by dspillett 1323 days ago
This is something that is difficult when trying to encourage less technical users to be secure. Once you convince them to do things right, they've heard of circumstances like this and are petrified of accidentally losing something.

In a commercial environment there are ways and means¹ but getting a non-technical user to securely and safely manage access credentials can be a time-consuming education process. Especially after the first time someone comes to you to hack their stuff because they've lost their keys & they never did do that backup thing you told them about³ and you tell them it simply isn't possible.

Even those of us with experience in the field sometimes make mistakes that we can't revert, so people without that experience can be forgiven to an extent for trading security for what they think is safety (but is really just convenience).

Solutions, that don't involve someone being an unpaid 24/7 infrastructure support tech, on a postcard please!

----

[1] if procedures are properly followed², code is in source control and documents are in equivalent storage, the most you should be able to lose is today's work

[2] yeah, I know…

[3] or that uses the same, now lost, credentials

5 comments

This is why Microsoft Windows is so adamant about having you create an online account as your means of sign-in on modern Windows versions. FDE requires it on some versions.

Telling users that forgot their password that not only do they need to reinstall Windows, but that every single document, photo, video of their grandkids, etc. is now lost forever is untenable. At the same time, FDE is important for security, so what is a reasonable compromise? Allow some form of online recovery options (secured by the full expertise of MS security folks) by linking an account to serve as your 'IT-guy managed AD in the cloud'

Well, one of the official reasons/excuses. Tracking in various forms is the main reason MS is so adamant about that…

The most effective kind of abuse is when the abuser has something genuine to offer to convince the other party to stay in an otherwise detrimental relationship.

FDE with someone "in the cloud" having the key is defeating the purpose of FDE. Windows used to offer printing a very long key on paper.

Depends on your threat model.

Most people protect against access by whoever stole their laptop, with Microsoft and TLAs not being considered a threat. Those who do probably don't use Windows in the first place.

It's actually a really elegant solution as there is nil correlation of risk: the key is useless without physical access and physical access is useless without knowing the login.

Your government might be able to get the key - if that's part of your threat model - but they probably have easier ways to force you to give it up.

Anyway, FDE is often on by default. Do you really believe the average user is going to print out the backup key?! Do even tech savvy users have printouts of all their eg 2FA codes? Anyway, that would have worse correlation of risk as users would probably keep the printout next to their computer.

> It's actually a really elegant solution as there is nil correlation of risk: the key is useless without physical access and physical access is useless without knowing the login.

That is assuming you somehow forget your encryption key but remember the login to your Microsoft account... that you used once 2 years ago when you were installing the machine.

It also means anyone that does get the login for your MS stuff can decrypt your laptop

The encryption key is much longer than the typical password, and people often use password managers to store website logins, so I think it is reasonable to assume that they can forget the encryption key and remember their Microsoft account login.

Anyone that does get the login for that MS account can decrypt the laptop, but often times they don't have physical access to the laptop (say some hacker who does not know you personally). If they let people around them get the credential, I think it is likely that they will let others get the encryption key even if it is not saved on the cloud.

And I think backup using the cloud is a nice option, although it would be better to have a master password that you remember and that doesn't require writing it down physically. That way people having access to your cloud will not be able to read it, and you still have it when your house burns down (which does happen for some people...).
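The arrangement the comment above describes, a recovery key escrowed in the cloud but wrapped under a passphrase the owner remembers, can be built from stock tooling. The script below is an added example, not code from the thread or from any vendor's recovery flow; it assumes OpenSSL 1.1.1 or later (for `-pbkdf2`/`-iter`) and a POSIX shell, and the key, passphrase and file names are constructed for the demo. Only the wrapped file would be uploaded; the provider holds ciphertext it cannot open without the passphrase.

```shell
#!/bin/sh
# Added example: wrap a disk-recovery key under a passphrase before escrowing it.
# Assumes OpenSSL >= 1.1.1 and a POSIX shell. All values below are constructed.

# Produce a fresh recovery key (64 hex chars) into the given file.
# Stands in for the key a disk-encryption tool would hand you; it is not any product's format.
generate_recovery_key() { # generate_recovery_key <out-file>
  openssl rand -hex 32 > "$1"
}

# Encrypt the key file with AES-256-CBC under a key derived from the passphrase.
# PBKDF2 with 600,000 iterations and a random salt makes offline guessing expensive
# for whoever holds the cloud copy. The passphrase travels via an environment
# variable so it never appears on a command line visible in the process list.
wrap_key() { # wrap_key <plain-key-file> <wrapped-out-file> <passphrase>
  WRAP_PASS="$3" openssl enc -aes-256-cbc -pbkdf2 -iter 600000 -salt \
    -in "$1" -out "$2" -pass env:WRAP_PASS
}

# Decrypt a wrapped key file and print the recovery key. A wrong passphrase
# yields either an error or garbage, never the original key.
unwrap_key() { # unwrap_key <wrapped-file> <passphrase>
  WRAP_PASS="$2" openssl enc -d -aes-256-cbc -pbkdf2 -iter 600000 \
    -in "$1" -pass env:WRAP_PASS
}

# Round-trip check to run right after wrapping and before uploading:
# confirms the passphrase you intend to remember really does recover the key.
verify_wrapped_key() { # verify_wrapped_key <plain-key-file> <wrapped-file> <passphrase>
  [ "$(unwrap_key "$2" "$3" 2>/dev/null)" = "$(cat "$1")" ]
}
```

Usage: `generate_recovery_key key.txt; wrap_key key.txt key.enc "$passphrase"; verify_wrapped_key key.txt key.enc "$passphrase" && upload key.enc`, then delete `key.txt` from any place that is not the trusted offline copy. The verify step is the part most people skip, and it is exactly the "test your restore" habit from elsewhere in this thread applied to the key itself.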

>trying to encourage less technical users to be secure

The threat of “losing the keys to all the data” is considerably larger than the threat of having your computer and data stolen for an average home user. It can’t just be a matter of more secure is better… you have to have an idea of what you’re trying to prevent.

All of our shit has been lost in one leak or another so at this point it seems like it barely matters.

My happy medium is encrypted PCs that sync everything onto my unencrypted home server.

If you're already in my bedroom, I've got bigger problems than my family photos.

If I leave my laptop on the bus, it's a VISA problem.

This isn't for everybody, but it's probably the safest my family can be.

This is not great from a robbery point of view or a disposal point of view.

Syncing to a cloud service would be better.

This is the other side of the problem: the issue is wider than your data and doesn't even need to be about FDE or other encryption. Simply using decent passwords/passphrases more generally is a hurdle to jump before even considering FDE because the other set of risks are when a bot gains access to the machine by those means it may be able to gain access to information to enable identity fraud or even get direct access to banking information (most care a lot more when their money is at stake than just their data or reputation). The circumstance in this post may not seem relevant here to us, but to a non-technical user the two are easily conflated (“I heard about someone who used a strong password and lost access to everything when it was forgotten”).

Everyone forgets about the CIA triad - security is not just about confidentiality, but also integrity and availability.

I am sitting on a 12TB array after my move I just can't come up with the combination...

However, there are better options for users - how about Smartcards? You know, like yubikey / U2F before the web?

You can even use it with LUKS

As much as I adore my Yubikey, my girlfriend thinks I’m decidedly weird because I have two: one on my actual keys, and a backup that’s in my safe at home. Which is annoying because not every system lets me set up two Yubikeys (though TOTP is fine at least). I’m not using it for FDE, but I am using it for securing my password manager (which does support both keys) which holds the backup keys for said FDE and so on.

Name and shame sites that don't support using multiple Yubikeys! I'm pretty sure they're violating the guidelines in the standard if they do that.

I think AWS is still the only one I know of doing that, or did they finally fix that?

Yup, just checked, they still are.

AWS is my largest annoyance in this regard.

The issue I have is that the second key can't really sit in the safe all the time because every time you set up a new service, it needs to be taken out and added.

It's weird that we had that issue solved ages ago (like SSH, just add multiple public keys to the account, no need to have the private key available for that), yet keep inventing worse ways to do it.

Especially that most YK versions do support pub/private key auth...

Absolutely, but it's worth the trade-off for me personally. I get weird looks from my partner because of it though haha

> Solutions, that don't involve someone being an unpaid 24/7 infrastructure support tech, on a postcard please!

One step at a time!

1. Back up your data.

2. Test restoring your data.

3. Automate your backups.

4. Automate your test restores.

5. Now you are ready for full-disk encryption.

It is okay if you do not complete all steps. More steps is better. Do not skip ahead.
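Steps 1 through 4 above can be one small script that a scheduler runs, so that "test restoring your data" is not a thing you remember to do but a thing that fails loudly when it stops working. The script below is an added example, not code from the commenter; it assumes a POSIX shell, `tar`, `mktemp` and `sha256sum` (falling back to `shasum -a 256`), and the directory names are placeholders. It backs a directory up with a checksum manifest, then restores the archive into a scratch directory and verifies every file, returning non-zero on any mismatch; that exit status is what a cron job or systemd timer would alert on. Only after this has been running for a while does step 5 become a reasonable risk to take.

```shell
#!/bin/sh
# Added example: backup + automated test restore, the pre-FDE checklist in script form.
# Assumes POSIX sh, tar, mktemp and sha256sum (or shasum). Paths are placeholders.
# Limitation: the manifest format does not support file names containing whitespace.

# Print the SHA-256 of one file with whichever tool the system has.
sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Step 1: back up SRC into DEST/backup.tar and write a manifest of per-file hashes.
# The manifest is what lets a later restore be checked, not just "did tar exit 0".
make_backup() { # make_backup <src-dir> <dest-dir>
  src=$1; dest=$2
  mkdir -p "$dest"
  ( cd "$src" && find . -type f | sort | while read -r f; do
      printf '%s  %s\n' "$(sha256 "$f")" "$f"
    done ) > "$dest/manifest.sha256"
  tar -cf "$dest/backup.tar" -C "$src" .
}

# Step 2: restore into a scratch directory and compare every file to the manifest.
# Returns 0 only if every listed file is present with the recorded hash.
test_restore() { # test_restore <dest-dir>
  dest=$1
  scratch=$(mktemp -d)
  tar -xf "$dest/backup.tar" -C "$scratch"
  status=0
  while read -r sum f; do
    if [ ! -f "$scratch/$f" ]; then
      echo "restore check: missing $f" >&2; status=1; continue
    fi
    if [ "$(sha256 "$scratch/$f")" != "$sum" ]; then
      echo "restore check: hash mismatch $f" >&2; status=1
    fi
  done < "$dest/manifest.sha256"
  rm -rf "$scratch"
  return $status
}

# Steps 3 and 4: this is the single entry point a scheduler calls, e.g. a cron line
# such as  0 2 * * * /usr/local/bin/backup.sh /home/alice /mnt/backup  (placeholder paths).
# A non-zero exit is the signal that backups have silently stopped being restorable.
backup_and_verify() { # backup_and_verify <src-dir> <dest-dir>
  make_backup "$1" "$2" && test_restore "$2"
}
```

Note that the archive here is written in the clear; if the backup tool you use encrypts its output (as the later comment in this thread points out many do), the key for that archive belongs in the same "do I still have it, does it still work" loop as the disk key, otherwise the backup reintroduces the exact failure mode it was meant to cover.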

So as long as you keep your data unencrypted next to your encrypted data, you're fine. Checks out.

I get it, it’s fun to make jabs at posts on HN. You don’t need to lean so hard into the trope.

I may have assumed that your backups were encrypted, just because so many backup tools do it automatically. And I didn’t put that in the post. Predictably, I get some kind of jerk replying to the comment with a sarcastic jab, rather than any kind of interesting discussion.

Accidental data loss is the big risk, and for most people, it’s a bigger risk than any risk of someone reading your unencrypted data. It makes sense to start with the most serious risks (data loss), and work your way down to the minor risks (compromise).

It makes no sense to start by encrypting your data, because it significantly increases your risk of data loss, in the absence of good backups. That’s what the article is talking about.

I legitimately didn't, and still don't, see how this solves the problem of less technical users losing their encryption keys.

Because it gives you a longer period of time to learn the keys without consequences if you forget.

If you encrypt your HD, you’re suddenly in a position where forgetting your key will lose all your data. It’s like walking off a cliff and hoping you can fly.

If you start by making backups and doing test restores, there’s a period of time where you are still forced to remember the key (to do the restore), but the consequences for losing it are low.

Yeah I don't think this would help my mother.