update: Revamp full disk encryption section #2437
docs/encryption.md
Outdated
|
||
</details> | ||
|
||
While BitLocker is not officially supported on Windows Home, it can be enabled on Home editions with a few extra steps. |
Have we actually checked to see if this works? It did at one point but this indicates it might not #2407
Good question, I did see that issue. To me it read as if it worked except they accidentally did the process on a non-boot drive since their drive letters were weird.
Which is why I added:
+ This guide assumes the drive letter of your operating system drive is "C". If it is not, replace `c:` with the correct drive letter in the following commands.
Though maybe I'm interpreting what they're saying wrong.
There was also a thread https://discuss.privacyguides.net/t/enabling-bitlocker-on-the-windows-11-home-edition/13303/ about it. Could just check in a VM.
The guide worked, my problem was that the drive letters were switched in the troubleshooter command prompt. I think the addition should explicitly mention the possibility of this.
or we could just point home users to MAS.
> The guide worked, my problem was that the drive letters were switched in the troubleshooter command prompt. I think the addition should explicitly mention the possibility of this.

Where should this be mentioned? It's been a few months since I went through the guide, so I'm admittedly not too familiar with it anymore.

> or we could just point home users to MAS.

MAS works well — there's no denying that. Though I think it's more of an iykyk thing rather than something to be recommended.
> MAS works well — there's no denying that. Though I think it's more of an iykyk thing rather than something to be recommended.

Is what we're suggesting any less illegal?
(rebased)
19d9058 to a909cf7
0a94f3f to d80af39
Here are some little things to add:
Co-authored-by: rollsicecream <[email protected]> Signed-off-by: Jade van Dorsten <[email protected]>
Co-authored-by: rollsicecream <[email protected]> Signed-off-by: Jade van Dorsten <[email protected]>
I'm not sure whether the comments I've made create notifications, so check this.
Co-authored-by: IDON-TEXIST <[email protected]> Signed-off-by: Jade van Dorsten <[email protected]>
Thanks for the improvements on the BitLocker guide!
I notice that there are some steps to configure Group Policy settings in the guide. It might be better to point readers to the relevant section in the Group Policy page of the Windows Overview (specifically, https://www.privacyguides.org/en/os/windows/group-policies/#operating-system-drives) in order to avoid duplicating content across multiple pages. Any settings that are mentioned in the BitLocker guide that aren't already in the Group Policy page could be added to the latter. (Ideally, the Group Policy page is the central hub for all things related to LGPO on the Privacy Guides site.)
This is probably not in the scope of this PR, but just mentioning it as a passing suggestion.
Co-authored-by: redoomed1 <[email protected]> Signed-off-by: Jade van Dorsten <[email protected]>
Signed-off-by: Jade van Dorsten <[email protected]>
I think it might make more sense to move the group policy stuff to this page. We wouldn't want readers to gloss over it and then decide to unencrypt and reencrypt their drives later because they realize they want AES-256. Those policies don't make much sense to enable unless you're using or planning to use BitLocker, anyway.
Some things to fix.
Co-authored-by: rollsicecream <[email protected]> Signed-off-by: Jade van Dorsten <[email protected]>
Other things to fix...
Co-authored-by: rollsicecream <[email protected]> Signed-off-by: Jade van Dorsten <[email protected]>
For encrypting the drive your operating system boots from, we generally recommend enabling the encryption software that comes with your operating system rather than using a third-party tool. This is because your operating system's native encryption tools often make use of OS and hardware-specific features like the [secure cryptoprocessor](https://en.wikipedia.org/wiki/Secure_cryptoprocessor) in your device to protect your computer against more advanced physical attacks. For secondary drives and external drives which you *don't* boot from, we still recommend using open-source tools like [VeraCrypt](#veracrypt-disk) over the tools below, because they offer additional flexibility and let you avoid vendor lock-in. | ||
Full disk encryption (FDE) is a comprehensive data encryption solution, encompassing the operating system and system files. FDE principally leverages hardware security features, such as a [secure cryptoprocessor](https://en.wikipedia.org/wiki/Secure_cryptoprocessor) (e.g., a [TPM](https://en.wikipedia.org/wiki/Trusted_Platform_Module)). Therefore, we recommend using the built-in FDE solutions for your operating system. For external drives, however, we still recommend [cross-platform tools](#multi-platform) for additional flexibility and to avoid vendor lock-in. | ||
|
||
Note the terms full *disk* encryption and full *volume* encryption are often used interchangeably. |
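Review bot: The replacement paragraph narrows the non-boot recommendation from "secondary drives and external drives which you *don't* boot from" to "external drives" only, so internal secondary drives are no longer covered by either recommendation; consider restoring that case. It also drops the stated reason for preferring native tools (protection "against more advanced physical attacks") and says "FDE principally leverages hardware security features", which attributes to FDE in general what the removed text attributed to the operating system's native tools, so the "Therefore" no longer follows from the sentence before it. The added "Note the terms ..." sentence is also missing "that" after "Note".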
These aren't the same though. Full disk implies the entire disk is encrypted and Full Volume encryption just means a volume on the disk is encrypted. I think we should probably avoid using either of these terms and just call it encryption.
The one you deleted still shows up in Apple's marketing materials so I think we can leave it.
@@ -102,63 +102,118 @@ Truecrypt has been [audited a number of times](https://en.wikipedia.org/wiki/Tru | |||
|
|||
## OS Full Disk Encryption | |||
|
|||
For encrypting the drive your operating system boots from, we generally recommend enabling the encryption software that comes with your operating system rather than using a third-party tool. This is because your operating system's native encryption tools often make use of OS and hardware-specific features like the [secure cryptoprocessor](https://en.wikipedia.org/wiki/Secure_cryptoprocessor) in your device to protect your computer against more advanced physical attacks. For secondary drives and external drives which you *don't* boot from, we still recommend using open-source tools like [VeraCrypt](#veracrypt-disk) over the tools below, because they offer additional flexibility and let you avoid vendor lock-in. | |||
Full disk encryption (FDE) is a comprehensive data encryption solution, encompassing the operating system and system files. FDE principally leverages hardware security features, such as a [secure cryptoprocessor](https://en.wikipedia.org/wiki/Secure_cryptoprocessor) (e.g., a [TPM](https://en.wikipedia.org/wiki/Trusted_Platform_Module)). Therefore, we recommend using the built-in FDE solutions for your operating system. For external drives, however, we still recommend [cross-platform tools](#multi-platform) for additional flexibility and to avoid vendor lock-in. |
Full disk encryption (FDE) is a comprehensive data encryption solution, encompassing the operating system and system files. FDE principally leverages hardware security features, such as a [secure cryptoprocessor](https://en.wikipedia.org/wiki/Secure_cryptoprocessor) (e.g., a [TPM](https://en.wikipedia.org/wiki/Trusted_Platform_Module)). Therefore, we recommend using the built-in FDE solutions for your operating system. For external drives, however, we still recommend [cross-platform tools](#multi-platform) for additional flexibility and to avoid vendor lock-in. | |
Built-in OS encryption solutions generally leverage hardware security features, such as a [secure cryptoprocessor](https://en.wikipedia.org/wiki/Secure_cryptoprocessor). Therefore, we recommend using the built-in encryption solutions for your operating system. For cross-platform encryption, we still recommend [cross-platform tools](#multi-platform) for additional flexibility and to avoid vendor lock-in. |
@@ -102,63 +102,118 @@ Truecrypt has been [audited a number of times](https://en.wikipedia.org/wiki/Tru | |||
|
|||
## OS Full Disk Encryption |
## OS Full Disk Encryption | |
## OS Encryption |
|
||
[:octicons-info-16:](https://learn.microsoft.com/windows/security/information-protection/BitLocker/BitLocker-overview){ .card-link title=Documentation} | ||
|
||
</details> | ||
|
||
</div> | ||
|
||
BitLocker is [only supported](https://support.microsoft.com/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838) on Pro, Enterprise and Education editions of Windows. It can be enabled on Home editions provided that they meet the prerequisites. | ||
To learn more about BitLocker and TPM, see "[Understanding BitLocker TPM Protection](https://blog.elcomsoft.com/2021/01/understanding-BitLocker-tpm-protection)" by ElcomSoft, a forensics company. |
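Review bot: The link targets in this region have "BitLocker" capitalised inside the URL paths ("information-protection/BitLocker/BitLocker-overview" and "understanding-BitLocker-tpm-protection"), which looks like a find-and-replace on the product name that reached into the URLs; check that both links still resolve and restore the original path casing if they do not. Separately, "provided that they meet the prerequisites" neither states the prerequisites nor links to them, so a Home user cannot tell from this sentence whether their device qualifies.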
To learn more about BitLocker and TPM, see "[Understanding BitLocker TPM Protection](https://blog.elcomsoft.com/2021/01/understanding-BitLocker-tpm-protection)" by ElcomSoft, a forensics company. |
Thanks to those who provided feedback and changes to this PR. I’m closing it as the scope of these changes is too large, making it difficult to review and merge. If anyone more active in contributing to Privacy Guides would like to carry forward parts of these changes in a new PR, feel free to do so.
Changes in the order they appear:
Up for discussion:
Maybe want to consider removing (or at least testing) the BitLocker on Home guide: update: Revamp full disk encryption section #2437 (comment)