Microsoft will be enabling full disk encryption on clean Win 11 installs soonish

[thewayne]

A forthcoming version of Windows 11 known as 24H2 will enable Bitlocker device encryption (FDE) by default. This can be turned off if you want to get into Control Panel and deactivate it. The article notes that Tom's Hardware found that FDE can slow down disc access by 45% on solid-state drives. Additionally, Microsoft requires that the encryption key is uploaded to your Microsoft cloud account, meaning they have the means for decrypting your drive.

MS holding the key to your drive is a theoretical vulnerability. I have not read of them cooperating with authorities in the decryption of drives, much like Apple has not, though in Apple's case, they don't hold keys and cannot.

Personally, I don't think disk encryption is a good idea for the average home user. You should maintain good backups and keep them disconnected from your PC, preferably in a fire-proof lockbox or off-site. Have two sets (or more) and rotate between them so you have fall-back points if one of the backup sets fail.

We have a concept in IT that backups don't exist until you test them or need them, until that time they just exist in a void. When you pull them out and try to restore from them, that's when you find out whether or not they're any good. Backup disks and tapes fail, which is why if you value your data you want multiple copies to reduce the chance of one copy failing.

https://www.theverge.com/2024/8/14/24220138/microsoft-bitlocker-device-encryption-windows-11-default

https://tech.slashdot.org/story/24/08/14/1559240/microsoft-is-enabling-bitlocker-device-encryption-by-default-on-windows-11

Comments

[garote]

I always summarize it to people like so:

“If you don’t have a backup, it’s already lost.”

Forces them to contemplate the situation.

[thewayne]

nods That's an excellent way of putting it!  You never know when/if something is gonna blow up!

[disneydream06]

Sounds like Big Brother is coming for us and it's not the government. :o
Hugs, Jon

[marahmarie]

I'm failing to see the logic leap from "encryption bad" to "backups good". Like, if you want what's on your device you should perform backups whether the drive in question's encrypted or not, I'd think. "Back up your drive" ≠ "encrypting it" and so I'm honestly just lost.

[moonhare]

I never thought about Microsoft’s encryption until I had a capture fail using Dell ImageAssist. Once decrypted, the capture ran smoothly.

Then we had a motherboard failure on another machine. I was told that all would be well with replacement as long as the drive wasn’t encrypted… it wasn’t encrypted and all went well.

And backups. OSL had a boatload of computers in their lab to test their software. Me? Grab and go. Hope it works when needed! After my CMOS failure and all the related problems I copied what I could and have that in various places

[kraig]

I don't know what drives Tom's is using, but that's FUD. Many corporations have FDE requirements, my own included; there's no appreciable effect, and certainly not a 45% performance loss. We run hardware out to 7-8 years old.

One should of course have backups anyway, regardless of the state of drive encryption. In my experience, it takes a catastrophic data loss to convince retail-type users of this. Of course, if they're buying brand new Windows 11 computers, OneDrive is just a few clicks and a credit card number away.

[silveradept]

Interesting decision, and I wonder why, since usually encryption like that is usually only effective when the disk is at rest. I wonder how many people still keep their machines shut down at night where the encryption would be effective.

[thewayne]

I don't think it's worth the risk for individuals and small companies.  If you have a skilled IT team behind you for support with good policies and key management in place, that's a different story.  I can't say that I've ever seen good policies and key management.

[thewayne]

I don't pay for OneDrive, the free level is quite sufficient to my needs.  But I'm comfortable reinstalling from scratch and downloading my data back to where it should be.  No idea what tests or hardware Tom's was using, I didn't pursue that angle.  We don't use drive encryption at my campus, main campus might use it on some of their systems, perhaps in research labs and such, I don't know.

[thewayne]

Excellent point.  If someone installs a remote trojan on your PC, they're accessing your system when it's awake and the data is unlocked and readable.  I'm not entirely sure about this.

[halfshellvenus]

As a home user, DNW! I cannot express how much.

Not for the speed slowdown, necessarily, but for having to put the encryption key into a (hackable) cloud account. Gah!

[kraig]

I don't know what Toms is using either. I do know that what they're saying doesn't match with my experience, or that of a lot of other people in my position (information security on a research-intensive campus, let's say, across several thousands of systems).

I believe that what Tom's is saying is true: they find massive slowdown on some hardware. That some hardware is doing quite a lot of heavy lifting though, and I wonder if it's very likely that somebody would find that hardware in a system capable of running Windows 11. In other words, I think that article is clickbait.