Technology

68441 readers

2956 users here now

This is a most excellent place for technology news and articles.

Our Rules

Follow the lemmy.world rules.
Only tech related news or articles.
Be excellent to each other!
Mod approved content bots can post up to 10 articles per day.
Threads asking for personal tech support may be deleted.
Politics threads may be removed.
No memes allowed as posts, OK to post as comments.
Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
Check for duplicates before posting, duplicates may be removed
Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago

MODERATORS

[email protected]

749

BitLocker encryption broken in less than 43 seconds with sub-$10 Raspberry Pi Pico — key can be sniffed when using an external TPM (www.tomshardware.com)

submitted 1 year ago by [email protected] to c/[email protected]

59 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 12 points 1 year ago (1 children)

FYI: You can set it to require a PIN + TPM, or even just a password eg using manage-bde -on c: -password.

https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/manage-bde-on

[–] [email protected] 3 points 1 year ago (1 children)

Thanks, that sounds really useful. I'm guessing it won't work unless you're local admin though.

[–] [email protected] 4 points 1 year ago (1 children)

Yep, you'll need local admin of course.

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago) (1 children)

Which kind of makes it useless in many corporate environments where it's most needed, since the users won't be able to set their own password.

[–] [email protected] 5 points 1 year ago (2 children)

I mean, if it's a corporate device then it's really a policy IT should be setting - this can be easily be done via a GPO or Intune policy, where an elevated script can prompt the end-user for a password.

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago)

Yarp. And when they forget it we use the 48 numerical recovery key found using the recovery ID that shows on the screen when you hit escape (from the bitlocker screen)

[–] [email protected] 1 points 1 year ago (1 children)

It would be insane to let non admin change settings like this.

[–] [email protected] 1 points 1 year ago (1 children)

I'm talking about letting the user change their own password. I'm honestly not sure how that would be technically accomplished in this situation without having to contact IT each time. It seems like something Microsoft should provide a no-frills GUI for that doesn't require elevation.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

Yeah, that could be neat as long as they still add a recovery key to the AD or somewhere else. A problem with that is that the users will likely choose shit passwords. That could be mitigated with password rules but still

I suspect Microsoft wants you to use TMP or physical keys instead of passwords.