My new PC supports BitLocker with Windows 11 Home

[DanZemke]

BitLocker hasn't been included with Widows Home in the past.  It appears that may be changing.

I received my new laptop, directly from Lenovo yesterday.  I've verified that the version of Windows shipped is actually Window 11 Home.  And that BitLocker is encrypting all of the files on my new laptop (ThinkPad T-14 Gen3 AMD).

So it appears that MS is moving towards encrypting all files (system and user) for everybody.

It will take some time, but IMO, encryption of all of our data is a good thing. 

it won't work for most older PCs like  my 6 year old laptop.  It would become way to sluggish .

Hopefully,  all Windows users will soon have their files encrypted by default.

[RV_]

Thanks for the heads up Dan! I looked it up and apparently all 11 Home computers can get that limited Bitlocker but it is encrypted as you said.

Here's all I could find:

https://www.windowscentral.com/how-configure-bitlocker-encryption-windows-11#section-how-to-set-up-bitlocker-on-windows-11-home

 

[DanZemke]

RV,

Interesting.   I didn't know that Windows Home users could turn on bitlocker.   This is the first time I've ever had a PC with the Home version of Windows.

What may be new, is that bitlocker encryption was the default.  Everything I received was encrypted upon my first use.  And any thing  I added (programs, text ...) was encrypted, without me having to jump through any hoops.

IMO, encryption by default , is an important change.

 

Edited February 25, 2023 by DanZemke
claity

[k4rs]

In my experience, encryption by default is a BAD idea.  First most people do not need it on their home computers.  Second, I doubt if the typical user knows how important is is to back up the recovery key.  Third, hard drives DO fail and most users do not backup their files regularly.   Things are different in a business with a good IT team for support, but they are probably not running the home edition. 

Safe Travels...

[DanZemke]

Roger,

There are pluses and minuses for almost all changes.  I don't disagree with any of your assertions. 

It's not clear to me, who decided, that my new PC would have its contents encrypted.  Was it Microsoft, Lenovo or both?  It was not me. 

So why, was this new approach selected?  Neither of these companies are IT idiots.  There must have been some expected benefit(s) in their minds.

Observation: After going thru the standard setup process, I ended up with a single ID.  It was an ID with Admin privileges. That surprised me.

Assertion: Many Windows Home users are frustrated by the need to have two IDs for their personal PC. They don't need that, for their phones.

Encrypting everything presents a dramatically reduced attack surface. My guess is that MS is trying to reduce attack risk and simplify things for most users.  If so, I think that is a worthy path to pursue.

[Chalkie]

4 hours ago, DanZemke said:

It's not clear to me, who decided, that my new PC would have its contents encrypted.  Was it Microsoft, Lenovo or both?  It was not me. 

Assertion: Many Windows Home users are frustrated by the need to have two IDs for their personal PC. They don't need that, for their phones.

My wife's relatively new laptop with Windows 11 Home does not have bitlocker turned on, it is a Dell. That suggests to me it may be Lenovo that made the choice to turn it on.

Your assertion left me a slightly confused. Are you referring to way back when a setup left you with a user account and an admin account? That has been a while. When we set her laptop up initially we did have to create a Microsoft account for her in the course of the process. It was something we had never done in the past as there was really no reason for her to have one. In the end she had a single login that was an admin account. 

[durangodon]

7 hours ago, Chalkie said:

When we set her laptop up initially we did have to create a Microsoft account for her in the course of the process.

Microsoft wants to be like Apple so bad.  They want you to buy into their unified ecosystem.  Apple requires that you create an Apple identity and use it on every Apple device. 

On Windows 10, when doing initial setup on your new MS laptop, you can just turn off the wifi and you can go by the sign-in screen by agreeing to do it later.  Is that still the case with Windows 11?

[k4rs]

16 hours ago, DanZemke said:

Encrypting everything presents a dramatically reduced attack surface. My guess is that MS is trying to reduce attack risk and simplify things for most users.  If so, I think that is a worthy path to pursue.

Hard disk encryption only provides protection from someone with physical access to the computer.  It does nothing to protect from the much more common online threats.  I recently had someone bring me a computer that was so infested with malware that it was basically unusable.   It was VERY slow due to 100% CPU usage, constant lock-ups, and frequent unexpected reboots.   I see this often so I proceeded as I usually do.  Boot from a flash drive, backup user files, wipe the hard drive, then re-install the operating system / applications and restore the data files.  In this case I discovered that the hard drive was encrypted with bitlocker.  The owner had no idea what bitlocker was and certainly had not turned it on or backed up the recovery key.    Fortunately I was able to get the computer to run stable enough to turn bitlocker off and proceed as usual.  It was a long, slow process that was touch and go there for a while but was ultimately successful.

