It may seem that way but I’m really not. An encryption key is just data. It’s critical security data to be sure but it’s still data and like other data you shouldn’t share anything that you wouldn’t want made public.
Don’t want MS to cough up your data when asked? Then don’t give it to them. In regards to your BL key that means storing it another way, such as on a jump drive or printing it out.
In the end if you have data of any type that you absolutely DO NOT want made public then you need to retain that data locally. If that means leaving the Microsoft or any other ecosystem then that’s the price that needs paid for keeping your data under your control.
This is the foundation of the entire privacy movement.
No, you really are. If you’re in control of an encryption key, then it’s perfectly fine to “give Microsoft your data” that’s encrypted by that key. An encryption key isn’t “just data”, it’s data that’s used to encrypt other data.
The problem here is not that Microsoft has access to your data, it’s that Microsoft has access to your encryption key.
Wouldn’t the hacker then need to track down your physical computer…steal it…use the bitlocker key…look to see if you actually have any data worth taking etc…?
Sure. It’s not anyone. It’s anyone that can get a warrant. Or anyone that have enough power/underhanded influence to ask them nicely. Or any admin that have access to cloud storage at MS (remember they where caught with some exec having full access to that a while ago). Or any big leak that could exfiltrate these data. And probably a handful of other people, like, someone getting access to your MS account for whatever reason (which kinda happen, seeing how people lose their mail account to phishing/scams all the time) suddenly having access to your keys from there.
If your keys are in a DB somewhere, there’s a lot of way they could get out. Would these ways coincide with someone actually having your drive at hand? Probably not. Still, the key not existing in plaintext in some third party storage close all these holes.
If you can’t possess the keys, you can’t give them when there’s a warrant. Microsoft designed a system that could obtain and decrypt those keys on purpose.
They designed a system that recommended that the average user use full disk encryption as part of device setup, and then provided a way that Grandma could easily recover her family photos when she set it up with their cloud.
This was built by an engineer trying to prevent a foreseeable issue. The intent was not malicious. The intent was to get more people more secure by default, since random hacker couldn’t compell ms to give them keys, while still allowing low tech literacy people to not get fucked.
It’s been a while since I installed a new Windows OS, but I’m pretty sure it prompts you to allow uploading your bitlocker key. It probably defaults to yes, but I doubt you can’t say no, or reset the key post onboarding if you want the privacy, and now it’s on you to record your key. You do have to have some technical understanding of the process, though, which is true of just about everything.
That all said, if a company has your data, it can be demanded by the government. This is a cautionary tale about keeping your secrets secret. Don’t put them in GitHub, don’t put them in Chrome, don’t put them online anywhere because the Internet never forgets.
Bitlocker is computer drive encryption. On W11 it’s supposed to be tied to the motherboards TPM. End to end encryption is not really applicable in this scenario. That phrase is more applicable to cloud services or storage where a telecom or CSP hosts or transports your data but can’t see what the data is.
Microsoft should not have the keys to decrypt Bitlocker ever.
Microsoft should not have the keys to decrypt Bitlocker ever.
Windows is a closed source and proprietary commercial Operating System. Microsoft is going to do whatever they like with it. If enough people get angry about an issue they may change their mind but that doesn’t change the nature of Microsoft’s ownership over their products.
I’ve been participating in discussion about what Microsoft should and shouldn’t do since the late 80s and it pretty much boils down to this: You need to select and use software that works the way you want it to. So if you don’t want MS to have your disk encryption key then don’t use Windows. If you don’t want MS to have access to your documents then don’t put them on any system that MS has control over.
It can be terrible inconvenient to protect your data in this way but this part and parcel of the privacy movement.
The word “Gave” is really doing some heavy lifting in that title. Microsoft produced the keys in response to a warrant as required by law.
If you don’t want a company, any company, to produce your data when given a warrant then you can’t give the company that data. At all. Ever.
Not fast food joints, not Uber, not YouTube, not even the grocery store.
Yes. But this completely invalidates the encryption. If anyone can decrypt your data without you giving the keys to them, it is not really encrypted.
The encryption key is data, don’t give it to ANYONE. “Two people can keep a secret if one of them is dead.”
Which means it’s useless if always uploaded to MS
You’re confusing two different things here, in a really weirdly obtuse way.
It may seem that way but I’m really not. An encryption key is just data. It’s critical security data to be sure but it’s still data and like other data you shouldn’t share anything that you wouldn’t want made public.
