back to article Microsoft encrypts explanation of borked Windows 10 encryption

We know Microsoft can be pretty secretive about its spyware-as-a-service Windows 10, but Redmond has now taken its furtiveness to a whole new level. You may or may not know that its disk encryption tool Bitlocker has suddenly stopped working in the latest version of its operating system for a number of people. Bitlocker …

  1. Mark 85 Silver badge
    Trollface

    We used to beat MS up for bad security

    And now they're encrypting everything... sort of. Or maybe it's just the explanations and what's actually in their updates.

    1. Anonymous Coward
      Anonymous Coward

      Re: We used to beat MS up for bad security

      Now why would I want to use bitlocker on my self encrypting SSD?

      1. oldcoder

        Re: We used to beat MS up for bad security

        For protection, of course.

        If you don't trust the ability of the SSD encryption to hold up under hardware attacks (they won't - the key is on the device, so hardware attacks can extract the key), then you layer an additional encryption on top.

  2. Richard 12 Silver badge

    Decrypted :

    **** off, we don't care.

    1. Richard Jones 1
      WTF?

      Re: Decrypted :

      Nearly right corrected version;

      **** we don't know, we only wrote the stuff.

      They have brought back another unwanted feature for me, a refusal to hibernate or sleep.

      1. Pascal Monett Silver badge
        Coat

        That response reminds me of the old joke of guys lost in a balloon in the fog . . .

        * link leads to joke in plane, largely less credible but the gist is the same

      2. Stoneshop Silver badge
        WTF?

        Re: Decrypted :

        They have brought back another unwanted feature for me, a refusal to hibernate or sleep.

        You're losing sleep over W10's lack of encryption, or its level of spying? There's a solution for that.

    2. Christian Berger

      Re: Decrypted :

      Decrypted: "We have no ****ing idea what happened as Windows is even more complex than gnome with systemd, but as we find out what department it it that messed up, we need to say something."

      1. Anonymous Coward
        Anonymous Coward

        Re: Decrypted :

        That's a little harsh, don't you think? At least Windows isn't as *needlessly* complex and Gnome and systemd, is it?

      2. I. Aproveofitspendingonspecificprojects

        Re: Decrypted :

        > Decrypted: "We have no ****ing idea what happened as Windows is even more complex than gnome with systemd, but as we find out what department it it that messed up, we need to say something."

        Thanks Bill that's a lot clearer.

        Pardon?

    3. dotdavid

      Re: Decrypted :

      > **** off, we don't care.

      More like "You have reached the Microsoft Press Relations department and don't quite understand your question. Please have this complimentary pre-approved canned statement"

  3. Anonymous Coward
    Anonymous Coward

    When is someone going to file a UK Class Action against M$

    under the Computer Misuse Act?

    1. Anonymous Coward
      Anonymous Coward

      Re: When is someone going to file a UK Class Action against M$

      Can class actions be brought in the UK for anything other than competition cases? Clue: no.

      1. Anonymous Coward
        Anonymous Coward

        Re: When is someone going to file a UK Class Action against M$

        Not True. The NEW consumer regulation allow for something LIKE a CLA. Im not entirely familiar with the ins and outs..

        1. Anonymous Coward
          Anonymous Coward

          Re: When is someone going to file a UK Class Action against M$

          Not True. The NEW consumer regulation allow for something LIKE a CLA. Im not entirely familiar with the ins and outs..

          Perhaps you should become familiar with those little details, then, because the change you're referring to is restricted to competition cases. If you Google it you'll find plenty of law firms' web pages summarising the scope of the change.

        2. Bluto Nash
          Trollface

          Re: When is someone going to file a UK Class Action against M$

          Im not entirely familiar with the ins and outs..

          This is Microsoft - it likely just means you're getting screwed again.

        3. Doctor Syntax Silver badge

          Re: When is someone going to file a UK Class Action against M$

          "The NEW consumer regulation allow for something LIKE a CLA. Im not entirely familiar with the ins and outs"

          Quite correct. You're not entirely familiar with the ins & outs. It's only available in limited circumstances related to competition.

          1. Anonymous Coward
            Anonymous Coward

            Re: When is someone going to file a UK Class Action against M$

            Yes, and like you, now I have seen the BBC clip, I know that too...

            I'm happy to have enlightened you.

        4. Michael Nidd

          Re: When is someone going to file a UK Class Action against M$

          And if TTIP goes through?

    2. msknight

      Re: When is someone going to file a UK Class Action against M$

      I still don't know why the M$'s malicious software removal tool doesn't de-install Windows.

