Comment by bri3d

3 hours ago

https://blog.scrt.ch/2024/10/28/privilege-escalation-through...

https://post-cyberlabs.github.io/Offensive-security-publicat...

Yes, the PIN is entangled with the key material. The admin PIN recovery techniques all involve enrolling additional unlocking methods.

Besides this, I completely agree with this post, especially:

> I think the best you can do right now is to layer a password with a hardware device. I don't think saying that the hardware devices are flawed means they are not useful as PART OF the security setup. It would certainly be nice if the software did this automatically/easily and it's unclear to me why it does not.

I've always found it silly that Microsoft's default BitLocker implementation doesn't make it easy to do the obvious thing that FileVault does and use the user's password as an additional wrapper to encrypt the KEK. Yes, then there's trouble when the user forgets their password, and password-change rotation is a little annoying, but if you're in an enterprise scenario you need backup keys anyway, and your users are still as likely to get BitLocker'd by PCRs changing (i.e. due to EFI updates) as to forget a password anyway.
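The layering the comment argues for (a password wrapper on top of a hardware-held secret, FileVault-style) is easy to sketch in code. The following is an added illustration, not code from the comment, from Microsoft, or from the two linked posts. It stands in for the TPM with a constructed 32-byte secret (`SIM_TPM_SECRET`, an assumption; a real TPM would only unseal it after the PCR check), uses PBKDF2 for the password factor, binds both factors into one KEK with an HKDF construction, and wraps a volume key with an encrypt-then-MAC scheme built from the standard library so it runs without third-party packages. It also shows the "password-change rotation" step: rewrapping requires the old KEK, so a rotation tool must hold both factors at that moment.

```python
"""Two-factor key wrapping: user password + hardware-held secret (added example)."""
import hashlib
import hmac
import os
import secrets

# Constructed stand-in for the secret a TPM would unseal after PCR validation.
SIM_TPM_SECRET = hashlib.sha256(b"constructed-tpm-sealed-secret").digest()


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) extract-and-expand with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), hashlib.sha256).digest()
        okm += t
        counter += 1
    return okm[:length]


def derive_kek(password: str, tpm_secret: bytes, salt: bytes) -> bytes:
    """KEK depends on BOTH the password and the hardware-held secret.

    Losing either factor (wrong password, or PCRs no longer matching so the
    TPM refuses to unseal) yields an unrelated KEK and the unwrap fails.
    """
    pw_key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return hkdf_sha256(pw_key + tpm_secret, salt, b"password+tpm-kek")


def wrap_key(kek: bytes, volume_key: bytes) -> bytes:
    """Encrypt-then-MAC wrapping: HKDF keystream XOR, then HMAC over nonce||ct."""
    nonce = os.urandom(16)
    keystream = hkdf_sha256(kek, nonce, b"wrap-stream", len(volume_key))
    ct = bytes(a ^ b for a, b in zip(volume_key, keystream))
    mac_key = hkdf_sha256(kek, nonce, b"wrap-mac")
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_key(kek: bytes, blob: bytes):
    """Return the volume key, or None if the KEK is wrong or the blob was tampered with."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    mac_key = hkdf_sha256(kek, nonce, b"wrap-mac")
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    keystream = hkdf_sha256(kek, nonce, b"wrap-stream", len(ct))
    return bytes(a ^ b for a, b in zip(ct, keystream))


def rotate_password(old_pw: str, new_pw: str, tpm_secret: bytes, salt: bytes, blob: bytes):
    """Password change = unwrap with the old KEK, rewrap with the new one.

    The volume key itself never changes, so no data re-encryption is needed,
    but the old password AND the hardware secret must both be available.
    """
    volume_key = unwrap_key(derive_kek(old_pw, tpm_secret, salt), blob)
    if volume_key is None:
        return None
    return wrap_key(derive_kek(new_pw, tpm_secret, salt), volume_key)


def demo() -> dict:
    """Exercise the happy path and both single-factor failure modes."""
    salt = os.urandom(16)
    volume_key = secrets.token_bytes(32)
    blob = wrap_key(derive_kek("correct horse", SIM_TPM_SECRET, salt), volume_key)
    rotated = rotate_password("correct horse", "battery staple", SIM_TPM_SECRET, salt, blob)
    return {
        "both_factors": unwrap_key(derive_kek("correct horse", SIM_TPM_SECRET, salt), blob) == volume_key,
        "tpm_only": unwrap_key(derive_kek("", SIM_TPM_SECRET, salt), blob) is None,
        "password_only": unwrap_key(derive_kek("correct horse", bytes(32), salt), blob) is None,
        "old_pw_after_rotation": unwrap_key(derive_kek("correct horse", SIM_TPM_SECRET, salt), rotated) is None,
        "new_pw_after_rotation": unwrap_key(derive_kek("battery staple", SIM_TPM_SECRET, salt), rotated) == volume_key,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the example is the `derive_kek` line: because the password-derived key and the hardware secret are concatenated before the KDF, an attacker who can coax the TPM into unsealing (the class of attack the two linked posts describe) still has nothing usable without the password, and a PCR mismatch after a firmware update still leaves the enterprise backup key as the recovery path, exactly as the comment notes.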