this post was submitted on 11 Sep 2023
324 points (95.5% liked)

AssholeDesign

7604 readers
2 users here now

This is a community for designs specifically crafted to make the experience worse for the user. This can be due to greed, apathy, laziness or just downright scumbaggery.

founded 1 year ago
MODERATORS
 
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 17 points 1 year ago (1 children)

it happened to me, the computer had a firmware (BIOS) update and it reset the TPM holding the decryption key was wiped.

But anyway you had a backup of the decryption key, right? Right?

(The reason microsoft insists so much on having everyone login with microsoft accounts is that bitlocker encryption keys are uploaded in the cloud so you if you follow the link on the boot error message, you can unlock your drive)

(a "side effect" of this automatic encryption key upload on the cloud is that your drive is not encrypted for law enforcement)

[–] [email protected] 4 points 1 year ago (3 children)

Is there a way to sign in with Microsoft account and not upload your key to the cloud?

This also makes me wonder if Android does the same thing with its device encryption, since you must login with a Google account.

[–] [email protected] 3 points 1 year ago* (last edited 1 year ago) (1 children)

Yeah I think so, like it ask you where you can to store the key and if you want to upload a copy or something like that it has been a while since I did setup the encryption.

That said OMG there should be a nicer way to introduce the damn key on boot... with a USB or something I had to type it so many times when I was fixing a booting issue.

[–] [email protected] 3 points 1 year ago (1 children)

On Windows 11 when you sign in with a Microsoft account and the device fully supports bitlocker, it starts encrypting the drive without any user consent or acknowledgement. It did so on my laptop

Only with a local account you're prompted to save a backup somewhere else, and it's picky, doesn't let you save it on the drive that's going to be encrypted

[–] [email protected] 1 points 1 year ago (1 children)

Idk man... maybe is a recent change or something but on my three devices I installed Win 11, I activated Bitlocker after a while, it was not activated on my install/login. So my experience is completely different it didn't start encrypting without consent. And to be clear I have used Microsoft accounts on all of them.

[–] [email protected] 2 points 1 year ago (1 children)

On my Lenovo laptop my drive was encrypted without my consent, I was very pissed (due to a bug that wiped the tpm during a firmware update, I had 20 minutes of panic because I had no idea what was the bitlocker decryption key)

[–] Raxiel 2 points 1 year ago

It seems to be a behaviour particular to portable devices. I'd argue encryption by default is a good thing on a device that's more likely to be stolen (and the identity theft implications that brings) but clearly it needs to be better communicated to the end user.
I reinstalled windows 11 recently and had to manually re-encrypt the boot drive, which also prompted me to save a copy of the key. I had the option of backing up to my MS account, saving a txt file (which it refuses to let you place on any encrypted drive, even if it's a different one to the one you're encrypting at the time), or print it (which can be to a PDF you can save anywhere). It's possible to access the backup options at any time after that as well. I usually take the last option, save the pdf to the same drive then copy paste the key into my password manager then delete the file.

[–] Raxiel 2 points 1 year ago

Yes, you have to opt in.
I use a Microsoft account for my user profile, and recently reinstalled windows. I didn't choose the account backup and so despite signing back into the same account, the encrypted partitions on my non-boot drives could only be unlocked by pasting the key in directly, there wasn't an option to restore it.

[–] [email protected] 1 points 1 year ago

I'm pretty sure Android doesn't do this. The encryption is purely local, so you cannot somehow recover the device if you have the Google account.