update: Bitlocker cmdline workaround no longer works in Home #3170
Conversation
dngray
force-pushed
the
pr-bitlocker-unavailable-home-edition
branch
from
eaba155 to
fa6077d
Compare
dngray
force-pushed
the
pr-bitlocker-unavailable-home-edition
branch
from
fa6077d to
424c59f
Compare
|
This pull request has been mentioned on Privacy Guides Community. There might be relevant details there: https://discuss.privacyguides.net/t/enabling-bitlocker-on-the-windows-11-home-edition/13303/27 |
dngray
added
the
c:software
✅ Your preview is ready!
|
dngray
force-pushed
the
pr-bitlocker-unavailable-home-edition
branch
from
424c59f to
93cfb5c
Compare
dngray
force-pushed
the
pr-bitlocker-unavailable-home-edition
branch
from
93cfb5c to
d540dad
Compare
dngray
force-pushed
the
pr-bitlocker-unavailable-home-edition
branch
from
d540dad to
ca23ca0
Compare
docs/encryption.md
Outdated
| { align=right } | ||
|
|
||
| **BitLocker** is the full volume encryption solution bundled with Microsoft Windows that uses the Trusted Platform Module ([TPM](https://learn.microsoft.com/windows/security/information-protection/tpm/how-windows-uses-the-tpm)) for hardware-based security. | ||
| **BitLocker** is the full volume encryption solution bundled with Microsoft Windows that uses the Trusted Platform Module ([TPM](https://learn.microsoft.com/windows/security/information-protection/tpm/how-windows-uses-the-tpm)) for hardware-based security. We recommend that you use Bitlocker with the [TPM+PIN](https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/faq#what-is-the-difference-between-a-tpm-owner-password--recovery-password--recovery-key--pin--enhanced-pin--and-startup-key) option and not just your regular password as [extraction is impossible](https://blog.elcomsoft.com/2021/01/understanding-bitlocker-tpm-protection) when you use an extra a pre-boot protector like the PIN. The PIN is rate limited and the TPM will panic and lock access to the encryption key either permanently or for a period of time if someone attempts to brute force access. |
There was a problem hiding this comment.
| **BitLocker** is the full volume encryption solution bundled with Microsoft Windows that uses the Trusted Platform Module ([TPM](https://learn.microsoft.com/windows/security/information-protection/tpm/how-windows-uses-the-tpm)) for hardware-based security. We recommend that you use Bitlocker with the [TPM+PIN](https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/faq#what-is-the-difference-between-a-tpm-owner-password--recovery-password--recovery-key--pin--enhanced-pin--and-startup-key) option and not just your regular password as [extraction is impossible](https://blog.elcomsoft.com/2021/01/understanding-bitlocker-tpm-protection) when you use an extra a pre-boot protector like the PIN. The PIN is rate limited and the TPM will panic and lock access to the encryption key either permanently or for a period of time if someone attempts to brute force access. | |
| **BitLocker** is the full volume encryption solution bundled with Microsoft Windows that uses the Trusted Platform Module ([TPM](https://learn.microsoft.com/windows/security/information-protection/tpm/how-windows-uses-the-tpm)) for hardware-based security. We recommend that you use BitLocker with the [TPM+PIN](https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/configure?tabs=os#require-additional-authentication-at-startup) option and not just your regular password as [extraction is impossible](https://blog.elcomsoft.com/2021/01/understanding-bitlocker-tpm-protection) when you use a pre-boot protector like the PIN. The PIN is rate limited and the TPM will panic and lock access to the encryption key either permanently or for a period of time if someone attempts to brute force access. |
There was a problem hiding this comment.
The TPM+PIN page you've linked doesn't really explain how to use the TPM+PIN.
This one might be better?
There was a problem hiding this comment.
Might link to that actually, and simply say that you should click on Settings > Accounts > Sign-in options and then select either "PIN (Windows Hello) or "Security Key", you can do it with a local user account too, don't need to have signed in with a microsoft account.
There was a problem hiding this comment.
