Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

update: Revamp full disk encryption section #2437

Closed
wants to merge 14 commits into from

Conversation

vandorsx
Copy link

@vandorsx vandorsx commented Mar 15, 2024

Changes in the order they appear:

  • Re-wrote the introduction to the FDE section.
    • The information is the same, it just reads a bit better now.
    • Added a note that FDE and FVE are generally used interchangeably. Previously, the term "full volume encryption" was used without a precursor.
  • Re-wrote the BitLocker card
    • Immediately mention it's for Windows and it's proprietary.
    • Make explicit mention of the hardware security TPM.
    • Remove "The main reason we recommend it..." because generally all info stated supports a recommendation.
    • Prominently state officially supported editions (pro, etc)
    • Tell where to actually manage and enable BitLocker
    • Information and guide on preboot authentication
    • Improved the BitLocker on Windows Home guide
  • Re-wrote FileVault card
    • Immediately mention it's for macOS and it's proprietary
    • Mention secure enclave
    • Tell where to manage and enable FileVault
    • New logo
  • Re-wrote LUKS card
    • Renamed it to LUKS, that's what it's known as
    • Mention it's open-source
    • State and elaborate on how it's a standard
    • Tell where/how it can be managed (also linking to a faq)
    • New logo

Up for discussion:

  • Maybe want to consider removing (or at least testing) the BitLocker on Home guide: update: Revamp full disk encryption section #2437 (comment)
  • It would be nice if someone more knowledgeable on LUKS could add some more context to encrypted containers — perhaps explaining what they are and what they do above the admonition.

  • I have disclosed any relevant conflicts of interest in my post.
  • I agree to grant Privacy Guides a perpetual, worldwide, non-exclusive, transferable, royalty-free, irrevocable license with the right to sublicense such rights through multiple tiers of sublicensees, to reproduce, modify, display, perform, relicense, and distribute my contribution as part of this project.
  • I am the sole author of this work.
  • I agree to the Community Code of Conduct.

Copy link

netlify bot commented Mar 15, 2024

Deploy Preview for privacyguides ready!

Name Link
🔨 Latest commit 848b373
🔍 Latest deploy log https://app.netlify.com/sites/privacyguides/deploys/65f5e043d7481e00088adf3f
😎 Deploy Preview https://deploy-preview-2437.preview.privacyguides.dev
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.
Lighthouse
Lighthouse
4 paths audited
Performance: 78 (🟢 up 2 from production)
Accessibility: 91 (🔴 down 1 from production)
Best Practices: 98 (no change from production)
SEO: 90 (no change from production)
PWA: -
View the detailed breakdown and full score reports

To edit notification comments on pull requests, go to your Netlify site configuration.


</details>

While BitLocker is not officially supported on Windows Home, it can be enabled on Home editions with a few extra steps.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Have we actually checked to see if this works? It did at one point but this indicates it might not #2407

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good question, I did see that issue. To me it read as if it worked except they accidentally did the process on a non-boot drive since their drive letters were weird.

Which is why I added:

+ This guide assumes the drive letter of your operating system drive is "C". If it is not, replace `c:` with the correct drive letter in the following commands.

Though maybe I'm interpreting what they're saying wrong.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I went through the guide on a VM and it worked for me. I updated the instructions based on what I experienced (i.e., saving the recovery key to a .txt file didn't work for me).

Device encryption enabled in a Windows 11 Home virtual machine.

Copy link
Contributor

@IDON-TEXIST IDON-TEXIST Jul 26, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The guide worked, my problem was that the drive letters were switched in the troubleshooter command prompt. I think the addition should explicitly mention the possibility of this.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

or we could just point home users to MAS.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The guide worked, my problem was that the drive letters were switched in the troubleshooter command prompt. I think the addition should explicitly mention the possibility of this.

Where should this be mentioned? It's been a few months since I went through the guide, so I'm admittedly not too familiar with it anymore.

or we could just point home users to MAS.

MAS works well — there's no denying that. Though I think it's more of a iykyk thing rather than something to be recommend.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

MAS works well — there's no denying that. Though I think it's more of a iykyk thing rather than something to be recommend.

Is what we're suggesting any less illegal?