      1. Dan 55 Silver badge
        Trollface

        Re: When is someone going to file a UK Class Action against M$

        Because it doesn't work properly either.

        1. Pompous Git Silver badge

          Re: When is someone going to file a UK Class Action against M$

          Great minds like a think :-)

    3. oldcoder

      Re: When is someone going to file a UK Class Action against M$

      You would have better luck using a "false and misleading advertising" claim.

      That way you get them no matter what ...

  4. kryptylomese

    "Windows is the only platform with a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection. Our standard policy is to provide solutions via our current Update Tuesday schedule"

    The above is bollocks! Red Hat are much better at preventing, investigating and fixing security issues as all of their customers will confirm! Microsoft should not make misleading recommendations like this in fact I would go as far as to say it should be illegal from a consumer perspective.

    1. Timmy B Silver badge

      Is Red Hat a "platform"? Like all of these kind of statements that don't actually specify technical details (therefore for IT professionals) this is simply salesman-speak and thus automatically rubbish and should be ignored.

      1. SolidSquid

        It's as much a "platform" as Windows is, offering a desktop environment as well as lending itself to a variety of types of server environments to provide services from. Arguably they even have an "app store" via their repositories

        Although you have a point that the term "platform" is vague as hell and isn't really good at explaining what it does

        1. Timmy B Silver badge

          Exactly what I mean about salesman-speak. Platform could mean anything. After all is Red Hat the platform or Linux? It all means diddly really.

          1. TRT Silver badge

            "customer commitment to investigate reported "

            Of course, given the vagaries of English, that could equally means the customers are the ones committed to investigating the reports...

        2. Stoneshop Silver badge

          Platform

          The most common usage around here is that it's the entirety of hardware, OS and "middleware" (urgh), ready to run the user applications.

          Us techies understand it as implying it's something rather shaky high up with a lot of scaffolding underneath.

          1. amanfromMars 1 Silver badge

            Re: Platform @Stoneshop .... and Novel Platforms with Greater Light Speeding AIRCraft*

            Howdy, Stoneshop,

            There are those under no delusions working systems administrations in virtual platforms of operation realising Windows is muchmore olde business planphorm than leading edge executive base vessel and useful enough for conditions in those sorts of fields in virtual team terrains.

            *Advanced IntelAIgent Research Craft

            1. I. Aproveofitspendingonspecificprojects

              Re: Platform @Stoneshop .... and Novel Platforms with Greater Light Speeding AIRCraft*

              I might have guessed he could make sentence of it:

              >Howdy, Stoneshop,

              There are those under no delusions working systems administrations in virtual platforms of operation realising Windows is muchmore olde business planphorm than leading edge executive base vessel and useful enough for conditions in those sorts of fields in virtual team terrains.

              *Advanced IntelAIgent Research Craft

              What I think you do is count the number of primes then miss every other word reading it on a prime time, schedule until all the letters get use up, then you throw away the computer you first thought of and boil your head until no longer something or other shortage...

              1. I. Aproveofitspendingonspecificprojects

                Re: Platform @Stoneshop .... and Novel Platforms with Greater Light Speeding AIRCraft*

                I can't believe there are seven minutes to make this post better

                It can't last.

    2. Anonymous Coward
      Anonymous Coward

      FTFY: "the platform with only customer commitment"

      1. Fihart

        Exactly. Have an upvote.

    3. captain veg

      Sure, Windows is a platform. The train has already left.

      -A.

    4. Anonymous Coward
      Anonymous Coward

      proactively update impacted devices

      Translation: We'll change things on your computer remotely whenever we feel like it. You already consented via EULA, so you have no recourse.

    5. Anonymous Coward
      Anonymous Coward

      "Red Hat are much better at preventing, investigating and fixing security issues as all of their customers will confirm"

      Why then do they have vastly more security patches than Windows - even when you restrict RedHat to comparable feature sets - and are on average slower to deliver them (more days at risk) for a product that costs considerably more?

      1. oldcoder

        Vastly more software.

        "more days at risk"? Windows still has vulnerabilities from 19 years ago.

        RH fixes are actually provided, and not called "features".

    6. I. Aproveofitspendingonspecificprojects

      > "Windows is the only platform with a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection. Our standard policy is to provide solutions via our current Update Tuesday =

      There is a Windows customer with a commitment that is the only platform and it has, or had to investigate security issues that were reported I am not sure what poactively impacted devices are but once a month on Tuesdays or as soon as possible. I forget something something. And anyway I use Linux so there...