I believe that the possibility of data loss due to bitlocker is far worse than any potential reduced attack surface.

Safe Travels...

[Chalkie]

4 hours ago, durangodon said:

Microsoft wants to be like Apple so bad.  They want you to buy into their unified ecosystem.  Apple requires that you create an Apple identity and use it on every Apple device. 

On Windows 10, when doing initial setup on your new MS laptop, you can just turn off the wifi and you can go by the sign-in screen by agreeing to do it later.  Is that still the case with Windows 11?

While I generally agree with your sentiment it actually was alright. We now have her laptop set to backup on One Drive which it was never was before. 

[DanZemke]

17 hours ago, Chalkie said:

Are you referring to way back when a setup left you with a user account and an admin account?

Yes. My old laptop is 6 years old. I did not know that newer version of Windows ditched the user/admin permission seperation.

[DanZemke]

5 hours ago, k4rs said:

I believe that the possibility of data loss due to bitlocker is far worse than any potential reduced attack surface.

The standard install process on my new PC forced me to use, or create, a MS account.  My recovery key was added to the account as part of the install process. Chalkie's experience seems to have been similar.  I was not worried about a lost bitlocker recovery key.  And for others using a similar process for a new computer, I don't think recovering a lost recovery key is a significant issue for them either.

I agree with you, that my attack surface observation isn't a real concern for most RVers.

Suggestion.  Let's deescalate and move on.

[RV_]

I printed the list of all my computer's Bitlocker recovery keys. Go here if you need yours/one of yours and just use your Microsoft account and follow the directions. Pretty easy.

https://support.microsoft.com/en-au/windows/finding-your-bitlocker-recovery-key-in-windows-6b71ad27-0b89-ea08-f143-056f5ab347d6

Try it once now before you need it and you needn't worry about your bitlocker password. I like having my list stored with my other passwords on a Flash drive. 😊

[DanZemke]

RV,

I also use a 'belt and suspenders' approach for important things like passwords.  I agree with you (and Roger) that it is wise for almost everyone.

My approach is really old school - I've been using it for about 15 years.  Here's what I've been using for all of my passwords, verification codes, account numbers etc. It hasn't been updated in many years, but for my use, it doesn't need to be. BTW, it took me years to recognize the meaning of the chosen file name: "fSekrit.exe" = file Secret.  I renamed my file with a name like mysecrets.exe.

=====================================================================
"fSekrit is a small application for keeping securely encrypted notes. These notes are truly stand-alone; the editor program and your note are merged together into a tiny self-contained program file, bypassing the need to install a special application to view your data. This makes fSekrit ideal for keeping encrypted notes on, for example, USB flash drives.

Another advantage of using fSekrit is that your un-encrypted data is never stored on your harddisk. With a traditional encryption utility you would have to decrypt your file to disk, view or edit it, and then re-encrypt it. Unless you use secure file wiping tools, it would be a trivial matter for someone to retrieve your un-encrypted data, even though you deleted the temporary file. This is not a viable attack against fSekrit, though, since it never stores your un-encrypted data on disk. (See security notes about swapping and hibernation, though!)

fSekrit uses very strong encryption to ensure that your data is never at risk. Rather than using hocus-pocus home-brewed algorithms, fSekrit uses the standard, military grade, peer-reviewed AES/Rijndael in CBC mode, with a 256-bit keysize.

Self contained fSekrit notefiles are tiny! Only around 50k plus the size of your encrypted text. Furthermore, fSekrit runs across the entire windows range: 9x/NT/2K/XP, 32-bit as well as 64-bit x86 editions."
=====================================================================

The author made it Open Source 7 years ago: https://github.com/snemarch/fsekrit

In can be downloaded from this site (and many others): https://www.portablefreeware.com/index.php?id=784

[RV_]

Dan I do the same but used folder names and file names that one would not think were PWs and secret data. BUt first they have to find the mini flash drive. IT and its clone are not accessible without knowing where they are locked up away from the systems.

Thanks for the tips on the open source program and I will check it out.