I think you might be misunderstanding, Windows Hello is different from the Bitlocker startup PIN.
There was a problem hiding this comment.
Oh, yeah. The TPM+PIN is pre boot not post boot like login. I forgot about that
Seems like it's more like LUKS password on Linux.
github-project-automation
bot
moved this from Unreviewed
to Needs Changes
in PR Review Status
docs/encryption.md
Outdated
| { align=right } | ||
|
|
||
| **BitLocker** is the full volume encryption solution bundled with Microsoft Windows that uses the Trusted Platform Module ([TPM](https://learn.microsoft.com/windows/security/information-protection/tpm/how-windows-uses-the-tpm)) for hardware-based security. | ||
| **BitLocker** is the full volume encryption solution bundled with Microsoft Windows that uses the Trusted Platform Module ([TPM](https://learn.microsoft.com/windows/security/information-protection/tpm/how-windows-uses-the-tpm)) for hardware-based security. We recommend that you use Bitlocker with the [TPM+PIN](https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/faq#what-is-the-difference-between-a-tpm-owner-password--recovery-password--recovery-key--pin--enhanced-pin--and-startup-key) option and not just your regular password as [extraction is impossible](https://blog.elcomsoft.com/2021/01/understanding-bitlocker-tpm-protection) when you use an extra a pre-boot protector like the PIN. The PIN is rate limited and the TPM will panic and lock access to the encryption key either permanently or for a period of time if someone attempts to brute force access. |
There was a problem hiding this comment.
The TPM+PIN page you've linked doesn't really explain how to use the TPM+PIN.
This one might be better?
docs/encryption.md
Outdated
| Backup `BitLocker-Recovery-Key.txt` on your Desktop to a separate storage device. Loss of this recovery code may result in loss of data. | ||
| </div> | ||
| BitLocker is [officially supported](https://support.microsoft.com/en-us/windows/bitlocker-overview-44c0c61c-989d-4a69-8822-b95cd49b1bbf) on the Pro, Enterprise, and Education editions of Windows. If you have Home edition we recommend you [upgrade to Pro](https://support.microsoft.com/en-us/windows/upgrade-windows-home-to-windows-pro-ef34d520-e73f-3198-c525-d1a218cc2818), which can be achieved without reinstalling Windows or losing your files. An alternative solution could be to use VeraCrypt's [system encryption](https://veracrypt.io/en/System%20Encryption.html) feature. VeraCrypt does not use the system's TPM chip and all encryption keys are stored in memory, leaving them [vulnerable to extraction](https://blog.elcomsoft.com/2021/06/breaking-veracrypt-obtaining-and-extracting-on-the-fly-encryption-keys) while the device is online and mounted. We also recommend if you're using Bitlocker to make sure you |
There was a problem hiding this comment.
If we are already recommending people upgrade to Pro or Enterprise versions, I don't think we should recommend VeraCrypt for this when the Windows built-in tools are there and provide superior security.
It seems like VeraCrypt's implementation is a bit buggy as well, especially since the upgrade from Windows 10 to Windows 11.
https://github.com/veracrypt/VeraCrypt/issues?q=Full%20disk%20encryption
There was a problem hiding this comment.
Windows 11 Home also automatically enables device encryption as long as the device is officially supported.
There was a problem hiding this comment.
I found on my desktop computer automatic device encryption was not working. It turned out because of that last one regarding PCR7 binding. It turns out there's a few other reasons besides the ones stated there that can prevent that for example if I go into.
- Win + R
- Enter "msinfo32"
- Ctrl + Shift + Enter
The reason is "Hardware Security Test Interface failed and device is not Modern Standby, Un-allowed DMA capable bus/device(s) detected." Kind of odd this machine doesn't have anything like Thunderbolt. Turns out the reason for that can be a little more obscure https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-bitlocker#un-allowed-dma-capable-busdevices-detected
dngray
force-pushed
the
pr-bitlocker-unavailable-home-edition
branch
from
9e75e3c to
f9204b5
Compare
List of changes proposed in this PR: