
Most Windows PCs have Secure Boot enabled and many have the drives encrypted with Bitlocker.





What does that do for me to stop malware? Bitlocker is only protecting an offline system

Also consider that some keys for Secure Boot have been compromised.


So I guess then your computer does not have a form of Secure Boot enabled, and your drives are not encrypted. Makes sense, more secure.

I’m using Linux and LUKS but have never been convinced Secure Boot adds anything for me. It does sometimes add extra steps though, or block a driver from loading.

> What does that do for me to stop malware? Bitlocker is only protecting an offline system

LUKS also only protects an online system. So why are you using it?

Oh, I think I know, if you are on Windows it's bad to use BitLocker because it's made by Microsoft and it doesn't protect against malware, but if you're on Linux of course you use LUKS, it's a sensible thing to do. Got it.


Back in my retail computer technician and sales days, it wasn’t uncommon for somebody to lose their Bitlocker keys, and encryption did what it was designed to do - make the data unreadable without them. Sometimes they didn’t even understand what they enabled.

To that customer, Bitlocker itself was a threat.

In my small sample size, I’ve seen that more often than lost laptops. I’ve also seen many more malware infections.

Tying encryption to the TPM, which is the default, makes it easier to lose those keys. With LUKS I choose my own password.

It’s an important implementation difference, especially if it is going to do it by default. Warning a person “you will lose all data if you don’t write this down” in big bold red text is sometimes not enough.

Does tying those keys to your MS account fix that failure method?


> Does tying those keys to your MS account fix that failure method?

Yes. Bitlocker recovery keys are escrowed to the Microsoft account. I've relied on this to recover data from a family member's PC when it failed and they had unknowingly opted-in to Bitlocker (a Microsoft Surface Laptop running Windows 10 S Mode).


>> Does tying those keys to your MS account fix that failure method?

> Yes. Bitlocker recovery keys are escrowed to the Microsoft account.

Which then opens the door to other attack vectors, even government.


As opposed to just not encrypting their data at all and letting everyone who ends up with the drive have their data.

So one scenario, everyone can access the data if they get the drive. The other, the government might get Microsoft to release the encryption keys.


>As opposed to just not encrypting their data at all and letting everyone who ends up with the drive have their data.

You are presenting a false dilemma where either Bitlocker is in use or the drive is entirely unencrypted; there are other ways to ensure data integrity in the face of physical compromise.


1. It's not a false dilemma, it's more of a question of how to handle the "average Joe" user that doesn't know how to store encryption keys. I don't like how this automatic encryption is implemented, by the way, but sending the keys to MS servers is not the worst idea ever.

2. Bitlocker can totally be used without a MS account and without sending keys anywhere and without TPM... But seeing how most people fail to RTFM we're back to point 1.


I’d imagine most people would like some insurance in the event of loss or theft, but are not worried about government.

I’m vulnerable to the $8 wrench attack, but enjoy knowing it is only a VISA problem if I leave a laptop on the bus.


I mention that only because it's one avenue. I figured obviously on a place like Hacker News that malicious agents aside from government could also compromise the security of 3rd party-held keys; as always security is a matter of difficult tradeoffs and anticipated threat categories.

I'm genuinely curious to know how VISA helps (or doesn't) in your analogy - what is a 'VISA problem'?

Mostly a joke, but I swipe a card and the problem goes away. No need to worry anymore.

Ah, thank you; I get it now: you don't need to worry about data theft because the drive was encrypted, so the only remaining problem is buying a replacement - a 'VISA' problem. I rather like that way of putting it; I might use it myself :)

VISA as in the credit card not a travel permit

The point is Linux doesn't enforce useless hardware that on top could be used against the user.

Same with MS's recall feature.

A Windows PC is just C but not P anymore.


Secure Boot makes persisting malware in the kernel fairly difficult. Which IMHO made sense coming from Windows 7 where driver rootkits and boot kits were trivial. With today's main threat model being encryption malware I would agree that it doesn't add all that much for most people.

It really doesn't prevent anything like that, not even remotely. First, to do any type of persistence that would be detected by Secure Boot, you already require unencrypted, block-level access to the disk drive, possibly even to partitions outside the system drive. There are a gazillion other ways that malware can persist if you already have this level of access and none would be detected by Secure Boot. If you were able to tamper with the kernel enough to do this in the first place, you can likely do it on each boot even if launched from a "plain old" service.

If it's a desktop, who cares?

Secure boot and BitLocker for the enterprise laptops, sure.

For gamers/hackers/hobbyists, why?



