by bootsmann 34 days ago
You need a separate pin because windows lives on the encrypted disk so you need to decrypt it before you can boot completely.

Couldn't they just use the PIN also as the Windows password? Then the PIN screen would have to look like the Windows login screen.
What about systems with multiple users?
macOS solved this (and a lot of other problems) by putting the OS on a separate read-only partition - technically an APFS volume - that doesn’t get encrypted. Microsoft’s backwards-compatibility obsession might not let them make that the default, but they could at least make it an option.
Not encrypting the OS means it's no longer considered FDE in my opinion.

But Windows doesn't need the OS to decrypt a BitLocker volume anyway because the bootloader can do it... otherwise how could a FDE disk ever boot in the first place?

Why not? The macOS OS partition is signed and read-only. Unless you disable SIP (which you shouldn't), your OS partition is bit-for-bit identical to everyone else's.
> your OS partition is bit-for-bit identical to everyone else's

Unless I want to change it... or have multiple OSes/partitions where I need the entire disk encrypted.