Today I took my first steps into the world of Linux by creating a bootable Mint Cinnamon USB stick to fuck around on without wiping or portioning my laptop drive.

I realised Windows has the biggest vulnerability for the average user.

While booting off of the USB I could access all the data on my laptop without having to input a password.

After some research it appears drives need to be encrypted to prevent this, so how is this not the default case in Windows?

I’m sure there are people aware but for the layman this is such a massive vulnerability.

  • @[email protected] · 1 point · 2 months ago

    I think on laptops Windows is trying to encrypt the drives. Maybe online if you are logged in to a Microsoft account for BitLocker to save the encryption key. Encrypting the drives should be your decision to take.

    • @[email protected] · 1 point · 2 months ago

      Yes, my sister bought a laptop; it had Windows and BitLocker installed.

      She doesn’t know what any of those things are nor does she have an encryption key.

      So she was not able to resize her partition to try to dual boot linux - she’d have to totally kill windows (which I suggested, of course, but you know. . . ).

      It stops her doing what she wants because she was given something she doesn’t understand by people who didn’t explain it. At least she is “safe” though according to someone else’s definition. I guess I could’ve just said “Basically, Microsoft” for short.

      • @[email protected] · 1 point · 2 months ago

        Microsoft makes all the decisions for you.

        Try using a virtual machine before doing a full switch

    • @[email protected] · 8 points · 2 months ago

      And people are pissed because they don’t realize, and when they don’t have the key any more, all their data is gone!

        • @[email protected] · 2 points · 2 months ago

          That assumes they know which Microsoft account it was attached to, the password, and have another device to access that account and retrieve the recovery key. If they did the setup five years ago, they’ve probably forgotten all that info.

    • @[email protected] · 7 points · 2 months ago

      IIRC, this is one of the reasons that Windows 11 requires TPM 2.0, so that the drive can be encrypted using the TPM as the key.

  • @[email protected] · 4 points · 2 months ago (edited)

    This is not that big of a deal most of the time, since you are the only person interacting with your computer, but it’s worth remembering when you decide to recycle or donate – you have to securely wipe in that case. Also bear in mind, if you do encrypt your drive, there are now more possibilities for total data loss.

    Oh, fun fact: you can change a user’s Windows password inside Linux. Comes in handy for recovery, i.e., user forgot their password.

  • @[email protected] · 4 points · 2 months ago

    Modern Windows machines will be installed with BitLocker (full disk encryption). With manual installs it might not be.

  • @[email protected] · 2 points · 2 months ago (edited)

    I still remember years ago one time windows fucked itself and god knows why I couldn’t fix it even with USB recovery or stuff like that (long time ago, I don’t remember).

    Since I couldn’t boot into recovery mode the easiest way to backup my stuff to a connected external drive was “open notepad from the command line -> use the GUI send to… command to send the files to the external drive -> wait and profit” lol.

  • @[email protected] · 11 points · 2 months ago

    I’m happy that you’re on a journey of discovery. This is not an insult. The word is partition. Someone corrected me on the spelling of something last night. We all make mistakes.

    (especially with reference to a country with separate areas of government) the action or state of dividing or being divided into parts.

  • Mensh123 · 2 points · 2 months ago

    Yup. You’ll need to tinker with Linux too if you want disk encryption. At the very least, set a BIOS password.

  • @[email protected] · 4 points · 2 months ago

    Most Linux users run fully unencrypted drives as well. It’s a vulnerability and a risk, but it’s not a massive threat to the average person.

    Idk if the average person is a laptop user but laptop users would definitely place a higher value on disk encryption.

  • @[email protected] · 4 points · 2 months ago

    It’s the same situation with Linux: a simple login only has very basic protection. You need to encrypt your disk if you want to make sure no one can read it.
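    One way to check which of your mounted filesystems a live USB could read with no password, as an added example that is not from any post in this thread: it parses the JSON that `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` prints and reports every mounted filesystem that does not sit on top of a dm-crypt (LUKS) layer. The sample `lsblk` output below is constructed; `audit_live_system()` runs the real command.

```python
"""Audit mounted filesystems for missing encryption at rest (added example)."""
import json
import subprocess

# Constructed sample: encrypted root and /home (LUKS under LVM), a plain
# EFI partition, and a second disk mounted unencrypted at /mnt/data.
SAMPLE_LSBLK_JSON = """
{"blockdevices": [
  {"name": "nvme0n1", "type": "disk", "fstype": null, "mountpoint": null, "children": [
    {"name": "nvme0n1p1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
    {"name": "nvme0n1p2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null, "children": [
      {"name": "cryptroot", "type": "crypt", "fstype": "LVM2_member", "mountpoint": null, "children": [
        {"name": "vg-root", "type": "lvm", "fstype": "ext4", "mountpoint": "/"},
        {"name": "vg-home", "type": "lvm", "fstype": "ext4", "mountpoint": "/home"}]}]}]},
  {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "fstype": "ext4", "mountpoint": "/mnt/data"}]}
]}
"""


def unencrypted_mounts(lsblk_json, expected_plain=("/boot", "/boot/efi")):
    """Return (device, mountpoint) pairs for mounted filesystems with no
    dm-crypt ancestor. Mountpoints in expected_plain (the bootloader
    partitions, which must stay readable by firmware) are skipped."""
    exposed = []

    def walk(node, under_crypt):
        # Anything below a "crypt" node is only readable once LUKS is unlocked.
        under_crypt = under_crypt or node.get("type") == "crypt"
        mountpoint = node.get("mountpoint")
        if mountpoint and not under_crypt and mountpoint not in expected_plain:
            exposed.append((node["name"], mountpoint))
        for child in node.get("children", []):
            walk(child, under_crypt)

    for device in json.loads(lsblk_json)["blockdevices"]:
        walk(device, False)
    return exposed


def audit_live_system():
    """Run lsblk on this machine and return its unencrypted mounts."""
    result = subprocess.run(
        ["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
        check=True, capture_output=True, text=True)
    return unencrypted_mounts(result.stdout)


if __name__ == "__main__":
    for device, mountpoint in unencrypted_mounts(SAMPLE_LSBLK_JSON):
        print(f"readable from a live USB without a password: {device} at {mountpoint}")
```

On the sample it flags only `/mnt/data`; `/` and `/home` are under the `crypt` node and stay closed until the LUKS passphrase is entered.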

  • @[email protected] · 7 points · 2 months ago (edited)

    Yep! They don’t teach this stuff because consumer level cyber security is in the absolute pits of despair and moreover, they’re trying to do away with what little we have access to. Governments and police agencies like how easy it is to access files.

    Personally I don’t bother with full disk encryption (FDE) since I don’t really have anything private on my main computer. Just a bunch of game files, comics, movies, etc. Anything extremely important such as tax documents, personal data, etc. is honestly very small and I keep in a little Proton Drive folder, <1GB total. I think the best approach is to simply educate yourself and be aware of what’s worth protecting and how best to protect that. Just enabling FDE and thinking you’re safe ignores all the other avenues that personal data can be stolen.

    My current pet conspiracy theory is that FDE with BitLocker isn’t even worth it on Windows due to the TPM requirement. Why is that a bad thing? Your system probably has fTPM supported by the BIOS, why not just enable that?

    https://techcommunity.microsoft.com/blog/windows-itpro-blog/tpm-2-0-–-a-necessity-for-a-secure-and-future-proof-windows-11/4339066

    Integrating with features like Secure Boot and Windows Hello for Business, TPM 2.0 enhances security by ensuring that only verified software is executed and protecting confidential details.

    https://ieeexplore.ieee.org/document/5283799 (I don’t believe we’ll see this EXACT implementation of DRM, I’m just providing an example of TPM being used for DRM and that these ideas have been in consideration since at least 2009).

    Now, if I were Microsoft and I wanted to exert an excessive amount of control over your system by making sure you couldn’t run any inauthentic or “pirated” software to bring it more inline with the walled garden Apple approach they’ve been salivating over for the past decade+, you’d first need to ensure you had a good baseline enabled. You know, kind of like the thing you’d do by forcing everyone into an OS upgrade and trashing a lot of old hardware.

    It won’t be instantaneous, I don’t know exactly how or what it’s going to look like when they start tightening their grip. Again, this is all speculation, but it’s not hard to connect the dots and their behavior over the past couple years does not give them the benefit of the doubt. Microsoft is no longer a company that can be assumed to be acting in the best interest of the average consumer, they’re not doing this for your security. They want to know that your computer is a “trusted platform”.

    EDIT: Further lunatic conspiracy theories: BitLocker is/will be backdoored so Microsoft forcing you into that ecosystem further guarantees they have access to your system. This all stinks to me, like your landlord telling you how you can arrange the furniture in your own apartment.

    • @[email protected] · 3 points · 2 months ago

      they’re not doing this for your security. They want to know that your computer is a “trusted platform”.

      security in terms of Trusted Computing is never about your security, and neither about your trust

      EDIT: Further lunatic conspiracy theories: BitLocker is/will be backdoored so Microsoft forcing you into that ecosystem further guarantees they have access to your system. This all stinks to me, like your landlord telling you how you can arrange the furniture in your own apartment.

      a backup of your bitlocker key is in your Microsoft account, and normally nowhere else. It’s pretty easy for Microsoft to lock you out of your own computer and data completely, if they wanted. Because you supposedly violated a license, or the terms of use or anything. just sayin’, Microsoft already has (and had for a few years now) a scandal about extorting for your personal phone number by locking down your account a few days after registration, until you hand it over. and even there they justify it with a ToS violation, which is just a lie

      • @[email protected] · 3 points · 2 months ago

        For those not in the know, “Trusted Computing” is a very specific THING and maybe not what you’d expect, https://en.wikipedia.org/wiki/Trusted_Computing

        TC is controversial as the hardware is not only secured for its owner, but also against its owner, leading opponents of the technology like free software activist Richard Stallman to deride it as “treacherous computing”,[3][4] and certain scholarly articles to use scare quotes when referring to the technology.[5][6]

        You can pretty much guess where I land.

        a backup of your bitlocker key is in your Microsoft account, and normally nowhere else. It’s pretty easy for Microsoft to lock you out of your own computer and data completely, if they wanted.

        You make a good point, I’m missing the forest for the trees. Why even bother theorizing that BitLocker may be compromised when they’re removing local accounts for consumers and forcing the key to be uploaded to their servers anyway?

        • @[email protected] · 1 point · 2 months ago

          Why even bother theorizing that BitLocker may be compromised when they’re removing local accounts for consumers and forcing the key to be uploaded to their servers anyway?

          yeah, with that, it’s basically compromised, but maybe not bitlocker itself but the key storage

        • @[email protected] · 1 point · 2 months ago

          They’re not forcing it. You can still create local accounts (though it takes some work) and it doesn’t require you to upload any keys. I have bitlocker enabled with a local account and no Microsoft account connection.

          • @[email protected] · 1 point · 2 months ago

            they are forcing it. if you are not determined, you won’t be able to get an offline account. many are not determined. many don’t even realize that it’s not for their benefit, even after onedrive starts announcing it daily that their drive is full

  • @[email protected] · 15 points · 2 months ago

    This is a case where Windows-bashing is hypocritical. Almost no Linux distro has disk encryption turned on by default (PopOS being the major exception).

    It’s dumb and inexcusable IMO. Whatever the out-of-touch techies around here seem to think, normies do not have lumbering desktop computers any more. They have mobile devices - at best laptops, mostly not even that.

    If an unencrypted computer is now unacceptable on Android, then it should be on Linux too. No excuses.

    • @[email protected] · 2 points · 2 months ago

      If an unencrypted computer is now unacceptable on Android, then it should be on Linux too. No excuses.

      When is the last time you carried your desktop outside? Forgot it somewhere?

    • SayCyberOnceMore · 9 points · 2 months ago

      It’s dumb and inexcusable IMO

      No, it’s a choice, because:

      1. History… encryption didn’t exist in the beginning. Upgrades won’t enable it.

      2. Recovery… try telling the people that didn’t backup the encryption key - outside of the encrypted vault - that their data’s gone.

      3. Performance… not such an issue these days, but it does slow your system down (and then everyone complains)

      So, please continue to encrypt your data as you choose and be less judgemental on others, esp. anyone new

      No excuses.

      • @[email protected] · 3 points · 2 months ago

        Blah blah blah. Unencrypted data is the wrong default in 2025 for any OS. Linux should not be a poor man’s OS.

        • SayCyberOnceMore · 2 points · 2 months ago

          It depends on your use-case.

          Encryption of data at rest (this discussion) is mostly helpful against physical theft, so for a device that never leaves the house there’s little reason for encryption.

          Similarly, on a lower powered mobile device, maybe you only want / need user data to be encrypted, and there’s no need to encrypt the OS, which keeps the performance up.

          Maybe you want the whole thing encrypted on your high performance laptop.

          So, it’s difficult to define a sane default for everyone, thus making it an option for the end user to decide on.

          Linux has more choice than Windows - and the encryption algorithm(s) can be verified - so it’s definitely the better choice.

      • @[email protected] · 2 points · 2 months ago

        I will definitely say I wish encryption setup was a lot easier in Linux. Windows is like “wanna Bitlocker?” Done.

        With most Linux installers, if you’re not installing in a very default way, and clicking that box to encrypt the drive, it’s time to go seriously digging. For a while.

        I managed to encrypt a secondary drive with the same password on my EndeavourOS laptop, but I still need to enter the same password 2 times before getting into the OS.

        I consider that a feat, and I’m not touching it for fear of losing everything lol.

        • SayCyberOnceMore · 2 points · 2 months ago

          Yes, I feel your pain.

          Encrypted drives sound like a good idea until the subject of unlocking them comes up… and automatically unlocking the drive for the OS isn’t really helping.

          But, for user data, it can be unlocked automatically during login. The Arch wiki covers this.

          But backup your data 😉

    • @[email protected] · 2 points · 2 months ago

      I always turn on LUKS during install. The only exceptions are when I’m doing tests of different distros on my machine that I lovingly call “FuckAround”.

      It really is the best way to find out.

    • @[email protected] · 6 points · 2 months ago

      Almost no Linux distro has disk encryption turned on by default (PopOS being the major exception).

      it’s usually an option in the guided disk partition

      If an unencrypted computer is now unacceptable on Android, then it should be on Linux too. No excuses.

      Linux is about choice, not whatever someone else thinks is acceptable

      • @[email protected] · 2 points · 2 months ago

        Echoing Jubilant Jaguar’s sentiment about defaults mattering, I think that sometimes an excess amount of choice can be overwhelming such that a user is less empowered to make choices about things they do care about (Leading to a less steep learning curve). Sensible defaults need not remove anyone’s choice

        • @[email protected] · 2 points · 2 months ago

          I don’t disagree with the premise. I may disagree that an encrypted hard drive by default is a sensible choice

        • @[email protected] · 2 points · 2 months ago

          Defaults are generally for those who do not want to understand in depth what they are doing (no offence). Example from another sphere: in R-Cran (used to write statistical models), some functions have defaults to either choose a particular algorithm or an optimisation value. I have heard of almost nobody among students, PhDs and even higher up the ladder who took the time to understand what is happening below the shell. Instead these people just took the defaults, it worked (result was significant), done. However, if they had chosen another algorithm, things may have turned out differently, which would open up a box with many questions concerning modelling adequacy and understanding of data. It is the same with defaults in Linux.

  • @[email protected] · 1 point · 2 months ago

    Previous versions of Windows only permitted drive encryption in their premium tiers, and it seems like the current one possibly requires a TPM chip for it, so a lot of hardware won’t even support it. So basically greed or greed.

    For what it’s worth it’s not always a default with Linux installations either. There’s a usually minor performance hit, though I can’t say it ever bothered me. Personally I have less fear of bad actors obtaining physical access than I do myself breaking something catastrophically and losing my access, so I don’t use it now.

  • nanook · 6 points · 2 months ago

    A secure future proof Whenblows 11 is akin to a healthy wealthy fentanyl addict.