by kefka 3304 days ago
> BitLocker.... In what way does it come up short?

By forcing an escrow key linked to Microsoft and whomever owns the TPM on your computer.

By definition, backdoor keys and hidden users who can access encrypted content are just absolutely, horribly wrong. And there's no way to turn it off... Well, I'm sure someone will say there's 10 regkeys to change that might fix it on a specific version.

Still does nothing regarding the "trust" with the TPM.


Apple uses TPM-like hardware for their encryption as well - and that's what the OP was asking about. The same solution.

They actually don't; not for Macs anyway - although that might be different for the models with TouchID. FileVault on the Mac is entirely software-based.

Yeah, on touchbar MBPs they store keys in the TouchID coprocessor which does the same as TPM on other machines.

Do they escrow across reboots? I know they don't on iOS.

What do you mean linked to Microsoft? And if your TPM, the hardware device that stores keys, is pwned, the whole exercise is meaningless anyways

The TPM is pwned, by default. It's closed, secret, and as the AMT issues showed, has a lot of software running in it with questionable security.

That's why the whole exercise is meaningless if you leave the keys on the device, and why you should put them on external hardware TPMs or key vaults. Even a YubiKey is better.

Now you just need a system that supports reading keys from such a device during boot.

You can use YubiKey to store BitLocker decryption key.

And? That still allows MS to decrypt the drive.

False. You are given a non-default option to upload a backup of your Bitlocker key to Onedrive. By what evidence are you claiming Microsoft gets to decrypt the drive if this option isn't selected?
TPM and AMT are two entirely different technologies with entirely different classes of security concerns. The Intel management engine (which runs the AMT software) is effectively a separate CPU that runs full programs and has direct memory/hardware access, while the TPM is not.

The TPM is a PKI device, nothing more. It cannot take over your computer.

MS encrypts your stuff with your AND microsofts key. Look for this "feature" by a if you forget your password, and log into OneDrive.

Their encryption, by definition, is already backdoored to MS. Game over.

And that's nothing about the stupidity of the TPM itself.

>MS encrypts your stuff with your AND microsofts key. Look for this "feature" by a if you forget your password, and log into OneDrive.

This statement is misleading. When setting up BitLocker, you have the option of saving your recovery key to OneDrive. It's not mandatory or even the default choice.
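The two replies above turn on which key protectors a BitLocker volume actually carries. The following audit is an added example, not code from any commenter; it assumes the built-in BitLocker PowerShell module (Windows 8 / Server 2012 or later) run from an elevated prompt, and lists every protector so a recovery-password protector (the only kind that can be backed up to an account) is visible rather than assumed.

```powershell
# Audit BitLocker key protectors on every local volume (elevated prompt required).
# Added example; uses only the built-in Microsoft BitLocker module (Get-BitLockerVolume).
# The protector record does not say whether a recovery password was ever uploaded
# anywhere, so this reports what exists on the disk, not where copies may live.
Get-BitLockerVolume | ForEach-Object {
    $vol   = $_
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    [pscustomobject]@{
        MountPoint     = $vol.MountPoint
        Protection     = $vol.ProtectionStatus     # On / Off
        Status         = $vol.VolumeStatus         # FullyEncrypted, EncryptionInProgress, ...
        Protectors     = ($types -join ', ')
        TpmBound       = [bool]($types -match '^Tpm')            # Tpm, TpmPin, TpmStartupKey, ...
        HasRecoveryPwd = ($types -contains 'RecoveryPassword')   # the protector that can be backed up
        RecoveryIds    = (($recovery | ForEach-Object { $_.KeyProtectorId }) -join ', ')
    }
} | Format-Table -AutoSize
```

A volume that shows only TPM-type protectors has no recovery password that could have been saved to an account; one that shows a RecoveryPassword protector should be checked against where you chose to store it when enabling BitLocker.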