
I recently got Windows 10, and I am not overly thrilled at Microsoft having a copy of my password on their servers. I will also be forced to make a hotmail account, instead of just using a local account. I am forced to use Windows because of my job, so iOS and Linux are out of the question.

Is there a way of using Bitlocker full disk encryption with just a local account, and without sending Microsoft a copy of my key?

If I have to use VeraCrypt (without the plausible deniability) would I have problems because I am using a branded Samsung laptop with an SSD which likely uses TRIM.

I miss the old days of local Windows accounts, and mechanical hard drives, but I am forced to stick with my current setup.

questioner
  • Why are you forced to make a Hotmail account to use Windows 10? Do you mean that you couldn't create a local account on your laptop? Do you have admin rights on the laptop? Also, is this a company-owned and managed device? – Marc Woodyard Mar 15 '21 at 02:24
  • @MarcWoodyard It's a personal device. When I bought it and went through the options there was no way to create a local account, so I disconnected the WiFi to trick it. The next problem is when I clicked "Enable Bitlocker" it said to continue I needed a hotmail account or something equally annoying. – questioner Mar 15 '21 at 03:04
  • I'm pretty sure Windows 10 still allows you to create local accounts. Here are some links you can look into https://support.microsoft.com/en-us/windows/create-a-local-user-or-administrator-account-in-windows-10-20de74e0-ac7f-3502-a866-32915af2a34d https://www.tomshardware.com/how-to/create-local-account-windows-10 – Marc Woodyard Mar 15 '21 at 03:07
  • Also, BitLocker shouldn't need a Microsoft account to be enabled. https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838 https://superuser.com/questions/1507217/how-does-a-microsoft-accountless-bitlocker-encryption-scheme-work – Marc Woodyard Mar 15 '21 at 03:08
  • @questioner I recall the setup screen. While it asks for a Hotmail account in bold large text, there should be a very tiny *Ignore this step* option at some corner of the screen. I had the same concern on my personal laptop and I double checked that my Live account does not `pwn` my BitLocker keys. – usr-local-ΕΨΗΕΛΩΝ Mar 15 '21 at 09:28
  • Indeed, I also have a recommendation. Since it's a freshly-formatted laptop, you could still try to perform setup, then go to https://account.microsoft.com, look for `My Devices` and check your device. With BL enabled, you should see an option `Manage your recovery key`, which either reveals your key or says "there is no key saved for this device". If the former occurs, you can just wipe your device once again until you get it to work in privacy by default mode – usr-local-ΕΨΗΕΛΩΝ Mar 15 '21 at 09:31
  • @questioner Just for confirmation: I have multiple Windows 10 computers with bitlocker enabled with local accounts. This should work even with Win10 Home (or whatever non-professional is called these days). – Voo Mar 15 '21 at 10:48
  • Upgrade to Windows 10 Pro. – Michael Hampton Mar 15 '21 at 16:42

2 Answers


VeraCrypt (or any other full volume encryption) can be (and has been for many years) used with SSDs. An attacker with the tools to access the drive metadata will be able to determine some things about what blocks are used or not, but won't be able to actually decrypt anything or otherwise compromise your data.


As a side note: Win10 still supports both local and domain accounts (in addition to Microsoft accounts), and neither one sends your recovery key to MS. So, this entire question is based on a false premise. I also suspect it's possible to use BitLocker with a MS account but not send them the recovery key - worst case, you can remove the recovery key from the drive - but it sounds like you don't want to do that anyhow.

CBHacking
  • When I tried to log in, I clicked the "forgotten password" option and it asked me to sign into my hotmail account to recover it, proving Microsoft must have the key... – questioner Mar 15 '21 at 03:05
  • That means your Windows account is a Microsoft account. You couldn't have *not done that*. They don't make it obvious - it's small text under the box where you're supposed to put your email address at account creation - but there's an option "Create a local account instead". It might be possible to convert an MS account to a local one, even (the other direction works). Also, at the login screen, you're past where BitLocker would matter anyhow. So it doesn't prove anything at all about any encryption keys (using a MS account and BL without giving MS the recovery key might be possible? Unsure). – CBHacking Mar 15 '21 at 05:21
  • @CBHacking even if they don't get the _BitLocker_ key, I wouldn't let Microsoft decide whether I'm allowed to log in to my private machine or not. – Haukinger Mar 15 '21 at 07:52
  • @Haukinger If you're running Windows, you are letting Microsoft decide whether you're allowed to log in to your machine. – gronostaj Mar 15 '21 at 08:01
  • Microsoft accounts can be used fine offline, at least for a while (I'm not sure if there's an offline time limit but they definitely don't have to check with MS every time you log in). Regardless, though... like I said, just don't do that! Use a local account instead. It's a bit less convenient (mostly things like needing to separately sign in to OneDrive and no clipboard sync option) but it works fine, and the option is available on all editions of Windows 10. EDIT: Also, "couldn't" in previous comment should have been "could" but I can't re-edit it. – CBHacking Mar 15 '21 at 08:10
  • @gronostaj not on an individual case-by-case basis. Of course, Microsoft-created code decides whether I'm allowed to log in on classic/offline Windows, but using Windows 10 is different - Microsoft can selectively deny or allow each individual login attempt without me making any changes to my machine. Essentially, I'd be saying "this isn't my machine" - which one has been doing forever in the context of domains, but there, the machine actually _isn't_ my machine but the company's. – Haukinger Mar 15 '21 at 08:55

Disk encryption of an SSD is safe. If you do enable TRIM, the system will reveal which sectors have been erased, as described in this blog post (although this references dm-crypt, it applies equally to any disk encryption technology, including VeraCrypt). This may or may not be a big deal, depending on your threat model. However, even with TRIM, the confidentiality of encrypted data remains.

You can disable TRIM to reduce this metadata leakage even with disk encryption, but it will reduce drive performance and increase wear on the SSD. This happens because the SSD does not know which blocks are no longer in use and cannot optimize writes by erasing them.

forest