Final on Nostr: BitLocker is fine, it's the best choice of OS disk encryption for Windows users since ...
BitLocker is fine, it's the best choice of OS disk encryption for Windows users since BitLocker has TPM support. TPMs suck compared to a proper secure element but they are better than nothing. fTPMs are more resistant to physical attacks documented with TPMs. VeraCrypt refuses to have TPM support at all.
Claims of backdoors are unsubstantiated and a lot of weaknesses come from other problems universal to most desktop disk encryption and awful design choices, such as BitLocker being only available in Pro, Enterprise or Education editions of Windows and the default settings just using a TPM with no additional authentication needed. BitLocker is the best choice when certain settings are configured.
You'd need to configure group policies to allow BitLocker to have additional authentication such as a TPM + PIN or USB key (or all three through a hack job), force 256-bit AES encryption, and to make PINs alphanumeric instead of just numbers.
Do not use the Windows Device Encryption in the Home edition. It requires a Microsoft account and requires backing up your key to your account's OneDrive. macOS has FileVault which users should enable if it hasn't been already. ChromeOS uses the same per-user filesystem encryption GrapheneOS uses but depends on a Google account to use it. Macs provide the best OOTB disk encryption.
Both VeraCrypt and Picocrypt are fine apps and trustworthy. They're better overall for encrypting files or removable drives though; protect them with very secure passphrases. If the OS provides a disk encryption option then I'd believe you're better with using that.
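An audit of the settings the post names (startup authentication beyond TPM-only, 256-bit AES, alphanumeric PINs), added here as a PowerShell example that is not part of the original post. The registry value names are the ones the BitLocker group policy templates write under the FVE policy key, not something the post itself lists.

```powershell
# Added example: audit the OS volume against the BitLocker settings named in the post.
# Run from an elevated PowerShell session on Windows Pro, Enterprise or Education.

# Registry location where the BitLocker group policies are stored.
$fvePath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$policy  = Get-ItemProperty -Path $fvePath -ErrorAction SilentlyContinue

function Get-PolicyValue([string]$Name) {
    # Returns $null when the policy key or the value is not configured.
    if ($policy) { $policy.$Name }
}

# Live state of the OS volume (BitLocker module cmdlet).
$vol        = Get-BitLockerVolume -MountPoint $env:SystemDrive
$protectors = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
$preBoot    = 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey'

$checks = [ordered]@{
    # "Require additional authentication at startup" is enabled.
    'Policy: additional startup authentication'  = (Get-PolicyValue 'UseAdvancedStartup') -eq 1
    # TPM + PIN: 1 = required, 2 = allowed, 0 = not allowed.
    'Policy: TPM + PIN allowed or required'      = (Get-PolicyValue 'UseTPMPIN') -in 1, 2
    # TPM-only startup: 0 = not allowed (the default setup the post warns about).
    'Policy: TPM-only startup disallowed'        = (Get-PolicyValue 'UseTPM') -eq 0
    # Enhanced PINs permit letters and symbols instead of digits only.
    'Policy: enhanced (alphanumeric) PINs'       = (Get-PolicyValue 'UseEnhancedPin') -eq 1
    # OS drive cipher policy: 7 = XTS-AES 256-bit.
    'Policy: OS drives use XTS-AES 256'          = (Get-PolicyValue 'EncryptionMethodWithXtsOs') -eq 7
    'Volume: protection is on'                   = "$($vol.ProtectionStatus)" -eq 'On'
    'Volume: 256-bit AES in use'                 = "$($vol.EncryptionMethod)" -in 'Aes256', 'XtsAes256'
    'Volume: pre-boot PIN or startup key in use' = [bool]($protectors | Where-Object { $_ -in $preBoot })
    'Volume: no TPM-only protector'              = 'Tpm' -notin $protectors
}

# One row per check; anything with Pass = False needs attention.
$checks.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Check = $_.Key; Pass = $_.Value }
} | Format-Table -AutoSize

"Protectors on $($vol.MountPoint): $($protectors -join ', ')"
```

A policy row can pass while the matching volume row fails: the encryption method policy only applies to drives encrypted after it is set, and a PIN protector still has to be added to an already-encrypted volume.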