What a slap to the faces of everyone who had been locked out of their data because they never knew about this crap and thus never saved their keys
Except their keys were saved but microsoft deemed that they cant “prove ownership” of the microsoft account, because they lack the credentials…
People called me paranoid when I said this would happen someday…
if theres money to be made it will happen one day
What does Microsoft think the fucking point of encryption is? Do they think I am encrypting my data to protect it from my dog?
i saw your dog using arch linux
Don’t be silly, the dog uses Puppy Linux.
As someone who used windows for way too long: they just simply don’t give a shit. Like at all
Why do you think the encryption capabilities on your PC are there for your sake? They might have sold them to you on that, but they are really there to protect copyright data because TPM allows encryption/decryption that is completely hidden from the rest of your system. Like an encrypted handshake that then transfers an encrypted key to decrypt the video stream. But it doesn’t save the decrypted data, it immediately re-encrypts it using your display’s private key (or whatever device is next in the chain, maybe your GPU). They can make it so that the unencrypted stream never touches your RAM or travels on any wire, which means you can’t pirate shows as you watch them unless you point a camera at your screen.
Obviously if they just said that was one of the main points, no one would want it and media companies couldn’t benefit from it because they’d have to compromise to sell content.
The other point was so that they could build a system where they hold the encryption keys and get to choose whose data is actually private. Obviously that’s an even harder sell.
So they did what marketers always do and lied by omission about what it was for and just outright lied if they ever said they’d never give the keys to law enforcement (did they ever even say that?).
Let go of the idea that someone selling something to you implies any kind of loyalty, especially when either party is a large corporation.
If you’re not the only one with the keys, is it really encrypted?
deleted by creator
Why is anyone surprised by this? And what kind of imbecile commits crimes and uses windows? 🤣
Not just that but also uploads a copy of the key to their Microsoft Account…
Many modern Windows computers rely on full-disk encryption, called BitLocker, which is enabled by default. This type of technology should prevent anyone except the device owner from accessing the data if the computer is locked and powered off. But, by default, BitLocker recovery keys are uploaded to Microsoft’s cloud, allowing the tech giant — and by extension law enforcement — to access them and use them to decrypt drives encrypted with BitLocker, as with the case reported by Forbes.
uploads a copy of the key to their Microsoft Account
Microsoft added that feature because people kept losing their encryption keys and thus losing all their files if they need to have their computer replaced. They get complaints either way - privacy advocates complain when the key is backed up, and sysadmins/users complain when the key isn’t backed up.
I think in cases like this, I’d rather the responsibility of burden be shifted towards individuals with autonomy than to large corporations. But I suppose in that case (reductionism warning) people might as well just use Linux.
Didn’t Osama bin Laden use Windows? 😂
Now I’m curious about that, haha!
After Bin Laden was killed, the CIA released the contents of his hard drive. Index can be found here. Search for “Windows” and you’ll find multiple system files, drivers, etc.
Just as I expected how security in Microsoft products works.
Amazing how every time you think they’ve finally stopped digging… they whip out the steam shovel and go “Hey y’all, watch this!”
Is anyone shocked by this? With everything that DHS, FBI, ICE, military, elected representatives, etc. are all doing without any concern or care for laws, civil rights, human rights, the Constitution, this should not be a shock to anyone. Corporations are bending over backwards to appease the talking orange and make more money. They do not care as long as profits are up and the shareholders are happy. A companies primary legal responsibility is to the shareholders, not the customers.
+100. People forget, or chose not to pay attention to the fact that Google sensor vault data was key evidence in convicting the January 6 insurrectionists (who were exonerated to become ICE). Surveillance capitalism doesn’t care which side you are on.
Small correction. They were not exonerated. They were pardoned. A pardon implicitly means guilt. Exonerated means their conviction was overturned.
Agreed. Wrong word choice. And its an important, major correction. Not a small one. :-)
Microslop’s OS is evidently untrustworthy and should not be used. I recommend replacing it with a Linux distribution.
People will still use it all the same though lol
People are creatures of habit, whereas fortune favors the bold.
Well, since you don’t actually enter a password to decrypt a bitlocker device, you can intercept the key data with physical connectors to the TPM
Bitlocker just makes it slightly more tedious to retrieve data. As long as you have all other components intact aswell.
I’m just wondering how many devices still use dedicated TPMs, instead of the ones integrated in the SoC by AMD and Intel. Sniffing a bus inside the SoC must be significantly harder or impossible.
