Also, the whole point of the TPM (when I looked it up) was to not tell anyone, including Microsoft, your decryption key. It’s so the user has ten chances to enter a short PIN or password and then it unlocks the device. That way not even Microsoft or the police can unlock the device without a tunnelling electron microscope with which to crack the TPM.
That way, you see, getting into a device is expensive and something law enforcement would not be tempted to do without an ironclad warrant and maybe a national security reason.
That Microsoft can ask TPMs to break their T makes them not T-worthy enough to be called a TPM. More like a Microsoft Obedience Chip.
TPM is meant to enforce DRM, not protect your data. They advertise it as a feature to protect users because it wouldn’t be very popular if they outright said that the whole point was so that your computer could process data without giving you access to it.
And now Google wants to use it to remove user control of browsers because users like to block ads.
You don’t have to give Microsoft the key (unless you want the “backup” option) but the OS has to have the key locally while it’s running in order to be able to read the data on the drive (and also write new data).
In typical usage, the TPM holds the key, but it’s the OS that generated the key and encrypted the drive in the first place. I don’t know the technical details, but the TPM recognises the OS install that programmed it and will only automatically unlock and provide the key for that. If you change it by swapping the drive or booting to a different device, it remains locked and any alternative OS requires the key to be entered manually.
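As an added example (not part of this thread, and not Microsoft's or any TPM vendor's code): a small Python model of the mechanism the comment above describes. The `ToyTpm` class, the `extend`/`measure_boot` helpers, the boot-component strings and the recovery password are all constructed for the demo; a real TPM seals data to PCR values through its own command set and BitLocker's key protectors differ in detail, but the shape is the same: the OS creates the volume key, the TPM releases it only when the measured boot chain matches what it was sealed to, a different chip cannot unseal the blob at all, and a separate recovery protector bypasses the TPM entirely.

```python
# Added example (not from the thread): a toy model of how a TPM-backed
# BitLocker unlock is bound to the measured boot chain. Standard library
# only; the "TPM" here is a class, not a real TPM 2.0 device, and the boot
# measurements and recovery password are constructed strings.
import hashlib
import hmac
import secrets

PCR_INIT = b"\x00" * 32


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend: new = H(old || H(measurement)).

    One-way and order-dependent, so a boot component can be recorded but
    never un-recorded, and a different boot sequence yields a different digest.
    """
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot(components) -> bytes:
    """Fold the boot chain (firmware, bootloader, OS) into one PCR value."""
    pcr = PCR_INIT
    for c in components:
        pcr = extend(pcr, c)
    return pcr


class ToyTpm:
    """Stand-in for the chip. Its seed never leaves the object, mirroring a
    TPM's storage root key, which the OS cannot read out."""

    def __init__(self):
        self._seed = secrets.token_bytes(32)

    def _wrap_key(self, pcr_digest: bytes) -> bytes:
        # The wrapping key depends on the chip secret AND the boot state.
        return hmac.new(self._seed, b"seal:" + pcr_digest, hashlib.sha256).digest()

    def seal(self, secret: bytes, pcr_digest: bytes) -> dict:
        """Return a blob the OS can store on disk; it is useless without
        this chip in this boot state."""
        assert len(secret) <= 32, "toy wrap is a 32-byte one-time pad"
        wrap = self._wrap_key(pcr_digest)
        ct = bytes(a ^ b for a, b in zip(secret, wrap))
        tag = hmac.new(wrap, ct, hashlib.sha256).digest()
        return {"pcr_policy": pcr_digest, "ct": ct, "tag": tag}

    def unseal(self, blob: dict, current_pcr: bytes):
        """Release the secret only if the current PCR matches the policy."""
        if not hmac.compare_digest(blob["pcr_policy"], current_pcr):
            return None  # booted something other than what the key was sealed to
        wrap = self._wrap_key(current_pcr)
        expect = hmac.new(wrap, blob["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(expect, blob["tag"]):
            return None  # different chip (drive moved to another machine) or tampered blob
        return bytes(a ^ b for a, b in zip(blob["ct"], wrap))


def recovery_wrap(vmk: bytes, recovery_password: str) -> bytes:
    """Second key protector: the same volume key under a key derived from a
    recovery password. No TPM involved, so it works from any boot state.
    Applying it twice with the same password gives the key back."""
    rk = hashlib.pbkdf2_hmac("sha256", recovery_password.encode(), b"demo-salt", 100_000)
    return bytes(a ^ b for a, b in zip(vmk, rk))


# Constructed boot measurements for the demo.
GOOD_BOOT = [b"firmware 1.0", b"bootloader signed", b"windows kernel"]
OTHER_OS = [b"firmware 1.0", b"bootloader signed", b"linux kernel"]


def demo() -> dict:
    tpm = ToyTpm()
    vmk = secrets.token_bytes(32)  # the OS generates the volume key, not the TPM
    sealed = tpm.seal(vmk, measure_boot(GOOD_BOOT))
    recovery_pw = "123456-654321-111111-222222"  # constructed, not a real recovery password
    rec_blob = recovery_wrap(vmk, recovery_pw)
    return {
        "same_boot_unlocks": tpm.unseal(sealed, measure_boot(GOOD_BOOT)) == vmk,
        "other_os_locked": tpm.unseal(sealed, measure_boot(OTHER_OS)) is None,
        "other_chip_locked": ToyTpm().unseal(sealed, measure_boot(GOOD_BOOT)) is None,
        "recovery_pw_unlocks": recovery_wrap(rec_blob, recovery_pw) == vmk,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The `recovery_wrap` path is the part of the picture that the "backup" option touches: whoever holds a copy of the recovery password can get the volume key back without the TPM, which is exactly why escrowing it (to a Microsoft account, Active Directory, or a printout) is a policy decision rather than a technical necessity.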
That’s what BitLocker is supposed to do. It’s kind of the whole point of BitLocker.
BitLocker is supposed to lock out people that should not have access to the data on that PC, not lock the owner out.
Yeah but how would it know?
Passwords and/or keys? Ya know, just encryption things.
Well if you have the key, you’re not locked out.
Huh. I do not have a BitLocker account.