Microsoft encrypts explanation of borked Windows 10 encryption

We know Microsoft can be pretty secretive about its spyware-as-a-service Windows 10, but Redmond has now taken its furtiveness to a whole new level. You may or may not know that its disk encryption tool Bitlocker has suddenly stopped working in the latest version of its operating system for a number of people. Bitlocker …

          1. captain veg

            Re: Translation follows...

            * Neither. Just plain Windows Update.

            * 7 Pro.

            * AD user with local administrative privileges.

            -A.

            1. RIBrsiq

              Re: Translation follows...

              @captain veg

              Ah! I see now. Thank you very much for taking the time to reply.

              Well, you're right that the update should still not show up, based on the KB. So I would bring that to Microsoft's attention, if I were you.

              As for your setup, well, it's not how I would do it. And it's probably not keeping with best practices. But I assume you have a good reason for doing it that way. After all, people don't deploy configurations that result in more work without a damned good reason!

              What I would suggest is maybe a GPO to apply the required registry values to those machines you want to block GWX on. Seems simplest, and should work.

      1. Frank Bitterlich

        Re: Translation follows...

        Sure, because as we all know, posting instructions on how to tinker with your registry so that the nagging stops into a large knowledgebase, is way better than to just add a "No, thanks, leave me alone"-Button to the nagware.

    1. oldcoder

      Re: Translation follows...

      And we won't tell you what was "fixed" either...

  1. Anonymous Coward

    PLA Unit 61398 calling...

    All your disk-drive encryption keys are belong to us

  2. jake Silver badge

    This is a good example of why ...

    ... I no longer use any systems delivered by marketing instead of engineering.

    1. Preston Munchensonton

      Re: This is a good example of why ...

      Bloody hell. So El Reg has upgraded from complete piss to propellerheads?

  3. frank ly

    Interpretation?

    "... a customer commitment to investigate reported security issues ..."

    Obviously, the customer has to investigate reported security issues themselves.

  4. tempemeaty

    Full Tactical Facepalm engaged...

    Marketing double speak is the new encryption?

    HAHAHAHAHA....

  5. Anonymous Coward

    perfectly reasonable answer

    I've seen such many times: you ask them (any large organization) a precise question, and

    1. they don't reply

    2. upon 2nd, 3rd, etc. e-mail, they send a copy-and-paste reply, at best vaguely related to the topic, signed by some David, Peter or Mary, more often than not, unsigned ("company policy", I bet)

    3. if you still haven't got the clue (you clueless idiot) and send more emails asking, begging, demanding an answer, or merely frothing - you get the same copy and paste reply, until

    4. you give up

    5. SUCCESS!!! aka "we pride ourselves in providing active and meaningful feedback platform to our valued customers".

    1. Captain Badmouth

      Re: perfectly reasonable answer

      "signed by some David, Peter or Mary"

      Peter, Paul and Mary, shirley?

      Singing "Little boxes, made of Ticky-Tacky..."

  6. Dr. Mouse Silver badge

    Decrypted plaintext...

    "Windows 10 is the best! You should use it!! We fix broken things on Tuesdays! There are ghosts here..."

    Obligatory xkcds:

    https://xkcd.com/1293/

    https://xkcd.com/1032/

  7. Doctor Syntax Silver badge

    Simple explanation

    They put the query through to the hell-desk.

    1. Esme

      Re: Simple explanation

      If it got through to a hell-desk - well, one worth its salt, they'd get a reasonable answer. Maybe even one regarded as a tad too honest by the hell-deskers' employers*. It's if the response comes from the marketeers you're more likely to get that kind of dross.

      *I resemble this remark.

  8. Nissemus

    You can tell the statement is written by a marketing buffoon because it includes the word "impact".

    On a related note, I've had to do a system restore today because this week's Windows 10 update screwed up my PC.

    1. Anonymous Coward

      On a related note, I've had to do a system restore today because this week's Windows 10 update screwed up my PC.

      Don't worry, it'll just download the screwy update and fuck your machine over a second time for you.

      1. I. Aproveofitspendingonspecificprojects

        I think the trick is not to load a Windows that isn't a prime number. Or follow a manfommars. But I am not sure how that last one goes.

    2. Adam 1

      Impact is a good word. It gets me out of figuring out whether I am trying to write affect or effect.

    3. anonymous boring coward Silver badge

      I agree with your assessment regarding the word "impact", but I think I noticed one or two other clues as well.

  9. Flash.Gordon

    Excellent picture

    No comment on the story but the picture made me laugh!

  10. Youngdog

    No FDE - no Win10

    If you think I spent those extra pennies on an Evo Pro just to use M$ software encryption you can jog on

    1. Youngdog

      Re: No FDE - no Win10

      Wait sorry - just re-read the article. If I've FDEd using something other than BitLocker does it affect BL functionality for other removable disks?

  11. RIBrsiq

    This is an annoying issue for those who use FDE, yes.

    But installing RTM, enabling BitLocker and then doing an in-place upgrade to 10586 works fine. No need for any gradual updating. I know, as I just did this a few days ago.

    BTW: how does one turn on the equivalent functionality (FDE using HW encryption on SED) on Linux, please?

    1. The Travelling Dangleberries

      So, if I understand you correctly, you believe that it is OK that MicroSoft dropped the ball on this one because no other OS offers the same features?

      1. RIBrsiq

        "So, if I understand you correctly, you believe that it is OK that MicroSoft dropped the ball on this one because no other OS offers the same features?"

        Fascinating! How did you arrive at that conclusion, please?

        If you are referring to my asking about Linux, then I am afraid you are very much off base: I use Linux, and I would just like to know if I can use the hardware encryption capability of SEDs with Linux, is all. Do not read too deeply into what is really a very shallow question: there's only the surface layer.

    2. Camilla Smythe

      BTW: how does one turn on the equivalent functionality (FDE using HW encryption on SED) on Linux, please?

      If you are a numpty like me then you 'Ask Google',

      https://www.google.co.uk/search?q=linux+encrypt+home+after+install&btnG=Search&gbv=1

      and find something like this,

      http://www.howtogeek.com/116032/how-to-encrypt-your-home-folder-after-installing-ubuntu/?PageSpeed=noscript

      Which happens to be the first on page link. I really wish the Linux community would do something about this sort of shit because personally speaking I'd rather have to dig down past 10 pages of results before finding something that might do the job in Windows without having to install 24 toolbars, a pile of adware and upgrading to a different browser and then being repeatedly asked to sign up for the proper version because the evaluation copy is about to run out.

      Of course that is not 'FDE', just the appropriate Home Folder and Swap. It may still be possible to do FDE after install and I get the impression that it is certainly the case that the option is available during an initial install.

      Not sure whether it is 'Hardware Encryption'. Otherwise sorry if it was not the answer you were looking for.

      1. RIBrsiq

        Thank you. I already use this on my Linux boxen.

        But it's not FDE. And it's not using the SED's HW encryption.

        The attraction of using HW encryption is that it has no performance impact, so it's very useful for system drive encryption -- or for any other drives that will see a lot of traffic.

        1. Camilla Smythe

          But it's not FDE. And it's not using the SED's HW encryption.

          Muh-Huh. I kind of thought it was not the answer you were looking for....

          https://www.google.co.uk/search?q=%22Linux%22+SED+HW+encryption&btnG=Search&hl=en-GB&biw=&bih=&gbv=1

          YMWV or you will run out of gas but a quick scan of those suggests SED HW Encryption is drive/bios specific such that if your drive does it and your bios/motherboard supports it then there will be a bit of extra pain involved before something happens.

          ---> Apparently it's free and you may need some later on if you try things out.

    3. WorBlux

      Re: RIBsiq

      "BTW: how does one turn on the equivalent functionality (FDE using HW encryption on SED) on Linux, please?"

      msed by r0m30

      1. RIBrsiq

        Re: RIBsiq

        @WorBlux:

        Thank you for the reply. Very interesting.

        Looking at the documentation, I can see why the Linux zealots were reluctant to come forward, if this is the best Linux has to offer: it's not very user-friendly, is it?

        But it's good to see that someone is working on this, at least. And it *is* an uncommon usage scenario, so it would be rather low priority for anyone -- be it Microsoft, or anyone else. Here's hoping it will reach a usable state, sometime soon.

        1. Camilla Smythe

          Re: RIBsiq

          @WorBlux:

          Thank you for the reply. Very interesting.

          Looking at the documentation, I can see why the Linux zealots were reluctant to come forward, if this is the best Linux has to offer: it's not very user-friendly, is it?

          I might be inclined to turn into a 'Linux Zealot'. Then again, just before I do... given you have demonstrated your wealth of 'boxen' knowledge, perhaps you can sort things out for the rest of us.

          Looking forward to trickling your sweet cum down the back of my throat. I like Real Cherry Flavour without the stones and if you skin your interface just right everyone will be putting their heads up to drink from your fountain.

          1. RIBrsiq

            Re: RIBsiq

            @Camilla Smythe:

            You seem to be writing English, but the end result unfortunately does not mean anything to me.

            In any case, thank you for trying to help, earlier.

            1. Camilla Smythe

              Re: RIBsiq

              Thanks. Dilbert 1995-2005 appears to be working. I shall continue reading through to the present time in an effort to find your answer for you.

  12. kbb

    Not sure I follow

    If the drive is self-encrypting, what does enabling BitLocker give you (if it worked)?

    1. RIBrsiq

      Re: Not sure I follow

      Ah! Good question, actually.

      An SED will optionally use a HW engine to encrypt all data written to it. But, what does that *really* mean? I mean, if the drive is completely encrypted, how do you boot from it? And where do you store the key? How, for that matter, do you pass the key to the decryption engine? Obviously you cannot store it on the drive itself! Etc., etc.

      Microsoft's eDrive takes care of all this rather neatly and seamlessly, once its requirements are met. The only annoying thing, really, is the need to do a clean install of Windows to use it.

      I am wondering if there's an equivalently painless process -- or a better one! -- for Linux, and I am hoping someone here will be able to help.

      1. Palpy

        Re: Linux FDE

        I expect implementations vary with distros. I haven't bothered with encryption on most of my machines. The Thinkpad I bought for travelling runs Qubes. Encryption via Fedora. "Fedora's default implementation of LUKS is AES 128 with a SHA256 hashing."

        For what it's worth. I'm not bright enough to know anything about it, I just use it and move along.

  13. koolholio

    All in the implementation of the crypto

    When adding 256-bit XTS-AES encryption, I note XTS is "a block cipher mode of operation"

    Can you confirm it is not DMA port related?

  14. Sil

    I did not have this issue but I didn't have to do a clean install.

    Instead, I was notified the new Bitlocker was incompatible with the previous ones, so I had to unencrypt the SSD before reencrypting it with the newest version.

  15. Reg T.

    MS

    is a disease, is it not? Why do you airheads continue to make Gates & Co. billionaires?

    Those who love MS so much should follow on by taking whatever vaccines the Gates Foundation is forcing on poor inhabitants of India and Africa.

    W10 is a disaster, but - MS have openly revealed how they have been operating secretly since the inception. They are contemptible, conniving scum who do anything they can to "capture" clients.

    And they do that with the full cooperation (not requiring bribery) of hardware manufacturers, who load their crap into their products. They surreptitiously load software on older version Windows boxes forcing folk onto W10. At least with Apple, you know where the back door is.

    A major complaint of those coming from Windows to Linux over the years has been "I can't play my games on Linux".

    You "gamers" shouldn't complain about W10. Windows has always been crap. It is little different from the first version.

  16. Alistair

    on disk encryption and (any os)

    I had this long-winded explanation about FDE, and how Linux and Windows aren't really that different in the implementation. Scrubbed it.

    FDE at the disk requires that the disk and the BIOS both understand the idea, and the unlock key is either *hardware* (TPM) based or the bios knows how to ask the user for the key (sometimes both).

    BitLocker, however, doesn't encrypt the boot block, the bootloader partition of Windows. I follow the same standard on my Linux and LUKS installs. Neither the boot block nor the /boot partition is encrypted. After that however, we have LUKS. On one laptop I have LUKS for all working partitions including the VMs I run on the laptop, and *they* have LUKS on their disks too.

    The 'self encrypting drives' I've run into that do this silently *usually* are modified hardware TPM based encryption and simply don't have valid data when you stuff them in another system. These are worse than useless in an enterprise.
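As an added example (not code from the thread or from any of the commenters), here is a small Python check for the layout described in the post above: the /boot partition stays in the clear, every other working partition carries a LUKS container. It parses the LUKS1 binary header (magic, version, cipher, hash, key size and the eight 48-byte key slots starting at byte 208, as laid out in the published LUKS1 on-disk format) and recognises a LUKS2 header by its magic and version. The header bytes used here are constructed inline; the `audit_layout` policy and the `/boot` exemption are assumptions modelled on the post.

```python
"""Detect LUKS containers from raw partition headers and audit a mount layout.

Offsets follow the published LUKS1 on-disk format; sample headers are
constructed here rather than read from a real device.
"""
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"          # primary header magic, LUKS1 and LUKS2
LUKS1_KEY_ENABLED = 0x00AC71F3        # LUKS1 key-slot "active" marker
LUKS1_KEY_DISABLED = 0x0000DEAD       # LUKS1 key-slot "inactive" marker
LUKS1_KEYSLOT_OFFSET = 208            # first key slot follows the 40-byte UUID
LUKS1_KEYSLOT_SIZE = 48
LUKS1_KEYSLOTS = 8
LUKS1_PHDR_SIZE = 208 + LUKS1_KEYSLOTS * LUKS1_KEYSLOT_SIZE  # 592 bytes


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width ASCII field."""
    return raw.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def inspect_header(blob: bytes) -> dict:
    """Classify the first bytes of a partition image: plain, LUKS1 or LUKS2."""
    if len(blob) < 8 or blob[:6] != LUKS_MAGIC:
        return {"luks": False}
    version = struct.unpack(">H", blob[6:8])[0]
    if version == 2:
        # LUKS2 binary header: hdr_size, seqid, then a 48-byte label.
        # Key-slot details live in the JSON area that follows (not parsed).
        hdr_size, seqid = struct.unpack(">QQ", blob[8:24])
        return {"luks": True, "version": 2, "header_size": hdr_size,
                "seqid": seqid, "label": _cstr(blob[24:72])}
    if version != 1:
        return {"luks": True, "version": version, "error": "unknown version"}
    cipher = _cstr(blob[8:40])
    mode = _cstr(blob[40:72])
    hash_spec = _cstr(blob[72:104])
    payload_offset, key_bytes = struct.unpack(">II", blob[104:112])
    active = []
    for slot in range(LUKS1_KEYSLOTS):
        off = LUKS1_KEYSLOT_OFFSET + slot * LUKS1_KEYSLOT_SIZE
        state, iterations = struct.unpack(">II", blob[off:off + 8])
        if state == LUKS1_KEY_ENABLED:
            active.append({"slot": slot, "iterations": iterations})
    return {"luks": True, "version": 1, "cipher": f"{cipher}-{mode}",
            "hash": hash_spec, "key_bits": key_bytes * 8,
            "payload_offset_sectors": payload_offset,
            "active_keyslots": active}


def build_luks1_header(cipher=b"aes", mode=b"xts-plain64", hash_spec=b"sha256",
                       key_bytes=64, active_slots=(0,), iterations=100000):
    """Constructed LUKS1 header for testing; digest/salt/UUID fields are zeroed."""
    hdr = bytearray(LUKS1_PHDR_SIZE)
    hdr[0:6] = LUKS_MAGIC
    struct.pack_into(">H", hdr, 6, 1)
    hdr[8:8 + len(cipher)] = cipher
    hdr[40:40 + len(mode)] = mode
    hdr[72:72 + len(hash_spec)] = hash_spec
    struct.pack_into(">II", hdr, 104, 4096, key_bytes)  # payload offset, key size
    for slot in range(LUKS1_KEYSLOTS):
        off = LUKS1_KEYSLOT_OFFSET + slot * LUKS1_KEYSLOT_SIZE
        enabled = slot in active_slots
        struct.pack_into(">II", hdr, off,
                         LUKS1_KEY_ENABLED if enabled else LUKS1_KEY_DISABLED,
                         iterations if enabled else 0)
    return bytes(hdr)


def audit_layout(partitions: dict) -> list:
    """Policy assumed from the post: /boot may be plain, all other mount
    points must be LUKS containers with at least one usable key slot."""
    findings = []
    for mount, blob in partitions.items():
        if mount == "/boot":
            continue  # bootloader partition is expected to be unencrypted
        info = inspect_header(blob)
        if not info["luks"]:
            findings.append(f"{mount}: not a LUKS container")
        elif info.get("version") == 1 and not info["active_keyslots"]:
            findings.append(f"{mount}: LUKS1 header with no active key slot")
    return findings


if __name__ == "__main__":
    # Constructed layout: plain /boot, LUKS1 root, plain /home (a finding).
    layout = {"/boot": b"\x00" * 512,
              "/": build_luks1_header(active_slots=(0, 3)),
              "/home": b"\x00" * 512}
    print(inspect_header(layout["/"]))
    print(audit_layout(layout))
```

On a real system the same functions would be fed the first few kilobytes of each partition (for example, by reading the block device with `open(dev, "rb")` as root); the audit only looks at headers, so it confirms the container exists and has a usable key slot, not that the passphrase is strong.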

    1. RIBrsiq

      Re: on disk encryption and (any os)

      I can speak about Windows somewhat usefully, as I have been using eDrive for a while, now:

      * Can be done without TPM. You just need to supply the key on a UFD. Which seems stupid, if you ask me: store the key on the boot partition encrypted with a user-supplied password, FFS! Just as Linux does it (I think).

      * BitLocker is still BitLocker. I.e., recovery agents in AD, etc., if you want them. So very applicable in an enterprise environment. If AD is compromised, well, that's a resume-generating event, one way or another, isn't it...? So it's nothing one needs to worry about, IMO. ;-)

      Here's some more info, if you'd care to read about it. I promise it's all fascinating stuff, for the slightly-paranoid:

      * What SED are: http://arstechnica.com/civis/viewtopic.php?f=11&t=1243475

      * How it's done on Windows: https://helgeklein.com/blog/2015/01/how-to-enable-bitlocker-hardware-encryption-with-ssd/

      * Someone tinkering with stuff on Gentoo: https://forums.gentoo.org/viewtopic-t-1001902.html

  17. Mikel

    One way encryption

    It's so encrypted that it can't be decrypted by anything - even the owner.

    A likely problem is that the Beast hasn't worked out a back door API deal with the self encrypting drive makers yet, and so can't uphold their commitments to various TLAs to keep that back door open. People might start encrypting stuff on their PCs that Microsoft can't grant access to recover.

    1. RIBrsiq

      Re: One way encryption

      Nice theory.

      Except:

      * BitLocker still works. And still does FDE, just not leveraging the HW of SEDs.

      * Even that works, if you upgrade from Windows 10 RTM after already enabling hardware encryption. Just make sure you never turn it off, because you wouldn't be able to turn it back on!

      Anyway, it seems like a minor bug, in the larger scheme of things. Hopefully it will be fixed soon because it's bloody annoying. But probably not very high on the list of priorities right now. I mean, how many people are impacted, would you imagine...? I'd guess it's not a high percentage of users!

  18. thx1138v2

    Fix? This IS The Fix

    Anyone at NSA or GCHQ will tell you that the only encryption worth its salt is the one that only they can break. Who, pray tell, do you think provided the new encryption algorithms? So much cheaper for Microsoft to just use an existing system than develop their own. Got to keep an eye on that bottom line, don't ya know.

    Knowing MS, however, we might expect the NSA encryption to end up in Europe and the GCHQ version to end up in North America. Which, of course, will require an update to the ORtRTAE (One Ring to Rule Them All Encryption).

    Of course, the immediate fix is to copy your data from the encrypted drive to an unencrypted drive or MS encrypted drive so "they", whoever that might be, can have access to it.

    1. amanfromMars 1 Silver badge

      Re: Fix? And when is IS The Fix, an Exploitable Flaw and Abiding Zeroday Vulnerability?

      Fix? This IS The Fix

      Anyone at NSA or GCHQ will tell you that the only encryption worth its salt is the one that only they can break. …. thx1138v2

      That belief is the ongoing problem causing all manner of escalating woes and deepening difficulties, thx1138v2, for the only encryption worth its salt is the one which cannot be broken, surely. Everything and anything else not supplying that, and purporting to be encryption, is vapourware and a conspiracy and fraud being perpetrated by colluding parties on the innocent and gullible, guilty and aware alike.

      And yes, that emboldened headline question is correctly written.

  19. Sub 20 Pilot

    I keep all of my work and personal data on a Truecrypt volume on a separate hdd to the OS (W7). As far as I can see this covers my obligations under the data protection acts in the UK and I can display due diligence if there is any data relating to my clients that is leaked online or whatever.

    I know it has been shelved and that the tinfoil hat wearers are all concerned about it but for my purposes it does the job. Also means that none of my data is stored on any servers outside the UK and I am not held ransom by the usual mega corporations when they decide to change or bugger up their systems.

    Any UK government agency that wants to see what I have got on my disk only needs to ask, any agency outside the UK can go fuck itself, I am not in their jurisdiction.

    Edit: Also forgot to add (before I get castigated by a lot of people who presume to know my affairs better than me) that all of this data is backed up on separate external drives, same encryption, at least 1 jumbo jet width apart. Anything bigger than that which lands on my house will make any back up redundant anyway!

    1. RIBrsiq

      Seems good to me. And TrueCrypt has been very thoroughly audited.

      On the other hand, if your main concern is displaying due diligence in a court of law if you ever have to, you might want to consider if you want to go through the extra effort of defending your decision to continue using a software package after its unknown developers very publicly pulled it, saying that it is not secure...

      I mean, you and I know it's secure; but will the judge...?

      1. MrTuK

        Seems good to me. And TrueCrypt has been very thoroughly audited.

        On the other hand, if your main concern is displaying due diligence in a court of law if you ever have to, you might want to consider if you want to go through the extra effort of defending your decision to continue using a software package after its unknown developers very publicly pulled it, saying that it is not secure...

        I mean, you and I know it's secure; but will the judge...?

        Veracrypt fixes the issues with Truecrypt and can also read and write to Truecrypt encrypted partitions as well !

  20. John Tserkezis

    "but later reinstating the files after fixing a privacy bug."

    Yes, the privacy bug offered too much privacy for the user. So they fixed it.

  21. a_yank_lurker Silver badge

    Buzzword Bingo

    "Windows is the only platform with a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection. Our standard policy is to provide solutions via our current Update Tuesday schedule"

    Slurp is doing the usual suspect buzzword bingo. How many layers of encryption are there in the quote? Now if the NSA would earn its keep.

Biting the hand that feeds IT © 1998–2020