So, this means Microsoft has copies of every single bitlocker key, meaning that a bad actor could obtain them… Thereby making bitlocker less than worthless, it’s an active threat.
MS really speedrunning worst possible software timelineThey don’t have a copy of every single Bitlocker key. They do have a copy of your Bitlocker key if you are dumb enough to allow it to sync with your Microsoft account, you know, “for convenience.”
Don’t use a Microsoft account with Windows, even if you are forced to use Windows.
To use Windows without a Microsoft account requires tech literacy these days, I thought. I would not be suprised if users didn’t choose to sync with a MS account but it’s doing it anyway, if that’s what MS want.
If you sign in with a Microsoft account at all I don’t believe there’s the capability to opt out.
I only use local accounts. I have never had a Microsoft account. I never will.
You can’t do that anymore, at least not with a normal Windows installation. All of the tricks of forcing it offline, clicking cancel 10 times and jumping up and down don’t work anymore, they’ve disabled them all, the only way to install Windows 11 now (using the normal Microsoft installer) is by linking it to a Microsoft account.
Using Rufus still works. I did it as recently as a couple of days ago.
Sorry, but the argument above was for a regular user, who doesn’t know what Rufus is, who doesn’t know the concept of OS, who simply
knowsthinks the files are saved “on the computer” (while they somehow ended up on OneDrive).… and who doesn’t know that you can even install an OS to begin with!
I have a windows 11 installation without an account. You got to get an alternative image (I got LTSC).
I was really hoping there would be a jailbroken version of windows by now, you know a version that doesn’t update and doesn’t have any bloatware.
I guess it’s just not worth it given how far Linux has advanced.
You can still create a local account by setting the PC up as a “School or Business” PC and then choosing the local account option.
This is not true. There are several tools to create a bootable USB that uses a local account.
They just made it hard for Joe Schmoe to avoid it.
using the normal installer
Joe Schmoe buys new laptop with Windows preinstalled.
Joe Schmoe boots it for the first time.
Greeted by first-log-on.
Goes through steps and is immediately captured.
Just update a W10 local install. It won’t even try to ask you to add a microsoft account.
I’m not even sure if you can install without an MS account if you don’t use Rufus anymore. Rufus requires literacy for sure, and even if you can still do it without it is designed to make it impossible to know you can from within the installer itself.
Main issue with Rufus is secure boot unfortunately, otherwise Rufus is easy enough that I gave a couple “click here, then here, then here and here are some screenshots” to a friend they were able to navigate it just fine. At this point I swear Rufus is easier than using the official installer provided Secure Boot is off.
Images patched by Rufus can definitely pass secureboot, as long the bootloader wasn’t touched. Secureboot only checks the signature of the bootloader, not every single file of the operating system, otherwise it will take hours to boot
Plus Rufus touches some XML read by the installer, doesn’t crack the executables
It’s a bit harsh and unfair to say “you are dumb enough to allow it”. Microsoft makes it damn near impossible to avoid this unless you are extremely particular and savvy about it, and never have an off day where you make a mistake while using your PC.
Encryption doesn’t actually complete until you log in with a Microsoft account for Home Edition.
Anyways: Use Veracrypt.
Or just Linux + LUKS
Why is that dumb?
I encrypt my drive to protect my data from burglars and thieves who might steal my laptop, how would they obtain the recovery key from Microsoft? O_o
Don’t use
a Microsoft account withWindowsFtfy
Don’t use
aMicrosoftaccount with WindowsFFTFY.
Bethesda anything, Azure, Outlook, GitHub, Visual Studio, Office, Bing, XBox, LinkedIn, SharePoint (so disgusting this is a given), fuck it not even Skype (lmao what year is it?)
Still kinda hurts they own Bethesda now, but considering that company has only produced garbage since FO4 which only was kinda mid, I don’t even mind skipping them.
The Elder Scrolls VI with mandatory Microsoft account and Copilot integration 💀
Game gonna be buggier than skyrim at release and only 10% as fun because it’s vibe coded
Literally fix the anticheat problem and I’ll uninstall.
The anticheat problem already is fixed. It’s called “don’t play games that don’t support your choices”. These days, no game is worth being put through all that AI bullshit.
Not the case for me, definitely worth it for some games
Dualboot, don’t store sensitive files in windows?
