XPost: alt.comp.os.windows-10   
   From: this@ddress.is.invalid   
      
   Maria Sophia wrote:   
   [...]   
   > Hi Frank,   
   >   
   > This discussion is welcome because it compares very different use models.   
   [...]   
   > My usage pattern is different from yours perhaps because my hardware is   
   > from 2009 and does not wake reliably from sleep or hibernation, so daily   
   > shutdown is normal for me.   
      
     That makes sense, but it also means that you spend more time per day   
    on shutting down and booting up, than I could possibly ever spend on   
    needing to 'enter' credentials or otherwise unlock things! :-)   
      
   [...]   
      
   > About recovery keys, AFAIK, Device Encryption may not require the user to   
   > store one manually, but it still ties recovery to Microsoft infrastructure   
   > unless the user intervenes by taking deliberate steps to prevent the   
   > default behavior. My approach avoids that by not using OS level encryption.   
   >   
   > AFAIK, Windows Device Encryption on Home automatically backs up the   
   > recovery key to the user's Microsoft account unless the user actively stops   
   > it. That default behavior is what ties recovery to Microsoft   
   > infrastructure.   
      
    Windows Device Encryption also works with a local account. I only have   
   a local account and don't have a Microsoft Account. I believe the key is   
   stored in the machine's BIOS or similar, hence my comment on saving the   
   key somewhere locally in case the machine has a fatal hardware failure.   
      
   > The passwords for my encrypted containers are stored in KeePassDX inside   
   > an encrypted database that is backed up offline. So the container keys   
   > are not tied to a cloud identity. The only passwd I need to know is that to   
    > the KeePassDX database, but in general, I remember my encrypted volume   
   > passwords so I don't need to access the backup inside the keepass db.   
      
    Yes, but you *do* need to enter (or auto-fill) those passwords when   
   you 'open' your containers. That may well be way more effort than the   
   occasional screen-unlock that I might have to do. (Note: Screen-unlock,   
   not Sign-in, because I never sign-out, unless I have to for some   
   uncommon reason.) Note: *I* don't consider any of this any effort at   
   all, but as you do, I describe the difference between your and my way of   
   doing things.   
      
   > Given what we've compared I agree that neither model is universally better   
   > since mine is designed for minimum friction and yours is designed for a far   
   > greater threat model than I feel at my home in the Santa Cruz Mountains.   
   >   
   > I'm sure a burglary happens where I live, but I have no experience with it   
   > and I don't need to add a dozen locks to my doors that have to be opened   
   > all day, every day. I prefer simply to lock the shed where I keep my tools,   
   > and then, once a week or so, I can go to the trouble to unlock it then.   
      
    I am also not afraid of my system getting stolen from our house, but   
   it is a laptop which regularly travels outside our house and there it's   
   way more prone to being stolen/lost/damaged. In contrast, my wife's   
   system is a 'desktop' (actually a Mini-PC) and that does not have a   
   bootup password, no Sign-in/Unlock password and no encryption of any   
   kind.   
      
   [...]   
      
   > Both approaches are valid depending on hardware age, habits and   
   > tolerance for friction. I have no tolerance for extra steps.   
      
    I also have no tolerance for extra steps, that's why we live in a   
    one-level apartment! :-)   
      
   [...]   
      
   > --   
   > If it takes two steps to do something on a computer, cut it in half.   
      
    Isn't that a waste of a probably perfectly good computer! :-)   
      