Microslop is openly anti consumer. Why would you hand them your encryption keys?
winds 11 home forces it apparently, when you have to use it.
Isn’t this against the fourth admement or something?
Everyone here (exceptions apply) being soo linux friendly and so tech literate that they don’t know jack shit about both sides and jump to assumptions.
Microshit has no access to your key unless you upload it.
Well DUH!
A microsoft accpunt is now mandatory for windows. Your bitlocker keys are automatically uploaded to your account
This is not correct. You can use Windows without a Microsoft account.
Objectively untrue
This is insane. I am using Windows without a Microsoft account regularly. It is 100% possible. I hate Microsoft too but it’s completely ridiculous to go around spreading obvious bullshit like this.
Setup process now officially requires using a Microsoft account
You do understand that official setup requirements is not the same thing? Whatever Microsoft tries to force during a setup process doesn’t change the fact that I am literally using Windows multiple times per week without any Microsoft account so claims it’s impossible are untrue.
Effectively speaking it doesn’t matter, if you cant set up a Windows PC without a Microsoft account that means for most people you cant use Windows without a Microsoft account, you’re being pedantic. Yes someone could type a million shell commands during install and then download a scetchy debloater script but at that point you might as well just install Linux if you’re that comfortable with the terminal.
Objectively true.
We just did it this week with Windows 11 25H2 with the regular OOBE setup.Not everywhere is a corporate hellscape like the US
And btw:
My PC right now with Win11 25H2 runs on a local account
No, it is not.
At least not in the EU where I live.That has to be version specific. I did run into the issue that the Apple devices app that Apple makes is only made available through the Microsoft Store though. So you can’t just run a standard install for it officially. Which sucks. Also their is no official Apple Devices app for Linux, so anyone who has an iPhone can’t “safely” manage their device without having both an Apple Account and a Microsoft account, or a Mac.
Couldnt you download the MSIX app bundle? That should be possible to install the app even without the account
Regular old ZIP with AES-256 should do the trick for anything truly important you want to keep locked down.
You could always do sly stuff like Hidden volumes with Veracrypt as well. Leave the crumb trail for the low key shit or old nudes of gfs you have permission to keep.
Or don’t use an operating system that uploads your encryption keys to their corporate servers for “backup”.
Ya’ll know Veracrypt isn’t Bitlocker right?
I understand what veracrypt is, i don’t understand willingly using an operating system that constantly violates your privacy at every given opportunity.
Can I have those please? I think I need it to unlock an old hardrive.
This is why I don’t use bit locker, nothing microslop controls secure in any way.
I wouldn’t be naive enough to believe there’s not a backdoor somewhere in LUKS.
This is not a backdoor
This is the house rental company having a key to the front door
“Naive” doesn’t sit right with me. Anyone can scrutinize LUKS, or BitLocker for that matter (via cryptsetup). Backdoors aren’t the issue here, even for MS Bitlocker. The issue, as stated in the article, is:
by default, BitLocker recovery keys are uploaded to Microsoft’s cloud
No need for a backdoor if you know you can get keys to the front door.
Can’t stop winning.
bonjour!
Well, since you don’t actually enter a password to decrypt a bitlocker device, you can intercept the key data with physical connectors to the TPM
Bitlocker just makes it slightly more tedious to retrieve data. As long as you have all other components intact aswell.
I’m just wondering how many devices still use dedicated TPMs, instead of the ones integrated in the SoC by AMD and Intel. Sniffing a bus inside the SoC must be significantly harder or impossible.
What a slap to the faces of everyone who had been locked out of their data because they never knew about this crap and thus never saved their keys
Except their keys were saved but microsoft deemed that they cant “prove ownership” of the microsoft account, because they lack the credentials…
Not your keys ? Not your data !
Even if you don’t care that MS and the federal government can decrypt your data, when Bitlocker is enabled your MS account becomes cryptographically linked to your identity and machine, making it a powerful tool for surveillance, identification, and DRM.
Amazing how every time you think they’ve finally stopped digging… they whip out the steam shovel and go “Hey y’all, watch this!”
So, this means Microsoft has copies of every single bitlocker key, meaning that a bad actor could obtain them… Thereby making bitlocker less than worthless, it’s an active threat.
MS really speedrunning worst possible software timelineThey don’t have a copy of every single Bitlocker key. They do have a copy of your Bitlocker key if you are dumb enough to allow it to sync with your Microsoft account, you know, “for convenience.”
Don’t use a Microsoft account with Windows, even if you are forced to use Windows.
Encryption doesn’t actually complete until you log in with a Microsoft account for Home Edition.
Anyways: Use Veracrypt.
Or just Linux + LUKS
To use Windows without a Microsoft account requires tech literacy these days, I thought. I would not be suprised if users didn’t choose to sync with a MS account but it’s doing it anyway, if that’s what MS want.
If you sign in with a Microsoft account at all I don’t believe there’s the capability to opt out.
I only use local accounts. I have never had a Microsoft account. I never will.