(Although I’m having a bit of trouble trying to do dualboot myself so… idk lol)
Of course thats what I’m already doing
Are you naive enough to believe the surveillance OS that uploads literally all of your activity along with screenshots of your desktop doesn’t automatically upload you keys no matter what little box you tick on the installer?? 😂 there is absolutely not one single 3rd party auditing that they actually follow any of the options at all that they give.
But, by default, BitLocker recovery keys are uploaded to Microsoft’s cloud, allowing the tech giant — and by extension law enforcement — to access them and use them to decrypt drives encrypted with BitLocker, as with the case reported by Forbes.
I mean it’s dumb to sync but at same time it’s not like MS isn’t great at either making it almost impossible to not sync it re-enable syncing for a bit after updates.
You can constantly tell it not to sync but all it takes is MS saying we want it now and they’ll get it
Whats dumb is this issue is very easily resolved by encrypting the users security pin or password against the bitlocker keys and then only storing that.
or better yet have the pin/password an isolated thing from the microsoft system, so when a key gets uploaded, it requests the recovery pin, and if the pin matches it uploads, otherwise it states invalid pin and offers to change it while warning that it will remove existing keys, then optionally next time a system whom contains a drive with an identifier (which wouldn’t need to be encrypted only the key) goes online, it can prompt the user “note: due to recovery pin, drive X recovery key needs to be backed up again, would you like to do so?”
This type of system would make it so the only data MS has stored is the already encrypted recovery key, and as such would mean that the data they gave law enforcement would be worthless.
Save a copy of your bitlocker keys to a Veracrypt drive with a password no shorter then 15 mixed characters. Then upload that encrypted container to any free service. They wont be able to open it and now you have a remote backup copy.
I employed the super secure expedient of never exporting my keys. I have no idea what they are, I never did, and I never will.
There’s really no irreplaceable data on my Windows machine. If I have to reformat it some day A) that’s no big deal, and B) it’s Windows, what else is new.
Why not save a step, fuck bitlocker, and use veracrypt to encrypt your drive in the first place?
Why not save a step and don’t install Windows in the first place.
If you can have two computers one should always be Linux. But gaming and certain software just does not work on Linux yet sadly. Hoping steam can turn that around.
Made the switch about a year ago. Every game i wanted to play worked just fine. I suppose it depends on the games you play, but to say it just does not work is plainly just wrong
Majority of anti-cheats do not work or not added to linux versions. So things like BF6, GTAO, etc do not work on linux sadly. If they did I would already be on linux full time.
That is a option but it’s performance is bad and you need at least fifteen mix character password every time you boot. If you game you need to use bitlocker sadly or load times dive hard. Having a second drive in full Veracrypt is fine for things like basic documents but not to game on.
If the password is long 15 characters that means you use a password manager. At that point just put the bitlocker password in the password manager
nope use password sentences easy when you make it a sentence you can remember
They do have a copy of your Bitlocker key if you are dumb enough to allow it to sync with your Microsoft account, you know, “for convenience.”
Which I don’t believe is the only way it can leak. It’s well known Microsoft can access anything and everything on an internet connected Windows PC whether there’s a Microsoft account or not. If the nazi’s push for the device of someone on a local account only, you know they’ll magically find a way.
i heard win11 its automatically used online for home.
No they do not have copies of every Bitlocker key.
Bitlocker by default creates a 48-bit recovery code that can be used to unlock an encrypted drive. If you run Windows with a personal Microsoft account it offers to backup that code into your Microsoft account in case your system needs recovered. The FBI submitted a supoena to request the code for a person’s encrypted drive. Microsoft provided it, as required by law.
Bitlocker does not require that key be created, and you don’t have to save it to Microsoft’s cloud.
This is just a case of people not knowing how things work and getting surprised when the data they save in someone else’s computer is accessed using the legal processes.
Except that Microsoft basically puts a gun to every users head to login with a Microsoft account which can/does backup the recovery keys.
Rufus: “Am I a joke to you?”
This is why we Jason Bourne style snatch the gun out of their holster before they can draw it and beat them unconcious with it, I mean oobe\bypassnro
Iirc bypassnro no longer works on recent builds of windows
It no longer works as a shortcut, but the actual bypass still works. In practice the command line you have to enter just got a bit longer is all.
At least last time I needed it, to that still worked fine. It’s been a few months.
If you sign into a Microsoft account during setup, Microsoft automatically turns on bitlocker and sends the key off to Microsoft for safe keeping. You are right, there are other ways to handle bitlocker, but that’s way beyond most people, and I don’t think Microsoft even tells you this during setup. It’s honestly a lifesaver for when bitlocker breaks(and it does), but it comes at a cost. In the business world, this is seen as a huge benefit, as we aren’t trying to protect from the US government, mostly petty theft and maybe some corporate espionage.
