#diskencryption — Public Fediverse posts

The data that I didn’t know I didn’t have to back up to Microsoft’s cloud

I spent more time than I’d planned Friday afternoon poking around the security settings of my Windows laptop, then undoing one setting that I am somewhat embarrassed to admit I had scarcely thought about over the previous two and a half years of using this HP.

The FBI gets some credit for that for making me rethink my own device security after some of its agents raided Washington Post reporter Hannah Natanson’s home two weeks ago and seized several of her devices–an obvious move to intimidate journalists– leaving the storage encryption on that hardware as the last line of defense for her data.

Forbes security writer Thomas Brewster gets the rest of the credit for a strong post Friday morning unpacking how Microsoft’s approach to device encryption via its BitLocker software can leave Windows computers open to law enforcement investigators who bring a valid legal order to the company requesting a particular user’s encryption recovery key.

“It’s possible for users to store those keys on a device they own, but Microsoft also recommends BitLocker users store their keys on its servers for convenience,” Brewster wrote. “While that means someone can access their data if they forget their password, or if repeated failed attempts to login lock the device, it also makes them vulnerable to law enforcement subpoenas and warrants.”

He reported that Microsoft gets about 20 requests a year for BitLocker keys but cannot respond to many of them because the customers involved didn’t back up those keys to its cloud.

Windows 11 Home’s Device Encryption isn’t branded as BitLocker in the Settings app, but it runs on the same framework. And as in the Pro, Enterprise and Education editions of Windows 11, it allows a choice of key-backup locations–which I did not realize until eyeballing Microsoft’s documentation after I’d read Brewster’s post.

I had gone unthinkingly with the default of having the recovery key backed up to my Microsoft 365 cloud storage; I don’t remember even being presented with a choice when I set up the computer in August of 2023. But since the key is only a string of 48 numbers periodically separated by dashes, there was no point in keeping it there.

Instead, I saved it in my end-to-end-encrypted password manager 1Password, where the security design does not expose backdoors that can be opened with a court order. Then I deleted the backed-up recovery key from my M365 storage after clicking a checkbox to confirm that I’d saved the key elsewhere–along with seven older ones I found saved there, going back to a Surface laptop I reviewed a decade or so ago.

(I don’t know how long it will take for this data to be gone from my online storage, although there is the option of decrypting and re-encrypting the laptop to ensure the old key is useless.)

I never should have taken Microsoft up on this offer. But Microsoft should not be leaving users in this position–as Johns Hopkins University cryptography professor Matthew Green told Brewster in that article. Apple’s FileVault device encryption now automatically encrypts recovery keys backed up to the company’s iCloud service (see this explainer from my friend Glenn Fleishman at Six Colors), leaving nothing for a third party to inspect with a warrant.

There are many areas where Microsoft can’t readily catch up with Apple, starting with having a mobile platform to complement its desktop operating system. But this should not be one of them.

#BitLocker #diskEncryption #encryption #FBI #HannahNatanson #keyEscrow #M365 #Microsoft365 #MicrosoftBackup #Windows11Home #WindowsDeviceEncryption

#Veracrypt 1.26.26 (dev) has been released (#TrueCrypt / #CipherShed / #DiskCryptor / #OTFE / #Crypto / #Encryption / #DiskEncryption / #Argon2 / #Argon2id / #GOSTBlockCipher / #RFC7801 / #RFC8891 / #BLAKE2s256 / #Streebog / #AES / #Camellia / #Kuznyechik / #Twofish / #IDRIX / #AMCrypto) https://veracrypt.io/

#Veracrypt 1.26.25 has been released (#TrueCrypt / #CipherShed / #DiskCryptor / #OTFE / #Crypto / #Encryption / #DiskEncryption / #Argon2 / #Argon2id / #GOSTBlockCipher / #RFC7801 / #RFC8891 / #BLAKE2s256 / #Streebog / #AES / #Camellia / #Kuznyechik / #Twofish / #IDRIX / #AMCrypto) https://veracrypt.io/