@vandorsx vandorsx marked this pull request as ready for review March 15, 2024 06:03
@dngray dngray added c:software self-hosted/decentralized software and related topics c:enhancements new features or other enhancements to the website itself labels Mar 15, 2024
docs/encryption.md Outdated Show resolved Hide resolved
Copy link
Contributor

@rollsicecream rollsicecream left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here are some little things to add:

docs/encryption.md Outdated Show resolved Hide resolved
docs/encryption.md Outdated Show resolved Hide resolved
vandorsx and others added 2 commits July 15, 2024 14:48
Co-authored-by: rollsicecream <[email protected]>
Signed-off-by: Jade van Dorsten <[email protected]>
Co-authored-by: rollsicecream <[email protected]>
Signed-off-by: Jade van Dorsten <[email protected]>
@IDON-TEXIST
Copy link
Contributor

I'm not sure whether the comments I've made create notifications, so check this.


</details>

While BitLocker is not officially supported on Windows Home, it can be enabled on Home editions with a few extra steps.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

MAS works well — there's no denying that. Though I think it's more of a iykyk thing rather than something to be recommend.

Is what we're suggesting any less illegal?

docs/encryption.md Outdated Show resolved Hide resolved
Co-authored-by: IDON-TEXIST <[email protected]>
Signed-off-by: Jade van Dorsten <[email protected]>
Copy link
Member

@redoomed1 redoomed1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the improvements on the BitLocker guide!

I notice that there are some steps to configure Group Policy settings in the guide. It might be better to point readers to the relevant section in the Group Policy page of the Windows Overview (specifically, https://www.privacyguides.org/en/os/windows/group-policies/#operating-system-drives) in order to avoid duplicating content across multiple pages. Any settings that are mentioned in the BitLocker guide that aren't already in the Group Policy page could be added to the latter. (Ideally, the Group Policy page is the central hub for all things related to LGPO on the Privacy Guides site.)

This is probably not in the scope of this PR, but just mentioning it as a passing suggestion.

docs/encryption.md Outdated Show resolved Hide resolved
vandorsx and others added 2 commits July 30, 2024 13:17
Co-authored-by: redoomed1 <[email protected]>
Signed-off-by: Jade van Dorsten <[email protected]>
Signed-off-by: Jade van Dorsten <[email protected]>
@IDON-TEXIST
Copy link
Contributor

IDON-TEXIST commented Jul 31, 2024

I think it might make more sense to move the group policy stuff to this page. We wouldn't want readers to gloss over it and then decide to unencrypt and reencrypt their drives later because they realize they want AES-256. Those policies don't make much sense to enable unless you're using or planning to use Bitlocker, anyway.

@jonaharagon jonaharagon changed the title Revamp full disk encryption section update: Revamp full disk encryption section Aug 1, 2024
@redoomed1

This comment was marked as off-topic.

Copy link
Contributor

@rollsicecream rollsicecream left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some things to fix.

docs/encryption.md Outdated Show resolved Hide resolved
docs/encryption.md Outdated Show resolved Hide resolved
docs/encryption.md Outdated Show resolved Hide resolved
docs/encryption.md Outdated Show resolved Hide resolved
docs/encryption.md Outdated Show resolved Hide resolved
vandorsx and others added 2 commits August 8, 2024 19:18
Copy link
Contributor

@rollsicecream rollsicecream left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Other things to fix...

docs/encryption.md Outdated Show resolved Hide resolved
docs/encryption.md Outdated Show resolved Hide resolved
docs/encryption.md Outdated Show resolved Hide resolved
vandorsx and others added 2 commits August 9, 2024 10:30
docs/encryption.md Show resolved Hide resolved
For encrypting the drive your operating system boots from, we generally recommend enabling the encryption software that comes with your operating system rather than using a third-party tool. This is because your operating system's native encryption tools often make use of OS and hardware-specific features like the [secure cryptoprocessor](https://en.wikipedia.org/wiki/Secure_cryptoprocessor) in your device to protect your computer against more advanced physical attacks. For secondary drives and external drives which you *don't* boot from, we still recommend using open-source tools like [VeraCrypt](#veracrypt-disk) over the tools below, because they offer additional flexibility and let you avoid vendor lock-in.
Full disk encryption (FDE) is a comprehensive data encryption solution, encompassing the operating system and system files. FDE principally leverages hardware security features, such as a [secure cryptoprocessor](https://en.wikipedia.org/wiki/Secure_cryptoprocessor) (e.g., a [TPM](https://en.wikipedia.org/wiki/Trusted_Platform_Module)). Therefore, we recommend using the built-in FDE solutions for your operating system. For external drives, however, we still recommend [cross-platform tools](#multi-platform) for additional flexibility and to avoid vendor lock-in.