As is often the case, the real solution is Linux, but that, too, is far beyond most people until manufacturers start shipping Linux machines to big box stores and even then they’d probably not enable any encryption.
I question whether we are rapidly approaching the point where Linux is simply easier to use in a safe, secure, and practical way for the average user, because it doesn’t try to actively fuck you over like Microsoft does
It’s easier when you don’t need to jump through hoops to make a local account. It’s easier when you don’t need to turn off a dozen settings you might not know about regarding data collection or advertisements. It’s easier when you don’t have an antagonistic system that treats you like the product, not a user, not pushing you towards confusing things you don’t want
So, this means Microsoft has copies of every single bitlocker key
But, by default, BitLocker recovery keys are uploaded to Microsoft’s cloud
Not everyone follows the default. So no, it doesn’t mean Microsoft has copies of every single BitLocker key.
Hey copilot, give me the bitlocker key to the nuclear football!
Microsoft is already a bad actor and they have them. Or a bad actor could threaten microsoft physically and microsoft will hand them over. Wait, that already happened.
And people make fun of me for turning off secure boot and tpm. They just cause grief for no benefit.
Well this isn’t directly related to those, so maybe some derision is warranted.
As long as you’re doing your own whole disk encryption, you have a valid path to still be secure. However, if you’re running an unencrypted disk, you’re much more likely to lose your data to a non-state actor.
Both are completely unrelated to the discussion. TPM sometimes have issues regarding their security, but you can certainly use Secure Boot with your own signing keys to ensure the kernel you run is one you installed, which improves security. And you can use TPM to either keep your FDE keys, or only part of them combined with a PIN if you don’t fully trust them to be secure, so you keep strong encryption but with a bit of convenience.
Without a (properly configured) Secure Boot startup, anyone could just put a malware between the actual boot and your first kernel. If the first thing that happens when you boot is something asking for a password to be able to decrypt your storage, then an attacker can just put something here, grab your password, and let you proceed while storing in a a place it can be retrieved.
Is this scenario a concern for most people? That’s unlikely. But every computer sold these last five years (at least!) can be setup to reduce this risk, so why not take advantage of it.
Could be worse. Could have skeleton keys
You’re assuming there isn’t a master pubkey baked into the software.
More likely stupid users storing their bitlocker key in the microsoft account instead of printing it out or storing it somewhere not owned by MS lol
Federal investigators in Guam believed the devices held evidence that would help prove individuals handling the island’s Covid unemployment assistance program were part of a plot to steal funds.
Damn, they weren’t even doing this to go after pedos.
I’m curious where in the economic ladder this person fell. Rich enough to get a significant amount of money from the system, but still too poor to make the government look the other way.
The word “Gave” is really doing some heavy lifting in that title. Microsoft produced the keys in response to a warrant as required by law.
If you don’t want a company, any company, to produce your data when given a warrant then you can’t give the company that data. At all. Ever.
Not fast food joints, not Uber, not YouTube, not even the grocery store.
If you can’t possess the keys, you can’t give them when there’s a warrant. Microsoft designed a system that could obtain and decrypt those keys on purpose.
I’m certainly not a microslop supporter, but…
They designed a system that recommended that the average user use full disk encryption as part of device setup, and then provided a way that Grandma could easily recover her family photos when she set it up with their cloud.
This was built by an engineer trying to prevent a foreseeable issue. The intent was not malicious. The intent was to get more people more secure by default, since random hacker couldn’t compell ms to give them keys, while still allowing low tech literacy people to not get fucked.
It’s been a while since I installed a new Windows OS, but I’m pretty sure it prompts you to allow uploading your bitlocker key. It probably defaults to yes, but I doubt you can’t say no, or reset the key post onboarding if you want the privacy, and now it’s on you to record your key. You do have to have some technical understanding of the process, though, which is true of just about everything.
That all said, if a company has your data, it can be demanded by the government. This is a cautionary tale about keeping your secrets secret. Don’t put them in GitHub, don’t put them in Chrome, don’t put them online anywhere because the Internet never forgets.
They’re doing this because there’s demand (with actually, non malicious genuine needs), and the feature is clearly advertised AFAIK.
It’s not some evil conspiracy. Microsoft does enough shitty things without us needing to blame them for their users’ shitty OpSec.