  5. Camilla Smythe

    Silly Peeps

    How can Microsoft Slurp your data if you encrypt it?

    1. Steve Davies 3 Silver badge

      Re: Silly Peeps

      Don't be silly. They have the master keys to your encryption.

      Well that my impression until they come out and make a public statement along the lines that Apple has done w.r.t iPhone data encryption.

      But... even if they did just that how many here would believe them eh?

    2. Hans 1
      Facepalm

      Re: Silly Peeps

      An encrypted drive safeguards your data somewhat when your kit gets stolen, that is it. When windows is running, all required data on your drive is automatically decrypted, for each and every program that runs on your computer, including Microsoft's telemetry (or whatever they call their spyware this week) software.

      They don't need master keys, you other numpty, the data is decrypted on your system before it gets sent over a secure (I would hope for you, guyz) connection to mothership.

      Maybe you mean a Microsoft rep is sneaking into your house to slurp your data while you're at work ...

      1. Camilla Smythe
        Happy

        Re: Silly Peeps

        Ooops. Silly me. I am sure I understand now.

        Encryption is like DNT where you are just sending Microsoft a 1 to say do not look at my data and therefore they can ignore your implied request in order to check if you might be interested in buying some more socks.

        After all these days someone else might have encrypted your sock pictures, sock novels, sock videos, sock music and sock design software along with your .sck design files so it's not as if they really know whether or not you yourself chose to encrypt your sock data so it's best to play safe and have a good rummage about the place just to make sure.

        Thanks for clearing that one up for me. As for Microsoft Reps sneaking about the house when I am out.. It's not them, it's the Pixies. They use the Goblins at work when I am at home and Gremlins to supply the down votes on El Reg.

        1. Alister Silver badge
          Happy

          Re: Silly Peeps

          After all these days someone else might have encrypted your sock pictures, sock novels, sock videos, sock music and sock design software along with your .sck design files so it's not as if they really know whether or not you yourself chose to encrypt your sock data so it's best to play safe and have a good rummage about the place just to make sure.

          Ha, you're nothing but a sock-puppet...

          BTW, if anyone's thinking of buying me Xmas presents, I could do with some socks...

  6. msknight

    Translation follows...

    "Windows is the only platform with a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible."

    ...we think we're the only operating system manufacturer on the planet. At least, that's worth talking to. Competitors are jokers who don't take security reports or bugs seriously.

    "We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection."

    ... For fuck sake get off Windws 7 and 8 already. We've tried to warn you. Honestly. We even did you the favour of pushing our product down your private wire at great expense... to you... and you still didn't have the common bloody sense to push the single buton we helpfully popped up in the fucking task bar. Oh no. You even went to the extent of working out a secret registry key to turn off our helpfulness. Well, be warned, we're sending the boys round shortly.

    "Our standard policy is to provide solutions via our current Update Tuesday schedule."

    ... We'll fix it on Tuesday. No, we won't tell you which one.

    1. 's water music

      Re: Translation follows...

      "Our standard policy is to provide solutions via our current Update Tuesday schedule."

      See you next... ?

    2. msknight

      Re: Translation follows...

      Decryption was via the 128bit Bll-S-hit algorythm. Private key was, G0b3ldyg00k

    3. RIBrsiq

      Re: Translation follows...

      "You even went to the extent of working out a secret registry key to turn off our helpfulness".

      Eh...? Do you think registry keys happen by themselves? A type of 'shroom, mayhap...?

      Here's the relevant KB:

      https://support.microsoft.com/en-us/kb/3080351

      1. captain veg

        Re: Translation follows...

        Yes,, well that KB kicks off with a blatant lie.

        > The computer or device is joined to a domain.

        This one is. I still had to manually remove the GWX crap, and am continuing to have to carelly review all updates before applying them.

        -A.

        1. RIBrsiq

          Re: Translation follows...

          @captain veg:

          I've read about this, but did not face it myself. I think probably because all my PCs are using Enterprise, which's not eligible for the upgrade anyway.

          But I find it very interesting, so I would greatly appreciate it if you could please elaborate. In particular:

          * Are the updates being received through WSUS or SCCM?

          * What edition of Windows?

          * Is the local user a normal, limited user?

          1. captain veg

            Re: Translation follows...

            * Neither. Just plain Windows Update.

            * 7 Pro.

            * AD user with local administrative privileges.

            -A.

            1. RIBrsiq

              Re: Translation follows...