Don’t want MS to cough up your data when asked? Then don’t give it to them. In regards to your BL key that means storing it another way, such as on a jump drive or printing it out.
In the end if you have data of any type that you absolutely DO NOT want made public then you need to retain that data locally. If that means leaving the Microsoft or any other ecosystem then that’s the price that needs paid for keeping your data under your control.
This is the foundation of the entire privacy movement.
No, you really are. If you’re in control of an encryption key, then it’s perfectly fine to “give Microsoft your data” that’s encrypted by that key. An encryption key isn’t “just data”, it’s data that’s used to encrypt other data.
The problem here is not that Microsoft has access to your data, it’s that Microsoft has access to your encryption key.
Its not anyone though. Not anyone can get a warrant and demand the keys
if Microsoft has the power to give the keys to the feds what happens when Microsoft gets hacked?
or they give the keys or whatever data willingly, and then say they are hacked as an excuse.
Wouldn’t the hacker then need to track down your physical computer…steal it…use the bitlocker key…look to see if you actually have any data worth taking etc…?
Anyone as in “a single person”. They don’t mean everyone has access.
Sure. It’s not anyone. It’s anyone that can get a warrant. Or anyone that have enough power/underhanded influence to ask them nicely. Or any admin that have access to cloud storage at MS (remember they where caught with some exec having full access to that a while ago). Or any big leak that could exfiltrate these data. And probably a handful of other people, like, someone getting access to your MS account for whatever reason (which kinda happen, seeing how people lose their mail account to phishing/scams all the time) suddenly having access to your keys from there.
If your keys are in a DB somewhere, there’s a lot of way they could get out. Would these ways coincide with someone actually having your drive at hand? Probably not. Still, the key not existing in plaintext in some third party storage close all these holes.
Anyone included Microsoft. You’re thinking of the word “everyone”
If you can’t possess the keys, you can’t give them when there’s a warrant. Microsoft designed a system that could obtain and decrypt those keys on purpose.
I’m certainly not a microslop supporter, but…
They designed a system that recommended that the average user use full disk encryption as part of device setup, and then provided a way that Grandma could easily recover her family photos when she set it up with their cloud.
This was built by an engineer trying to prevent a foreseeable issue. The intent was not malicious. The intent was to get more people more secure by default, since random hacker couldn’t compell ms to give them keys, while still allowing low tech literacy people to not get fucked.
It’s been a while since I installed a new Windows OS, but I’m pretty sure it prompts you to allow uploading your bitlocker key. It probably defaults to yes, but I doubt you can’t say no, or reset the key post onboarding if you want the privacy, and now it’s on you to record your key. You do have to have some technical understanding of the process, though, which is true of just about everything.
That all said, if a company has your data, it can be demanded by the government. This is a cautionary tale about keeping your secrets secret. Don’t put them in GitHub, don’t put them in Chrome, don’t put them online anywhere because the Internet never forgets.
They’re doing this because there’s demand (with actually, non malicious genuine needs), and the feature is clearly advertised AFAIK.
It’s not some evil conspiracy. Microsoft does enough shitty things without us needing to blame them for their users’ shitty OpSec.
Here’s Microsoft’s overview page of bitlocker. Show me where it clearly says they can decrypt your drive.
https://support.microsoft.com/en-us/windows/bitlocker-overview-44c0c61c-989d-4a69-8822-b95cd49b1bbf
Not true with E2EE, they can’t give over shit when they don’t have the keys
Bitlocker is computer drive encryption. On W11 it’s supposed to be tied to the motherboards TPM. End to end encryption is not really applicable in this scenario. That phrase is more applicable to cloud services or storage where a telecom or CSP hosts or transports your data but can’t see what the data is.
Microsoft should not have the keys to decrypt Bitlocker ever.
Windows is a closed source and proprietary commercial Operating System. Microsoft is going to do whatever they like with it. If enough people get angry about an issue they may change their mind but that doesn’t change the nature of Microsoft’s ownership over their products.
I’ve been participating in discussion about what Microsoft should and shouldn’t do since the late 80s and it pretty much boils down to this: You need to select and use software that works the way you want it to. So if you don’t want MS to have your disk encryption key then don’t use Windows. If you don’t want MS to have access to your documents then don’t put them on any system that MS has control over.
It can be terrible inconvenient to protect your data in this way but this part and parcel of the privacy movement.
Ofc its not applicable in that once scenario