Re: Translation follows...
* Neither. Just plain Windows Update.
* 7 Pro.
* AD user with local administrative privileges.
-A.
We know Microsoft can be pretty secretive about its spyware-as-a-service Windows 10, but Redmond has now taken its furtiveness to a whole new level. You may or may not know that its disk encryption tool Bitlocker has suddenly stopped working in the latest version of its operating system for a number of people. Bitlocker …
@captain veg
Ah! I see now. Thank you very much for taking the time to reply.
Well, you're right that the update should still not show up, based on the KB. So I would bring that to Microsoft's attention, if I were you.
As for your setup, well, it's not how I would do it. And it's probably not keeping with best practices. But I assume you have a good reason for doing it that way. After all, people don't deploy configurations that result in more work without a damned good reason!
What I would suggest is maybe a GPO to apply the required registry values to those machines you want to block GWX on. Seems simplest, and should work.
I've seen such many times: you ask them (any large organization) a precise question, and
1. they don't reply
2. upon 2nd, 3rd, etc. e-mail, they send a copy-and-paste reply, at best vaguely related to the topic, signed by some David, Peter or Mary; more often than not, unsigned ("company policy", I bet)
3. if you still haven't got the clue (you clueless idiot) and send more emails asking, begging, demanding an answer, or merely frothing - you get the same copy and paste reply, until
4. you give up
5. SUCCESS!!! aka "we pride ourselves in providing active and meaningful feedback platform to our valued customers".
If it got through to a hell-desk - well, one worth its salt, they'd get a reasonable answer. Maybe even one regarded as a tad too honest by the hell-deskers' employers*. It's if the response comes from the marketeers that you're more likely to get that kind of dross.
*I resemble this remark.
This is an annoying issue for those who use FDE, yes.
But installing RTM, enabling BitLocker and then doing an in-place upgrade to 10586 works fine. No need for any gradual updating. I know, as I just did this a few days ago.
BTW: how does one turn on the equivalent functionality (FDE using HW encryption on SED) on Linux, please?
"So, if I understand you correctly, you believe that it is OK that MicroSoft dropped the ball on this one because no other OS offers the same features?"
Fascinating! How did you arrive at that conclusion, please?
If you are referring to my asking about Linux, then I am afraid you are very much off base: I use Linux, and I would just like to know if I can use the hardware encryption capability of SEDs with Linux, is all. Do not read too deeply into what is really a very shallow question: there's only the surface layer.
"BTW: how does one turn on the equivalent functionality (FDE using HW encryption on SED) on Linux, please?"
If you are a numpty like me then you 'Ask Google',
https://www.google.co.uk/search?q=linux+encrypt+home+after+install&btnG=Search&gbv=1
and find something like this,
http://www.howtogeek.com/116032/how-to-encrypt-your-home-folder-after-installing-ubuntu/?PageSpeed=noscript
Which happens to be the first on-page link. I really wish the Linux community would do something about this sort of shit because personally speaking I'd rather have to dig down past 10 pages of results before finding something that might do the job in Windows without having to install 24 toolbars, a pile of adware and upgrading to a different browser and then being repeatedly asked to sign up for the proper version because the evaluation copy is about to run out.
Of course that is not 'FDE', just the appropriate Home Folder and Swap. It may still be possible to do FDE after install and I get the impression that it is certainly the case that the option is available during an initial install.
Not sure whether it is 'Hardware Encryption'. Otherwise sorry if it was not the answer you were looking for.
Thank you. I already use this on my Linux boxen.
But it's not FDE. And it's not using the SED's HW encryption.
The attraction of using HW encryption is that it has no performance impact, so it's very useful for system drive encryption -- or for any other drives that will see a lot of traffic.
"But it's not FDE. And it's not using the SED's HW encryption."
Muh-Huh. I kind of thought it was not the answer you were looking for....
https://www.google.co.uk/search?q=%22Linux%22+SED+HW+encryption&btnG=Search&hl=en-GB&biw=&bih=&gbv=1
YMWV or you will run out of gas but a quick scan of those suggests SED HW Encryption is drive/bios specific such that if your drive does it and your bios/motherboard supports it then there will be a bit of extra pain involved before something happens.
---> Apparently it's free and you may need some later on if you try things out.
@WorBlux:
Thank you for the reply. Very interesting.
Looking at the documentation, I can see why the Linux zealots were reluctant to come forward, if this is the best Linux has to offer: it's not very user-friendly, is it?
But it's good to see that someone is working on this, at least. And it *is* an uncommon usage scenario, so it would be rather low priority for anyone -- be it Microsoft, or anyone else. Here's hoping it will reach a usable state, sometime soon.
"@WorBlux:
Thank you for the reply. Very interesting.
Looking at the documentation, I can see why the Linux zealots were reluctant to come forward, if this is the best Linux has to offer: it's not very user-friendly, is it?"
I might be inclined to turn into a 'Linux Zealot'. Then again, just before I do... given you have demonstrated your wealth of 'boxen' knowledge, perhaps you can sort things out for the rest of us.
Looking forward to trickling your sweet cum down the back of my throat. I like Real Cherry Flavour without the stones and if you skin your interface just right everyone will be putting their heads up to drink from your fountain.
Ah! Good question, actually.
An SED will optionally use a HW engine to encrypt all data written to it. But, what does that *really* mean? I mean, if the drive is completely encrypted, how do you boot from it? And where do you store the key? How, for that matter, do you pass the key to the decryption engine? Obviously you cannot store it on the drive itself! Etc., etc.
Microsoft's eDrive takes care of all this rather neatly and seamlessly, once its requirements are met. The only annoying thing, really, is the need to do a clean install of Windows to use it.
I am wondering if there's an equivalently painless process -- or a better one! -- for Linux, and I am hoping someone here will be able to help.
I expect implementations vary with distros. I haven't bothered with encryption on most of my machines. The Thinkpad I bought for travelling runs Qubes. Encryption via Fedora. "Fedora's default implementation of LUKS is AES 128 with a SHA256 hashing."
For what it's worth. I'm not bright enough to know anything about it, I just use it and move along.
is a disease, is it not? Why do you airheads continue to make Gates & Co. billionaires?
Those who love MS so much should follow on by taking whatever vaccines the Gates Foundation is forcing on poor inhabitants of India and Africa.
W10 is a disaster, but - MS have openly revealed how they have been operating secretly since the inception. They are contemptible, conniving scum who do anything they can to "capture" clients.
And they do that with the full cooperation (not requiring bribery) of hardware manufacturers, who load their crap into their products. They surreptitiously load software on older version Windows boxes forcing folk onto W10. At least with Apple, you know where the back door is.
A major complaint of those coming from Windows to Linux over the years has been "I can't play my games on Linux".
You "gamers" shouldn't complain about W10. Windows has always been crap. It is little different from the first version.
I had this long winded explanation about FDE, and how linux and windows aren't really that different in the implementation. Scrubbed it.
FDE at the disk requires that the disk and the BIOS both understand the idea, and the unlock key is either *hardware* (TPM) based or the BIOS knows how to ask the user for the key (sometimes both).
Bitlocker, however, doesn't encrypt the boot block, the bootloader partition of Windows. I follow the same standard on my Linux and LUKS installs. Neither the boot block nor the /boot partition is encrypted. After that, however, we have LUKS. On one laptop I have LUKS for all working partitions including the VMs I run on the laptop, and *they* have LUKS on their disks too.
The 'self encrypting drives' I've run into that do this silently *usually* are modified hardware TPM-based encryption and simply don't have valid data when you stuff them in another system. These are worse than useless in an enterprise.
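The layout described above (boot block and /boot in the clear, LUKS under everything else, VM images included) is easy to drift away from when partitions are added later. The following is an added example, not code from the thread, that walks `lsblk -J` output and reports which mountpoints actually sit on top of a dm-crypt device; it assumes the older single `mountpoint` column of util-linux, and the sample JSON is constructed, not captured from a real host.

```python
"""Audit which mounted filesystems sit on top of LUKS, from `lsblk -J` output."""
import json

# Constructed sample of `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT`, modelled on the
# layout described in the thread: plain /boot, LUKS underneath everything else,
# plus one data disk someone added later without encryption.
SAMPLE_LSBLK_JSON = """
{"blockdevices": [
  {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
    {"name": "sda2", "type": "part", "fstype": "ext4", "mountpoint": "/boot"},
    {"name": "sda3", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null, "children": [
      {"name": "cryptroot", "type": "crypt", "fstype": "LVM2_member", "mountpoint": null, "children": [
        {"name": "vg-root", "type": "lvm", "fstype": "ext4", "mountpoint": "/"},
        {"name": "vg-home", "type": "lvm", "fstype": "ext4", "mountpoint": "/home"},
        {"name": "vg-vms", "type": "lvm", "fstype": "xfs", "mountpoint": "/var/lib/libvirt/images"}
      ]}
    ]}
  ]},
  {"name": "sdb", "type": "disk", "fstype": null, "mountpoint": null, "children": [
    {"name": "sdb1", "type": "part", "fstype": "ext4", "mountpoint": "/data"}
  ]}
]}
"""

# Paths the thread's own policy leaves in the clear: the bootloader has to read them.
PLAIN_ALLOWED = {"/boot", "/boot/efi"}


def mount_encryption(lsblk_json):
    """Return {mountpoint: bool}; True when the filesystem lives under a dm-crypt device."""
    result = {}

    def walk(dev, under_crypt):
        # Encryption status is inherited: anything stacked on a 'crypt' node is encrypted.
        under_crypt = under_crypt or dev.get("type") == "crypt"
        if dev.get("mountpoint"):
            result[dev["mountpoint"]] = under_crypt
        for child in dev.get("children", []):
            walk(child, under_crypt)

    for dev in json.loads(lsblk_json)["blockdevices"]:
        walk(dev, False)
    return result


def unencrypted_violations(lsblk_json, allowed=PLAIN_ALLOWED):
    """Mountpoints holding data in the clear that are not on the allow-list."""
    status = mount_encryption(lsblk_json)
    return sorted(m for m, enc in status.items() if not enc and m not in allowed)


if __name__ == "__main__":
    # On a real host replace SAMPLE_LSBLK_JSON with the output of:
    #   lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT
    for mp, enc in sorted(mount_encryption(SAMPLE_LSBLK_JSON).items()):
        print(f"{mp:28} {'LUKS' if enc else 'PLAIN'}")
    print("unexpected plaintext mounts:", unencrypted_violations(SAMPLE_LSBLK_JSON))
```

Run against the sample, only `/data` is flagged; `/boot` and `/boot/efi` are plain but allowed, and the VM image store is correctly seen as encrypted because it sits on the LVM volume inside the LUKS container.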
I can speak about Windows somewhat usefully, as I have been using eDrive for a while, now:
* Can be done without TPM. You just need to supply the key on a UFD. Which seems stupid, if you ask me: store the key on the boot partition encrypted with a user-supplied password, FFS! Just as Linux does it (I think).
* BitLocker is still BitLocker. IE, recovery agents in AD, etc., if you want them. So very applicable in an enterprise environment. If AD is compromised, well, that's a resume-generating event, one way or another, isn't it...? So it's nothing one needs to worry about, IMO. ;-)
Here's some more info, if you'd care to read about it. I promise it's all fascinating stuff, for the slightly-paranoid:
* What SEDs are: http://arstechnica.com/civis/viewtopic.php?f=11&t=1243475
* How it's done on Windows: https://helgeklein.com/blog/2015/01/how-to-enable-bitlocker-hardware-encryption-with-ssd/
* Someone tinkering with stuff on Gentoo: https://forums.gentoo.org/viewtopic-t-1001902.html
It's so encrypted that it can't be decrypted by anything - even the owner.
A likely problem is that the Beast hasn't worked out a back door API deal with the self encrypting drive makers yet, and so can't uphold their commitments to various TLAs to keep that back door open. People might start encrypting stuff on their PCs that Microsoft can't grant access to recover.
Nice theory.
Except:
* BitLocker still works. And still does FDE, just not leveraging the HW of SEDs.
* Even that works, if you upgrade from Windows 10 RTM after already enabling hardware encryption. Just make sure you never turn it off, because you wouldn't be able to turn it back on!
Anyway, it seems like a minor bug, in the larger scheme of things. Hopefully it will be fixed soon because it's bloody annoying. But probably not very high on the list of priorities right now. I mean, how many people are impacted, would you imagine...? I'd guess it's not a high percentage of users!
Anyone at NSA or GCHQ will tell you that the only encryption worth its salt is the one that only they can break. Who, pray tell, do you think provided the new encryption algorithms? So much cheaper for Microsoft to just use an existing system than develop their own. Got to keep an eye on that bottom line, don't ya know.
Knowing MS, however, we might expect the NSA encryption to end up in Europe and the GCHQ version to end up in North America. Which, of course, will require an update to the ORtRTAE (One Ring to Rule Them All Encryption).
Of course, the immediate fix is to copy your data from the encrypted drive to an unencrypted drive or MS encrypted drive so "they", whoever that might be, can have access to it.
Fix? This IS The Fix
"Anyone at NSA or GCHQ will tell you that the only encryption worth its salt is the one that only they can break." …. thx1138v2
That belief is the ongoing problem causing all manner of escalating woes and deepening difficulties, thx1138v2, for the only encryption worth its salt is the one which cannot be broken, surely. Everything and anything else not supplying that, and purporting to be encryption, is vapourware and a conspiracy and fraud being perpetrated by colluding parties on the innocent and gullible, guilty and aware alike.
And yes, that emboldened headline question is correctly written.
I keep all of my work and personal data on a Truecrypt volume on a separate hdd to the OS (W7). As far as I can see this covers my obligations under the data protection acts in the UK and I can display due diligence if there is any data relating to my clients that is leaked online or whatever.
I know it has been shelved and that the tinfoil hat wearers are all concerned about it but for my purposes it does the job. Also means that none of my data is stored on any servers outside the UK and I am not held ransom by the usual mega corporations when they decide to change or bugger up their systems.
Any UK government agency that wants to see what I have got on my disk only needs to ask, any agency outside the UK can go fuck itself, I am not in their jurisdiction.
Edit: Also forgot to add (before I get castigated by a lot of people who presume to know my affairs better than me) that all of this data is backed up on separate external drives, same encryption, at least 1 jumbo jet width apart. Anything bigger than that which lands on my house will make any back up redundant anyway!
Seems good to me. And TrueCrypt has been very thoroughly audited.
On the other hand, if your main concern is displaying due diligence in a court of law if you ever have to, you might want to consider if you want to go through the extra effort of defending your decision to continue using a software package after its unknown developers very publicly pulled it, saying that it is not secure...
I mean, you and I know it's secure; but will the judge...?
"On the other hand, if your main concern is displaying due diligence in a court of law if you ever have to, you might want to consider if you want to go through the extra effort of defending your decision to continue using a software package after its unknown developers very publicly pulled it, saying that it is not secure...
I mean, you and I know it's secure; but will the judge...?"
Veracrypt fixes the issues with Truecrypt and can also read and write to Truecrypt encrypted partitions as well!
"Windows is the only platform with a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection. Our standard policy is to provide solutions via our current Update Tuesday schedule"
Slurp is doing the usual suspect buzzword bingo. How many layers of encryption are there in the quote? Now if the NSA would earn its keep.