              @captain veg

              Ah! I see now. Thank you very much for taking the time to reply.

              Well, you're right that the update should still not show up, based on the KB. So I would bring that to Microsoft's attention, if I were you.

              As for your setup, well, it's not how I would do it. And it's probably not keeping with best practices. But I assume you have a good reason for doing it that way. After all, people don't deploy configurations that result in more work without a damned good reason!

              What I would suggest is maybe a GPO to apply the required registry values to those machines you want to block GWX on. Seems simplest, and should work.

      2. Frank Bitterlich

        Re: Translation follows...

        Sure, because as we all know, posting instructions on how to tinker with your registry so that the nagging stops into a large knowledgebase, is way better than to just add a "No, thanks, leave me alone"-Button to the nagware.

    4. oldcoder

      Re: Translation follows...

      And we won't tell you what was "fixed" either...

  7. Anonymous Coward
    Big Brother

    PLA Unit 61398 calling...

    All your disk-drive encryption keys are belong to us

  8. jake Silver badge

    This is a good example of why ...

    ... I no longer use any systems delivered by marketing instead of engineering.

    1. Preston Munchensonton
      Pint

      Re: This is a good example of why ...

      Bloody hell. So El Reg has upgrade from complete piss to propellerheads?

  9. frank ly

    Interpretation?

    "... a customer commitment to investigate reported security issues ..."

    Obviously, the customer has to investigated reported security issues themselves.

  10. tempemeaty
    Facepalm

    Full Tactical Facepalm engaged...

    Marketing double speak is the new encryption?

    HAHAHAHAHA....

  11. Anonymous Coward
    Anonymous Coward

    perfectly reasonable answer

    I've seen such many times: you ask them (any large organization) a precise question, and

    1. they don't reply

    2. upon 2nd, 3rd, etc. e-mail, they send an copy and paste reply, at best vaguely related to the topic, signed by some David, Peter or Mary, more often than not, unsigned ("company policy", I bet)

    3. if you still haven't got the clue (you clueless idiot) and send more emails asking, begging, demanding an answer, or merely frothing - you get the same copy and paste reply, until

    4. you give up

    5. SUCCESS!!! aka "we pride ourselves in providing active and meaningful feedback platform to our valued customers".

    1. Captain Badmouth

      Re: perfectly reasonable answer

      "signed by some David, Peter or Mary"

      Peter, Paul and Mary, shirley?

      Singing " Little boxes, made of Tickey-Tackey..."

  12. Dr. Mouse Silver badge

    Decrypted plaintext...

    "Windows 10 is the best! You should use it!! We fix broken things on Tuesdays! There are ghosts here..."

    Obligatory xkcds:

    https://xkcd.com/1293/

    https://xkcd.com/1032/

  13. Doctor Syntax Silver badge

    Simple explanation

    They put the query through to the hell-desk.

    1. Esme

      Re: Simple explanation

      If it got through to a hell-desk - well, one worth it's salt, they'd get a reasonable answer. Maybe even one regarded as a tad too honest by the hell-deskers employers*. It's if the response comes from the marketeers you're more likely to get that kind of dross.

      *I resemble this remark.

  14. Nissemus

    You can tell the statement is written by a marketing buiffoon because it includes the word "impact".

    On a related note, I've had to do a system restore today because this week's Windows 10 update screwed up my PC..

    1. Anonymous Coward
      Anonymous Coward

      On a related note, I've had to do a system restore today because this week's Windows 10 update screwed up my PC.

      Don't worry, it'll just download the screwy update and fuck your machine over a second time for you.

      1. I. Aproveofitspendingonspecificprojects

        I think the trick is not to load a Windows that isn't a prime number. Or follow a manfommars. But I am not sure how that last one goes.

    2. Adam 1

      Impact is a good word. It gets me out of figuring out whether I am trying to write affect or effect.

    3. anonymous boring coward Silver badge

      I agree with your assessment regarding the word "impact", but I think I noticed one or two other clues as well.

  15. Flash.Gordon

    Excellent picture

    No comment on the story but the picture made me laugh!

  16. Youngdog

    No FDE - no Win10

    If you think I spent those extra pennies on an Evo Pro just to use M$ software encryption you can jog on

    1. Youngdog

      Re: No FDE - no Win10

      Wait sorry - just re-read the article. If I've FDEd using something other than bit locker does it affect BL functionality for other removable disks?

  17. RIBrsiq

    This is an annoying issue for those who use FDE, yes.

