Comment by michaelt
5 hours ago
For a long time, if you used full disk encryption, the encryption key never left your machine. If you forgot your password, the data was gone - tough luck, should have made a backup. That's still how it works on Linux.
Pretty surprising they'd back up the disk encryption secrets to the cloud at all, IMHO, let alone that they'd back it up in plaintext.
That's why full disk encryption was always a no-go for approximately all computer users, and recommending it to someone not highly versed in technology was borderline malicious.
"Tough luck, should have made a backup" is higher responsibility than securing anything in meatspace, including your passport or government ID. In the real world, there is always a recovery path. Security aficionados pushing non-recoverable traps on people are plain disconnected from reality.
Microsoft has the right approach here with Bitlocker defaults. It's not merely about UX - it's about not setting up traps and footguns that could easily cause harm to people.
Google Authenticator used to be disconnected from reality like this. Users were asking how to copy the codes to another phone, and they said "you can't, WAI, should add the other phone as a second auth method on every site." Like how people say you shouldn't copy SSH privkeys. I figured out an undocumented way to do it on iPhone by taking an encrypted iTunes backup though.
Eventually they yielded on this, but their later updates had other usability traps. Because Google Auth was the household name for TOTP apps, this maybe ruined TOTP's reputation early-on.
I had hoped the average person would have a baseline understanding of how computers work by now. Baseline includes things like the difference between a web browser and a search engine, "the cloud" is someone else's computer, and encrypted means gone if you lose the password/key.
I am sad that this now appears unlikely. I suspect it may even be lower for people in their 20s today than a decade ago.
> Security aficionados pushing non-recoverable traps on people are plain disconnected from reality.
To be fair, if you inadvertently get locked out of your Google account "tough luck, should have used a different provider" and Gmail is a household name so ...
Less snarky, I think that there's absolutely nothing wrong with key escrow (either as a recovery avenue or otherwise) so long as it's opt in and the tradeoffs are made abundantly clear up front. Unfortunately that doesn't seem to be the route MS went.
Google has a pretty robust recovery process. Of course if you've given them absolutely nothing about them then forgotten your password, it's tough.
2 replies →
"Disconnected from reality" ... tell that to the people who have had a lost or stolen device without encryotion. You'd need a backup and then some!
Apple manages a recovery path for users without storing the key in plain text. Must have something to do with those "security aficionados."
Well, for a consumer notebook or mobile device, the threat model typically envisions a thief grabbing it from a coffeehouse or hotel room. So your key needs to be safeguarded from the opportunist who possesses your hardware illegally.
Linux can be fairly well-secured against state-level threat actors, but honestly, if your adversary is your own nation-state, then no amount of security is going to protect you!
For Microsoft and the other consumer-OS vendors, it is typically a bad user-experience for any user, particularly a paying subscriber, to lose access to their account and their cloud apps. There are many ways to try and cajole the naïve user into storing their recovery key somewhere safe, but the best way is to just do it for them.
A recovery key stored in the user's own cloud account is going to be secure from the typical threats that consumers will face. I, for one, am thankful that there is peace of mind both from the on-device encryption, as well as the straightforward disaster recovery methods.
The problem is mass-surveillance and dragnets. Obviously if the state wants to go after you no laws will protect you. As we've seen they can even illegally collect evidence and then do a parallel construction to "launder" the evidence.
But One-drive is essentially a mass-surveillance tool. It's a way to load the contents of every single person's computer into Palentir or similar tools and, say, for instance, "give me a list of everyone who harbors anti-ICE sentiments."
By the way my windows computer nags me incessantly about "setting up backups" with no obvious way to turn off the nags, only a "remind me later" button. I assume at some point the option to not have backups will go away.
I agree that "cloud storage" paradigms are a sea change from the status quo of the old days. My father has a file cabinet at home and keys on his keychain, wherein he stores all his important paperwork. There is no way anyone's getting in there except by entering his home and physically intruding on those drawers. Dad would at least notice the search and seizure, right?
What is just as crazy as cloud storage, is how you "go paperless" with all your service providers. Such as health care, utility bills, banks, etc. They don't print a paper statement and send it to your snail mail box anymore. They produce a PDF and store it in their cloud storage and then you need to go get it when you want/need it.
The typical consumer may never go get their paperwork from the provider's cloud. It is as if they said "Hey this document's in our warehouse! You need to drive across town, prove your identity, and look at it while you're here! ...You may not be permitted to take it with you, either!"
So I've been rather diligent and proactive about going to get my "paperless documents" from the various providers, and storing them in my own cloud storage, because, well, at least it's somewhere I can access it. I care a lot more about paying my medical bills, and accounting for my annual taxes, than someone noticing that I harbor anti-jew sentiment. I mean, I think they already figured that part out.
> But One-drive is essentially a mass-surveillance tool.
There are plenty of people that post clear positions on multiple social networks. I personally doubt that One-drive files will provide much more information for most of the people compared to what's already out there (including mobile phone location, credit card transactions, streaming services logs, etc.).
What I think the danger is for individual abuse. Someone "in power" wants one guy to have issues, they could check his One-drive for something.
Best is to make people aware of how it works and let them figure it out. There are so many options (local only, encrypted cloud storage, etc.) I doubt there is an ideal solution for everything.
> Well, for a consumer notebook or mobile device, the threat model typically envisions a thief grabbing it from a coffeehouse or hotel room.
...in which case having a cloud backup of the full disk encryption key is pointless, because you don't have access to the disk any more.
> pointless
Full-disk encryption is the opposite of pointless, my dude! The notebook-thief cannot access my data! That is the entire point!
No, I cannot recover the data from an HDD or SSD that I don't possess. But neither can the thief. The thief cannot access the keys in my cloud. Isn't that the point?
If a thief steals a notebook that isn't encrypted at all, then they can go into the storage, even forensically, and extract all my data! Nobody needs a "key" or credentials to do that! That was the status quo for decades in personal computing--and even enterprise computing. I've had "friends" give me "decommissioned" computers that still had data on their HDD from some corporation. And it would've been readable if I had tried.
The thief may have stolen a valuable piece of kit, but now all she has is hardware. Not my data. Not to mention, if your key was in a cloud backup, isn't most of your important data in the cloud, as well? Hopefully the only thing you lost with your device are the OS system files, and your documents are safely synced??