reference, I did accidentally log into my Microsoft account once on my local account (registered in the online accounts panel). While Edge automatically enabled synchronization without any form of consent on my part, it does not look like my BitLocker recovery key is listed on https://account.microsoft.com/devices/recoverykey. But since I unlinked my account, it could be that it was removed automatically (but possibly still cached somewhere).
> Note that password-based Bitlocker requires Windows Pro which is quite a bit more expensive.
Given that:
1. Retail licenses (instead of OEM ones) can be transferred to new machines
2. Microsoft seems to be making a pattern of allowing retail and OEM licenses to upgrade to newer versions of Windows for free
A $60 difference in license cost, one-time, isn't such a big deal unless you're planning on selling your entire PC down the line and including the license with it. Hell, at this point, I haven't purchased a Windows license for my gaming PC since 2013 - I'm still using the same activation key from my retail copy of Windows 8 Pro.
> A $60 difference
Oh, the difference in dollars is less than I expected. And you're right, after checking, the difference in price in the USA is $60 ($139 Home and $199 Pro). In France, Windows 11 Home is 145€ compared to 259€ for Windows 11 Pro: https://www.microsoft.com/fr-fr/d/windows-11-famille/dg7gmgf... - https://www.microsoft.com/fr-fr/d/windows-11-professionnel/d... (the USB key is selected by default, but the download edition is the same price).
This amounts to a difference of 114€, or $135 at the current exchange rate, which is significantly more. I'm also surprised that Windows Pro is 189% of the price of the Home edition in France but 143% in the USA.
I initially bought the Home edition but could not upgrade to Pro without buying a full license, so I had to bear the full cost of the French Pro license, which led to an upgrade cost of 259€ instead of just $60. (Basically I had to buy the Pro version to get password unlock with BitLocker, since TPM unlock was broken with dual boot: I needed to enter the recovery key after every boot into Fedora.) If it was possible to only pay for the difference, they did not make it obvious.
And in general, paying this much for an OS that still pushes dark patterns and ads onto me leaves quite a bad taste in my mouth; I wouldn't mind paying a subscription if I could get an OS that does what I want and gets fully out of my way (but I guess a subscription would come with mandatory online accounts, which is part of the problem at hand here).
You can turn it off without resorting to a local account, although it's non-obvious.
GPEdit → Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption → Operating System Drives → “Choose how BitLocker-protected operating system drives can be recovered”
Repeat for other drives.
I imagine you have to re-encrypt the drive after that, though, for it to have some real effect.
No, the actual data encryption key doesn't need to change unless you're very paranoid. The backup key and your normal key are just used to decrypt the data encryption key.
> delete your existing keys from OneDrive
This seems to go against principles of key management. If your key escrow peer has defected, the correct response is to rotate your keys.
Exactly. I question why the parent says you have to re-encrypt the drive.
Microsoft has the KEK or passphrase that can be used to derive the KEK. The KEK protects the DEK which is used to encrypt the data. Rotating the KEK (or KEKs if multiple slots are used) will overwrite the encrypted DEK, rendering the old KEK useless.
Or does BitLocker work differently than typical data at rest encryption?
They don't do that for iMessage though... https://james.darpinian.com/blog/apple-imessage-encryption
Only because others you communicate with may not have ADP turned on, which is a flaw with any service that you cannot control what the other end does or does not do, not unique to Apple/iMessage outside of using something like Signal.
Most other E2EE messaging services do not break their own E2EE by intentionally uploading messages or encryption keys to servers owned by the same company in a form that they can read. For example, Google's Messages app does not do this for E2EE conversations. This isn't something that only Signal cares about.
Does using the "manage-bde -protectors -add" command to add a device key encrypted by a local recovery key, followed by the "manage-bde -protectors -delete" command to delete the device key encrypted by the uploaded key not work?
They could have taken a more defence-in-depth approach to key storage and encrypted the cloud copy of the BitLocker key with a random master key, itself protected by a user-password-derived key arrangement, with any crypto action occurring on the device to avoid knowledge of the plaintext key. That way the BitLocker key stored in the cloud is opaque to Microsoft, and only by knowing the user's current cleartext password could they access the raw BitLocker key.
The current approach is weak, and strikes me as a design unlikely to be taken unless all the people involved were unfamiliar with secure design (unlikely IMO), or they intentionally left the door open to this type of access.
If I wanted privacy that couldn’t be broken by Microsoft I wouldn’t be using OneDrive.
I would be using an operating system that wasn’t geared up to be cloud backed up and closed source.
> Except the steps to do that are: disable BitLocker, create a local user account (assuming you initially signed in with a Microsoft account because MS now forces it on you for Home editions of Windows), delete your existing keys from OneDrive, then re-encrypt using your local account and make sure not to sign into your Microsoft account or link it to Windows again.
1. Is there any indication it forcibly uploads your recovery keys to Microsoft if you're signed into a Microsoft account? Looking at random screenshots, it looks like it presents you an option: https://helpdeskgeek.com/wp-content/pictures/2022/12/how-to-...
2. I'm pretty sure you don't have to decrypt and re-encrypt the entire drive. The actual key used for encrypting data is never revealed, even if you print or save a recovery key. Instead, it generates "protectors", which encrypt the actual key using the recovery key, then stores the encrypted version on the drive. If you remove a recovery method (i.e. protector), the associated recovery key becomes immediately useless. Therefore, if your recovery keys were backed up to Microsoft and you want to opt out, all you have to do is remove the protector.
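The protector model described in this comment, and the "rotate rather than just delete the escrowed copy" point raised earlier in the thread, as an added PowerShell example (not posted by any commenter): it lists the protectors on the OS volume, adds a fresh recovery password protector, and only then removes the old recovery password protectors, so a copy that was uploaded earlier no longer unwraps the volume key while the data on disk is never re-encrypted. It assumes an elevated prompt, the BitLocker PowerShell module that ships with Windows Pro/Enterprise, and that the OS volume is C:.

```powershell
# Added example, not from the thread. Run as Administrator on a BitLocker-enabled
# volume. Assumes the in-box BitLocker module (Get-/Add-/Remove-BitLockerKeyProtector).
param([string]$MountPoint = "C:")   # assumption: the OS volume is C:

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -ne 'FullyEncrypted') {
    throw "$MountPoint is not fully encrypted (status: $($vol.VolumeStatus)); nothing to rotate."
}

# Every entry below is a separate wrapping of the volume key; the data
# encryption key itself is never shown and never leaves the drive.
"Current protectors on ${MountPoint}:"
$vol.KeyProtector | Format-Table KeyProtectorType, KeyProtectorId -AutoSize | Out-String

# Remember the recovery password protectors that exist now; any of them may
# have been escrowed to a Microsoft account or to AD at some point.
$old = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

# Add the replacement first so the volume is never left without a recovery path.
Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$new = $vol.KeyProtector | Where-Object {
    $_.KeyProtectorType -eq 'RecoveryPassword' -and
    ($old.KeyProtectorId -notcontains $_.KeyProtectorId)
}

# Now invalidate the old ones. Removing a protector rewrites the wrapped key
# on disk; the encrypted data is untouched, so this completes in seconds.
foreach ($p in $old) {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    "Removed recovery password protector $($p.KeyProtectorId)"
}

"New recovery password (store it offline, e.g. printed or in an E2EE note):"
$new.RecoveryPassword

# Sanity check: without a TPM-type protector the machine will ask for the
# recovery password at every boot, which is the dual-boot symptom described above.
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -like 'Tpm*')) {
    Write-Warning "No TPM protector present; normal boot will require the recovery password."
}
```

Whether the old password was actually uploaded can only be checked from the account side (the https://account.microsoft.com/devices/recoverykey page mentioned above); after this rotation that copy is useless either way.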
With BitLocker it is still possible to have a single password-based key. But enabling that requires entering a few commands on the command line.
It requires the Pro edition of Windows too.
And you can be sure it didn’t add a ‘recovery’ key, how?
Using the same CLI, which shows all the alternative "protectors".
You can encrypt a BitLocker volume without syncing your keys even if you do log in with a Microsoft account, at least as of the last time I was configuring BitLocker.