Windows is encrypting disks automatically! :X

Discussion in 'Windows OS and Software' started by Spartan@HIDevolution, Aug 12, 2021.

  1. Papusan

    Papusan Jokebook's Sucks! Dont waste your $$$ on Filthy

    Reputations:
    40,704
    Messages:
    29,300
    Likes Received:
    57,668
    Trophy Points:
    931
    All too many people give Microsoft full access to everything when they sign into that disgusting M$ account. And many more will have to use it when Win 11 Home Disaster requires you to sign into a Microsoft account. A huge disaster for privacy. Home Edition (Horror edition) is and will be more of a cancer than ever.
     
    Last edited: Aug 30, 2021
    etern4l and Spartan@HIDevolution like this.
  2. Tech Junky

    Tech Junky Notebook Deity

    Reputations:
    251
    Messages:
    1,095
    Likes Received:
    398
    Trophy Points:
    101
    The obvious issue is that it's getting enabled w/o explicitly wanting it to be enabled.

    Recovering files should be easy unless you opt in for encryption. Other OSes have the option of encrypted file systems that are less resource intensive on disks. If you're worried about security though then Windows is the worst option for...well....yeah.


    BTW, Linux just released kernel 5.14 and threw me into a crashed situation. Seems something isn't quite right with it vs my HW. There was another RC version that didn't work either but worked fine in the subsequent release. *shrug* I had not seen this type of crash before though with kernel updates, which makes it somewhat interesting. Recovery was fairly easy though w/ a USB drive / live cd / kernel files. Testing, though, is time consuming: waiting for it to time out takes a few minutes before hitting the desktop. It's a weekly gamble of updating that things will work post reboot to stay secure.

    The only thing that sticks out in the crash is "atlantic" which ties to the Aquantia 5GE 4 port card I have in the server / router / etc. Seems there's just something missing causing the boot panic to happen which will probably be resolved in 5.14.1 like everything else in the past kernel updates.
     
    Last edited: Aug 30, 2021
    mariussx likes this.
  3. mariussx

    mariussx Notebook Evangelist

    Reputations:
    172
    Messages:
    601
    Likes Received:
    186
    Trophy Points:
    56
    Your files on ext HDD should be fine. The only time people realise they have a problem with encrypted files is when their OS stops booting for any reason. Or the computer is just running slow and they need data rescue. This is the time they realise the ssd/HDD was encrypted with bitlocker and the bitlocker recovery key is required before any data rescue takes place. I am talking about the general population, not people posting on this forum.
    Exactly, it should be opt-in, not opt-out, as is currently the case.
     
    Spartan@HIDevolution likes this.
  4. Tech Junky

    Tech Junky Notebook Deity

    Reputations:
    251
    Messages:
    1,095
    Likes Received:
    398
    Trophy Points:
    101
    baby sitter settings ;)
     
  5. krabman

    krabman Notebook Deity

    Reputations:
    328
    Messages:
    1,181
    Likes Received:
    703
    Trophy Points:
    131
    The laptop I recently purchased from Eluktronics had bitlocker enabled and the disk was encrypted. When I first got it I was trying to back up the stock install to an archive before I correctly re-installed windows but couldn't get it to go and it took me a bit to figure out the drive was encrypted. You can log into your microsoft account to decrypt it: I know you all like doing that! ;) Also recently ran into it on a friend's laptop, he wanted to install a larger drive and I couldn't clone the stock drive until I disabled encryption; he had never enabled it, it came that way. That was maybe 3ish weeks ago.
     
  6. Dennismungai

    Dennismungai Notebook Deity

    Reputations:
    780
    Messages:
    932
    Likes Received:
    861
    Trophy Points:
    106
    This is Microsoft preparing (new) users on what to expect with current Windows 10+ builds and the up-and-coming builds of Windows 11: If your hardware meets the requirements for device encryption (a modern TPM 2.0 implementation with support for Modern Standby, and that's enabled in firmware; UEFI boot with CSM disabled; and a trusted boot path, i.e. no third-party boot loaders present when Windows is loaded), then that feature is turned on automatically.

    A very anti-consumer option considering that it's marked as a prerequisite for an OS that's in development (Windows 11) and this option is toggled on without user consent.

    Moving forward, expect arbitrary requirements like these to be made mandatory without an option to opt out. This is Microsoft trying to be Apple. And it will backfire on them.
     
    Spartan@HIDevolution and Papusan like this.
  7. Tech Junky

    Tech Junky Notebook Deity

    Reputations:
    251
    Messages:
    1,095
    Likes Received:
    398
    Trophy Points:
    101
    Quick way to check.

    [attached screenshot: upload_2021-9-9_15-24-38.png]

    If you want to check your TPM status just hit windows and type in TPM and hit enter...
    [attached screenshot: upload_2021-9-9_15-40-50.png]


    I think there's probably some unmentioned tasks that have occurred for some that have suddenly noticed this enabled.

    I imaged my laptop with W10 Enterprise / local login and never had BL enabled manually or automagically.

    Some reference here / elsewhere that logging in w/ a MS account upon first login will trigger it.

    I still think in some cases a tech enabled it in the imaging system for new PCs and forgot to turn it off thus pushing it on new systems. For some cases though something else may trigger it at a later time if not paying attention to updates.

    This wouldn't be such a touchy issue if all drives had HW encryption chips on them and you didn't see the hit for processing the encryption. Encryption though in the industry isn't/wasn't true encryption anyway in that you could simply boot a livecd of linux and read the drive info w/o anything special to capture an image or simply open files at will. With some of the Linux based FSes though you can add protection to the files using different FS options / PW protect the volume / etc.

    In most cases it's just to add some difficulty to accessing the info on the drive if someone gets ahold of it. In reality where there's a will, there's a way to circumvent obstacles; it's just a matter of how much effort / time you want to put into it. Run of the mill users though aren't going to know better unless it's pointed out at some point.

    Similarly, using AV to protect your files just consumes resources and most of the time will miss the heuristic anyway. Picking up on new variants requires the MFG to add them to the update file before you get infected as it doesn't help much after. It's all smoke / mirrors for making $ off things you don't actually need if you just use a little common sense.
     
    Dennismungai likes this.
  8. Dennismungai

    Dennismungai Notebook Deity

    Reputations:
    780
    Messages:
    932
    Likes Received:
    861
    Trophy Points:
    106
    To my understanding, Bitlocker can take advantage of hardware-based encryption on SSDs that support (and are provisioned for) TCG OPAL's capabilities.
    On Windows, the encryption type can be toggled via the flags below, passed to manage-bde command:

    manage-bde -on c: -fet hardware

    Where "fet": "ForceEncryptionType" can toggle the encryption type in use.

    You may want to test with that and from there evaluate the performance impact on the same.
    A Group Policy Object (GPO) for the same is available on Windows 10 (Pro, etc), and it needs to be activated before the command above can take effect.

    The performance degradation observed with device encryption is likely because it's in software, running on the CPU. And even where AES acceleration instructions are available, the performance overhead of software-based encryption isn't trivial.
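    Added example (my own script, not code from this thread): before running manage-bde -on C: -fet hardware, a practitioner will want to know which encryption method each volume is currently using (software XTS-AES on the CPU versus "Hardware", i.e. the OPAL self-encrypting drive) and whether the hardware-encryption Group Policy mentioned above is actually in place, since manage-bde rejects -fet hardware when it is not. Get-BitLockerVolume, manage-bde and the HKLM\SOFTWARE\Policies\Microsoft\FVE key are real; the policy value name OSHardwareEncryption is my assumption of what the "Configure use of hardware-based encryption for operating system drives" GPO writes. Run from an elevated PowerShell prompt on Windows 10/11 Pro or Enterprise.

```powershell
# Added example, not from the thread. Reports BitLocker status and encryption
# method per volume and checks whether the hardware-encryption policy is set.
# Requires an elevated prompt and the BitLocker module (Pro/Enterprise/Education).

function Get-BitLockerEncryptionReport {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        [PSCustomObject]@{
            MountPoint          = $vol.MountPoint
            VolumeStatus        = $vol.VolumeStatus         # FullyDecrypted / EncryptionInProgress / FullyEncrypted
            ProtectionStatus    = $vol.ProtectionStatus     # On = key protectors are enforced
            EncryptionMethod    = $vol.EncryptionMethod     # XtsAes128 (default), Aes256, Hardware, ...
            PercentEncrypted    = $vol.EncryptionPercentage
            KeyProtectors       = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
            # Aes*/XtsAes* = the CPU does the work; Hardware = the SSD controller does it (OPAL)
            IsHardwareEncrypted = ($vol.EncryptionMethod -eq 'Hardware')
        }
    }
}

function Test-HardwareEncryptionPolicy {
    # The GPO writes its values under the FVE policy key. OSHardwareEncryption = 1
    # is this script's assumption for the value the OS-drive policy sets.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $key)) { return $false }
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    return ($null -ne $p.OSHardwareEncryption -and [int]$p.OSHardwareEncryption -eq 1)
}

Get-BitLockerEncryptionReport | Format-Table -AutoSize

if (Test-HardwareEncryptionPolicy) {
    Write-Host 'Hardware-encryption policy present: manage-bde -on C: -fet hardware can be attempted.'
    Write-Host 'manage-bde errors out (no silent software fallback) if the drive is not an OPAL-provisioned SED.'
} else {
    Write-Host 'Hardware-encryption policy NOT set: manage-bde -on C: -fet hardware will be refused.'
    Write-Host 'Enable the GPO first, run gpupdate /force, then re-run this check.'
}
```

    The same information is visible per volume with manage-bde -status C: (the "Encryption Method" line); the script above just makes it easy to compare all volumes at once and to see whether a freshly auto-enabled "device encryption" install is using the CPU path, which is the case the performance remark above is about.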
     
  9. Tech Junky

    Tech Junky Notebook Deity

    Reputations:
    251
    Messages:
    1,095
    Likes Received:
    398
    Trophy Points:
    101
    HW vs SW comes into play with other things such as transcoding video files. Before Plex enabled some features it would slowly process commercial removal. Something they changed allowed even the most basic UHD video processing built into Intel CPUs to perform more like a GPU in speed. To actually use a GPU for processing in Plex though required running Windows for the App to utilize the GPU function for transcoding. Even with playback, since the change, live transcoding sped up significantly and didn't require the buffer delay to be set to queue up say 30 seconds of processed video information before beginning playback.

    Being able to toggle HW encryption with BL would be useful if it was set up to detect the functionality w/o user intervention. Even manually should be a welcomed option that most don't know about. I still don't see the value of encrypting a Drive / Partition as sensitive data shouldn't be stored on a HDD/SSD and should be on removable media which is more manageable for performance.

    The things we need encrypted contain sensitive information not a game, program, or system files. Most of the content that needs encryption is a document of some sort containing personal info such as SSN/DOB/DL/etc. Thanks to lax security at these online companies though most of this info is out in the wild already anyway to be pieced together by someone wanting to assume an ID. For other sensitive info like DOD having disk encryption can be helpful if they decide to disable removable media to contain it internally for ease of management.

    But as before there are plenty of ways to circumvent security protocols to protect information if you set your mind to it. The bigger issue of leaking information is that everything is connected to each other over the internet which requires TLS/SSL to cloak packets as they transit the IP world. These functions at least keep prying eyes from easily seeing what they contain and each packet doesn't contain enough information alone to pose a significant risk. How you pass info to the internet though makes more of an impact on the security of the packets. Obviously an open SSID isn't the greatest idea for keeping people from being able to "tap" your connection and mirror traffic for later decoding.

    Tapping traffic in an enterprise environment is useful for multiple things from diagnosing an issue to providing statistics on what's passing through a given network segment. There are Linux based apps though in use to provide this ability for different groups from internal use to LEO subpoena requirements. There are "rules" placed on the network components for example from your phone into the "core" network preventing phone to phone IP traffic w/o being processed by an intermediary device to protect users from each other.

    To summarize things a bit... If you properly block outside access to your network / PC then disk encryption is not needed. "firewall" rules set up correctly prevent a lot of issues, only allowing outbound traffic that originates from within the network and blocking any inbound traffic that doesn't have an established bit stream that originated from inside. Inspecting the traffic to ensure it meets this requirement prevents issues like data leaks / ransomware (so long as someone doesn't click something to activate the data stream). There are other techniques for "protection" but, they're more of a surveillance option / network AV setup. If it's important, then keep it somewhere other than your PC.
     
  10. Dennismungai

    Dennismungai Notebook Deity

    Reputations:
    780
    Messages:
    932
    Likes Received:
    861
    Trophy Points:
    106
    And one more thing: For those who dual boot, will Windows 11's system requirement check(s) apply with a boot loader such as grub, not signed with Microsoft's "Windows Production PCA" certificates?
    In such a case, Bitlocker would not be able to bind to the PCR7 register, and thus fail to initialize. Knowing Microsoft, and the collective experience in the Insider program, they may use this to invalidate potentially qualified PCs from loading up Windows 11.
     
    Papusan likes this.
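    Added example (my own script, not from this thread): the dual-boot question above, and the prerequisite list from the earlier post (TPM 2.0, UEFI with CSM off, trusted boot path), can both be checked on the machine itself. The script reports TPM presence and spec version, firmware type and Secure Boot state, then parses manage-bde -protectors -get to show which PCRs the OS volume's TPM protector is sealed to. A profile of 7, 11 means BitLocker is bound to PCR7 (Secure Boot policy); when PCR7 binding is not possible, for example because a non-Microsoft-signed boot loader sits in the chain, BitLocker instead seals to the legacy PCR 0, 2, 4, 11 profile, which is what makes a later boot-chain change trigger a recovery-key prompt. Get-Tpm, Win32_Tpm, Confirm-SecureBootUEFI, $env:firmware_type and manage-bde are real; the exact text layout of manage-bde's output that the parser relies on is an assumption from the English-language build. Run elevated on Windows 10/11.

```powershell
# Added example, not from the thread. Checks device-encryption prerequisites and
# reports the PCR profile of the OS volume's TPM key protector. Run elevated.

function Get-DeviceEncryptionPrereqs {
    # Win32_Tpm exposes the spec version ("2.0, 0, 1.38" on a TPM 2.0 part).
    $tpmCim = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                              -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpm = Get-Tpm -ErrorAction SilentlyContinue

    # Confirm-SecureBootUEFI throws on legacy-BIOS boot, so treat that as "off".
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }

    [PSCustomObject]@{
        TpmPresent   = [bool]$tpm.TpmPresent
        TpmReady     = [bool]$tpm.TpmReady
        TpmSpec      = if ($tpmCim) { ($tpmCim.SpecVersion -split ',')[0].Trim() } else { 'n/a' }
        FirmwareType = $env:firmware_type      # "UEFI" or "Legacy"
        SecureBoot   = $secureBoot
    }
}

function Get-TpmProtectorPcrs {
    param([string]$MountPoint = 'C:')
    # manage-bde prints "PCR Validation Profile:" followed, on the next line,
    # by the PCR numbers, e.g. "7, 11" or "0, 2, 4, 11". (Assumed English layout.)
    $lines = @(& manage-bde -protectors -get $MountPoint 2>$null)
    for ($i = 0; $i -lt $lines.Count - 1; $i++) {
        if ($lines[$i] -match 'PCR Validation Profile') {
            return @([regex]::Matches($lines[$i + 1], '\d+') | ForEach-Object { [int]$_.Value })
        }
    }
    return @()   # no TPM protector on this volume (decrypted, or password/recovery-key only)
}

function Describe-PcrBinding {
    param([int[]]$Pcrs)
    if ($Pcrs.Count -eq 0)  { return 'No TPM protector found' }
    if ($Pcrs -contains 7)  { return 'Bound to PCR7: Secure Boot policy is the measured boot path' }
    if ($Pcrs -contains 4)  { return 'Legacy profile (PCR 0,2,4,11): PCR7 binding not possible; boot-loader changes will force recovery' }
    return "Custom profile: $($Pcrs -join ',')"
}

$prereqs = Get-DeviceEncryptionPrereqs
$prereqs | Format-List

$pcrs = Get-TpmProtectorPcrs -MountPoint 'C:'
Write-Host ("PCR profile for C: -> {0}" -f (Describe-PcrBinding -Pcrs $pcrs))

if (-not $prereqs.SecureBoot -or $prereqs.FirmwareType -ne 'UEFI') {
    Write-Host 'Secure Boot off or legacy boot: automatic device encryption will not be enabled, and PCR7 binding is unavailable.'
}
```

    The same PCR7 state is shown in msinfo32 as "PCR7 Configuration" (Bound / Binding Not Possible); the script is handier when you want to script the check across several machines or compare before and after installing a second boot loader.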