Friday, July 31, 2015

I've upgraded to Windows 10...What are my full disk encryption options?

A good question that I've been seeing around twitter lately. What are my FDE options and how do I keep myself secure from getting my bitlocker keys uploaded to OneDrive?

There are a few issues to address here and no it does not involve paying Microsoft an extra $200. That would be a little silly. So lets start from the beginning because this is not new with Windows 10. It was actually introduced in Windows 8.1 with a very specific criteria that has to be met. 

Before Windows 8.1 automatically enables Device Encryption, the following must be true:
  • The Windows device “must support connected standby and meet the Windows Hardware Certification Kit (HCK) requirements for TPM and SecureBoot on ConnectedStandby systems.”  (Source) Older Windows PCs won’t support this feature, while new Windows 8.1 devices you pick up will have this feature enabled by default.
  • When Windows 8.1 installs cleanly and the computer is prepared, device encryption is “initialized” on the system drive and other internal drives. Windows uses a clear key at this point, which is removed later when the recovery key is successfully backed up.
  • The PC’s user must log in with a Microsoft account with administrator privileges or join the PC to a domain. If a Microsoft account is used, a recovery key will be backed up to Microsoft’s servers and encryption will be enabled. If a domain account is used, a recovery key will be backed up to Active Directory Domain Services and encryption will be enabled.

So if your pc does not meet these modern standards and you score and upgrade to Windows 10 home. No it won't self encrypt and you will be using a Windows 10 device that is unencrypted. If it does meet those standards then yes it will automatically encrypt and upload the recovery key to OneDrive assuming you logged into a Microsoft account. 

So lets get real for a second. If you are worried that now your secret "Golden Key" is out on OneDrive. You can easily enough remove it and regenerate a new recovery key. Also mind you the default for Bitlocker is AES128. I don't go less that AES256 on any of my systems. 

1. Go to this Microsoft FAQ and click on the question How can I get my Bitlocker recovery key. It will contain a direct link to take you to your recovery key. Once you are logged in. Just remove it. If you get a page saying no bitlocker key exists then you are good to go. 

2. Verify your computer is even encrypted. Open up a elevated command prompt and type in the following. 

manage-bde -status

This should pull back some info similar to this:

As you can see this drive is not encrypted. There is no bitlocker version and it is running Windows 10 home. I'll get to what I am going to do with my unencrypted laptop in a minute. 

If your drive is encrypted and you did have to do a removal of your key from OneDrive then do step 3. 

3. Regenerate your recovery key. No decryption necessary. 

Assume X: is the BitLocker protected drive you want to change recovery password for.
  1. Open an elevated cmd prompt
  2. Type manage-bde X: -protectors -get -type RecoveryPassword
  3. Locate the protector you want to cycle (probably the only one displayed) and copy its ID field (including the curly braces).
  4. Type manage-bde X: -protectors -delete -id [paste the ID you copied]
  5. Type manage-bde X: -protectors -add -rp [optionally specify the new 48-digit password or enter nothing to have it randomly generated for you]
Save your password somewhere safe. Encrypt the file with a password with a program such as 7zip. My favorite it to encrypt it with my own key. Then upload to OneDrive for backup purposes. 
Now lets talk about running Windows 10 home unencrypted. Microsoft is making the encryption market very narrow with the introduction of Secure Boot UEFI, GPT partitions and TPM chips. If you are running a GPT partition you will have a tough time finding a free FDE solution that supports GPT. Paid products typically do like Symantec PGP Encryption. I would suggest doing container based encryption using Veracrypt. Veracrypt developers seem to be fixing truecrypt audit items. I would stay clear of using truecrypt as it has not been updated in some time. 
Hopefully this will help those that seem to be confused about Windows 10 FDE. 


28 comments:

  1. Replies

    1. buy win 7 product key card , key windows 7 professional 64 bit , free windows anytime upgrade key for windows 7 home premium , windows multipoint server 2011 activation code , office 2016 product key , windows home server 2011 power pack 1 , windows 8.1 professional key , office 2010 key paypal , leTzX7

      Delete

    2. genuine windows 7 key wholesale , windows 7 home premium sp1 keygen , windows 10 serial key crack , office 2013 key sale , windows 10 product key free , windows 10 activation time limit , windows 7 keys sale , windows 10 product key lookup , lqXhXw

      buy office 2016 product key

      windows server 2012 r2 free

      rosetta stone french key sale

      Delete

    3. buying windows 7 product key , window xp pro sp3 original product key , windows 10 pro keys retail , windows 7 home premium anytime upgrade product key free , windows 10 activation expired , key win 7 pro , get windows server 2016 keys discount , windows 7 home basic genuine product key free download , loVJn7

      windows 7 ult key sale online

      buy windows 8.1 pro keys

      cheap windows 10 pro keys for sale

      windows server 2016 standard key and download

      get windows 7 product keys online

      Delete

    4. buying windows 7 product key , window xp pro sp3 original product key , windows 10 pro keys retail , windows 7 home premium anytime upgrade product key free , windows 10 activation expired , key win 7 pro , get windows server 2016 keys discount , windows 7 home basic genuine product key free download , loVJn7

      windows 7 ult key sale online

      buy windows 8.1 pro keys

      cheap windows 10 pro keys for sale

      windows server 2016 standard key and download

      get windows 7 product keys online

      Delete
  2. I literally have no idea what all that means. I am running Windows 10 home and I have to have FDE for my contracting business. How do I get this? Do I have to pay the extra money to Microsoft to upgrade to business?

