Git-Mirrors/privacyguides.org
1
0
Fork 0
mirror of https://github.com/privacyguides/privacyguides.org.git synced 2025-12-14 07:22:20 -05:00
Code Issues Projects Releases Packages Wiki Activity

Make corrections Bitlocker

Browse source
This commit is contained in:
Daniel Gray 2025-11-20 16:05:40 +00:00
parent ca23ca0978
commit f9204b55e9
No known key found for this signature in database
GPG key ID: 41911F722B0F9AE3
1 changed files with 6 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

9
docs/encryption.md
View file

@ -97,9 +97,10 @@ TrueCrypt has been [audited a number of times](https://en.wikipedia.org/wiki/Tru
Built-in OS encryption solutions generally leverage hardware security features such as a [secure cryptoprocessor](basics/hardware.md#tpmsecure-cryptoprocessor). Therefore, we recommend using the built-in encryption solutions for your operating system. For cross-platform encryption, we still recommend [cross-platform tools](#multi-platform) for additional flexibility and to avoid vendor lock-in. Built-in OS encryption solutions generally leverage hardware security features such as a [secure cryptoprocessor](basics/hardware.md#tpmsecure-cryptoprocessor). Therefore, we recommend using the built-in encryption solutions for your operating system. For cross-platform encryption, we still recommend [cross-platform tools](#multi-platform) for additional flexibility and to avoid vendor lock-in.
<details class="warning" markdown> <details class="warning" markdown>
<summary>Shut devices down when not in use.</summary> <summary>Shut devices down when not in use.</summary>
Powering off your devices when not in use provides the best security as this minimizes the attack surface of your FDE method as no keys are available in memory. Powering off your devices when theyre not in use provides the highest level of security, as it minimizes the attack surface of your FDE method by ensuring no encryption keys remain in memory.
</details> </details>
@ -109,7 +110,7 @@ Powering off your devices when not in use provides the best security as this min
![BitLocker logo](assets/img/encryption-software/bitlocker.png){ align=right } ![BitLocker logo](assets/img/encryption-software/bitlocker.png){ align=right }
**BitLocker** is the full volume encryption solution bundled with Microsoft Windows that uses the Trusted Platform Module ([TPM](https://learn.microsoft.com/windows/security/information-protection/tpm/how-windows-uses-the-tpm)) for hardware-based security. We recommend that you use Bitlocker with the [TPM+PIN](https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/faq#what-is-the-difference-between-a-tpm-owner-password--recovery-password--recovery-key--pin--enhanced-pin--and-startup-key) option and not just your regular password as [extraction is impossible](https://blog.elcomsoft.com/2021/01/understanding-bitlocker-tpm-protection) when you use an extra a pre-boot protector like the PIN. The PIN is rate limited and the TPM will panic and lock access to the encryption key either permanently or for a period of time if someone attempts to brute force access. **BitLocker** is the full volume encryption solution bundled with Microsoft Windows that uses the Trusted Platform Module ([TPM](https://learn.microsoft.com/windows/security/information-protection/tpm/how-windows-uses-the-tpm)) for hardware-based security.
[:octicons-info-16:](https://learn.microsoft.com/windows/security/information-protection/BitLocker/BitLocker-overview){ .card-link title="Documentation" } [:octicons-info-16:](https://learn.microsoft.com/windows/security/information-protection/BitLocker/BitLocker-overview){ .card-link title="Documentation" }
@ -117,7 +118,9 @@ Powering off your devices when not in use provides the best security as this min
</div> </div>
BitLocker is [officially supported](https://support.microsoft.com/en-us/windows/bitlocker-overview-44c0c61c-989d-4a69-8822-b95cd49b1bbf) on the Pro, Enterprise, and Education editions of Windows. If you have Home edition we recommend you [upgrade to Pro](https://support.microsoft.com/en-us/windows/upgrade-windows-home-to-windows-pro-ef34d520-e73f-3198-c525-d1a218cc2818), which can be achieved without reinstalling Windows or losing your files. An alternative solution could be to use VeraCrypt's [system encryption](https://veracrypt.io/en/System%20Encryption.html) feature. VeraCrypt does not use the system's TPM chip and all encryption keys are stored in memory, leaving them [vulnerable to extraction](https://blog.elcomsoft.com/2021/06/breaking-veracrypt-obtaining-and-extracting-on-the-fly-encryption-keys) while the device is online and mounted. We also recommend if you're using Bitlocker to make sure you BitLocker is [officially supported](https://support.microsoft.com/en-us/windows/bitlocker-overview-44c0c61c-989d-4a69-8822-b95cd49b1bbf) on the Pro, Enterprise, and Education editions of Windows. The Home edition only supports automatic [Device Encryption](https://support.microsoft.com/en-us/windows/device-encryption-in-windows-cf7e2b6f-3e70-4882-9532-18633605b7df) and must meet specific hardware requirements. If youre using the Home edition, we recommend [upgrading to Pro](https://support.microsoft.com/en-us/windows/upgrade-windows-home-to-windows-pro-ef34d520-e73f-3198-c525-d1a218cc2818), which can be done without reinstalling Windows or losing your files.
Pro and higher editions also support the more secure pre-boot [TPM+PIN](https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/faq#what-is-the-difference-between-a-tpm-owner-password--recovery-password--recovery-key--pin--enhanced-pin--and-startup-key) feature, configured through the appropriate [group policy](os/windows/group-policies.md#bitlocker-drive-encryption) settings. The PIN is rate limited and the TPM will panic and lock access to the encryption key either permanently or for a period of time if someone attempts to brute force access.
</details> </details>