What the frick are they smoking at Microsoft

>Be Microsoft
>develop bitlocker boot drive encryption
>provide pre-boot environment to get keys from TPM and if setup request user PIN input
>even provide support for keyfile on external USB-drive
okay
>be me
>have yubikey
>already carry yubikey
>want to use yubikey with PIV certificate because TPM is moronic
>want to use yubikey because carrying another USB-drive is moronic
>spend/waste hours on google
>should_be_possible.pfx
>spend/waste multiple weekends trying to set it up
>apparently impossible, Bitlocker+smartcards is only possible for non-boot disks like a secondary partition/drive or external storage
>none of the tutorials, threads etc mention this anywhere
>commercial solutions are available but are so enterprise-oriented they don't even list their prices online
>have to resort to Veracrypt or some shit

I hate Microsoft so fricking bad. Please tell me it is actually possible. Or make it make sense.


  1. 1 month ago
    Anonymous

    why do you use windows if you are smart enough to figure out all this encryption stuff

    • 1 month ago
      Anonymous

      Unironically Microsoft Office, among some other utilities that only run on Windows
      >inb4 wine
      I wish that worked for my utils

      • 1 month ago
        Anonymous

        encrypted Linux system, microsoft VM. Problem solved

        • 1 month ago
          Anonymous

          For me it's gaymen, but windows iso won't load on usb properly from linux.

          • 1 month ago
            Anonymous

            called pcie passthrough lad

  2. 1 month ago
    Anonymous

    Ok OP, I'll try:
    Bitlocker is encryption. This is when your data is scrambled in a way that makes it harder to read. It's like if you mixed up all the pages in your favorite story, but in a way that it can be read in the correct order if you have the correct order to read those pages (in this case, a "key"). This is so data is harder to obtain if your device is lost or stolen.

    I hope this helps.

    • 1 month ago
      Anonymous

      kys

      [...]

      no

      • 1 month ago
        Anonymous

        I'm trying to be helpful. Please don't be disrespectful.

        • 1 month ago
          Anonymous

          don't reply to the tourist, thanks.

  3. 1 month ago
    Anonymous

    You should have never graduated from being an iToddler.

    • 1 month ago
      Anonymous

      >iToddler
      where did I mention apple?

      • 1 month ago
        Anonymous

        >act like Black person
        >be surprised when called out

        • 1 month ago
          Anonymous

          >concise and relevant OP to the board
          >clear goal and request
          >clearly non-bait non-slide thread
          >hurrr Black person
          you are a sad human being, I hope you will be happy one day 🙂

    • 1 month ago
      Anonymous

      funny thing is apple actually supports this right out of the box with filevault. too bad their hardware is gay as shit

      • 1 month ago
        Anonymous

        is shit gay? my shit has never indicated its sexual preference.

        • 1 month ago
          Anonymous

          >penis shaped object in your colon
          Shit is gay. Take the piss pill.

          • 1 month ago
            Anonymous

            douché

  4. 1 month ago
    FUCKINGFUCK

    I swear to god this is some glowie op to prevent neets from having enterprise-grade information security measures

  5. 1 month ago
    Anonymous

    >setup bitlocker
    >save recovery key in keepass database
    >it just works

  6. 1 month ago
    Anonymous

    >2024
    >zero reading comprehension
    grim

  7. 1 month ago
    Anonymous

    You missed the part where the TPM only releases the decryption passphrase after boot measurements match expected values.
    Unlike your Yubikey, which can't read those registers.
    So your entire rant is the result of you not understanding the purpose of Bitlocker.

    • 1 month ago
      Anonymous

      Perhaps I do and I just don't want to store the decryption key on the TPM since you can just sniff it from the system bus
      PINs can easily be learned by (camera) observation so that's still not enough
      If I'm not near my computer, I have the key on a smartcard in my wallet and the pin memorised
      Say someone would gain access to my computer with the PIN they still wouldn't get anywhere

      • 1 month ago
        Anonymous

        >you can just sniff it from the system bus
        It is much easier to sniff it from the USBus, so your point is moot.

        • 1 month ago
          Anonymous

          are you moronic?

          • 1 month ago
            Anonymous

            Do you think USB traffic is encrypted or something?

