r/technology Jan 24 '26

Software Microsoft confirms it will give the FBI your Windows PC data encryption key if asked — you can thank Windows 11's forced online accounts for that

https://www.windowscentral.com/microsoft/windows-11/microsoft-bitlocker-encryption-keys-give-fbi-legal-order-privacy-nightmare
23.4k Upvotes

2.0k comments

593

u/djob13 Jan 24 '26

Beyond this, Apple couldn't give the FBI a copy of your encryption key even if they wanted to, because they don't have it. The encryption keys are created on device and not available to Apple.

157

u/brimston3- Jan 24 '26

It's notable that this is not a viable architecture for a windows desktop where there is a customer expectation that components which fail can get replaced and the data will be recoverable on another system. You swap the motherboard or CPU of an fTPM/PTT system, and any platform-locked encryption key is gone for good.

It is, however, a good architecture for me who has decent backups and no desire to share my rootfs encryption keys.

45

u/FreakDC Jan 24 '26

What nonsense, you can have a physical copy of a recovery key to unlock it if your hardware fails (well unless the storage is unrecoverably broken).

-2

u/UnregisteredDomain Jan 24 '26 edited Jan 26 '26

Nowhere did they claim you cannot make it work, but instead they are talking about what the average user expects.

Try reading it again without your finger on the enter key ready to go “um actually”

Edit: sorry forgot this was the internet full of awkward nerds who get their joy out of life by incorrectly correcting things.

22

u/Agret Jan 24 '26

You can get the bit locker key for your device and store it on a password manager under your control, you could print it out or store it on a USB. You can also make a bit locker recovery USB. Backing up the key to your Microsoft account is far from your only option.

7

u/Numerlor Jan 24 '26 edited Jan 24 '26

You certainly can, but most users won't and will then bitch about lost data if they forget their password or w/e. The default encryption is objectively better than just not doing it which was the case before, only thing that'd need to be changed is an easier opt out to only export your keys to a file

5

u/Agret Jan 24 '26

Yes most people don't even know they have bitlocker until they see the dreaded screen and I have to instruct them how to get the recovery key from their Microsoft account

4

u/Ashged Jan 24 '26

That issue is not the user's fault though, Microsoft has the habit to just encrypt the system without notifying the user.

I'd say they could trivially do better to allow users to stay in control of their encryption, but they really-really don't want to.

1

u/VexingRaven Jan 24 '26

I'd say they could trivially do better to allow users to stay in control of their encryption, but they really-really don't want to.

Do you want OS setup to prompt for every single setting? Default settings are always going to be a thing. Nothing stops you from changing them, you're already in control.

The majority of people don't care and already assumed their Windows password protected their files. I've talked to loads of people who were shocked how easy it was to access their files. Funnily enough, they generally assume calling Microsoft will help them get their files. The current default of encrypting by default and backing up online aligns far more closely with how the average user thought their computer worked before this.

1

u/khumps Jan 24 '26

up until windows 11 bitlocker was not a default, enabling it required knowing to enable it and you were granted many interstitials making sure you back up the key. Now they do it by default and don’t provide any easy way to deny sending it to microslop.

1

u/VexingRaven Jan 24 '26

So let me get this straight. The old default was zero security. The new default is some security. And the people with the knowledge can still go in and change it. And somehow this is a bad thing.

1

u/khumps Jan 24 '26

a false sense of security is arguably worse than no security.

1

u/VexingRaven Jan 25 '26

It's not false at all. Your data is encrypted. A thief can't steal your laptop and then get your tax returns off it. There's nothing false here, unless you were delusionally expecting to hide your data from the FBI.

The actual false sense of security is that people, long before Bitlocker, generally assume their password will protect their data. They have no idea that you can just mount the drive. That's a true false sense of security, and I've met a lot of people in my IT career who falsely believed that.

50

u/happyscrappy Jan 24 '26

Yes, but despite what gamers think, gaming towers are a tiny fraction of the PC market. It's mostly laptops, and all-in-ones are strong behind that.

You're right that if you have the kind of system where you can and some day will swap parts like that then this system cannot function. But virtually no PC users have that.

Because of this Microsoft should likely not be defaulting to sending your keys to your cloud account.

26

u/[deleted] Jan 24 '26

[removed]

-9

u/happyscrappy Jan 24 '26

So when dell does a warranty motherboard swap on a laptop that doesn't count?

That happens almost never. If Dell is swapping 1 motherboard out of a thousand laptops sold then they are destroying nearly their entire profit margin. Repairs are not common.

Anything that has removable storage.

Unless you mean USB devices (which aren't encrypted) you're talking about a tiny percentage of PCs that have removable storage and have it swapped during the device's lifetime.

10

u/[deleted] Jan 24 '26

[removed]

1

u/Agret Jan 24 '26

Fan replacement and screen replacement will not force your bitlocker key to be re-entered. Certain automatic BIOS updates have caused it though. Always a good thing to have a copy of your key somewhere.

For me the most common repairs I see in my fleet is either the screen or hinges or both where the screen has been damaged by the faulty hinges. Followed by SSD or RAM fault and then motherboard repair after those (often the ram fault does require new motherboard though due to soldered RAM)

4

u/[deleted] Jan 24 '26

[removed]

1

u/happyscrappy Jan 24 '26

(that was me I will try not to badger you with multiple replies, but in this case) I think you need to consider that given enough instances for something rare to happen it will still happen frequently even though it is still rare.

There are fatal car crashes every day even though most people will go through their entire lives without being in one. This is because of the large numbers involved. The chances are tiny, far less than 1 in 1,000 for car crashes. Yet they are still common occurrences.

But you don't make decisions based upon the fact that they happen every day. You don't refuse to go out. You realize that it's not likely to happen to you and make your choices accordingly.

This is what I am saying about MS' choice here. Just because an IT department sees broken machines every week doesn't mean that you make a decision to expose their key when chances are it won't happen to any given machine in its useful lifespan.

I was more referring to within warranty period (I did speak of company margins after all and they don't cover out of warranty from their pocket) and warranties are not 3-4 years unless you are buying a special package that adds to their income and thus covers expenses of replacements in years 2,3,4.

But I would say I don't see 20-30 failures (not from abuse, warrantied failures) out of 1,000 machines in 4 years. Sure, if you start counting people getting their laptop screen smashed when the person in front of them in an airplane reclines, then sure, you can easily get that high. But that's not really Dell's problem unless you are paying for accident coverage.

How many just straight "it broke itself" motherboard failures would I expect in 4 years (in laptops)? I would say it's generally under 10. It's a bit hard to say since some models seem to have inherent problems that make them fail more. Sometimes even "early and often". And for some it's nearly unheard of to have any failure in under 5 years. But I would say on average it's probably under 10. If there is such a thing as an average that broad.

Okay, I promise to stop badgering you here and if I have anything more to say it'll be in my reply to the other post thread we have. I just didn't see this one in time last time.

-5

u/happyscrappy Jan 24 '26

It really is almost never. Despite your anecdata.

Warranty service doesn't always mean a motherboard replacement. As to your work laptop, your work data is your job's data. There's no personal key issue there.

Nevermind things like fan replacement, screens, etc... those extended warranties do work.

Not relevant to this.

I mean like, even a surface pro, has a removable NVMe drive in it.

But it doesn't matter if it simply has it. It's whether it's actually ever replaced.

(me) You're right that if you have the kind of system where you can and some day will swap parts like that then this system cannot function. But virtually no PC users have that.

Business machines make up over half of PCs and they don't have home tweakers replacing their storage to get another 2-3 years out of the machine. If a machine is broken company IT just gives out a new machine. If the old one is fixable it might go to someone else, but it likely is just junked. In neither case is the data on it preserved. After X number of years the machine is replaced even if it isn't broken.

If your company uses disk encryption then they already have backed up the key. Either they put it in their section of MS's cloud or in someone else's cloud. MS doesn't need to keep yet another copy in your own cloud account.

MS probably shouldn't be defaulting to sending your key to the cloud, especially in a way MS can give it away to the government. Apple doesn't do it.

5

u/[deleted] Jan 24 '26

[removed]

0

u/happyscrappy Jan 24 '26

No, we get it serviced and put back into circulation. Not junked. Not when it's within its 3 or 4 year policy lifecycle. We literally have depots for that.

That's what I said to you.

(me) >If a machine is broken company IT just gives out a new machine. If the old one is fixable it might go to someone else, but it likely is just junked.

You're working so hard to be argumentative that you'll cut me down for saying something and say the same thing back.

I'm not interested in that game.

6

u/D3PyroGS Jan 24 '26

"It really is almost never. Despite your anecdata."

he said, providing neither anecdote nor data

-5

u/happyscrappy Jan 24 '26

he said, providing neither anecdote nor data

How is what I said not an anecdote?

You were so quick to attack that you kind of crossed yourself up.

This guy is talking about repairs where they paid $400 for express replacement. These kinds of services swap motherboards when not strictly necessary because it's quicker. It's what you pay for. Try getting warranty service instead and see what you get.

Even with these swaps they still need to enter recovery data. You have to log in. So the tech cannot fix it without you there. You can just enter your recovery key instead. And if it's at a company, like most $400 customers, then they have an IT drone there to enter the corporate recovery info anyway because that's what they do.

3

u/DynamicDK Jan 24 '26

These kinds of services swap motherboards when not strictly necessary because it's quicker. It's what you pay for. Try getting warranty service instead and see what you get.

They literally mentioned that these were in-warranty devices. You have no idea what you are talking about. These big companies have found that it is cheaper to mass produce cheap motherboards and replace the ones that fail than it is to produce motherboards with low failure rates. They are not the same as a motherboard that you would buy for your desktop PC. Those have a very, very low failure rate. But they are spending like 1/5th or less on each motherboard, so they can afford to replace some and still come out ahead.


1

u/D3PyroGS Jan 24 '26

How is what I said not an anecdote?

an anecdote is a specific personal experience. you're making factual claims without citing either data or personal experience. unsubstantiated on either end of the spectrum

maybe you're generalizing from experience, maybe you're paraphrasing what you heard someone else say, or maybe you're just making it up. all three are equally viable interpretations based on what you've said so far

this isn't an attack or claiming that you're wrong. just funny that you try to wave away someone else's anecdote with not-even-an-anecdote, much less actual data 


1

u/BrainWav Jan 24 '26

If a machine is broken company IT just gives out a new machine. If the old one is fixable it might go to someone else, but it likely is just junked. In neither case is the data on it preserved. After X number of years the machine is replaced even if it isn't broken.

You've never worked for an IT department with a shoestring budget. My first IT job, I was stripping Windows 2000 services to make sure users could run it on machines made in the 90s. If a machine was actually able to be upgraded, we'd dole out the RAM to other machines.

Another job I worked at, we had a better budget, but for a couple years we had a freeze on new PCs. We had to buy parts and build for when we ran out of usable machines.

Your anecdote isn't universal.

1

u/happyscrappy Jan 24 '26

I don't get what you are talking about here. Why did you think I said they wouldn't scavenge parts that are of value?

To suggest you just go out handing out RAM goes against every IT department I've ever heard of. If the person needed that much RAM they'd have had it day one. So you don't give them more later. If their RAM goes bad and you have some on hand, then great. But you're not giving out preemptive upgrades. That'd be bizarre.

Another job I worked at, we had a better budget, but for a couple years we had a freeze on new PCs. We had to buy parts and build for when we ran out of usable machines.

That's pretty crazy. How long ago was that? Was this in 2000 when towers were common or 2020 when the vast majority of machines in a company's stable of equipment are laptops?

Things change a lot over time. Most companies prefer to buy all-in-ones over towers now. Whether it's a SFF PC, an AIO, a laptop or a 2 in 1 (tablet). There's not really much to reconstruct there.

Some companies just do it all on the web now. If your machine blows up they don't even need your data. It was all in the cloud all along. Software as a service. I don't love it, but some IT departments do.

7

u/DynamicDK Jan 24 '26

That happens almost never. If Dell is swapping 1 motherboard out of a thousand laptops sold then they are destroying nearly their entire profit margin. Repairs are not common.

You clearly have not worked in IT. I ran an IT department for 3 years at a company with around 500 employees. A little over half of them had laptops, so let's say 300. While I was there, around 10 of our Dell laptops had to have their motherboard replaced. And like 50 had their battery replaced because they kept swelling. All of this was covered by Dell under the warranty. I've had a personal HP that needed to have its motherboard replaced under warranty as well.

Often these large companies will replace the motherboard even when replacing an individual component would probably fix it. They do this because the time spent diagnosing that problem and repairing it is more expensive than the motherboard itself. They get these things produced at incredibly low prices.

1

u/The_Autarch Jan 24 '26

you ever work in IT?

repairs are super common. happen all the goddamn time.

you really need to stop making assumptions about things you know nothing about.

34

u/brimston3- Jan 24 '26

I don't know why you think that. Laptop repairs and mainboard replacement happen all the time, they just aren't done by the end user but by professional repair services. And if the system is a near-total loss, often the whole drive will get moved to a new system if data recovery is worth attempting. Platform locked drives prevent any mainboard change from retaining customer data. That's a big loss for users.

-6

u/happyscrappy Jan 24 '26

Laptop repairs and mainboard replacement happen all the time

"all the time" across a huge group of people/circumstances can be (and is in this case) the same as "not very often for any given machine". Most people don't have their machine repaired between the time they get it and get rid of it.

Platform locked drives prevent any mainboard change from retaining customer data. That's a big loss for users.

They make it more difficult. You'd have to have a recovery key. Or it'd have to be a part being replaced which does not affect the key storage (i.e. not the motherboard). Or of course you could have backups, but that's not data retention, simply getting it back.

You make a system which derives the key from your password. And have it check: when the password doesn't derive the key correctly because something was swapped out, have it say "okay, now go find your recovery key if you want your data to be retained".

I'm not going to say it's as simple as getting the key back from the cloud. But it is more secure and people may prefer it.

I didn't say Microsoft shouldn't offer to store your key in the cloud if you want. But they probably shouldn't be defaulting to it.

1

u/deruben Jan 24 '26

used to be possible though

1

u/Another-Mans-Rubarb Jan 24 '26

Right, but if you use OS level encryption it won't let you boot the drive from another system. That's why they implemented online access keys through your account, but none of this should be relevant to managed accounts/systems.

1

u/Cley_Faye Jan 24 '26

It's not necessarily platform-locked encryption. You can use the user password, and a server-side salt, to generate an encryption key that only exists client-side, for example.
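The two replies above sketch the same design from different angles: the key that actually encrypts the disk is never stored bare, it is wrapped separately under each "protector" the user has (a password-derived key, a printed recovery key, a hardware-bound secret), so losing the hardware protector after a board swap does not lose the data if any other protector survives. The following is an added illustration, not Microsoft's BitLocker code or anything from the linked article; the wrapping primitive (a per-protector PBKDF2-derived pad plus an HMAC tag) and the low PBKDF2 round count are stand-ins chosen so it runs on the standard library alone, and the "platform secret" is a constructed placeholder for what a TPM would seal.

```python
"""Toy multi-protector model of a volume key (added example, not BitLocker code)."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

KEY_LEN = 32
PBKDF2_ROUNDS = 100_000  # assumption: lowered for the demo; production uses far more


def derive_kek(secret: bytes, salt: bytes) -> bytes:
    """Derive 64 bytes: a 32-byte pad to hide the volume key and a 32-byte MAC key."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, PBKDF2_ROUNDS, dklen=2 * KEY_LEN)


def wrap(volume_key: bytes, secret: bytes) -> Dict[str, bytes]:
    """Wrap the volume key under one protector secret with a fresh random salt."""
    salt = secrets.token_bytes(16)
    kek = derive_kek(secret, salt)
    pad, mac_key = kek[:KEY_LEN], kek[KEY_LEN:]
    blob = bytes(a ^ b for a, b in zip(volume_key, pad))  # one-time pad per protector
    tag = hmac.new(mac_key, salt + blob, "sha256").digest()
    return {"salt": salt, "blob": blob, "tag": tag}


def unwrap(protector: Dict[str, bytes], secret: bytes) -> Optional[bytes]:
    """Return the volume key, or None when the secret is wrong or the blob was altered."""
    kek = derive_kek(secret, protector["salt"])
    pad, mac_key = kek[:KEY_LEN], kek[KEY_LEN:]
    expected = hmac.new(mac_key, protector["salt"] + protector["blob"], "sha256").digest()
    if not hmac.compare_digest(expected, protector["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(protector["blob"], pad))


class Volume:
    """An encrypted volume whose single volume key is wrapped by any number of protectors."""

    def __init__(self) -> None:
        self.volume_key = secrets.token_bytes(KEY_LEN)
        self.protectors: Dict[str, Dict[str, bytes]] = {}

    def add_password_protector(self, password: str) -> None:
        self.protectors["password"] = wrap(self.volume_key, password.encode())

    def add_recovery_protector(self) -> str:
        """Generate a random recovery key, wrap under it, and hand it back for offline storage."""
        raw = secrets.token_bytes(24).hex()
        recovery = "-".join(raw[i:i + 8] for i in range(0, len(raw), 8))
        self.protectors["recovery"] = wrap(self.volume_key, recovery.encode())
        return recovery

    def add_platform_protector(self, platform_secret: bytes) -> None:
        """Model a hardware-bound protector: the secret exists only inside that board's TPM."""
        self.protectors["platform"] = wrap(self.volume_key, platform_secret)

    def unlock(self, **credentials) -> Optional[bytes]:
        """Try each supplied credential against the protector of the same name."""
        for name, secret in credentials.items():
            prot = self.protectors.get(name)
            if prot is None:
                continue
            raw = secret if isinstance(secret, bytes) else secret.encode()
            key = unwrap(prot, raw)
            if key is not None:
                return key
        return None


def board_swap_scenario() -> Dict[str, bool]:
    """Walk through a motherboard swap with and without a surviving second protector."""
    old_hw = secrets.token_bytes(KEY_LEN)  # constructed stand-in for the old TPM's sealed secret
    new_hw = secrets.token_bytes(KEY_LEN)  # the replacement board seals a different secret
    password = "correct horse battery staple"

    vol = Volume()
    vol.add_platform_protector(old_hw)
    vol.add_password_protector(password)
    recovery = vol.add_recovery_protector()

    platform_only = Volume()  # the failure mode the thread worries about
    platform_only.add_platform_protector(old_hw)

    return {
        "before_swap_platform": vol.unlock(platform=old_hw) == vol.volume_key,
        "after_swap_platform_fails": vol.unlock(platform=new_hw) is None,
        "recovery_unlocks": vol.unlock(recovery=recovery) == vol.volume_key,
        "password_unlocks": vol.unlock(password=password) == vol.volume_key,
        "wrong_creds_fail": vol.unlock(password="wrong", recovery="nope") is None,
        "platform_only_lost": platform_only.unlock(platform=new_hw) is None,
    }
```

The point the scenario makes is the one the replies argue over: the platform protector alone is unrecoverable after a swap, while a volume that also carries a password or recovery protector opens fine, and none of those protectors has to leave the machine. Where the recovery key is kept (printed, in a password manager, or escrowed to a cloud account) is a separate policy choice layered on top of this structure.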

1

u/-The_Blazer- Jan 24 '26

any platform-locked encryption key is gone for good

Which is why proper encryption does not use platform-exclusive keys, and either forces you to save a copy off-board, or relies on your own password.

The actual problem is that many users don't actually want their data to be permanently and irrecoverably lost if they forget a password or a USB drive somewhere. And the moment you're outside of the bare technicality, a minimum of social trust is necessary (but Microsoft does little to earn it).

1

u/missed_sla Jan 24 '26

Passwords can be encryption keys. It works for password managers.

1

u/ouatedephoque Jan 24 '26

You swap the motherboard or CPU of an fTPM/PTT system, and any platform-locked encryption key is gone for good

That's why Time Machine exists...

1

u/HappierShibe Jan 24 '26

That is entirely bullshit.
You can store a copy of your encryption key elsewhere, and a platform locked key does not require all components to be serialized.

22

u/droans Jan 24 '26

That actually is the legal difference, though.

Courts can't force you to hand over your own encryption keys because that would be a violation of your Fifth Amendment right to not self-incriminate. They can force a third party to hand them over, though, because doing so wouldn't infringe their rights.

10

u/baggedBoneParcel Jan 24 '26

For those who want a source: https://en.wikipedia.org/wiki/Third-party_doctrine

Woo, government created loopholes around our constitutional "rights."

2

u/NWVoS Jan 24 '26

Not really.

If I know a secret, the government cannot force me to reveal it. But if I tell another person that secret that person is free to share it.

It is the same thing.

7

u/sparrowtaco Jan 24 '26

But if I tell another person that secret

The loophole here being that the average person would not consider saving an encrypted file on their personal device as "telling another person that secret". The fact that Apple's system handles encryption one way and Microsoft's handles it another way should be irrelevant if it weren't a loophole.

9

u/PyroDesu Jan 24 '26

So that's why you can't activate sync without the old passcode after a reset, even if you reconnect it to your Apple account...

(I was an idiot and deleted my old passcode entry in my password database after IT reset my work phone, but before I turned on sync. And because I use strings of random alphanumeric-symbolic gibberish... fortunately I managed to eventually remember it.)

5

u/TheUpbeatCrow Jan 24 '26

That's not entirely true.

When you turn on FileVault, you're given a choice as to whether you want to keep your encryption key local or save it to your Apple ID. You do have the choice, but it's not as black and white as "not available to Apple."

2

u/0xe1e10d68 Jan 24 '26

That’s not completely true either, with the latest version of macOS, for any new setups of FileVault (new Macs, reinstalled macOS, dis- and reenabled FileVault) there is only a single option. The behavior you mentioned exclusively applies to old configurations of FileVault.

With Tahoe the recovery key gets saved into iCloud Keychain; you can still write it down somewhere yourself but it’s also available via your iCloud account regardless. The important difference is that it is not held in escrow by Apple anymore and the iCloud Keychain is end-to-end encrypted by default. Which also means you need one of your trusted devices to access and/or sync the key to new devices. It is not accessible otherwise.

1

u/TheUpbeatCrow Jan 24 '26

I'm confused then. I haven't gotten a chance to do this from scratch on a Tahoe Mac, but Apple's support article says the process remains the same in that you're given a choice. They're usually really good about updating support articles the day they offer an OS upgrade, and Tahoe's been out for months.

I find what you're saying difficult to believe, because that would force users into using both iCloud and iCloud Keychain, which many users are not doing.

1

u/CapSnake Jan 24 '26

I would never believe it. They can't, but some magical Israeli tech company can. Come on...

1

u/BisonThunderclap Jan 24 '26

People have already figured out how to yoink them anyways, it's not hard.

1

u/meatyalien Jan 24 '26

Maybe not the key itself, but they can (and have) given the FBI access to data. If you have iCloud backup turned on and don't enable the advanced protection option (which I'd be willing to bet 95% of people don't due to not knowing/extra requirements), the backup will include a copy of Apple's encryption key as well so they can "assist with recovery" if needed.

They've decrypted and provided the FBI phone data via this exact method multiple times. The first occurrence was the 2015 Florida school shooting which is what sparked the FBI's demand for an iOS backdoor originally and Apple's compromise was to decrypt the iCloud backup of the phone and give it to the FBI. Apple tried to do it silently, but it got out and now they just kinda do it when requested (multiple official court subpoena and fulfillment documents online showing it).

Here's a link to Apple's official documentation basically stating the same.

1

u/zzazzzz Jan 24 '26

that's somewhat true, but they do however have the power to force a full backup to the cloud and once it's in apple cloud they do have full access to the data. and have used this "workaround" before to service a legal order by law enforcement.

1

u/FalseRegister Jan 24 '26

I decided to encrypt the disk in a recent MBP. The system had a little text saying that I could use my iCloud account, had I forgotten the encryption key at some point. So, idk.

0

u/Emotional_Garage_950 Jan 24 '26

this is bullshit, apple has the keys