On Tue, Jul 26, 2022, at 9:15 PM, Kevin Kofler via devel wrote:
Chris Murphy wrote:
> Summary: Windows 10/11 increasingly enables Bitlocker (full disk
> encryption) out of the box with the encryption key sealed in the TPM.
[…]
> The Bitlocker encryption key is unsealed only if the boot chain
> measurement by the TPM matches the expected values in a TPM PCR.
So, basically, they set up things without the user's knowledge so that the
user's data can only be decrypted from Windows, only when booted directly,
and only with Restricted Boot enabled. Does that not fit the definition of
ransomware? Treacherous Computing at its finest… Does anyone still believe
that all this is about security?
cryptsetup does have Bitlocker support; so long as you have the recovery key you can
unlock and get access to your data. I've tested this.
Bitlocker has nothing to do with Secure Boot.
This is entirely beside the point though, which is to try and make dual boot as useful for
users as possible. We want users to be confident that both OSes remain accessible in
a discoverable way, without having to jump through hoops.
--
Chris Murphy
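As an added example (not part of the thread, and not Fedora's or cryptsetup's own code), the unlock path Chris describes, driven from a shell script: the 48-digit recovery password is sanity-checked offline first, then handed to cryptsetup's bitlk support as the passphrase. The device path, mapping name and the assumption of cryptsetup 2.3 or newer (where `--type bitlk` first appeared) are mine; the format rule checked is the published one, namely eight dash-separated groups of six decimal digits, each group being a 16-bit value multiplied by 11.

```shell
#!/bin/sh
# Added example: offline sanity check of a BitLocker recovery password,
# followed by mapping the volume through cryptsetup's bitlk support.
# Assumes cryptsetup >= 2.3 and root for the unlock step; device and
# mapping names below are placeholders chosen for illustration.

# Returns 0 when $1 is a well-formed recovery password, 1 otherwise.
# Shape: NNNNNN-NNNNNN-... (8 groups). Rule: every group is a 16-bit
# value times 11, so it is divisible by 11 and no larger than 720885.
bitlocker_recovery_key_valid() {
    key=$1
    printf '%s' "$key" | grep -Eq '^([0-9]{6}-){7}[0-9]{6}$' || return 1
    oldifs=$IFS
    IFS='-'
    set -- $key
    IFS=$oldifs
    for g in "$@"; do
        # strip leading zeros so the shell does not read "000011" as octal
        n=$(printf '%s' "$g" | sed 's/^0*//')
        n=${n:-0}
        [ $((n % 11)) -eq 0 ] || return 1
        [ $((n / 11)) -le 65535 ] || return 1
    done
    return 0
}

# Map $1 (block device holding the BitLocker volume) as /dev/mapper/$2,
# supplying the recovery password $3 on stdin as the passphrase.
# After this, the NTFS filesystem is mounted from /dev/mapper/$2.
bitlocker_unlock() {
    dev=$1
    name=$2
    key=$3
    if ! bitlocker_recovery_key_valid "$key"; then
        echo "refusing: recovery password is malformed" >&2
        return 1
    fi
    # --key-file - reads the passphrase from stdin; no trailing newline
    printf '%s' "$key" | cryptsetup open --type bitlk --key-file - "$dev" "$name"
}

# Example invocation (placeholder device and a constructed, valid-shaped key):
#   bitlocker_unlock /dev/sda3 win_c \
#       000011-000022-000033-000044-000055-000066-000077-000088
#   mount -o ro /dev/mapper/win_c /mnt/win
#   ... later: umount /mnt/win && cryptsetup close win_c
```

`cryptsetup bitlkDump /dev/sda3` (same device placeholder) prints the volume's metadata, including which key protectors exist, and is a cheap way to confirm the partition really is a BitLocker volume before trying to open it. The format check only catches typos in a transcribed recovery password; a well-formed key that is simply wrong is still rejected by cryptsetup at open time.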