    But installing RTM, enabling BitLocker and then doing an in-place upgrade to 10586 works fine. No need for any gradual updating. I know, as I just did this a few days ago.

    BTW: how does one turn on the equivalent functionality (FDE using HW encryption on SED) on Linux, please?

    1. The Travelling Dangleberries

      So, if I understand you correctly, you believe that it is OK that MicroSoft dropped the ball on this one because no other OS offers the same features?

      1. RIBrsiq

        "So, if I understand you correctly, you believe that it is OK that MicroSoft dropped the ball on this one because no other OS offers the same features?"

        Fascinating! How did you arrive at that conclusion, please?

        If you are referring to my asking about Linux, then I am afraid you are very much off base: I use Linux, and I would just like to know if I can use the hardware encryption capability of SEDs with Linux, is all. Do not read too deeply into what is really a very shallow question: there's only the surface layer.

    2. Camilla Smythe

      BTW: how does one turn on the equivalent functionality (FDE using HW encryption on SED) on Linux, please?

      If you are a numpty like me then you 'Ask Google',

      https://www.google.co.uk/search?q=linux+encrypt+home+after+install&btnG=Search&gbv=1

      and find something like this,

      http://www.howtogeek.com/116032/how-to-encrypt-your-home-folder-after-installing-ubuntu/?PageSpeed=noscript

      Which happens to be the first on page link. I really wish the Linux community would do something about this sort of shit because personally speaking I'd rather have to dig down past 10 pages of results before finding something that might do the job in Windows without having to install 24 toolbars, a pile of adware and upgrading to a different browser and then being repeatedly asked to sign up for the proper version because the evaluation copy is about to run out.

      Of course that is not 'FDE', just the appropriate Home Folder and Swap. It may still be possible to do FDE after install and I get the impression that it is certainly the case that the option is available during an initial install.

      Not sure whether it is 'Hardware Encryption'. Otherwise sorry if it was not the answer you were looking for.

      1. RIBrsiq

        Thank you. I already use this on my Linux boxen.

        But it's not FDE. And it's not using the SED's HW encryption.

        The attraction of using HW encryption is that it has no performance impact, so it's very useful for system drive encryption -- or for any other drives that will see a lot of traffic.

        1. Camilla Smythe
          Pint

          But it's not FDE. And it's not using the SED's HW encryption.

          Muh-Huh. I kind of thought it was not the answer you were looking for....

          https://www.google.co.uk/search?q=%22Linux%22+SED+HW+encryption&btnG=Search&hl=en-GB&biw=&bih=&gbv=1

          YMWV or you will run out of gas but a quick scan of those suggests SED HW Encryption is drive/bios specific such that if your drive does it and your bios/motherboard supports it then there will be a bit of extra pain involved before something happens.

          ---> Apparently it's free and you may need some later on if you try things out.

    3. WorBlux

      Re: RIBsiq

      'BTW: how does one turn on the equivalent functionality (FDE using HW encryption on SED) on Linux, please?"

      msed by r0m30

      1. RIBrsiq

        Re: RIBsiq

        @WorBlux:

        Thank you for the reply. Very interesting.

        Looking at the documentation, I can see why the Linux zealots were reluctant to come forward, if this is the best Linux has to offer: it's not very user-friendly, is it?

        But it's good to see that someone is working on this, at least. And it *is* an uncommon usage scenario, so it would be rather low priority for anyone -- be it Microsoft, or anyone else. Here's hoping it will reach a usable state, sometime soon.

        1. Camilla Smythe

          Re: RIBsiq

          @WorBlux:

          Thank you for the reply. Very interesting.

          Looking at the documentation, I can see why the Linux zealots were reluctant to come forward, if this is the best Linux has to offer: it's not very user-friendly, is it?

          I might be inclined to turn into a 'Linux Zealot'. Then again, just before I do... given you have demonstrated your wealth of 'boxen' knowledge, perhaps you can sort things out for the rest of us.

          Looking forward to trickling your sweet cum down the back of my throat. I like Real Cherry Flavour without the stones and if you skin your interface just right everyone will be putting their heads up to drink from your fountain.

          1. RIBrsiq
            WTF?

            Re: RIBsiq

            @Camilla Smythe:

            You seem to be writing English, but the end result unfortunately does not mean anything to me.

            In any case, thank you for trying to help, earlier.

            1. Camilla Smythe

              Re: RIBsiq

              Thanks. Dilbert 1995-2005 appears to be working. I shall continue reading through to the present time in an effort to find your answer for you.

  18. kbb

    Not sure I follow

    If the drive is self-encrypting, what does enabling bitlocker give you (if it worked)?