You can’t do that anymore, at least not with a normal Windows installation. All of the tricks of forcing it offline, clicking cancel 10 times and jumping up and down don’t work anymore, they’ve disabled them all, the only way to install Windows 11 now (using the normal Microsoft installer) is by linking it to a Microsoft account.
I have a windows 11 installation without an account. You got to get an alternative image (I got LTSC).
I was really hoping there would be a jailbroken version of windows by now, you know a version that doesn’t update and doesn’t have any bloatware.
I guess it’s just not worth it given how far Linux has advanced.
You can still create a local account by setting the PC up as a “School or Business” PC and then choosing the local account option.
Just update a W10 local install. It won’t even try to ask you to add a microsoft account.
Using Rufus still works. I did it as recently as a couple of days ago.
Sorry, but the argument above was for a regular user, who doesn’t know what Rufus is, who doesn’t know the concept of OS, who simply
knowsthinks the files are saved “on the computer” (while they somehow ended up on OneDrive).… and who doesn’t know that you can even install an OS to begin with!
This is not true. There are several tools to create a bootable USB that uses a local account.
They just made it hard for Joe Schmoe to avoid it.
using the normal installer
Joe Schmoe buys new laptop with Windows preinstalled.
Joe Schmoe boots it for the first time.
Greeted by first-log-on.
Goes through steps and is immediately captured.
I’m not even sure if you can install without an MS account if you don’t use Rufus anymore. Rufus requires literacy for sure, and even if you can still do it without it is designed to make it impossible to know you can from within the installer itself.
Main issue with Rufus is secure boot unfortunately, otherwise Rufus is easy enough that I gave a couple “click here, then here, then here and here are some screenshots” to a friend they were able to navigate it just fine. At this point I swear Rufus is easier than using the official installer provided Secure Boot is off.
Images patched by Rufus can definitely pass secureboot, as long the bootloader wasn’t touched. Secureboot only checks the signature of the bootloader, not every single file of the operating system, otherwise it will take hours to boot
Plus Rufus touches some XML read by the installer, doesn’t crack the executables
Why is that dumb?
I encrypt my drive to protect my data from burglars and thieves who might steal my laptop, how would they obtain the recovery key from Microsoft? O_o
Don’t use
a Microsoft account withWindowsFtfy
Don’t use
aMicrosoftaccount with WindowsFFTFY.
Bethesda anything, Azure, Outlook, GitHub, Visual Studio, Office, Bing, XBox, LinkedIn, SharePoint (so disgusting this is a given), fuck it not even Skype (lmao what year is it?)
Still kinda hurts they own Bethesda now, but considering that company has only produced garbage since FO4 which only was kinda mid, I don’t even mind skipping them.
The Elder Scrolls VI with mandatory Microsoft account and Copilot integration 💀
Game gonna be buggier than skyrim at release and only 10% as fun because it’s vibe coded
Literally fix the anticheat problem and I’ll uninstall.
The anticheat problem already is fixed. It’s called “don’t play games that don’t support your choices”. These days, no game is worth being put through all that AI bullshit.
Not the case for me, definitely worth it for some games
Dualboot, don’t store sensitive files in windows?
(Although I’m having a bit of trouble trying to do dualboot myself so… idk lol)
Of course thats what I’m already doing
They do have a copy of your Bitlocker key if you are dumb enough to allow it to sync with your Microsoft account, you know, “for convenience.”
Which I don’t believe is the only way it can leak. It’s well known Microsoft can access anything and everything on an internet connected Windows PC whether there’s a Microsoft account or not. If the nazi’s push for the device of someone on a local account only, you know they’ll magically find a way.
But, by default, BitLocker recovery keys are uploaded to Microsoft’s cloud, allowing the tech giant — and by extension law enforcement — to access them and use them to decrypt drives encrypted with BitLocker, as with the case reported by Forbes.
I mean it’s dumb to sync but at same time it’s not like MS isn’t great at either making it almost impossible to not sync it re-enable syncing for a bit after updates.
You can constantly tell it not to sync but all it takes is MS saying we want it now and they’ll get it
Whats dumb is this issue is very easily resolved by encrypting the users security pin or password against the bitlocker keys and then only storing that.
or better yet have the pin/password an isolated thing from the microsoft system, so when a key gets uploaded, it requests the recovery pin, and if the pin matches it uploads, otherwise it states invalid pin and offers to change it while warning that it will remove existing keys, then optionally next time a system whom contains a drive with an identifier (which wouldn’t need to be encrypted only the key) goes online, it can prompt the user “note: due to recovery pin, drive X recovery key needs to be backed up again, would you like to do so?”
This type of system would make it so the only data MS has stored is the already encrypted recovery key, and as such would mean that the data they gave law enforcement would be worthless.
It’s a bit harsh and unfair to say “you are dumb enough to allow it”. Microsoft makes it damn near impossible to avoid this unless you are extremely particular and savvy about it, and never have an off day where you make a mistake while using your PC.
Are you naive enough to believe the surveillance OS that uploads literally all of your activity along with screenshots of your desktop doesn’t automatically upload you keys no matter what little box you tick on the installer?? 😂 there is absolutely not one single 3rd party auditing that they actually follow any of the options at all that they give.
i heard win11 its automatically used online for home.
