Forums before death by AOL, social media and spammers... "We can't have nice things"
alt.comp.os.windows-10 | Steaming pile of horseshit Windows 10 | 197,590 messages
Message 196,856 of 197,590
Maria Sophia to Frank Slootweg
Re: Any point to password protecting the
24 Jan 26 15:57:19
XPost: alt.comp.os.windows-11
From: mariasophia@comprehension.com

Frank Slootweg wrote:
> Windows Device Encryption also works with a local account. I only have
> a local account and don't have a Microsoft Account. I believe the key is
> stored in the machine's BIOS or similar, hence my comment on saving the
> key somewhere locally in case the machine has a fatal hardware failure.

Hi Frank,

Much appreciated your deeper explanation of FDE as I use containers instead
(which I use for convenience so I only enter a passphrase when needed).

My use model employs partial encryption (e.g., VeraCrypt containers), so
Frank's more-standard use model of full encryption on Windows Home is new
to me. What I've researched about Windows FDE may be wrong, but here is my
best understanding of the pros and cons of the two models, in practice.

i. Device Encryption on Windows Home does not support password or PIN
protectors. The only protector is the TPM.

ii. Because the TPM is the protector, the machine unlocks the encrypted
drive automatically. We do not enter the 48-digit recovery key at
startup. That key is only for recovery mode.

iii. Windows may still ask for our normal account password after the
drive is unlocked. That password is for signing in to Windows, not
for unlocking the disk. Device Encryption on Home cannot require a
boot password or PIN. Only Windows Pro can do that.

iv. If the TPM state changes or the disk is moved, Windows will stop at
a recovery screen and ask for the 48-digit key. That is when we plug
in our USB stick or type the 48 digits from our paper copy.

v. If the machine boots normally, we never see the key prompt. The TPM
unlocks the drive silently. The recovery key itself is not stored in
BIOS in readable form. The TPM holds the cryptographic material that
unlocks the disk.

vi. This is why Windows Home cannot be used for high security. We cannot
force a password at boot, disable TPM auto unlock, or require user
presence. Only Windows Pro can do that.

If we want true password-protected FDE, we need:
a. Windows 10 Pro or Windows 11 Pro
b. Or a third-party FDE tool
c. Or Linux with LUKS, which always supports passphrases

I thank Frank for his suggestions as I created my low-friction protection
model years ago (maybe even decades ago) when TrueCrypt was still a thing.
--
On Usenet, we old men trade facts so everyone can make better choices.

--- SoupGate-Win32 v1.05
 * Origin: you cannot sedate... all the things you hate (1:229/2)
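As an added example, not part of Maria Sophia's post or Frank's reply, the PowerShell below lets a Windows user check points i to iv for their own machine: which key protectors actually guard the OS volume (a bare `Tpm` protector means silent unlock, a `TpmPin` protector means a pre-boot PIN is enforced), and whether a `RecoveryPassword` protector exists, which it then exports to a file so a TPM change or board swap stays recoverable. The backup directory is an assumed placeholder; the cmdlets are the standard BitLocker and TrustedPlatformModule modules, run from an elevated prompt.

```powershell
# Added example (not from the Usenet thread): audit BitLocker / Device Encryption
# protectors on the OS volume and export the 48-digit recovery password.
# Run from an elevated PowerShell prompt. $BackupDir is an assumed placeholder;
# point it at a removable drive you keep offline.
$BackupDir = 'E:\bitlocker-backup'

$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
"{0}: {1}, protection {2}, method {3}" -f `
    $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus, $vol.EncryptionMethod

# Protector types tell you how the disk is unlocked at boot.
# Home Device Encryption normally shows exactly Tpm + RecoveryPassword;
# TpmPin / TpmPinStartupKey mean user presence is required before the OS loads.
$types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
"Protectors: " + ($types -join ', ')
if ($types -contains 'TpmPin' -or $types -contains 'TpmPinStartupKey') {
    "Pre-boot PIN is enforced: the disk does not unlock without user presence."
} elseif ($types -contains 'Tpm') {
    "TPM-only unlock: the drive unlocks silently on a normal boot; the Windows sign-in password does not gate the disk."
} else {
    "No TPM protector: check whether Device Encryption is actually enabled."
}

# Export every recovery password. Without one, a TPM reset, firmware update or
# moved disk leaves the volume unreadable.
$recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
if ($recovery.Count -eq 0) {
    throw "No RecoveryPassword protector found; add one with: Add-BitLockerKeyProtector -MountPoint $($vol.MountPoint) -RecoveryPasswordProtector"
}
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
foreach ($rp in $recovery) {
    $file = Join-Path $BackupDir ("BitLocker-Recovery-{0}.txt" -f $rp.KeyProtectorId.Trim('{}'))
    @(
        "Volume:            $($vol.MountPoint)"
        "Protector ID:      $($rp.KeyProtectorId)"
        "Recovery password: $($rp.RecoveryPassword)"
        "Exported:          $(Get-Date -Format o)"
    ) | Set-Content -Path $file -Encoding ASCII
    "Wrote $file"
}

# TPM state: a cleared or replaced TPM is the usual trigger for the recovery screen.
Get-Tpm | Select-Object TpmPresent, TpmReady, TpmEnabled
```

If the BitLocker module is not available on a given Home build, `manage-bde -protectors -get C:` prints the same protector list and recovery password from an elevated command prompt. The exported file is equivalent to the paper copy in point iv, so it belongs on media that is not itself encrypted by this volume.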
(c) 1994, bbs@darkrealms.ca