Note the terms full *disk* encryption and full *volume* encryption are often used interchangeably.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These aren't the same though. Full disk implies the entire disk is encrypted and Full Volume encryption just means a volume on the disk is encrypted. I think we should probably avoid using either of these terms and just call it encryption.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The one you deleted still shows up in Apple's marketing materials so I think we can leave it.

@@ -102,63 +102,118 @@ Truecrypt has been [audited a number of times](https://en.wikipedia.org/wiki/Tru

## OS Full Disk Encryption

For encrypting the drive your operating system boots from, we generally recommend enabling the encryption software that comes with your operating system rather than using a third-party tool. This is because your operating system's native encryption tools often make use of OS and hardware-specific features like the [secure cryptoprocessor](https://en.wikipedia.org/wiki/Secure_cryptoprocessor) in your device to protect your computer against more advanced physical attacks. For secondary drives and external drives which you *don't* boot from, we still recommend using open-source tools like [VeraCrypt](#veracrypt-disk) over the tools below, because they offer additional flexibility and let you avoid vendor lock-in.
Full disk encryption (FDE) is a comprehensive data encryption solution, encompassing the operating system and system files. FDE principally leverages hardware security features, such as a [secure cryptoprocessor](https://en.wikipedia.org/wiki/Secure_cryptoprocessor) (e.g., a [TPM](https://en.wikipedia.org/wiki/Trusted_Platform_Module)). Therefore, we recommend using the built-in FDE solutions for your operating system. For external drives, however, we still recommend [cross-platform tools](#multi-platform) for additional flexibility and to avoid vendor lock-in.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Full disk encryption (FDE) is a comprehensive data encryption solution, encompassing the operating system and system files. FDE principally leverages hardware security features, such as a [secure cryptoprocessor](https://en.wikipedia.org/wiki/Secure_cryptoprocessor) (e.g., a [TPM](https://en.wikipedia.org/wiki/Trusted_Platform_Module)). Therefore, we recommend using the built-in FDE solutions for your operating system. For external drives, however, we still recommend [cross-platform tools](#multi-platform) for additional flexibility and to avoid vendor lock-in.
Built-in OS encryption solutions generally leverage hardware security features, such as a [secure cryptoprocessor](https://en.wikipedia.org/wiki/Secure_cryptoprocessor). Therefore, we recommend using the built-in encryption solutions for your operating system. For cross-platform encryption, we still recommend [cross-platform tools](#multi-platform) for additional flexibility and to avoid vendor lock-in.

@@ -102,63 +102,118 @@ Truecrypt has been [audited a number of times](https://en.wikipedia.org/wiki/Tru

## OS Full Disk Encryption
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
## OS Full Disk Encryption
## OS Encryption


[:octicons-info-16:](https://learn.microsoft.com/windows/security/information-protection/BitLocker/BitLocker-overview){ .card-link title=Documentation}

</details>

</div>

BitLocker is [only supported](https://support.microsoft.com/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838) on Pro, Enterprise and Education editions of Windows. It can be enabled on Home editions provided that they meet the prerequisites.
To learn more about BitLocker and TPM, see "[Understanding BitLocker TPM Protection](https://blog.elcomsoft.com/2021/01/understanding-BitLocker-tpm-protection)" by ElcomSoft, a forensics company.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
To learn more about BitLocker and TPM, see "[Understanding BitLocker TPM Protection](https://blog.elcomsoft.com/2021/01/understanding-BitLocker-tpm-protection)" by ElcomSoft, a forensics company.

@vandorsx
Copy link
Author

vandorsx commented Nov 7, 2024

Thanks to those who provided feedback and changes to this PR. I’m closing it as the scope of these changes is too large, making it difficult to review and merge. If anyone more active in contributing to Privacy Guides would like to carry forward parts of these changes in a new PR, feel free to do so.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
c:enhancements new features or other enhancements to the website itself c:software self-hosted/decentralized software and related topics
Projects
Status: Done
Development

Successfully merging this pull request may close these issues.

7 participants