this post was submitted on 22 Oct 2023
I turned this off as soon as I set up the PC, there's zero need for this on desktops. Once again, Microsoft's making a stupid move.
Presumably you're relying on the security of your home, and if that's broken you've got bigger things to worry about.
I don't buy this. If my home security is compromised I have big issues, but my data security is probably one of the biggest. If my desktop gets yoinked or HD plucked, the degree of identity theft that could be pulled off is simply massive. I can think of little better peace of mind than knowing my HD was well encrypted if my home was violated.
Yeah I do agree and myself run FDE as a defence in depth measure and as a protection against specific threats such as the one you mentioned. I think we agree on that completely.
In saying that, I would further add that it shouldn't be relied upon as the only defensive measure as once someone has gained physical access to the device it's not going to protect you against targeted attacks. If someone has access to your home they could install a camera aimed at the keyboard, or a hardware keylogger, or the good ol' $5 wrench attack.
I use FDE because my locks are easily pickable. I don’t trust the landlord’s son that lives in the unit above mine. Also the computer is near a big window. Property crime is a popular activity in the area, so the smash-and-grab is a plausible threat. Defence in depth, though, so I still lock the front and interior office doors.
Good point. Smash & grabs are definitely a valid threat model that FDE can help mitigate the effects of. Can be more or less prevalent due to location and ease of access. Personally, I live in a high-rise, access-controlled apartment so the smash & grab is a non-issue for me.
Another specific threat could be protection against government seizure.
Or what if your SSD borks it and you're unable to do a secure erase on it? Happened to my wife's laptop. I'm planning on smashing the SSD to ensure the data is destroyed before putting it in recycling.
Completely valid point. The kind of non-technical people wouldn't likely notice any difference in SSD speed anyway. It would be nice if they made it easier for technical people to disable the feature.
Yeah, but normally FDE overhead is so low, you may as well encrypt.
That's one issue I had with this article. It doesn't do any actual tests to compare it to other OS implementations. How can we condemn Microsoft for 45% slower speeds (in a specific benchmark on specific hardware) when there's no context to compare it to? And this claim is specifically only for software encryption where hardware-level encryption is not available. Is it Windows 11 that's specifically causing this, or is it a general problem?
Comparing to macOS is actually impossible because FDE can't be turned off on Macs at all. Macs (and iPhones etc.) handle encryption of internal storage transparently in hardware at pretty much no overhead and without the CPU even having access to the key. You can only choose whether a login is required for the Secure Enclave hardware to be able to access the key.
On other platforms it’s pretty much a hardware question too. PC vendors and hard disk vendors could do the same thing Apple is doing regardless of whether the OS is Windows or Linux or whatever. How fast the OS based encryption is only matters on hardware that doesn’t have this functionality.
Exactly right. To me it seems overly click-baity to specifically condemn Windows 11 for the overhead of software-based encryption because the hardware doesn't support it. The same problem exists across all platforms (hypothetically) if there is no hardware support.
It would have been another thing if they could show this problem was unique to Windows 11, or if they focused on the fact that it was difficult to disable. Instead they put so much effort into saying Windows 11 runs 45% slower due to Bitlocker.
What was telling for me was the article from the same site from a few years ago about Microsoft disabling the use of hardware encryption by default because they couldn't trust the drive manufacturers to do it right.
Do they want things to be secure or fast?
Did you even read the article?
The configuration has a powerful CPU and fast SSD. There are multiple benchmark tools used, and 2 encryption methods, software and hardware.
Yes I did and everything you pointed out does nothing to address my comment.
How does pointing out that they did tests with different CPUs and SSDs, multiple benchmarking software, and different encryption methods do anything to address my complaint that they did not comment on whether this is a Windows 11 specific issue? Did you even read my comment?
It's largely useful on mobile devices because you can easily forget them somewhere and all a tech savvy person has to do to get the data is remove the HDD (if it's a laptop), or if it's integrated, reset the admin password with something like NT Offline Password Reset. Smartphones are another can of worms I won't get into, but I'm sure you understand.
With a desktop, it's highly unlikely you're carrying it around and will forget it some place. The only way someone can get the drive is to break into your residence and physically remove the drive, and as someone else said: if someone is breaking into your residence to get a HDD out of your PC, you have bigger problems.
Also, is always encrypting drives even a good or desirable thing for most users?
I don't know the details, but what if someone forgets the password, or some PC components get broken, but they still want their data out of there?
Disk encryption is something that should be a choice, opt-in.
That is why backup of your data is a necessity regardless of encryption or not.
Windows Education is fairly common on laptops (kind of a hybrid between Pro and Enterprise from what I can tell). But even in the case of Pro it would be up to the OEM if you're buying a pre-built. This would mostly only affect people who have gone out of the way to install Pro themselves, and don't know how to bypass it (although maybe some prebuilts have it used as an oversight, or intentional feature).
You can buy laptops with it installed, is what I meant to say.
I'd argue it's similar to the debate over whether HTTPS is needed for most sites (it is and there's little excuse not to at this point). It also matches what is expected from other devices like phones that are encrypted by default now.
As for data loss: for Home users at least, a recovery key is backed up to the user's Microsoft account.