Here’s Microsoft’s overview page of bitlocker. Show me where it clearly says they can decrypt your drive.
https://support.microsoft.com/en-us/windows/bitlocker-overview-44c0c61c-989d-4a69-8822-b95cd49b1bbf
Yes. But this completely invalidates the encryption. If anyone can decrypt your data without you giving the keys to them, it is not really encrypted.
The encryption key is data, don’t give it to ANYONE. “Two people can keep a secret if one of them is dead.”
Which means it’s useless if always uploaded to MS
You’re confusing two different things here, in a really weirdly obtuse way.
It may seem that way but I’m really not. An encryption key is just data. It’s critical security data to be sure but it’s still data and like other data you shouldn’t share anything that you wouldn’t want made public.
Don’t want MS to cough up your data when asked? Then don’t give it to them. In regards to your BL key that means storing it another way, such as on a jump drive or printing it out.
In the end if you have data of any type that you absolutely DO NOT want made public then you need to retain that data locally. If that means leaving the Microsoft or any other ecosystem then that’s the price that needs paid for keeping your data under your control.
This is the foundation of the entire privacy movement.
No, you really are. If you’re in control of an encryption key, then it’s perfectly fine to “give Microsoft your data” that’s encrypted by that key. An encryption key isn’t “just data”, it’s data that’s used to encrypt other data.
The problem here is not that Microsoft has access to your data, it’s that Microsoft has access to your encryption key.
Its not anyone though. Not anyone can get a warrant and demand the keys
if Microsoft has the power to give the keys to the feds what happens when Microsoft gets hacked?
or they give the keys or whatever data willingly, and then say they are hacked as an excuse.
Wouldn’t the hacker then need to track down your physical computer…steal it…use the bitlocker key…look to see if you actually have any data worth taking etc…?
Actually they’d probably set up a Bitlocker key shop on the dark web
Anyone included Microsoft. You’re thinking of the word “everyone”
Anyone as in “a single person”. They don’t mean everyone has access.
Sure. It’s not anyone. It’s anyone that can get a warrant. Or anyone that have enough power/underhanded influence to ask them nicely. Or any admin that have access to cloud storage at MS (remember they where caught with some exec having full access to that a while ago). Or any big leak that could exfiltrate these data. And probably a handful of other people, like, someone getting access to your MS account for whatever reason (which kinda happen, seeing how people lose their mail account to phishing/scams all the time) suddenly having access to your keys from there.
If your keys are in a DB somewhere, there’s a lot of way they could get out. Would these ways coincide with someone actually having your drive at hand? Probably not. Still, the key not existing in plaintext in some third party storage close all these holes.
what happens when fydor monikov the sleeper agent from the kgb working at the fbi gets a copy of these master keys
KGB is inside the oval office 💀
(I mean they literally deported a Russian dissident back to russia… need say more?)
Are they really sleepers any more?
Yes, according to whistleblowers from the CIA. Russia and China are regularly doing this
Just to clarify… my question wasn’t “do sleepers exist” it was should we continue to call them sleepers when they have broad access to the administrative branch of the US government.
I’m stupid. How do thet even produce the keys?
Your computer generate a random key using (hopefully) a trusted PRNG with good enough sources. This key is then used to encrypt your data. This key is stored in your computer’s TPM module, and provided to the OS only if the chip approves all the checks in places. In addition, you get that key displayed to you, so you can write it down (or alternatively save the key file somewhere of your convenience). This is relatively good as far as security goes (unless the TPM is broken, which can happen).
And then, unless you jumped through hoops to disable it, your PC sends the key to Microsoft so they can just keep it linked to your account. That’s the part that sucks, because then, they have the key, can unlock your drive on your behalf, and have to produce it if asked by a judge or something.
Note that there are relatively safe way to protect these keys even if they are backed up in “the cloud”, by encrypting them beforehand using your actual password. It’s not absolutely perfect, but can make it very hard/costly/impossible to retrieve, depending on the resources of the attacker/government agency. But MS didn’t chose this way. I don’t know if it’s because of sheer incompetence, inattention, or because this feature is claimed to be here to “help” people that lose their key, and as such are likely to lose their password too, but it is what it is.
“help” people that lose their key
Funny enough, people have lost access to their bitlocker encrypted drive because of some weird issues that triggered the windows intallation to revert to asking for the full bitlocker encryption key (I think if you disable secure boot or mess with CPU upgrades or the TPM, or some weird update broke, that can happen), which they didn’t have and forgot the microsoft account. But microsoft can’t help because they forgot about their acount credentials.
