Can you get the data out of it? It would seem to be fairly pointless if you could (because then any malware you picked up could also do that), but at the same time how do you back your keys up? What if you move the drive to a new PC?
Am I missing something or is it just a case of "that's the neat part, you don't"?
The drive would not work on any other PC.
It is a de-phase of strategy. You see, TPM was devised by Microsoft along with Intel at a time when Windows wanted to tie down users to subscriptions. The idea was that an onboard TPM would allow an encrypted BIOS (UEFI secureboot) and a wholly encrypted disk. The upside for MS was that one Windows license would be tied to the hardware. So, you couldn't use a key, however valid, with another piece of hardware. And if anything in your hardware changed, your cryptographic keys would change, then you would have to buy an entirely new Windows license (or migrate your old one to the new one, that was never established) because MS wanted to make W10 the last version and it was all going neatly into a subscription. So you wouldn't be able to move drives to new hardware.
But then Azure happened.
MS got a new CEO and a new strategic vision were an OS wasn't their main driver but B2B cloud sales. That engendered the concept of “W10 is practically free”. At the tail of the 8.0 and 8.1 debacle, MS wanted people out of those versions as soon as possible, so they gave free licenses to anyone who upgraded, even if they upgraded from a pirated copy. So now TPM is everywhere and W11 uses it for encryption, but the main motivation isn't there anymore. And nobody sees the point of secureboot except for very specific use cases with laptops. And TPM can encrypt the whole thing but, as you quickly devised, if anything happens to it, you lose all your data, so why would you unless you work for the government or something.
Essentially the tech is here, but the use case for which it was devised doesn't exist anymore. It's a piece of tech that only few enduser wants. But now it's mandatory for everyone.
TLDR: it's vicious DRM that MS wanted to impose on everyone, but kinda got lax about after backlash and change of strategy.
OK, that would explains why a lot of it seems to make little sense.
I can see the point of it for a laptop that a government employee might leave on a train, where the data should remain secret and have many backups. But the average home user just wants all those photos, videos and game saves to survive going from one PC to another, and we all know most of them never keep backups.
Can't wait for the next relative to bring me their dead laptop and find that they've enabled Bitlocker and all the rest when prompted, and now that "secure" data is now gone.
I have a tablet I only use for surfing the internet. That's it. I don't even use it for email. I never enabled Bitlocker, but it was either enabled by the factory or MS enabled it with an upgrade without asking. One day the machine asked me for a password that I didn't remember ever setting. I was unable to use that machine until a full wipe, because Bitlocker had locked ever bit of data on the harddrive without a password I remember even being asked to set let alone remembering.
I was annoyed because I had to format and reinstall, but I didn't lose anything. If that had been my main machine, though.... holy shit would I have been furious.
You can't input the key to unlock it (assuming you saved the key somewhere)?
I think it uses something in the hardware itself. It does have a master key, but extracting it is something of a headache, it requires a sniffer or something. But if the hardware changes, then the keys change. It was a whole kerfuffle in tech circles when it was announced.
Can you get the data out of it? It would seem to be fairly pointless if you could (because then any malware you picked up could also do that), but at the same time how do you back your keys up? What if you move the drive to a new PC?
Am I missing something or is it just a case of "that's the neat part, you don't"?
The drive would not work on any other PC.
It is a de-phase of strategy. You see, TPM was devised by Microsoft along with Intel at a time when Windows wanted to tie down users to subscriptions. The idea was that an onboard TPM would allow an encrypted BIOS (UEFI secureboot) and a wholly encrypted disk. The upside for MS was that one Windows license would be tied to the hardware. So, you couldn't use a key, however valid, with another piece of hardware. And if anything in your hardware changed, your cryptographic keys would change, then you would have to buy an entirely new Windows license (or migrate your old one to the new one, that was never established) because MS wanted to make W10 the last version and it was all going neatly into a subscription. So you wouldn't be able to move drives to new hardware.
But then Azure happened.
MS got a new CEO and a new strategic vision were an OS wasn't their main driver but B2B cloud sales. That engendered the concept of “W10 is practically free”. At the tail of the 8.0 and 8.1 debacle, MS wanted people out of those versions as soon as possible, so they gave free licenses to anyone who upgraded, even if they upgraded from a pirated copy. So now TPM is everywhere and W11 uses it for encryption, but the main motivation isn't there anymore. And nobody sees the point of secureboot except for very specific use cases with laptops. And TPM can encrypt the whole thing but, as you quickly devised, if anything happens to it, you lose all your data, so why would you unless you work for the government or something.
Essentially the tech is here, but the use case for which it was devised doesn't exist anymore. It's a piece of tech that only few enduser wants. But now it's mandatory for everyone.
TLDR: it's vicious DRM that MS wanted to impose on everyone, but kinda got lax about after backlash and change of strategy.
OK, that would explains why a lot of it seems to make little sense.
I can see the point of it for a laptop that a government employee might leave on a train, where the data should remain secret and have many backups. But the average home user just wants all those photos, videos and game saves to survive going from one PC to another, and we all know most of them never keep backups.
Can't wait for the next relative to bring me their dead laptop and find that they've enabled Bitlocker and all the rest when prompted, and now that "secure" data is now gone.
I have a tablet I only use for surfing the internet. That's it. I don't even use it for email. I never enabled Bitlocker, but it was either enabled by the factory or MS enabled it with an upgrade without asking. One day the machine asked me for a password that I didn't remember ever setting. I was unable to use that machine until a full wipe, because Bitlocker had locked ever bit of data on the harddrive without a password I remember even being asked to set let alone remembering.
I was annoyed because I had to format and reinstall, but I didn't lose anything. If that had been my main machine, though.... holy shit would I have been furious.
You can't input the key to unlock it (assuming you saved the key somewhere)?
I think it uses something in the hardware itself. It does have a master key, but extracting it is something of a headache, it requires a sniffer or something. But if the hardware changes, then the keys change. It was a whole kerfuffle in tech circles when it was announced.
Good Lord...