    ReplyDelete
  3. Recommend you guys a good site to get cheap and genuine product keys for windows: www.vinhugo.com, all versions of windows keys can be found there.

    ReplyDelete
  4. I'd like to introduce something good to you, my dear friend. As you mentioned above, I want to tell you how you can get a valid and legal key. The answer is in www.funkinyes.com, you can buy what you want and it's 100% genuine. Pirated versions never exist in this place

    ReplyDelete
  5. Guys who was not successful with these keys can also try this site: www.acyberkey.com I saw it by chance, hope it maybe helpful.

    ReplyDelete
  6. if you need genuine office you can try this link, my office got here and works well,strongly recommend you, it is brilliant www.aakeys.com

    ReplyDelete

  7. office2013keysale.com
    Just wanted to recommend windows 10 product key
    I have helped people "who cannot afford" computing, refurbish old systems donated by schools and http://www.office2013keysale.com/ has really enabled me to give these people good software that would normally be out of their reach ( I don't charge for my service,) just thought I would pass the word on

    ReplyDelete

  8. Windows 10 Key Sale Store (http://www.windows10keysale.com)

    You are looking for a product key? Then, you can't miss the site Windows 10 Key Sale Store (http://www.windows10keysale.com) . This is the professional vendor of Microsoft and provides product key for the windows 7, windows 8 and so on. Just click the link and have a look. You must love it.

    Windows 10 Key Sale Store (http://www.windows10keysale.com)

    ReplyDelete
  9. Its rally very nice and informative article. thanks for shearing with us.
    Plot for Sale in Lahore

    ReplyDelete
  10. Dear guys, if you want to buy 8.1 Product key online in best quality and best cheap price,so i recommend you to the online store www.hafizlab.com , here you can buy windows 8.1 key in only $35 with lifetime waranty...

    ReplyDelete
  11. Windows 10 Key Sale Store (http://www.windows10keysale.com)

    You can buy the product key from the Microsoft office site and its partner vendor. If you don't want to pay in high price, then I recommend you to buy it from the partner vendor Windows 10 Key Sale Store (http://www.windows10keysale.com) . The same genuine product key but with a much lower price. What's more, the customer service is extremely good and considerate.

    Windows 10 Key Sale Store (http://www.windows10keysale.com)

    ReplyDelete
  12. Windows 10 Key Sale Store (http://www.windows10keysale.com)


    You could download the software and buy the key in Microsoft official site.
    But I think the price is too expensive, more than $200. I found a MS partner online shop with low price about $35 after discounts.
    I forget the Partner site, maybe you could Google.
    Their service email is customerservice.key@gmail.com

    Windows 10 Key Sale Store (http://www.windows10keysale.com)

    ReplyDelete
  13. Windows 10 Key Sale Store (http://www.windows10keysale.com)


    I recommend you to visit Windows 10 Key Sale Store (http://www.windows10keysale.com) . Yesterday was my 5th purchase from their site.
    Everytime I am amazed at the prices and customer service.
    I have recommended this site to many friends. the fact will prove my words.

    Windows 10 Key Sale Store (http://www.windows10keysale.com)

    ReplyDelete

  14. Microsoftkeysales.com
    Go to http://www.Microsoftkeysales.com/. I must thank them for their great product key and warm customer service as well as quick delivery of email. This is the best online purchasing experience Ihad ever! You also can buy the product key here and activate you operating system in a short time.

    ReplyDelete
  15. Windows 7 support is over, but there's no doubt, As Windows 7 is the most recommended OS, Which through user can do almost all work without any problem, Where I recommend you to activate your OS being purchased its license code from ODosta Store
    After OS activation, You can easily get windows 10 remote tech support to run all old programs and get windows 10 updates.
    You can upgrade your OS to windows 10, But you can face some technical issues, So I recommend you to have clean installation of windows 10 and activate it using legal license.

    ReplyDelete
  16. Share with you a good site that you can get cheap product keys from there: www.vanskeys.com, all versions of windows keys and office keys can be found in that site.

    ReplyDelete

  17. OFFICE 2016 PRODUCT KEY

    Aha, same question as what I raised several days ago. I bought a new computer and the new operating system is Windows 10 Enterprise Product Key. When I tried to activate the system, it prompted me that I need to have a product key. I asked friends and one of them recommended me the site http://www.Gastonfiore.com/ from which I could easily order a product key. Then, I just followed his advice and really activated my system with the purchased product key. It didn't cost much and bought me a convenience service.

    ReplyDelete
  18. Share with you a good site that you can get cheap product keys from there: www.vanskeys.com, all versions of windows keys and office keys can be found in that site.

    ReplyDelete