Full disk encryption



  • @accalia said in Full disk encryption:

    @remi said in Full disk encryption:

    @RaceProUK Well, given the behaviour when using a single computer, what makes you believe that this would work when using two different ones?

    because my work domain has the same rule, but i use that trick to keep the same password when i'm forced to change it every 90 days. :-)

    Oh. Does it also have the rule that your password mustn't be one of the last 6? 'cause that would be awesome if I could finally get rid of all this nonsense...


  • FoxDev

    @remi said in Full disk encryption:

    @accalia said in Full disk encryption:

    @remi said in Full disk encryption:

    @RaceProUK Well, given the behaviour when using a single computer, what makes you believe that this would work when using two different ones?

    because my work domain has the same rule, but i use that trick to keep the same password when i'm forced to change it every 90 days. :-)

    Oh. Does it also have the rule that your password mustn't be one of the last 6? 'cause that would be awesome if I could finally get rid of all this nonsense...

    we don't have that rule, no.

    but if science works you might be able to rustle up 6 machines i guess?


  • FoxDev

    @accalia said in Full disk encryption:

    but if science works you might be able to rustle up 6 machines i guess?

    TBH, at that point, I'd just do {password}{suffix} and call it a day 🤷🏼



  • @RaceProUK That's what I currently do. Still a PITA, though.


  • Java Dev

    @RaceProUK said in Full disk encryption:

    {password}{suffix}

    When I tried that on my linux VM a few weeks ago it served me 'your password is too similar'.

    Luckily, this place believes in shipping defaults instead of policies 😏


  • Impossible Mission - B

    @PleegWat That's a 🔴 right there. If they are capable of realizing that your password is too similar to the last one, it's not being stored in a properly hashed fashion.


  • Java Dev

    @masonwheeler Just one password back, which you need to enter in order to be able to change the password.


  • Winner of the 2016 Presidential Election

    @accalia said in Full disk encryption:

    @remi said in Full disk encryption:

    @accalia Isn't it going to refuse to change my password the second time (step 5)? I mean, when using a single computer, just after I change my password I can re-open the password dialog, I only get the error when I actually try to submit a new password for the second time.

    @remi said in About 5 minutes from now:

    0_1490186599310_science_pony_by_pixelkitties-d3fmqf1.jpg

    Why does (s)he have a Poké Ball on their ass?


  • Notification Spam Recipient

    @remi said in Full disk encryption:

    every time I get up from my desk

    @remi said in Full disk encryption:

    20 times a day

    Well, I congratulate you on keeping active at least...


  • Notification Spam Recipient

    @Dreikin said in Full disk encryption:

    @accalia said in Full disk encryption:

    @remi said in Full disk encryption:

    @accalia Isn't it going to refuse to change my password the second time (step 5)? I mean, when using a single computer, just after I change my password I can re-open the password dialog, I only get the error when I actually try to submit a new password for the second time.

    @remi said in About 5 minutes from now:

    0_1490186599310_science_pony_by_pixelkitties-d3fmqf1.jpg

    Why does (s)he have a Poké Ball on their ass?

    It's a button in the process of being smashed?

    0_1490241857339_upload-5f5c773c-ac1c-4121-97dd-c7ea90b49cb5

    I mean, I suppose it could look like a pokeball from afar...



  • @Tsaukpaetra said in Full disk encryption:

    Well, I congratulate you on keeping active at least...

    Unfortunately budget cuts mean we don't have any interns, so I have to get up to fetch my coffee. And then get up to eliminate it (for which interns wouldn't help anyway... or I don't want to know how). And go to lunch (yay, canteen paid by the company!).

    And then there are pesky users who are unable to explain what's on their screen and want to show me ("I click on the thingy and then normally I get a wavy thing but now I get a boxy one, how do I finish my project in time?").

    And then the meetings, oh the endless meetings... At least most of our meeting rooms have some view outside, that's better than nothing.

    And then sometimes you just have to run away to avoid someone (one advantage of open spaces: you can see and hear the annoying person coming from some distance, and you normally have a few escape routes possible. In an individual office, you can get ambushed at the door with no way out!).


  • FoxDev

    @Dreikin said in Full disk encryption:

    @accalia said in Full disk encryption:

    @remi said in Full disk encryption:

    @accalia Isn't it going to refuse to change my password the second time (step 5)? I mean, when using a single computer, just after I change my password I can re-open the password dialog, I only get the error when I actually try to submit a new password for the second time.

    @remi said in About 5 minutes from now:

    0_1490186599310_science_pony_by_pixelkitties-d3fmqf1.jpg

    Why does (s)he have a Poké Ball on their ass?

    i always saw it as a "big red button"(tm) but.......

    What has been seen

    0_1490269057055_what_has_been_seen____by_theurbanwerewolf-d6av0d0.gif

    Cannot be unseen


  • Garbage Person

    @remi said in Full disk encryption:

    Ooo-kaay... I guess confidentiality and security are only an issue for managers, not for actual devs that, you know, do actual work.

    Around here they occasionally bring the media into our developers' open-space office to film a news piece. They got a bit pissy when a line manager hurriedly put up some (ugly) paper to block visibility to a developer diagnosing a production problem involving sensitive customer information.

    Last time I was tempted to hang up a sheet of paper with large letters:

    Production password:
    hunter2



  • @RaceProUK said in Full disk encryption:

    I've been in this game long enough to know that nothing is ever quite as you expect it

    In theory, there's no difference between "in theory" and "in practice".



  • @remi said in Full disk encryption:

    one advantage of open spaces: you can see and hear the annoying person coming from some distance, and you normally have a few escape routes possible

    Office Space - Working Tomorrow – 00:46
    — ResoluteProductions



  • All that for nothing... I am disappointed.

    I brought in my laptop today, watched the guy ask me for my password while handing me a post-it... and then I casually (well, I had planned to do that from the start!) mentioned that my laptop is dual-boot. There was a mix of laughter and panic in the room, which quickly ended with me and my laptop thrown out with a "we'll call you later..."

    So on the plus side, I've escaped one more hurdle on my laptop and in my work for the moment. On the minus side, my laptop is not encrypted and I've missed an opportunity to mess up with them. Meh.



  • @remi
    Did they at least throw your laptop out hard enough that you'll qualify for an early upgrade?



  • @izzion No, but they first looked at it strangely seeing it wasn't a standard one (well duh, I need to do more than open a ppt on that thing!), so I guess they were quite relieved to be unable to process it.

    The fact that the make and model of the laptop seems to have been an important point to them makes me even more wary of this encryption thing.



  • @remi
    Make and model matters for whether or not the encryption is going to require you to put in an unlock passphrase every time you boot your computer. Full disk encryption is designed assuming that your hardware has a Trusted Platform Module (TPM) chip in the motherboard, so that the encryption software can retrieve the decrypt key from the TPM chip and boot up without bothering you further. If that TPM chip is missing (or gets damaged/tampered with or the hard drive gets booted in a system without that TPM chip), then the boot process requires you to insert the decrypt key before the system can boot up.

    The BitLocker decrypt key is like 30 or 40 numeric digits, a serious pain if you're going to inflict that on an end user on every startup, so most shops that enforce BitLocker try to do so only on TPM-enabled hardware (or make sure they only have TPM-enabled hardware)



  • @izzion I see, that makes sense. Thanks!


  • Garbage Person

    The problem with TPM-only encryption on portable, theft-prone devices is EXACTLY that it unlocks itself. Shit ain't no fucking good if physical access to both disk and machine gets you the data. It's fine for datacenters where walking off with a server would be difficult to say the least and it's utterly impractical to expect a human to do anything on boot.

    Our laptops use SEE, which is username/password locked.



  • @Weng
    My understanding with BitLocker is that the drive may unlock itself to boot but you're going to have a hard time getting data from the drive unless you have credentials to an account that has cached credentials on the box (local admin, the usual user of the machine). And that you can't use the normal Windows boot disk methods to reset the local admin password, since the drive won't unlock for Windows setup without the recovery key.

    But that's an academic understanding, not something I've field tested.


  • sekret PM club

    @izzion said in Full disk encryption:

    @remi
    Make and model matters for whether or not the encryption is going to require you to put in an unlock passphrase every time you boot your computer. Full disk encryption is designed assuming that your hardware has a Trusted Platform Module (TPM) chip in the motherboard, so that the encryption software can retrieve the decrypt key from the TPM chip and boot up without bothering you further. If that TPM chip is missing (or gets damaged/tampered with or the hard drive gets booted in a system without that TPM chip), then the boot process requires you to insert the decrypt key before the system can boot up.

    The BitLocker decrypt key is like 30 or 40 numeric digits, a serious pain if you're going to inflict that on an end user on every startup, so most shops that enforce BitLocker try to do so only on TPM-enabled hardware (or make sure they only have TPM-enabled hardware)

    We ran into this problem a bit with some of our field users' machines. The client company bought a couple (around 400) of a new model laptop for the field and shipped them to field users before somebody realized that the model they had bought (the first-gen Lenovo 11e) didn't have a TPM chip in it. They have since bought 11es WITH TPM chips in them, but you'd think for someone in a field like ours that would've been something they would've looked into during the vetting process (oh wait...)
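    The TPM-present / TPM-only / TPM-plus-PIN distinction the last few posts argue about is something you can check per machine before a fleet of laptops ships. The script below is an added example written for this reply, not code from the thread or from Microsoft; it uses the stock `Get-Tpm` and `Get-BitLockerVolume` cmdlets and assumes an elevated PowerShell session on a Windows client with the BitLocker feature installed, and it treats "TPM alone" as the weak configuration @Weng describes.

```powershell
# Added example: report whether this machine has a TPM and which BitLocker
# protectors guard the OS volume. Run elevated; both modules ship with Windows.
Import-Module BitLocker
Import-Module TrustedPlatformModule

function Test-LaptopBitLockerPosture {
    # Get-Tpm tells us whether the "no TPM chip" situation applies at all:
    # without one, BitLocker must fall back to a password/startup key at every boot.
    $tpm = Get-Tpm
    $os  = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
    $types = @($os.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    # Verdict rules (an assumption of this example, not a Microsoft policy):
    # TPM + PIN or TPM + startup key is acceptable for a portable device,
    # a bare 'Tpm' protector means the disk unlocks for whoever boots it.
    $verdict =
        if (-not $tpm.TpmPresent) {
            'NoTpm: every boot will prompt for a protector or the recovery key'
        } elseif ($os.ProtectionStatus -ne 'On') {
            'Weak: BitLocker protection is off on the OS volume'
        } elseif (($types -contains 'TpmPin') -or
                  ($types -contains 'TpmStartupKey') -or
                  ($types -contains 'TpmPinStartupKey')) {
            'OK: TPM plus PIN/startup key required before the disk unlocks'
        } elseif ($types -contains 'Tpm') {
            'Weak: TPM-only, disk auto-unlocks for whoever has disk and machine'
        } else {
            'Unknown: review the protector list by hand'
        }

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        TpmPresent    = $tpm.TpmPresent
        TpmReady      = $tpm.TpmReady
        VolumeStatus  = $os.VolumeStatus
        Protectors    = ($types -join ',')
        # RecoveryPassword is the long numeric key the thread refers to;
        # it should exist (and be escrowed) but never be the everyday unlock.
        HasRecoveryPw = ($types -contains 'RecoveryPassword')
        Verdict       = $verdict
    }
}

Test-LaptopBitLockerPosture | Format-List
```

Running it across the fleet (for example through a remoting job) would have flagged the first-gen 11e batch as `NoTpm` before anyone shipped them.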



  • @izzion I have Bitlocker on one of my work machines. It requires a PIN (I don't know the restrictions on that but 7 digits is valid) on boot, before login. If you enter the PIN wrong twice (or three times, I don't remember and am disinclined to test) it locks you out and you have to enter the full recovery key.

    Then you get a certain number of wrong login attempts (which does not seem to reset on the first correct entry, I haven't yet deduced the formula) before it locks and demands the recovery key.

    If you've entered your password wrongly, then unlocking with the recovery key once is sufficient. If you've entered the Bitlocker PIN wrongly, it will continue to demand the recovery key every boot until you log in as a local administrator and do a thing to unlock or reset the PIN.


  • Winner of the 2016 Presidential Election

    @izzion said in Full disk encryption:

    The BitLocker decrypt key is like 30 or 40 numeric digits, a serious pain if you're going to inflict that on an end user on every startup

    The last time I tried to set up my Surface for dual-boot via UEFI, Windows asked for the decryption key on every startup because "someone tampered with the system settings". :angry:



  • @CarrieVS said in Full disk encryption:

    I have Bitlocker on one of my work machines.

    I do too. Mine's set up so I have to have a USB stick in one of the ports. It has the encryption key.


  • Discourse touched me in a no-no place

    @izzion said in Full disk encryption:

    My understanding with BitLocker is that the drive may unlock itself to boot

    May. You can have TPM hardware and still give Bitlocker a password IIRC.

    @Weng said in Full disk encryption:

    The problem with TPM-only encryption on portable, theft-prone devices is EXACTLY that it unlocks itself. Shit ain't no fucking good if physical access to both disk and machine gets you the data.

    Exactly this.



  • @accalia said in Full disk encryption:

    @remi said in Full disk encryption:

    @accalia said in Full disk encryption:

    @remi said in Full disk encryption:

    @RaceProUK Well, given the behaviour when using a single computer, what makes you believe that this would work when using two different ones?

    because my work domain has the same rule, but i use that trick to keep the same password when i'm forced to change it every 90 days. :-)

    Oh. Does it also have the rule that your password mustn't be one of the last 6? 'cause that would be awesome if I could finally get rid of all this nonsense...

    we don't have that rule, no.

    but if science works you might be able to rustle up 6 machines i guess?

    I did try your method (logged in 2 computers, open change password on both and change on both) and it doesn't allow me to reset the original password immediately. But that's probably because of the last-6 rule, and I was stupid and forgot to try a different one (instead of restoring the original one), so I still don't know for sure if the 24-hours rule was bypassed.

    So I can say that it doesn't work around all rules, but it may still work around some rules...

    (also, while getting 2 computers at the same time is fairly easy, I would have to enlist some cow-orkers to get 6, which I'm not motivated enough to do...)

    Some preliminary science failed, more investigations needed!


  • Discourse touched me in a no-no place

    @Weng said in Full disk encryption:

    The problem with TPM-only encryption on portable, theft-prone devices is EXACTLY that it unlocks itself.

    The UX of Macs is fairly good; you have to type in the password of someone with an account on the machine to get the disk to unlock (there appears to be a small boot area unlocked first, with the critical information in the TPM) but once you've done that, it will boot and automatically log you in.


  • FoxDev

    @remi said in Full disk encryption:

    @accalia said in Full disk encryption:

    @remi said in Full disk encryption:

    @accalia said in Full disk encryption:

    @remi said in Full disk encryption:

    @RaceProUK Well, given the behaviour when using a single computer, what makes you believe that this would work when using two different ones?

    because my work domain has the same rule, but i use that trick to keep the same password when i'm forced to change it every 90 days. :-)

    Oh. Does it also have the rule that your password mustn't be one of the last 6? 'cause that would be awesome if I could finally get rid of all this nonsense...

    we don't have that rule, no.

    but if science works you might be able to rustle up 6 machines i guess?

    I did try your method (logged in 2 computers, open change password on both and change on both) and it doesn't allow me to reset the original password immediately. But that's probably because of the last-6 rule, and I was stupid and forgot to try a different one (instead of restoring the original one), so I still don't know for sure if the 24-hours rule was bypassed.

    So I can say that it doesn't work around all rules, but it may still work around some rules...

    (also, while getting 2 computers at the same time is fairly easy, I would have to enlist some cow-orkers to get 6, which I'm not motivated enough to do...)

    Some preliminary science failed, more investigations needed!

    when sciencing it's important to not give up just because an experiment failed to get results. :-)



  • @accalia said in Full disk encryption:

    when sciencing it's important to not give up just because an experiment failed to get results. :-)

    Side-experiment: we have (at least) one tool on the intranet to change our password. Do you think there is any chance I could use that tool as a substitute for Windows session with the password dialog open? If so, it would be easy to get the 6 sessions simultaneously, but somehow I don't think that will work.

    (what bothers me now is that because of the last-6 rule, I'm stuck with the "wrong" password for a bit more time... assuming with 2 computers I can change it twice a day, that's still 3 days before I can again rely on muscle memory to type it instead of having to think about it...)




  • Discourse touched me in a no-no place

    @dkf said in Full disk encryption:

    The UX of Macs is fairly good; you have to type in the password of someone with an account on the machine to get the disk to unlock (there appears to be a small boot area unlocked first, with the critical information in the TPM) but once you've done that, it will boot and automatically log you in.

    Mostly. If the account is an AD account rather than a local account, it's inconsistent IME about whether it automatically logs in or whether you get the OS logon screen.


  • Discourse touched me in a no-no place

    @remi said in Full disk encryption:

    Side-experiment: we have (at least) one tool on the intranet to change our password. Do you think there is any chance I could use that tool as a substitute for Windows session with the password dialog open? If so, it would be easy to get the 6 sessions simultaneously, but somehow I don't think that will work.
    (what bothers me now is that because of the last-6 rule, I'm stuck with the "wrong" password for a bit more time... assuming with 2 computers I can change it twice a day, that's still 3 days before I can again rely on muscle memory to type it instead of having to think about it...)

    Maybe rather than wasting time trying to keep the same password and circumvent your employer's policy, you just change it.



  • @loopback0 essentially, I just want to keep my muscle memory and avoid having to remember several passwords since there are some internal systems that are not connected to the same account. Most of the time changing back is just a minor annoyance, some kind of background thing that takes me a few seconds, it's only really because someone suggested Science that I'm still talking about that (I can't resist an easy opportunity to learn stuff!).

    (also, note that at no point am I suggesting seriously weakening the passwords I'm using, they still all respect whatever unformulated password complexity rules are in place)


  • ♿ (Parody)

    @loopback0 said in Full disk encryption:

    Maybe rather than wasting time trying to keep the same password and circumvent your employer's policy, you just change it.

    And live with the knowledge that he's a quitter?

