XPost: comp.os.linux.advocacy   
   From: mariasophia@comprehension.com   
      
   Paul wrote:   
   >>> 4. Is the Bitlocker password stored in the drive?   
   >>> '''' And the receovery ley as well?   
   >>> '''' Both recoverable by Micro$oft? :)   
   >>>   
   >> And ....   
   >> Is there a substitute for Bitlocker?'' What if I don't want to use it, but   
   still want encryption?   
   >>   
   >   
   > That would be Veracrypt, the successor to the compromised Truecrypt.   
      
   I had this discussion in a similar sense with Frank recently where he   
   prefers full-disk encryption while I prefer encrypted containers, but where   
   we all have to think with respect to this particular topic is where the   
   keys are stored.   
      
   In my situation, my password is known to me but I "could" store it in   
   KeepassDX (the cross-platform successor to Keepass), but where do most   
   people store their FDE keys when they use the default Windows FDE tools?   
      
   AFAIK, the key used by Windows Home Device Encryption is a standard   
   BitLocker recovery key (which is a 48 digit numeric key). It is not a   
   passphrase. You cannot replace it with a passphrase on Windows Home.   
      
   Meanwhile, Windows Pro is Full BitLocker, so no upload is required, and   
   either a passphrase or PIN is allowed with the full bitlocker product.   
      
   A. Windows Home   
      i. Windows Home does not include full BitLocker.   
      ii. It includes Device Encryption, which is a cut down version.   
      iii. Device Encryption requires a Microsoft account to store the   
           recovery key, so users who avoid MSA's cannot use it.   
      iv. Device Encryption cannot be managed with full BitLocker commands.   
      v. It has no Group Policy controls, no advanced protectors, and no   
         ability to encrypt only certain volumes.   
      
   B. Windows Pro   
      i. Windows Pro includes full BitLocker.   
      ii. BitLocker can encrypt OS drives, fixed data drives, and removable   
          drives.   
      iii. BitLocker can be used without a Microsoft account.   
      iv. BitLocker supports TPM, PIN, password, and recovery key options.   
      v. BitLocker has full command line control with manage-bde.   
      
   C. Summary   
      i. Windows Home = Device Encryption only, limited, account required.   
      ii. Windows Pro = Full BitLocker, full control, no account required.   
      iii. Device Encryption is sometimes called "BitLocker lite" because   
           it uses the same underlying driver but lacks the management   
           features.   
      
   Note this means that if we're worried about the topic of this thread, and   
   if we still wish to use bit locker, then we prolly' shouldn't be on Windows   
   Home but on Windows Pro (or, as Paul & Bill suggested, use other tools).   
   --   
   On Usenet, we trade decades of lessons so nobody has to learn them twice.   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)