• Moonrise2473@feddit.it
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    it happened to me, the computer had a firmware (BIOS) update and it reset the TPM holding the decryption key was wiped.

    But anyway you had a backup of the decryption key, right? Right?

    (The reason microsoft insists so much on having everyone login with microsoft accounts is that bitlocker encryption keys are uploaded in the cloud so you if you follow the link on the boot error message, you can unlock your drive)

    (a “side effect” of this automatic encryption key upload on the cloud is that your drive is not encrypted for law enforcement)

    • fuzzzerd@programming.dev
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Is there a way to sign in with Microsoft account and not upload your key to the cloud?

      This also makes me wonder if Android does the same thing with its device encryption, since you must login with a Google account.

      • Raxiel@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        Yes, you have to opt in.
        I use a Microsoft account for my user profile, and recently reinstalled windows. I didn’t choose the account backup and so despite signing back into the same account, the encrypted partitions on my non-boot drives could only be unlocked by pasting the key in directly, there wasn’t an option to restore it.

      • XTornado@lemmy.ml
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        1 year ago

        Yeah I think so, like it ask you where you can to store the key and if you want to upload a copy or something like that it has been a while since I did setup the encryption.

        That said OMG there should be a nicer way to introduce the damn key on boot… with a USB or something I had to type it so many times when I was fixing a booting issue.

        • Moonrise2473@feddit.it
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          On Windows 11 when you sign in with a Microsoft account and the device fully supports bitlocker, it starts encrypting the drive without any user consent or acknowledgement. It did so on my laptop

          Only with a local account you’re prompted to save a backup somewhere else, and it’s picky, doesn’t let you save it on the drive that’s going to be encrypted

          • XTornado@lemmy.ml
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            Idk man… maybe is a recent change or something but on my three devices I installed Win 11, I activated Bitlocker after a while, it was not activated on my install/login. So my experience is completely different it didn’t start encrypting without consent. And to be clear I have used Microsoft accounts on all of them.

            • Moonrise2473@feddit.it
              link
              fedilink
              English
              arrow-up
              1
              ·
              1 year ago

              On my Lenovo laptop my drive was encrypted without my consent, I was very pissed (due to a bug that wiped the tpm during a firmware update, I had 20 minutes of panic because I had no idea what was the bitlocker decryption key)

              • Raxiel@lemmy.world
                link
                fedilink
                English
                arrow-up
                1
                ·
                1 year ago

                It seems to be a behaviour particular to portable devices. I’d argue encryption by default is a good thing on a device that’s more likely to be stolen (and the identity theft implications that brings) but clearly it needs to be better communicated to the end user.
                I reinstalled windows 11 recently and had to manually re-encrypt the boot drive, which also prompted me to save a copy of the key. I had the option of backing up to my MS account, saving a txt file (which it refuses to let you place on any encrypted drive, even if it’s a different one to the one you’re encrypting at the time), or print it (which can be to a PDF you can save anywhere). It’s possible to access the backup options at any time after that as well. I usually take the last option, save the pdf to the same drive then copy paste the key into my password manager then delete the file.