XPost: comp.os.linux.advocacy   
   From: nospam@needed.invalid   
      
   On Sat, 1/24/2026 12:20 PM, Alan K. wrote:   
   > On 1/24/26 10:02 AM, Mr. Man-wai Chang wrote:   
   >> On 24/1/2026 10:58 pm, Mr. Man-wai Chang wrote:   
   >>> On 24/1/2026 10:21 pm, CrudeSausage wrote:   
   >>>>   
   >>>> What is the point of encryption if Microsoft can unlock any of your   
   >>>> computers whenever it feels like it?   
   >>> Actually.... I always wonder:   
   >>>   
   >>> 1. Is Bitlocker just a password prompt? :)   
   >>> 2. Does Bitlocker really enecrypt the whole drive?   
   >>> 3. If (2) is true, is the encryption using user-supplied   
   >>>       passowrd as a mask? Or is it using a standard mask?   
   >>>   
   >>> If the encryption is using a standard mask, not surprising that FBI can   
   >>> decrypt any Bitlocker drives. :)   
   >> And ....   
   >>   
   >> 4. Is the Bitlocker password stored in the drive?   
   >>      And the receovery ley as well?   
   >>      Both recoverable by Micro$oft? :)   
   >>   
   > And ....   
   > Is there a substitute for Bitlocker?   What if I don't want to use it, but   
   still want encryption?   
   >   
      
   That would be Veracrypt, the successor to the compromised Truecrypt.   
      
      https://en.wikipedia.org/wiki/VeraCrypt   
      
      https://en.wikipedia.org/wiki/Comparison_of_disk_encryption_software   
      
   The Truecrypt dev signaled that law enforcement had been for   
   a visit, and not to use it.   
      
   The white space on C: has plaintext copies of things you have   
   been editing, so one option is to Veracrypt the entire C: .   
   That covers the leakage aspect of C: in Windows.   
      
   You should not keep, say, a single encrypted ZIP archive, because   
   when you work with it, you leave crap on the disk. An application   
   like Heidi Eraser can help with leakage, but C: leaks like a sieve   
   and you should be prepared to do experiments to see if an item has   
   leaked or not. Encrypting the entire C: is a bit better, in that   
   then you are not relying on Heidi Eraser to be a bulletproof solution.   
      
   You do not want the running OS to be watching you while you set   
   up the encryption, so you could do some of that offline. Test   
   with a separate HDD with the Windows cloned onto it, that your   
   knowledge of how to do these things, is solid, before doing it   
   to your daily driver. Maybe there is some way to use GRUB to   
   unlock the volume, then chain-boot the decrypted Windows.   
      
   When you boot, some partition has to be plaintext to support   
   the graphical dialog of the tool that will ask for the password.   
   But that partition is not for personal file storage, and that   
   partition really should not be getting modified all that often.   
      
   You can also encrypt the entire drive, but that requires   
   a prompt come from somewhere to unlock it. All storage   
   devices have FDE (Full Disk Encryption), but we do not   
   know the extent to which this is compromised for law enforcement.   
   The first generation of hard drive to have FDE, there was a problem   
   with the FDE, but any modern disks should be OK. Microsoft on Windows 11 Home,   
   would be using FDE, rather than Bitlocker-without-Elephant-Diffuser.   
   In fact, your disk right now could already be encrypted with FDE.   
      
        manage-bde -status      # Admin window   
      
   Encryption is a write-once read-never technology, so be absolutely   
   sure it is worth it to be doing this. You could get up tomorrow morning,   
   turn on the computer, enter the Veracrypt password and receive   
   "volume not found" or similar. Think about the enhanced failure   
   modes while using cryptography. Just turning off the power in the   
   middle of a session, could ruin it (Windows itself, can typically   
   survive that). Is it journaled ? Does it have   
   functional recovery ? And so on. Nothing here is encrypted :-)   
   I have enough trouble as it is. I don't even know how   
   to set these things up (you can tell from the text above :-) ).   
      
   Most of the lightweight methods, are for preventing casual snooping,   
   rather than for keeping out a policeman. You would need to read   
   the stories about journalists who worked with others via encrypted   
   communications, as to how they protect their assets at home. A journalist   
   was in the news a couple days ago, for having all of their possessions   
   swept up in a witch hunt. And that will be a test of their cryptography   
   and their skill set.   
      
       Paul   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)