They should’ve asked the FBI for help lolz
It happened TWICE on my Lenovo laptop, when it automatically installed a firmware update from windows update
And then, unless you jumped through hoops to disable it, your PC sends the key to Microsoft so they can just keep it linked to your account.
You’d probably also have to jump through the hoops to disable windows recall too.
I’m pretty sure all tpms can be read with an electric interference reader when they’re probed, as an intended loophole
I don’t know about intentionally designing that. It would violate contracts and have to be a hidden, but broadly conspiratorial activity. I have some professional experience in consumer electronics, and I remember when TPMs started becoming a required component for CE. It took several years to become commonplace; a slow transition from security by obscurity to sensible practices when devices started to be internet connected.
Nevertheless, from my experience, I’d say the TPMs aren’t there for user security, they are there to keep Hollywood movies safe.
deleted by creator
In Windows 11, if the main user logs in with a Microsoft account (which is mandatory unless you do some hacks during the install), it automatically encrypts the main drive by default without asking the user consent and uploads the decryption key to Microsoft servers (again, without user consent, but usually this is appreciated because sometimes automatic BIOS updates via windows update wipe the tpm and keep all your data at ransom.)
Microsoft built the encryption in Windows so know how to get around it. In theory that remains a closely guarded secret but there are the warrants and the NSA and…
Nope, this isn’t even a “backdoor”. The key itself was automatically uploaded to your microsoft account, so they can just take the key from the microsoft servers and walk right in. This isn’t some secret, a quick online search will reveal this as public information. They literally tell you the key will get uploaded.
I’d go as far as to say it’s similar to a landlord requiring a key to access the apartment your renting from them. Sure, they probably won’t abuse that power, most don’t, but the doesn’t mean they can’t.
The bigger picture to me is it’s pretty clear then internally, Microsoft views you as a “tenant” of THEIR OS. Not a purchaser. This is why they use the words “This PC” in replace of “My PC”.
Yes, I think we can absolutely say that companies are pushing for consumers to use the cloud instead of their own hardware, but in this context, I’d say it’s more egregious showing their mindset that you’re just renting their software from them.
Nah, a landlord cannot legally deny access to an apartment/house you paid for, like you can literally call the cops (make sure you have a copy of the lease safely stored on your phone or something) and get let back in. They need a court case to evict you.
But microsoft can deny access your OS, and with the manatory full disk encryption implemented, you can’t even get back in to retrieve your data. (kinda like WannaCrypt) And this would be all legal since ToS and mandatory arbittation bs. No court case needed to hold your files hostage.
So I’d say Microsoft is like 10x worse than a landlord
Not true with E2EE, they can’t give over shit when they don’t have the keys
Bitlocker is computer drive encryption. On W11 it’s supposed to be tied to the motherboards TPM. End to end encryption is not really applicable in this scenario. That phrase is more applicable to cloud services or storage where a telecom or CSP hosts or transports your data but can’t see what the data is.
Microsoft should not have the keys to decrypt Bitlocker ever.
Ofc its not applicable in that one scenario
Microsoft should not have the keys to decrypt Bitlocker ever.
Windows is a closed source and proprietary commercial Operating System. Microsoft is going to do whatever they like with it. If enough people get angry about an issue they may change their mind but that doesn’t change the nature of Microsoft’s ownership over their products.
I’ve been participating in discussion about what Microsoft should and shouldn’t do since the late 80s and it pretty much boils down to this: You need to select and use software that works the way you want it to. So if you don’t want MS to have your disk encryption key then don’t use Windows. If you don’t want MS to have access to your documents then don’t put them on any system that MS has control over.
It can be terrible inconvenient to protect your data in this way but this part and parcel of the privacy movement.
Well, storing the key in the specific provider‘s cloud isn‘t a good idea anyway - the same counts for iCloud as well. There are things that should be separated from each other because of reasons, this one is just another proof for the need to do so.
Daily reminder that verified boot is objectively superior to “secure boot”, once again a common Linux W and another example of Google actually promoting some good security practices
Same thing?
You can add custom keys to secure boot.
That doesn’t make it the same thing
Both are different names for a process that ensures the boot process is loading the correct non-malicious code.
Secure boot verifies the system is booting correct code, verified boot can ensure total system integrity and can protect against tampering. Furthermore the Linux implementation of secure boot is very often in the least secure method.