    1. RIBrsiq

      Re: Not sure I follow

      Ah! Good question, actually.

      An SED will optionally use a HW engine to encrypt all data written to it. But, what does that *really* mean? I mean, if the drive is completely encrypted, how do you boot from it? And where do you store the key? How, for that matter, do you pass the key to the decryption engine? Obviously you cannot store it on the drive itself! Etc., etc.

      Microsoft's eDrive takes care of all this rather neatly and seamlessly, once its requirements are met. The only annoying thing, really, is the need to do a clean install of Windows to use it.

      I am wondering if there's an equivalently painless process -- or a better one! -- for Linux, and I am hoping someone here will be able to help.

      1. Palpy

        Re: Linux FDE

        I expect implementations vary with distros. I haven't bothered with encryption on most of my machines. The Thinkpad I bought for travelling runs Qubes. Encryption via Fedora. "Fedora's default implementation of LUKS is AES 128 with a SHA256 hashing."

        For what it's worth. I'm not bright enough to know anything about it, I just use it and move along.

  19. koolholio

    All in the implementation of the crypto

    When adding 256-bit XTS-AES encryption, I note XTS is "a block cipher mode of operation"

    Can you confirm it is not DMA port related?

  20. Sil

    I did not have this issue but I didn't have to do a clean install.

    Instead, I was notified the new Bitlocker was incompatible with the previous ones, so I had to unencrypt the SSD before reencrypting it with the newest version.

  21. Reg T.

    MS

    is a disease, is it not? Why do you airheads continue to make Gates & Co. billionaires?

    Those who love MS so much should follow on by taking whatever vaccines the Gates Foundation is forcing on poor inhabitants of India and Africa.

    W10 is a disaster, but - MS have openly revealed how they have been operating secretly since the inception. They are contemptible, conniving scum who do anything they can to "capture" clients.

    And they do that with the full cooperation (not requiring bribery) of hardware manufacturers, who load their crap into their products. They surreptitiously load software on older version Windows boxes forcing folk onto W10. At least with Apple, you know where the back door is.

    A major complaint of those coming from Windows to Linux over the years has been "I can't play my games on Linux".

    You "gamers" shouldn't complain about W10. Windows has always been crap. It is little different from the first version.

  22. Alistair
    Windows

    on disk encryption and (any os)

    I had this long winded explanation about FDE, and how linux and windows aren't really that different in the implementation. Scrubbed it.

    FDE at the disk requires that the disk and the BIOS both understand the idea, and the unlock key is either *hardware* (TPM) based or the bios knows how to ask the user for the key (sometimes both).

    Bitlocker, however, doesn't encrypt the boot block, the bootloader partition of windows. I follow the same standard on my linux and LUKs installs. Neither the boot block or the /boot partition is encrypted. After that however, we have LUKs. On one laptop I have LUKs for all working partitions including the vm's I run on the laptop, and *they* have LUKs on their disks too.

    The 'self encrypting drives' I've run into that do this silently *usually* are modified hardware TPM based encryption and simply don't have valid data when you stuff them in another system. These are worse than useless in an enterprise.

    1. RIBrsiq

      Re: on disk encryption and (any os)

      I can speak about Windows somewhat usefully, as I have been using eDrive for a while, now:

      * Can be done without TPM. You just need to supply the key on a UFD. Which seems stupid, if you ask me: store the key on the boot partition encrypted with a user-supplied password, FFS! Just as Linux does it (I think).

      * BitLocker is still BitLocker. IE, recovery agents in AD, etc., if you want them. So very applicable in an enterprise environment. If AD is compromised, well, that's a resume-generating event, one way or another, isn't it...? So it's nothing one needs to worry about, IMO. ;-)

      Here's some more info, if you'd care to read about it. I promise it's all fascinating stuff, for the slightly-paranoid:

      * What SED are: http://arstechnica.com/civis/viewtopic.php?f=11&t=1243475

      * How it's done on Windows: https://helgeklein.com/blog/2015/01/how-to-enable-bitlocker-hardware-encryption-with-ssd/

      * Someone tinkering with stuff on Gentoo: https://forums.gentoo.org/viewtopic-t-1001902.html

  23. Mikel

    One way encryption

    It's so encrypted that it can't be decrypted by anything - even the owner.

    A likely problem is that the Beast hasn't worked out a back door API deal with the self encrypting drive makers yet, and so can't uphold their commitments to various TLAs to keep that back door open. People might start encrypting stuff on their PCs that Microsoft can't grant access to recover.

