this post was submitted on 07 Feb 2024
738 points (97.7% liked)

Technology

59323 readers
4666 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] smileyhead@discuss.tchncs.de -3 points 9 months ago (1 children)

Solution: Just encrypt it with a password.

[–] BaroqueInMind@kbin.social 31 points 9 months ago (2 children)

Bit locker is a password controlled drive encryption. Am I being dumb or are you seriously saying that?

[–] tias@discuss.tchncs.de 26 points 9 months ago* (last edited 9 months ago) (1 children)

I guess they mean use the password as part of the encryption key, or encrypt the key with the password. Bitlocker doesn't use the user's password in that way, which is why it can boot an encrypted system without user interaction. That part always seemed very sketchy to me.

[–] d3Xt3r@lemmy.nz 12 points 9 months ago (1 children)

FYI: You can set it to require a PIN + TPM, or even just a password eg using manage-bde -on c: -password.

https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/manage-bde-on

[–] tias@discuss.tchncs.de 3 points 9 months ago (1 children)

Thanks, that sounds really useful. I'm guessing it won't work unless you're local admin though.

[–] d3Xt3r@lemmy.nz 4 points 9 months ago (1 children)

Yep, you'll need local admin of course.

[–] tias@discuss.tchncs.de -2 points 9 months ago* (last edited 9 months ago) (1 children)

Which kind of makes it useless in many corporate environments where it's most needed, since the users won't be able to set their own password.

[–] d3Xt3r@lemmy.nz 5 points 9 months ago (2 children)

I mean, if it's a corporate device then it's really a policy IT should be setting - this can be easily be done via a GPO or Intune policy, where an elevated script can prompt the end-user for a password.

[–] LifeInMultipleChoice@lemmy.world 2 points 9 months ago* (last edited 9 months ago)

Yarp. And when they forget it we use the 48 numerical recovery key found using the recovery ID that shows on the screen when you hit escape (from the bitlocker screen)

[–] lud@lemm.ee 1 points 9 months ago (1 children)

It would be insane to let non admin change settings like this.

[–] tias@discuss.tchncs.de 1 points 9 months ago (1 children)

I'm talking about letting the user change their own password. I'm honestly not sure how that would be technically accomplished in this situation without having to contact IT each time. It seems like something Microsoft should provide a no-frills GUI for that doesn't require elevation.

[–] lud@lemm.ee 1 points 9 months ago* (last edited 9 months ago)

Yeah, that could be neat as long as they still add a recovery key to the AD or somewhere else. A problem with that is that the users will likely choose shit passwords. That could be mitigated with password rules but still

I suspect Microsoft wants you to use TMP or physical keys instead of passwords.