by bri3d
28 days ago
> What will it take for more companies to truly understand their risks with Windows and being locked into Microsoft’s platforms?

What? Most Linux distributions don't even enable FDE by default, and even when they do, they frequently use the exact same system as BitLocker (automated unlock sealed to TPM PCRs) with the exact same vulnerabilities (any signed OS image with a postboot authentication bypass gets you the disk content, as does any method for inspecting the state of system memory). This is an architectural tradeoff you can make on any platform and has nothing to do with "lock in." It's straightforward to configure BitLocker disk encryption to be more secure, but it creates enormous headaches for admins, so they don't do it. I do think that Apple have some better security defaults for FileVault ("enabling" FileVault basically consists of wrapping the existing hardware UID entangled key with the user's password as well) but this strategy does create big issues with remote password rotation or delegated authentication (i.e., Active Directory), which is probably why Microsoft don't choose it as a default.
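The comment contrasts TPM-only auto-unlock (key sealed to PCRs, released with no user secret) with the hardened TPM+PIN configuration admins tend to skip. As an added example that is not part of the thread, this PowerShell audit enumerates a host's BitLocker volumes and classifies each by protector type, so a defender can see which volumes still rely on TPM-only auto-unlock; the function name and the `Finding` labels are my own, the cmdlets and protector types are the standard BitLocker module's.

```powershell
# Added example (not from the thread): audit BitLocker protectors on a Windows
# host and flag volumes that rely on TPM-only auto-unlock, the default tradeoff
# the comment above describes. Requires the BitLocker module (Windows 10/11
# Pro/Enterprise or Windows Server) and an elevated session.

function Get-BitLockerProtectorAudit {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        # TPM-only: the volume key is sealed to PCRs and released at boot with
        # no user secret, so a signed OS image with a post-boot auth bypass, or
        # memory inspection after unlock, exposes the disk contents.
        $tpmOnly = $types -contains 'Tpm'

        # TPM plus PIN and/or startup key: a boot-time secret is required before
        # the TPM releases the key. This is the "more secure" configuration.
        $tpmPlus = @($types | Where-Object { $_ -in 'TpmPin','TpmStartupKey','TpmPinStartupKey' }).Count -gt 0

        $finding = if ($vol.ProtectionStatus -ne 'On') { 'ProtectionOff' }
                   elseif ($tpmPlus)                   { 'TpmWithBootSecret' }
                   elseif ($tpmOnly)                   { 'TpmOnlyAutoUnlock' }
                   else                                { 'NoTpmProtector' }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            ProtectionStatus = $vol.ProtectionStatus
            EncryptionMethod = $vol.EncryptionMethod
            Protectors       = ($types -join ',')
            Finding          = $finding
        }
    }
}

Get-BitLockerProtectorAudit | Format-Table -AutoSize

# Moving an OS volume from TPM-only to TPM+PIN. Left commented out because it
# prompts for a PIN and changes the boot flow; Group Policy must also permit a
# startup PIN ("Require additional authentication at startup") or the call fails.
# $pin = Read-Host -AsSecureString 'New BitLocker startup PIN'
# Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin $pin
# Afterwards remove the TPM-only protector using the KeyProtectorId reported above:
# Remove-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId '<Tpm protector id>'
```

A `TpmOnlyAutoUnlock` finding on an OS volume is the configuration the comment is describing; `TpmWithBootSecret` is the hardened state.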
Do they? Any time I've done FDE it's always been LUKS with a password, I've never seen one go for TPM by default!
I've only recently implemented LUKS+TPM on a personal laptop (and that was a PITA to do).