    1. RIBrsiq

      Re: One way encryption

      Nice theory.

      Except:

      * BitLocker still works. And still does FDE, just not leveraging the HW of SEDs.

      * Even that works, if you upgrade from Windows 10 RTM after already enabling hardware encryption. Just make sure you never turn it off, because you wouldn't be able to turn it back on!

      Anyway, it seems like a minor bug, in the larger scheme of things. Hopefully will be fixed soon because it's bloody annoying. But probably not very high on the list of priorities right now. I mean, how many people are impacted, would you imagine...? I'd guess it's not a high percentage of users!

  24. thx1138v2

    Fix? This IS The Fix

    Anyone at NSA or GCHQ will tell you that the only encryption worth its salt is the one that only they can break. Who, pray tell, do you think provided the new encryption algorithms? So much cheaper for Microsoft to just use an existing system than develop their own. Got to keep an eye on that bottom line, don't ya know.

    Knowing MS, however, we might expect the NSA encryption to end up in Europe and the GCHQ version to end up in North America. Which, of course, will require an update to the ORtRTAE (One Ring to Rule Them All Encryption).

    Of course, the immediate fix is to copy your data from the encrypted drive to an unencrypted drive or MS encrypted drive so "they", whoever that might be, can have access to it.

    1. amanfromMars 1 Silver badge

      Re: Fix? And when is IS The Fix, an Exploitable Flaw and Abiding Zeroday Vulnerability?

      Fix? This IS The Fix

      Anyone at NSA or GCHQ will tell you that the only encryption worth its salt is the one that only they can break. …. thx1138v2

      That belief is the ongoing problem causing all manner of escalating woes and deepening difficulties, thx1138v2, for the only encryption worth its salt is the one which cannot be broken, surely. Everything and anything else not supplying that, and purporting to be encryption, is vapourware and a conspiracy and fraud being perpetrated by colluding parties on the innocent and gullible, guilty and aware alike.

      And yes, that emboldened headline question is correctly written.

  25. Sub 20 Pilot

    I keep all of my work and personal data on a Truecrypt volume on a separate hdd to the OS (W7) As far as I can see this covers my obligations under the data protection acts in the UK and I can display due diligence if there is any data relating to my clients that is leaked online or whatever.

    I know it has been shelved and that the tinfoil hat wearers are all concerned about it but for my purposes it does the job. Also means that none of my data is stored on any servers outside the UK and I am not held ransom by the usual mega corporations when they decide to change or bugger up their systems.

    Any UK government agency that wants to see what I have got on my disk only needs to ask, any agency outside the UK can go fuck itself, I am not in their jurisdiction.

    Edit: Also forgot to add (before I get castigated by a lot of people who presume to know my affairs better than me ) that all of this data is backed up on separate external drives, same encryption, at least 1 jumbo jet width apart. Anything bigger than that which lands on my house will make any back up redundant anyway !

    1. RIBrsiq
      Thumb Up

      Seems good to me. And TrueCrypt has been very thoroughly audited.

      On the other hand, if your main concern is displaying due diligence in a court of law if you ever have to, you might want to consider if you want to go through the extra effort of defending your decision to continue using a software package after its unknown developers very publicly pulled it, saying that it is not secure...

      I mean, you and I know it's secure; but will the judge...?

      1. MrTuK

        Seems good to me. And TrueCrypt has been very thoroughly audited.

        On the other hand, if your main concern is displaying due diligence in a court of law if you ever have to, you might want to consider if you want to go through the extra effort of defending your decision to continue using a software package after its unknown developers very publicly pulled it, saying that it is not secure...

        I mean, you and I know it's secure; but will the judge...?

        Veracrypt fixes the issues with Truecrypt and can also read and write to Truecrypt encrypted partitions as well !

  26. John Tserkezis

    "but later reinstating the files after fixing a privacy bug."

    Yes, the privacy bug offered too much privacy for the user. So they fixed it.

  27. a_yank_lurker Silver badge

    Buzzword Bingo

    "Windows is the only platform with a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection. Our standard policy is to provide solutions via our current Update Tuesday schedule"

    Slurp is doing the usual suspect buzzword bingo. How many layers of encryption are there in the quote? Now if the NSA would earns it keep.

    1. RIBrsiq
      Happy

      Re: Buzzword Bingo

      "How many layers of encryption are there in the quote?"

      None. It clearly doesn't mean anything at all.

      But it's probably useful as a source of randomness, in a pinch.

