
   alt.comp.os.windows-11      Steaming pile of horseshit Windows 11      4,852 messages   


   Message 3,990 of 4,852   
   Maria Sophia to All   
   PSA: Veracrypt has pre boot authenticati   
   24 Jan 26 21:51:50   
   
   XPost: alt.comp.os.windows-10, alt.comp.microsoft.windows   
   From: mariasophia@comprehension.com   
      
   PSA: Veracrypt has pre boot authentication   
        (& why it may be better for older PCs)   
      
   Many thanks to Frank Slootweg and others for responding to discussions such   
   that I needed to delve deeper in order to respond intelligently to their   
   concerns on how BitLocker on Windows Home and Pro differs from VeraCrypt.   
      
   Anything said below might be wrong, but from my research I have tried to   
   distil what I surmise is the distinction as I dug deeper in response to   
   criticisms specifically from Frank and Chris about my low friction high   
   protection model for direct data protection (& my disdain for biometrics).   
      
   Specifically, for protection from a burglar who steals our PC for the data.   
      
   1. VeraCrypt has pre boot authentication.   
      A. When you encrypt the system drive VeraCrypt installs a small boot   
         loader in the system partition.   
      B. That boot loader appears before Windows starts and requires a   
         password. Without that password the encryption key is never released.   
      
   2. What this means in practice   
      A. The OS cannot load until the correct password is entered.   
      B. The drive cannot be read by removing it and attaching it to another   
         machine. The data remains encrypted.   
      C. Biometrics cannot be used at this stage. Only a password or a   
         password plus keyfile can unlock the system.   
      
   3. BitLocker on Windows Home   
      A. Uses device encryption with TPM auto unlock.   
      B. No pre boot PIN is available.   
         This means the TPM releases the key without user input.   
      C. The user sign-in password or PIN is only for unlocking Windows after   
         the encryption key has already been released by the TPM.   
      D. Biometrics such as fingerprint or face unlock operate at the same   
         stage as the PIN. They unlock the session, not the encrypted drive.   
      E. Convenient for daily use, but weaker against physical theft because   
         the burglar can move the drive to another machine and attempt TPM   
         based attacks.   
      
   4. BitLocker on Windows Pro   
      A. Supports a pre boot PIN. This is the closest equivalent to VeraCrypt   
         pre-boot authentication.   
      B. The encryption key is not released until the PIN is entered.   
      C. Stronger than TPM auto unlock, but still tied to Microsoft account   
         recovery keys unless the user changes that default.   
      D. Biometrics do not apply at pre boot. They only unlock the Windows   
         session after the encryption key has been released.   
      
   5. VeraCrypt on any Windows edition   
      A. Always requires a password at boot. No TPM auto unlock exists.   
      B. Works the same on Home and Pro because it does not depend on Windows   
         features.   
   C. Can use keyfiles for an extra factor.   
      Strong if the keyfile is kept offline (e.g., USB stick or paper).   
      D. Does not support biometrics. This is by design because biometrics   
         cannot be used before the OS loads.   
      
   6. Why this matters specifically for the topic of theft of the entire PC.   
      A. Pre boot authentication protects the encryption key before any OS   
         code runs.   
      B. It prevents offline attacks where the drive is removed.   
      C. It is the strongest layer for data at rest protection on consumer   
         hardware.   
      D. Biometrics improve convenience for sign in, but they do not protect   
         encrypted data because they operate after the key has been released.   
      
   7. Summary   
      A. BIOS or UEFI passwords protect firmware settings.   
      B. BitLocker Home relies on TPM auto unlock, so no pre boot protection.   
      C. BitLocker Pro can use a pre boot PIN, which improves security.   
      D. VeraCrypt always uses pre boot authentication, regardless of Windows   
         edition (which is one reason it's a more universal solution).   
      E. OS sign in protects only the active session.   
      F. Biometrics reduce friction but do not protect encrypted data.   
      
   PSA: VeraCrypt has pre boot authentication.   
      
   Summary for older desktops   
   Older machines from around 2009 often lack a TPM or have an early TPM which   
   Windows will not use for device encryption. BitLocker Home depends on TPM   
   auto unlock and BitLocker Pro depends on TPM for its strongest modes. Without   
   a TPM these features fall back to weaker modes or do not work at all. By   
   contrast VeraCrypt does not need a TPM. It works the same on any hardware and   
   always uses a password at boot. That makes it a more universal solution for   
   older desktops where TPM based protection is not available.   
      
   [continued in next message]   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
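The post's distinction between TPM auto unlock (items 3 and 7B), a pre-boot PIN (items 4 and 7C) and the no-TPM case on older desktops can be checked on a given Windows machine rather than taken on trust. The script below is an added example, not part of the original post and not from Microsoft or VeraCrypt; it uses the standard `Get-Tpm`, `Get-BitLockerVolume` and `Win32_Tpm` interfaces and reads the BitLocker startup policy from the usual `HKLM:\SOFTWARE\Policies\Microsoft\FVE` key. The function names and the mode labels are this example's own. Run it from an elevated PowerShell prompt on an edition that ships the BitLocker module (Pro or Enterprise).

```powershell
# Added example (not from the original post): report whether each BitLocker
# volume's key is released by the TPM alone (auto unlock, no pre-boot prompt),
# only after a pre-boot PIN or startup key, or by a password with no TPM at all,
# and whether a usable TPM exists on this machine in the first place.

function Get-TpmSummary {
    # Get-Tpm throws on machines with no TPM or without the
    # TrustedPlatformModule module; treat that as "no TPM".
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                               -ClassName Win32_Tpm -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Present     = $tpm.TpmPresent
            Ready       = $tpm.TpmReady
            SpecVersion = if ($wmi) { $wmi.SpecVersion } else { 'unknown' }
        }
    } catch {
        [pscustomobject]@{ Present = $false; Ready = $false; SpecVersion = 'none' }
    }
}

function Get-PreBootAuthReport {
    # Classify each volume by its key protectors. KeyProtectorType values
    # (Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey, Password, RecoveryPassword,
    # ExternalKey) are the BitLocker module's own enum names.
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $mode = if ($vol.VolumeStatus -eq 'FullyDecrypted' -or $types.Count -eq 0) {
            'Not encrypted'
        } elseif ($types -contains 'TpmPin' -or $types -contains 'TpmPinStartupKey') {
            'Pre-boot PIN required (TPM+PIN)'
        } elseif ($types -contains 'TpmStartupKey') {
            'Pre-boot startup key (USB) required'
        } elseif ($types -contains 'Tpm') {
            'TPM auto unlock (no pre-boot prompt)'
        } elseif ($types -contains 'Password') {
            'Password at boot (no TPM used)'
        } else {
            'Recovery or external key only'
        }
        [pscustomobject]@{
            Volume     = $vol.MountPoint
            Type       = $vol.VolumeType
            Status     = $vol.VolumeStatus
            Protectors = ($types -join ', ')
            Mode       = $mode
        }
    }
}

function Get-StartupPolicy {
    # "Require additional authentication at startup" is stored under the FVE
    # policy key when set by Group Policy. Without UseAdvancedStartup, Windows
    # will not let a TPM+PIN protector be added, so auto unlock stays in force.
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $path)) {
        return 'No BitLocker startup policy set (default: TPM-only, PIN not allowed)'
    }
    $v = Get-ItemProperty -Path $path
    [pscustomobject]@{
        UseAdvancedStartup = $v.UseAdvancedStartup   # 1 = policy enabled
        UseTPMPIN          = $v.UseTPMPIN            # 1 = require, 2 = allow, 0 = block
        EnableBDEWithNoTPM = $v.EnableBDEWithNoTPM   # 1 = allow password-only startup
    }
}

Get-TpmSummary
Get-PreBootAuthReport | Format-Table -AutoSize
Get-StartupPolicy
```

A system volume reporting "TPM auto unlock (no pre-boot prompt)" is exactly the Home-edition situation the post describes: the sign-in PIN or fingerprint comes after the key has already been released. A 2009-era desktop will usually show `Present = False` from `Get-TpmSummary`, which is why BitLocker there can only run in the password-only mode (and only if `EnableBDEWithNoTPM` is set) while VeraCrypt's boot loader works regardless.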