          • 1 month ago
            Anonymous

            since you are apparently moronic let me spell it out for you
            >option one
            >bitlocker + TPM
            physical intrusion, just let computer boot, sniff system bus, extract keys, clone system disk
            >bitlocker + TPM + PIN
            observe PIN, physical intrusion, just let computer boot, sniff system bus, extract keys, clone system disk
            >bitlocker + Token/SC + PIN
            Then you'd also need to rob me from my token, which I'd carry on my person at all times

          • 1 month ago
            Anonymous

            >you'd also need to rob me from my token
            Step 1: insert USB sniffer inside PC
            Step 2: moron (you) plugs token and enters his autistic PIN
            Step 3: collect passphrase
            How is this any different from TPM, dumbo?

          • 1 month ago
            Anonymous

            IM NOT A FRICKING DUMBO! SHUT UP troony!
            100% FRICK HEAD DICKHEAD troony c**t! GO DILATE YOUR MANGINA!

          • 1 month ago
            Anonymous

            Who's a smart boy? You're a smart boy!

          • 1 month ago
            Anonymous

            Nice try but that requires manipulation of my hardware whilst remaining undetected by me, which is a non-negligible extra level of difficulty that thwarts many bad actors. Otherwise just steal it and compromise to your heart's desire with only the TPM+PIN

            IM NOT A FRICKING DUMBO! SHUT UP troony!
            100% FRICK HEAD DICKHEAD troony c**t! GO DILATE YOUR MANGINA!

            You're not me, seek help

          • 1 month ago
            Anonymous

            You're not me. I am me! I am me and you are I
            I AM ME AND YOU ARE I
            FRICK OF FRICK OF FRICKOFFFFRICKOFFFRICKOFCCC
            THE VOICES WONT FRICKOFFF
            FRICK OFF troony !FRICK OFF troony!!!

          • 1 month ago
            Anonymous

            >compromise to your heart's desire with only the TPM+PIN
            The TPM will erase itself after a few incorrect PINs.

            >he doesn't have something to wipe the fricking key if shady shit happens.
            Dumb frick.

            Wipe it from where? How will you know what's shady?

          • 1 month ago
            Anonymous

            I said your a dumb frick. Stop replying or else I gonna get mad.

          • 1 month ago
            Anonymous

            Again, PIN is easily learnt through shoulder surfing

          • 1 month ago
            Anonymous

            So someone can shoulder surf your ass enough to see the PIN despite your paranoia, but they won't be able to also get their hands on your key for a couple minutes to dump the key?
            You're dreaming.

            I said your a dumb frick. Stop replying or else I gonna get mad.

            Oh no, I'm scared

          • 1 month ago
            Anonymous

            Yeah that actually would be rather difficult since I have a habit of keeping my wallet actually on my person at all times. At night I keep it on my nightstand.

          • 1 month ago
            Anonymous

            >he doesn't have something to wipe the fricking key if shady shit happens.
            Dumb frick.

          • 1 month ago
            Anonymous

            >How is this any different from TPM, dumbo?
            NTA, but what you just described was an evil maid attack which is wildly different from what the OP is worried about. With TPM you can physically take the PC and unlock the drive later by abusing TPM's design flaws. With the hardware key, you'd have to install physical malware into the PC, let the user use the PC normally, then go back and collect the PC after it had been used and the data had been collected.

            The defense against your attack is the same as any other evil maid attack -- use some sort of identifying markings or material on the PC's screws and inspect them before logging into the PC. The defense against the TPM attack is to not use the TPM.

  8. 1 month ago
    Anonymous

    been suffering over the same thing. afaik not possible.
    best you can do is tpm + pin or disable tpm and just use a long password, then make the yubikey type it. both options suck

    another thing i hate is that you can't RDP with yubikey without being AD joined

  9. 1 month ago
    Anonymous

    Bootlocker? More like bootlicker, am I right guys?

    • 1 month ago
      Anonymous

      kek it do be like dat do
      they don't want us to have physical security

  10. 1 month ago
    Anonymous

    encryption on Windows ecosystem is for enterprise use case

    encryption on Linux ecosystem is for paranoid pedophilia use case

    change my mind.

    protip:
    you can't.

    • 1 month ago
      Anonymous

      >reddit spacing
      >le epik 'change my mind' maymay
      opinion discarded

    • 1 month ago
      Anonymous

      >my boomer parents accidentally having their harddrive mined because they sold a laptop not realizing what that means isn't a use case

    • 1 month ago
      Anonymous

      >paranoid pedophilia use case
      >LUKS isn't even trying to obfuscate the header

  11. 1 month ago
    Anonymous

    >PIV certificate
    >penis in vegana certificate
    So it's true that you get an official certificate the first time you have sex?
