this post was submitted on 07 Feb 2024
739 points (97.7% liked)

Technology

58137 readers
5226 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
739
BitLocker encryption broken in less than 43 seconds with sub-$10 Raspberry Pi Pico — key can be sniffed when using an external TPM (www.tomshardware.com)
submitted 7 months ago by [email protected] to c/[email protected]
68 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 12 points 7 months ago (1 children)

FYI: You can set it to require a PIN + TPM, or even just a password eg using manage-bde -on c: -password.

https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/manage-bde-on

[–] [email protected] 3 points 7 months ago (1 children)

Thanks, that sounds really useful. I'm guessing it won't work unless you're local admin though.

[–] [email protected] 4 points 7 months ago (1 children)

Yep, you'll need local admin of course.

[–] [email protected] -2 points 7 months ago* (last edited 7 months ago) (1 children)

Which kind of makes it useless in many corporate environments where it's most needed, since the users won't be able to set their own password.

[–] [email protected] 5 points 7 months ago (2 children)

I mean, if it's a corporate device then it's really a policy IT should be setting - this can be easily be done via a GPO or Intune policy, where an elevated script can prompt the end-user for a password.

[–] [email protected] 2 points 7 months ago* (last edited 7 months ago)

Yarp. And when they forget it we use the 48 numerical recovery key found using the recovery ID that shows on the screen when you hit escape (from the bitlocker screen)

[–] [email protected] 1 points 7 months ago (1 children)

It would be insane to let non admin change settings like this.

[–] [email protected] 1 points 7 months ago (1 children)

I'm talking about letting the user change their own password. I'm honestly not sure how that would be technically accomplished in this situation without having to contact IT each time. It seems like something Microsoft should provide a no-frills GUI for that doesn't require elevation.

[–] [email protected] 1 points 7 months ago* (last edited 7 months ago)

Yeah, that could be neat as long as they still add a recovery key to the AD or somewhere else. A problem with that is that the users will likely choose shit passwords. That could be mitigated with password rules but still

I suspect Microsoft wants you to use TMP or physical keys instead of passwords.