#Veracrypt 1.26.24 has been released (#TrueCrypt / #CipherShed / #DiskCryptor / #OTFE / #Crypto / #Encryption / #DiskEncryption / #GOSTBlockCipher / #RFC7801 / #RFC8891 / #BLAKE2s256 / #Whirlpool / #Streebog / #AES / #Camellia / #Kuznyechik / #Serpent / #Twofish / #IDRIX / #AMCrypto) https://veracrypt.fr/

"A swap file can be used to reserve swap-space within an existing partition & may also be setup inside an encrypted blockdevice's partition."
So all I had to do is make sure swap file is setup in fstab & just point all resume=UUID= to the UUID of primary partition where the #swap file is & that is it. my brain exploded🤯 from how easy it was.
p.s. reminder to anyone doing #LUKS it is only as good as the password you pick so pick something good!
#CryptSetup #Linux #LVM #hibernate #DiskEncryption

Long ago when I was installing #Kali #Linux on my #Dell Latitude E5570 #Laptop
I went with LVM on LUKS https://wiki.archlinux.org/title/dm-crypt/Encrypting_an_entire_system#LVM_on_LUKS
& at the time I thought I'd go with a swap file on / (I was unaware of Swap crypt🙄)
I was never able to get hibernate to work, until now😀...
Let me say many websites & forums all say if you want hibernate to work on LUKS, you have to go with swap crypt.
Not true, if you read https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption#Using_a_swap_file
#CryptSetup #LVM #LUKS #SWAP #hibernate #DiskEncryption

Thanks for all the suggestions and links.

I will try putting a new / temporary key into the initramfs just for while I am out of town - the chance of power outage is higher than the chance of burglary.

I'll remove the temp key and rebuild the initramfs after I get back home. Normally, I'm in front of the computer when it reboots, so entering the password manually (as I've been doing for a few years) is fine.

#DMCrypt #DiskEncryption #Linux

Is there a good way to have a #Linux server reboot unattended when the root partition is dm_crypt encrypted? I'm not super worried about bad guys being physically present. More just worried that a power outage might initiate a reboot while I am not present.

Is including the key file in the initramfs (correct terminology?) that horrible a thing if physical access to the machine is not a concern?

Thoughts or advice?

#DMCrypt #DiskEncryption

How to protect files in use on a system powered on from physical theft or tampering?

https://security.stackexchange.com/questions/269251/how-to-protect-files-in-use-on-a-system-powered-on-from-physical-theft-or-tamper

#diskencryption #fileencryption #physicalaccess #encryption #linux

AEAD: Authenticating a digest of my data instead the data itself

https://security.stackexchange.com/questions/269129/aead-authenticating-a-digest-of-my-data-instead-the-data-itself

#authentication #diskencryption #fileencryption #encryption #aead

AEAD: Authenticating a digest of my data instead the data itself

https://security.stackexchange.com/questions/269129/aead-authenticating-a-digest-of-my-data-instead-the-data-itself

#authentication #diskencryption #fileencryption #encryption #aead

AEAD: Authenticating a digest of my data instead the data itself

https://security.stackexchange.com/questions/269129/aead-authenticating-a-digest-of-my-data-instead-the-data-itself

#authentication #diskencryption #fileencryption #encryption #aead

AEAD: Authenticating a digest of my data instead the data itself

https://security.stackexchange.com/questions/269129/aead-authenticating-a-digest-of-my-data-instead-the-data-itself

#authentication #diskencryption #fileencryption #encryption #aead

#ActuLibre This Unpatchable Flaw Affects All Intel CPUs Released in Last 5 Years -> http://feedproxy.google.com/~r/TheHackersNews/~3/Q1ioFgpK0n0/intel-csme-vulnerability.html #intelvulnerability #fastestprocessor #diskencryption #intelprocessor #cybersecurity #encryption #IntelCPU #TPMChip