Save a copy of your bitlocker keys to a Veracrypt drive with a password no shorter then 15 mixed characters. Then upload that encrypted container to any free service. They wont be able to open it and now you have a remote backup copy.
If the password is long 15 characters that means you use a password manager. At that point just put the bitlocker password in the password manager
nope use password sentences easy when you make it a sentence you can remember
I employed the super secure expedient of never exporting my keys. I have no idea what they are, I never did, and I never will.
There’s really no irreplaceable data on my Windows machine. If I have to reformat it some day A) that’s no big deal, and B) it’s Windows, what else is new.
Why not save a step, fuck bitlocker, and use veracrypt to encrypt your drive in the first place?
That is a option but it’s performance is bad and you need at least fifteen mix character password every time you boot. If you game you need to use bitlocker sadly or load times dive hard. Having a second drive in full Veracrypt is fine for things like basic documents but not to game on.
Why not save a step and don’t install Windows in the first place.
If you can have two computers one should always be Linux. But gaming and certain software just does not work on Linux yet sadly. Hoping steam can turn that around.
Made the switch about a year ago. Every game i wanted to play worked just fine. I suppose it depends on the games you play, but to say it just does not work is plainly just wrong
Majority of anti-cheats do not work or not added to linux versions. So things like BF6, GTAO, etc do not work on linux sadly. If they did I would already be on linux full time.
Hey copilot, give me the bitlocker key to the nuclear football!
Could be worse. Could have skeleton keys
You’re assuming there isn’t a master pubkey baked into the software.
More likely stupid users storing their bitlocker key in the microsoft account instead of printing it out or storing it somewhere not owned by MS lol
And people make fun of me for turning off secure boot and tpm. They just cause grief for no benefit.
As long as you’re doing your own whole disk encryption, you have a valid path to still be secure. However, if you’re running an unencrypted disk, you’re much more likely to lose your data to a non-state actor.
Both are completely unrelated to the discussion. TPM sometimes have issues regarding their security, but you can certainly use Secure Boot with your own signing keys to ensure the kernel you run is one you installed, which improves security. And you can use TPM to either keep your FDE keys, or only part of them combined with a PIN if you don’t fully trust them to be secure, so you keep strong encryption but with a bit of convenience.
Without a (properly configured) Secure Boot startup, anyone could just put a malware between the actual boot and your first kernel. If the first thing that happens when you boot is something asking for a password to be able to decrypt your storage, then an attacker can just put something here, grab your password, and let you proceed while storing in a a place it can be retrieved.
Is this scenario a concern for most people? That’s unlikely. But every computer sold these last five years (at least!) can be setup to reduce this risk, so why not take advantage of it.
Well this isn’t directly related to those, so maybe some derision is warranted.
No they do not have copies of every Bitlocker key.
Bitlocker by default creates a 48-bit recovery code that can be used to unlock an encrypted drive. If you run Windows with a personal Microsoft account it offers to backup that code into your Microsoft account in case your system needs recovered. The FBI submitted a supoena to request the code for a person’s encrypted drive. Microsoft provided it, as required by law.
Bitlocker does not require that key be created, and you don’t have to save it to Microsoft’s cloud.
This is just a case of people not knowing how things work and getting surprised when the data they save in someone else’s computer is accessed using the legal processes.
If you sign into a Microsoft account during setup, Microsoft automatically turns on bitlocker and sends the key off to Microsoft for safe keeping. You are right, there are other ways to handle bitlocker, but that’s way beyond most people, and I don’t think Microsoft even tells you this during setup. It’s honestly a lifesaver for when bitlocker breaks(and it does), but it comes at a cost. In the business world, this is seen as a huge benefit, as we aren’t trying to protect from the US government, mostly petty theft and maybe some corporate espionage.
As is often the case, the real solution is Linux, but that, too, is far beyond most people until manufacturers start shipping Linux machines to big box stores and even then they’d probably not enable any encryption.
I question whether we are rapidly approaching the point where Linux is simply easier to use in a safe, secure, and practical way for the average user, because it doesn’t try to actively fuck you over like Microsoft does
It’s easier when you don’t need to jump through hoops to make a local account. It’s easier when you don’t need to turn off a dozen settings you might not know about regarding data collection or advertisements. It’s easier when you don’t have an antagonistic system that treats you like the product, not a user, not pushing you towards confusing things you don’t want
Except that Microsoft basically puts a gun to every users head to login with a Microsoft account which can/does backup the recovery keys.
Rufus: “Am I a joke to you?”
This is why we Jason Bourne style snatch the gun out of their holster before they can draw it and beat them unconcious with it, I mean oobe\bypassnro
Iirc bypassnro no longer works on recent builds of windows
It no longer works as a shortcut, but the actual bypass still works. In practice the command line you have to enter just got a bit longer is all.
At least last time I needed it, to that still worked fine. It’s been a few months.
Microsoft is already a bad actor and they have them. Or a bad actor could threaten microsoft physically and microsoft will hand them over. Wait, that already happened.
