Comment by IngoBlechschmid

6 hours ago

Oh, which one is it?

(You don't mean BitLocker, right?)

It absolutely is and they have most of the enterprise market.

  • Okay, yes, sure. It definitely is the most-used encryption software for Windows.

    But I would never trust it for a second, being proprietary and known for issues. You likely know that, but for the benefit of others:

    38C3 - Windows BitLocker: Screwed without a Screwdriver https://media.ccc.de/v/38c3-windows-bitlocker-screwed-withou... https://www.youtube.com/watch?v=5eNtT2p12cM

    • If you’re at all serious about security and not user convenience, you deploy BitLocker with a PIN instead of TPM only. And then a whole class of vulnerabilities goes away.

      15 replies →

    • The issues you linked with BitLocker are obvious properties of BitLocker-with-SecureBoot-only architecture. If you configure Linux that way, you get similar issues (for example, it's pretty easy to mis-configure TPM sealed disk encryption on Linux to still allow a recovery shell, which will run with the disk unsealed).

      BitLocker with a password (the equivalent of the LUKS configuration in question) does not share these issues.

      3 replies →

    • VeraCrypt lost their driver's license so afaik you should avoid it since it cannot update its drivers any longer. Didn't see any news about them reacquiring that license.

      1 reply →

    • If you think for one single second that businesses and governments who rely on a lost disk being secure don’t trust bitlocker, I have oceanfront property in Missouri to sell you.

      Bitlocker + PIN is as secure as anything.

      A vulnerability can’t leak your key if the TPM doesn’t know the entire key and relies on the user to supply the missing parts of the key in the form of a PIN.

      1 reply →
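The two comments above recommend deploying BitLocker with a PIN rather than TPM-only. As an added example, not code from any commenter, the PowerShell below is one way an administrator would enforce that on the OS volume and then verify it: it sets the local "Require additional authentication at startup" policy to require TPM+PIN and disallow TPM-only, replaces an existing TPM-only protector with a TPM+PIN one, and keeps a recovery password so a forgotten PIN is not a total loss. Assumptions: the OS volume is C:, the machine has a TPM, the script runs elevated, and the policy value names under HKLM\SOFTWARE\Policies\Microsoft\FVE (UseAdvancedStartup, UseTPM, UseTPMPIN, UseTPMKey, UseTPMKeyPIN, UseEnhancedPin) match those written by the Group Policy editor on the target Windows build.

```powershell
# Added example (not from the thread): enforce TPM+PIN for the BitLocker OS volume and verify it.
# Assumptions: OS volume is C:, a TPM is present, session is elevated, and the FVE policy
# value names below match what the "Require additional authentication at startup" policy writes.

$OsDrive    = 'C:'
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# 1. Local policy: enable advanced startup options, require TPM+PIN, forbid TPM-only.
#    Value meaning for the Use* entries: 0 = do not allow, 1 = allow, 2 = require.
New-Item -Path $PolicyPath -Force | Out-Null
Set-ItemProperty -Path $PolicyPath -Name 'UseAdvancedStartup' -Value 1 -Type DWord
Set-ItemProperty -Path $PolicyPath -Name 'UseTPM'             -Value 0 -Type DWord   # TPM-only: not allowed
Set-ItemProperty -Path $PolicyPath -Name 'UseTPMPIN'          -Value 2 -Type DWord   # TPM + PIN: required
Set-ItemProperty -Path $PolicyPath -Name 'UseTPMKey'          -Value 0 -Type DWord
Set-ItemProperty -Path $PolicyPath -Name 'UseTPMKeyPIN'       -Value 0 -Type DWord
Set-ItemProperty -Path $PolicyPath -Name 'UseEnhancedPin'     -Value 1 -Type DWord   # allow PINs longer than 20 chars

# 2. Make sure a recovery password exists before touching the TPM protector, so the volume
#    stays recoverable if the next step is interrupted. Record it yourself (Get-BitLockerVolume
#    shows it) rather than relying on automatic escrow to an online account.
$vol = Get-BitLockerVolume -MountPoint $OsDrive
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null
}

# 3. A volume holds at most one TPM-based protector, so drop a TPM-only protector first.
$tpmOnly = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm'
foreach ($p in $tpmOnly) {
    Remove-BitLockerKeyProtector -MountPoint $OsDrive -KeyProtectorId $p.KeyProtectorId | Out-Null
}

# 4. Add the TPM+PIN protector (or turn BitLocker on with it if the volume is still decrypted).
$pin = Read-Host -AsSecureString 'Enter startup PIN'
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Enable-BitLocker -MountPoint $OsDrive -TpmAndPinProtector -Pin $pin `
                     -EncryptionMethod XtsAes256 -SkipHardwareTest | Out-Null
} elseif (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'TpmPin')) {
    Add-BitLockerKeyProtector -MountPoint $OsDrive -TpmAndPinProtector -Pin $pin | Out-Null
}

# 5. Verification: true only when a TpmPin protector is present and no TPM-only protector remains.
function Test-BitLockerTpmPin {
    param([string]$MountPoint = 'C:')
    $v     = Get-BitLockerVolume -MountPoint $MountPoint
    $types = $v.KeyProtector | ForEach-Object KeyProtectorType
    return (($types -contains 'TpmPin') -and ($types -notcontains 'Tpm'))
}

Test-BitLockerTpmPin -MountPoint $OsDrive
```

The policy step matters on its own: without it, a later `manage-bde` or Control Panel action can silently add a TPM-only protector back, which reintroduces exactly the unattended-boot attack surface the talk linked above is about. Audit periodically with `Test-BitLockerTpmPin` (or `manage-bde -protectors -get C:`) rather than assuming the one-time setup stuck.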

  • Reminder that by using Bitlocker, you're using a closed source encryption for which Microsoft will happily hand out your recovery key on request.

    https://www.forbes.com/sites/thomasbrewster/2026/01/22/micro...

    • Only if you store your key with Microsoft, which is not required or the default if you're using a local account, which I assume most privacy-sensitive people are.

      5 replies →

    • Bitlocker can use keys that are local only, but the default for home editions of Windows was to use the online account to back it up.

      'Happily' is also a stretch, as they really don't have a choice if served a valid court order.

      If you want encryption that is safe from the US government, keys need to be stored in your head. Anything physical is subject to court orders.

    • Tangentially: Microsoft telemetry collects the serial# of your devices and reports it (with your IP and MS account) back to the mothership, and some printers embed their serial# in printed pages.

      So take countermeasures if you print something out criticizing any groups that abuse political or law-enforcement powers.