- cross-posted to:
- [email protected]
How can something “enable itself” while requiring a password?
It’s not strictly a password; it’s a recovery key for the encryption. The drive is unlocked automatically at boot by the key residing in the TPM, if the system “hasn’t been compromised”
Bitlocker is enabled by default on new Windows installations, and you can run into this situation by resizing partitions or messing around with your EFI partition. Disabling secure boot without disabling bitlocker first will result in this.
Make sure you have your recovery key, or completely disable bitlocker until you’re done provisioning your system (or uninstall windows altogether)
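The pre-flight check the two replies above are asking for, written out as an added example (not code from the thread): before touching Secure Boot or other firmware settings, confirm whether BitLocker protection is on, see what the TPM protector is sealed to, save the recovery password off the disk, and suspend protection for one reboot instead of decrypting. It assumes the OS volume is C:, that the script runs elevated, and that the BitLocker and SecureBoot PowerShell modules are present (Windows 10/11; on Home editions with Device Encryption the same cmdlets exist). The output path is a placeholder.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original thread. Checks and prepares a Windows
# install for a Secure Boot / firmware change without losing access to the disk.
# Assumptions: OS volume is C:, BitLocker + SecureBoot modules available.

$mount = 'C:'
$vol = Get-BitLockerVolume -MountPoint $mount -ErrorAction Stop

"Volume {0}: {1}, protection {2}, {3}% encrypted" -f `
    $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus, $vol.EncryptionPercentage

# Current Secure Boot state. Confirm-SecureBootUEFI throws on legacy BIOS boxes.
try { $sb = Confirm-SecureBootUEFI } catch { $sb = $null }
"Secure Boot: {0}" -f $(if ($null -eq $sb) { 'not UEFI / unknown' } else { $sb })

if ($vol.ProtectionStatus -ne 'On') {
    "BitLocker protection is off on $mount; a firmware change will not trigger recovery."
    return
}

# Which protectors exist? The Tpm protector is what auto-unlocks at boot; the
# RecoveryPassword protector is the 48-digit key the recovery screen asks for.
"Key protectors on ${mount}:"
$vol.KeyProtector | ForEach-Object { "  {0,-18} {1}" -f $_.KeyProtectorType, $_.KeyProtectorId }

# PCR profile the TPM protector is sealed to. Windows' default is PCR 7 + 11
# when Secure Boot is on (7 = Secure Boot policy), 0,2,4,11 otherwise. Either
# way, toggling Secure Boot changes the measurements, the TPM refuses to unseal,
# and Windows drops into recovery. manage-bde prints the profile; the PowerShell
# module does not expose it.
(manage-bde -protectors -get $mount) |
    Select-String 'PCR Validation Profile' |
    ForEach-Object { "  " + $_.Line.Trim() }

# 1. Make sure a recovery password exists and keep a copy OFF this disk.
$rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) {
    "No RecoveryPassword protector found; adding one."
    $null = Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector
    $rp = (Get-BitLockerVolume -MountPoint $mount).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
}
# Placeholder path for the example; move the file to another machine or print it.
$out = Join-Path $env:USERPROFILE 'bitlocker-recovery.txt'
$rp | ForEach-Object { "{0}`t{1}" -f $_.KeyProtectorId, $_.RecoveryPassword } |
    Set-Content -Path $out
"Recovery password(s) written to $out (keep a copy somewhere that is not this drive)"

# 2. Suspend, don't disable. The volume stays encrypted, but the key is stored
#    in the clear for exactly one reboot, so the next boot does not depend on the
#    old PCR values. Protection resumes automatically and re-seals to the new
#    measurements once Windows has booted.
Suspend-BitLocker -MountPoint $mount -RebootCount 1
"BitLocker suspended for one reboot on $mount. Change firmware settings now, then boot Windows once before doing anything else."
```

Run it, make the firmware change, and boot Windows once so protection resumes against the new measurements; only then install or boot anything else. If you skip the Windows boot and go straight into a Linux installer, the suspension is still consumed by the next Windows boot, so the order matters less than the recovery-key backup, which is the thing that actually saves you when the TPM refuses to unseal.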
It was already enabled; he just tripped secureboot.
That explains why I was just trying to update my friend’s motherboard’s firmware and it locked him out. He had to reinstall his os.
This is probably my fault, big brother Microsoft saw me replace Win11 last month with Linux and doesn’t want real OSes taking up their precious market share.
Real and fuck Microsoft
…and grounds for committing sudoku. 🤣

Ahh, you mentioned the number puzzle sudoku. What you were looking for was the word for Japanese honour suicide: sirtaki.
You mean Sriracha.
No, Sriracha is a spicy sauce made from hot peppers and garlic. You’re thinking of Siddhartha.
No, Siddhartha is a novel by Hermann Hesse about spiritual discovery.
You’re thinking of Sebulba.
No, Sebulba was one of the positive influences Anakin Skywalker had in his early life.
You mean Sequin Pants.
Close but no, Siddhartha is the name of Buddha. You’re thinking of Sepultura.
No, Sepultura is a Brazilian metal band. You’re thinking of Sophocles.
Literally happened to me two days ago. Everything was fine until I installed GPU drivers and then it said “plz give secure boot password” and I had to abort mid-install. Also was in front of a fresh Linux recruit.
That secure boot password was probably from akmods preparing its key so that it can sign the kernel module of the driver. This key needs to be loaded into the UEFI to use the driver with secure boot enabled. It shouldn’t affect the BitLocker key in theory, but you never know…
No bitlocker on that one but it still complained.
Set the BIOS to disable secure boot (warning: check if you have BitLocker active before you do that) and install Linux w/o secure boot.
Otherwise, with secureboot: akmod will generate a new key for you and prepare it to be loaded into your UEFI. That key is password protected, which was the password you were asked for. Depending on your distro it might even get loaded automatically on reboot (just follow the menu and enter the password when asked) or you might need to initiate the load with mokutil and a reboot.
Afterwards, akmods will make sure your graphics driver is signed with the corresponding key that is now known and trusted by the UEFI and you can boot with secure boot enabled while still using self compiled kernel modules.
Problem is that kernel modules are seen as part of the kernel and everything must be signed with a key your UEFI trusts when using secure boot. And initially it’s Microsoft’s key, which you will not have access to when using custom kernels/kernel modules/… so you just create your own.
Fuck, I’m gonna have to enable secure boot (and use windows) to play the BF6 open beta, am I gonna get the same bullshit?
If it doesn’t affect my Linux drives I don’t care much tbh, I’ll probably just nuke windows and reinstall it
If you use Rufus to burn the ISO into the USB, there is an option to patch the ISO to not require secure boot.
It’s not a windows issue, BF6 has some requirements for its anti-cheat including secure boot and TPM
What the actual bloody fuck, I didn’t know. Well, back to my Factorio I guess.
I basically never boot into windows except to play these anti-cheat games with friends anyway, so I’ll just bite the bullet and deal with rebooting twice just to change OS to play the beta, but yeah it’s a weird-ass requirement especially since it is apparently quite easy to exploit some vulnerable signed drivers to inject shit into memory anyway.
Even if you enable Secure Boot, you can disable BitLocker, and that will prevent this from happening.
The only thing BitLocker really does is make it so that if somebody steals your computer and doesn’t have your password, all of your files will be encrypted, so they don’t get your files too.
Depending on your risk preference, it is okay to disable it.
Of course, if your computer does not have a password, or if the password is something really easy, then there’s no point in bitlocker in the first place.
I was going to try the BF6 open beta. It uses Javelin anti-cheat, which is kernel-level and requires secureboot on and active.
Complain about that in the steam forums though and ignorant troglodytes come out of the muck and filth to screech “cheater! Stupid boomer can’t figure it out!” and other drivel.
This happened to me when I booted a friend’s computer from a live USB Mint stick. It took well over an hour to find the correct password for her account and get Windows running again.
Not too long ago Microsoft deleted my Linux ext2 directory when I booted to Windows and ran Windows Update.
At this point I’m convinced Microsoft’s primary business is selling malware.
This is partly Microsoft’s fault, for sure, but it’s also more of a function of how secureboot works. A Linux system using TPM backed FDE with secureboot enabled would have the same problem going the other way.
Secureboot prevents a lot of ways the TPM could be compromised, so as part of “securely” turning it off, it wipes the keys (otherwise those protections would be pointless, the first thing an attacker would do would be to turn off secureboot).
The main problem is it turning itself on with no input from or feedback to the user, and not giving the user access to the key without using a Microsoft account. I’ve heard of people getting screwed by this because they set up with a local account and thus never got their secureboot key (or did, but it was hidden somewhere and they were never told to save it).
Oh yeah sorry I should have elaborated when I said it’s partly Microsoft’s fault. ATEOTD, this mostly happened because neither of them expected the FDE to be enabled which is on Microsoft for silently enabling it
Yep, happened with my wife’s laptop. Fortunately you just follow the instructions and we had a second laptop but I was still sweating bullets.
- The average user has no need to use Bitlocker
- The average user should be using a local account instead of a Microsoft Account.
- Using a Microsoft Account causes Bitlocker to auto-enable.
- Loss of access to your Microsoft Account when Bitlocker is enabled can cause loss of all your data.
- Microsoft can and will roundly ignore you if you lose access to your Microsoft Account.
Microsoft has painted users into a very dangerous corner. Security is vitally important, but not when it’s almost maliciously implemented.
Even as a security professional I understand that most people will be ill served by having their computer locked down like Fort Knox. There are ways of ensuring security without having all personal content go permanently poof with the slightest wrong move.
100% agree with the sentiment. Working in IT makes you realize how incapable some people can be with even the simplest computer tasks at times. What would you recommend as an alternative for secure data in the case of the average person? File level encryption instead of disk level? Wondering what would be the best way to go about getting my family to secure their private info.
For safety, backups are much better than encryption.
The only thing encryption does is prevent others from reading your data if the machine gets physically lost or stolen. And ironically, that might prevent a stolen machine from ever making it back into your hands.
For desktops, encryption of a machine that doesn’t have critically private/sensitive content is even dumber. I mean, if you have terabytes of CP or are a terrorist, then sure, lock that down to make the police earn their wages. Or do it even if you don’t, but you just want to give authorities the middle finger.
But not much on the average computer needs encryption so long as you keep good physical and network security. And the problem with that is much of it is behavioural - they will need to learn how to not do dangerous things online and off.
What protects data is a good backup system - something that just works, is dummy proof, can be administered remotely, and which can restore content easily and reliably.
On a Mac, nothing beats iCloud. It’s encrypted before it even gets uploaded, and Apple has repeatedly shown it cannot retrieve the content… it needs to be forcibly cracked.
On the PC (both Windows and Linux) I prefer Duplicati backing up to BackBlaze B2.
I’m using hardware encryption, i.e. my data is too heavy to be stolen. The manual actually recommends two people lift it.

Oh hey, another T7500 owner! You have the second-CPU caddy installed in that thing?
What do you use yours for?
One is light hosting using VMs. It boots normally.
The other is for experimenting on various OSes in VMs. It does not boot normally. Even before the 2nd CPU caddy, it always POSTed 10 times - no more, no less - with a memory error code before booting into the hypervisor. And yet, no issues with memory, no issues with RAM slots themselves. Or, at least, it’s affecting all 4 of the on-mobo slots equally.
Microsoft’s SSO is an absolute train wreck. I’d rather pound my pecker flat with a mallet than deal with another Microsoft account.
Bitlocker works as intended and is actually a good tool
It installs and activates itself stealthily, slows down the computer, and eventually makes it unusable.
If it looks like a duck and walks like a duck…
Bitlocker works as intended
Oh, definitely. If it was intended to be malware.
Explain how breaking their ability to boot into the OS because they booted from a USB is a good thing.
Ah yes, after the attacker has gotten everything they need upon next boot up the owner is locked out. Perfect!
I work in IT and understand that the tradeoff for good security is a reduction in convenience. But this really reads like deliberate punishment. I get the same sense on Apple’s platforms. Wanna change your cloud password? Prove you know the unlock code to a device that you no longer own and haven’t had in a year. This is especially awesome when your employer makes you change passcodes on a regular basis and you have no idea what you used back then.
Ran into this issue literally yesterday. The wife went back to iOS after giving Android a try for four years (I don’t get why, but I try not to judge).
Anyway, she couldn’t remember her Apple ID and had to pull out the phone she hasn’t used in years to recover her account. Thankfully she was smart enough to charge the battery to 50% every few months. Otherwise it would have gone bad and she would have been fucked; literally would have had to pay a tech hundreds to replace a battery for a phone she no longer uses, just to reset a simple password.
I understand and appreciate the need for good security, but this is beyond ridiculous.
My password manager keeps a history, and it has saved my bacon twice now.
Which one are you using?
Onenote
Nice
Yeah, the VIP that I was helping when I encountered the above issue was not using a pw manager and the device in question had been replaced (by the org) a bit more than a year ago. We also had an insane pw policy at the time that made users change them every three months, so good luck remembering. So grateful that madness is over.
Cold spare production floor machines. I’m sure there’s a better way, but you build the machine and put it on a shelf maybe 2 years before you need it.
That doesn’t help them recover their cloud account for which they forgot their password. They still need the unlock code of the device that was replaced >1y ago.
Weaponized security. These fuckers booby-trapped usb boot.
I really don’t miss windows. I’m happy with almost everything else but windows. Fisher-Price macOS is perfectly acceptable to me at this point.
Fuck Liquid Glass though.