What's easier, and bitlocker doesn't count. I want my FDE to be based on a password or a keyfile, not simply by some code in the motherboard. I want it encrypted until I, the operator, provide some data to unlock.
In my limited experience with bitlocker, the disk is decryptable automatically as long as it's in the original motherboard.
If someone steals my laptop, and there is no factor of decryption requiring something I possess or know, then the only use of that disk being encrypted is that I can throw it out more safely at end of life. Thieves/LEO has the data because they have the motherboard.
If bitlocker has a PIN/passphrase decrypt option, then I missed it.
While a thief or LEO could boot the OS, just having the motherboard doesn’t give them access to the underlying data. They would need to have a valid user account.
What's easier, and bitlocker doesn't count. I want my FDE to be based on a password or a keyfile, not simply by some code in the motherboard. I want it encrypted until I, the operator, provide some data to unlock.
In my limited experience with bitlocker, the disk is decryptable automatically as long as it's in the original motherboard.
> and bitlocker doesn't count.
Wat? Bitlocker is the answer to your question.
> In my limited experience with bitlocker, the disk is decryptable automatically as long as it's in the original motherboard.
It's unlocked (not decrypted) when the OS boots, yes. You can optionally enforce (not on Home) other unlock methods, such as PIN before the OS boots.
> I want my FDE to be based on a password or a keyfile, not simply by some code in the motherboard.
That's less secure than TPM.
If someone steals my laptop, and there is no factor of decryption requiring something I possess or know, then the only use of that disk being encrypted is that I can throw it out more safely at end of life. Thieves/LEO has the data because they have the motherboard.
If bitlocker has a PIN/passphrase decrypt option, then I missed it.
While a thief or LEO could boot the OS, just having the motherboard doesn’t give them access to the underlying data. They would need to have a valid user account.