  28. Anonymous Coward
    WTF?

    Why?

    Given this and all the other horrors I read about Windows 10, why is anyone using it at all?

    It breaks privacy, it breaks encryption, it breaks a lot of software and drivers, it breaks the UI, it breaks trust, it breaks your ownership of your own PC, and for people on capped data plans, it breaks your data cap too just in case you thought it couldn't get worse.

    Nothing in it seems to work properly - for some reason Microsoft appear to have fiddled with everything from the hardware abstraction layers upwards, and fiddled badly. I haven't yet read anything positive, except that it has a sort-of start menu which is kind of better than the tiles in Windows 8.

    1. Paul 129
      Trollface

      Re: Why?

      Cause when you try to install Vista or ealier, on a windows 10 certified machine..... IT wont work.

      Mandatory EFI*

      EFI; Initially I thought it was all about killing of linux. The scalps that it actually claims today are XP and Win2K. A successful result for MS

      *Egregious Ferret Insertion

      1. oldcoder

        Re: Why?

        Hint: try using grub to boot XP on an EFI system.

  29. arctic_haze

    The second Tuesday of the month experience

    After the latest Microsoft Tuesday which almost killed my Windows 7 touchscreen device, I will try to remember my vow to wait at least five days with any Windows updates (and also hide anything that may be a Windows 10 installer in disguise).

  30. Panopticon

    The recovery password can be recovered from a BitLocker enabled computer provided it can be logged into e.g. by running: manage-bde.exe -protectors -get C: -Type recoverypassword

    Just more ineptitude from the guys at MS who've never really understood the whole principle of Encryption in the first place, it's not supposed to be recoverable.

    Windows has a long history of snafu and borking cryptography, they even completely screwed up Kerberos implementations in Windows 7 leading the maintainers of it to be left shaking there heads saying "Windows jus' doesn't get it!" which is true when you reflect it's supposed to be for protection of government departments and there own data, but then these government departments "holla" on about needing better security whilst they then try to erode it - claiming it helps bad guys. It must be marvellous to work in an environment of complete idiots who just do not understand why it's important and where it's use isn't even that highly mandated in the first place.

    Goodness me just imagine if they'd used TrueCrypt to store all there secret documents, then they might not have got shared all over the Web! Suck's eh? Meanwhile in other news, they have access to so much data, they're drowning in it and the bad guys are talking over coffee and lunch in the local McDonalds instead of over the internet.

    1. NomNomNom

      about time parliament authorized a drone strike against ronald mcdonald, I always thought that dipshit had something to hide, otherwise why dress up like a clown?

    2. RIBrsiq

      It's possible to save the recovery password of a BitLocker volume if you already have access to it, yes.

      How is this a problem...?

      The alternative would be the need to migrate all the data to a new volume if you lose the recovery password of an old one and are not comfortable with the idea of not having a recovery option.

  31. NomNomNom

    Microsoft?? more like M$cro$oft

    upvote if you think this comment is edgy

  32. Anonymous Coward
    Anonymous Coward

    Eve

    Perhaps the 'powers that be' have decided that snooping via the network is ultimately going to be too hard as unbiquitous encryption (slow but inevitably) takes hold.

    So where else to target... easy, just put the listeners on the target devices themselves and get whatever information they need regardless of what grade of encryption is used for network traffic. Having an OS which allows them to hide this effectively becomes very important.

    In order to do this though they need to embed the malware at a very deep level so it can't be easily discovered. Possibly even lower than the level at which the current software encryption between the encrypted hard drive and the applications on the OS operate...

    Perhaps this is part of MS contribution to the 'cause'...

  33. rtb61

    All you hard drives are belong to us. Once M$ went with Windows anal probe 10, it had to be pretty obvious nothing would force them to drop that massive invasion of privacy short of new laws and regulations. Basically they like windows 8 are going to try to force it through and not give a crap about customer opposition.

  34. Blacklight
    Mushroom

    Whut?

    "I'm sorry Dave, you want to add encryption to a self encrypting drive? I'm afraid we (and various agencies of choice) can't decrypt that (so we don't like it)".

    Well, probably.

    I was mortified to see the default is to save BitLocker keys "into the (MS) cloud" for you(r safety). Unless you have Win 10 Pro, in which case you are allegedly deemed capable of not losing your keys.

    1. Alistair
      Windows

      Re: Whut?

      " Unless you have Win 10 Pro, in which case you are allegedly deemed capable of not losing your keys simply not told that it is being collected for you.

      FTFY

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020