Microsoft’s BitLocker Will Boost Your Security and Take Your Data Hostage

Windows 11’s major annual upgrade for 2024, with the code “24H2”, is upon us, with many useful updates, nifty new features, and even improved gaming performance. What’s not to like?

How about Microsoft’s decision to force BitLocker encryption onto most users? This comes with many negatives, like:

• 💾 Increased chances of data loss.
• 🛠️ Complicated data recovery.
• 🐌 Decreased performance on some storage-related tasks.
• 🔒 Possibility to get permanently locked out of your own PC.
• 🧩 It’s harder to use multiple OSes on the same PC and share storage among multiple devices.

Let’s see how it can be helpful or become a significant headache.

The Good: BitLocker Keeps Your Files Private

With BitLocker enabled, the data stored on a drive is accessible only by its owner, making it impossible for malicious third parties to access anything on it.

Still, this increased privacy and data security comes with some major caveats.

How Does BitLocker Work?

Unlike software-only encryption solutions, BitLocker relies on specialized hardware to achieve higher security. The general idea is that software can be more easily “broken” compared to securely designed hardware. “Hardware” like the TPM module that’s part of all new(-ish) PCs, acting as a secure vault for encryption keys.

When BitLocker is enabled on a device, the PC encrypts the whole device using a unique signature for the particular hardware. A decryption key is stored in the specific TPM module in the PC. Without it, the storage device is useless, and all data is obscured and inaccessible.

However, it’s possible to use BitLocker even on older PCs without a TPM module – and even on older versions of Windows, like Windows Vista or 7. In such cases, the user can:

• 🌎 Log in using an online Microsoft account so Windows can “pull” the BitLocker key from Microsoft’s servers.
• 🗝️ “Recall” the decryption key from a USB flash drive.
• ⌨️ Type it manually.

Upgrading an existing installation of Windows 11 to version 24H2 won’t turn on BitLocker automatically, but will keep it enabled if it was already in use. However, up to now, the user had to turn on the feature when installing Windows. Version 24H2 is the first where the opposite is true, and BitLocker will be “on” by default when installing the OS. BitLocker may also turn on automatically if the user “Resets” an existing Windows 11 24H2 installation.

How Can BitLocker Help?

By being integrated into the OS and relying on securely designed hardware available on most modern PCs, BitLocker can be both highly secure and an easy set-it-and-forget-it solution for keeping all your data private. Unlike alternative encryption solutions, with BitLocker you don’t have to rely on third-party apps — everything is included on the PC and its OS. That is, if the OS is Windows.

This tight integration also means that BitLocker can encrypt the drive on which the OS itself resides. In contrast, typical software-only third-party encryption solutions, like AxCrypt, can usually only encrypt secondary storage devices or particular folders and files. In such cases, the PC has to boot an unencrypted version of the OS and then load the third-party app, which can encrypt and decrypt other devices.

A few solutions can encrypt the OS drive, too, but are more limited and complicated. For example, VeraCrypt (the evolution of the classic TrueCrypt) can encrypt the OS partition containing Windows files but not the hidden partition where the boot loader is stored. It requires a custom bootloader to enable disk decryption “outside” the OS.

Thus, BitLocker is a more transparent and effortless option than app-based encryption.

The Bad: BitLocker On for All, Hurting Performance, Compatibility, and Ease of Use.

BitLocker can be helpful, but Microsoft’s decision to force it as the default for Windows 24H2 is far from ideal. Especially for those who don’t know about its limitations and shortcomings.

A Significant Performance Drop

At the time of writing, Windows 11 24H2 has yet to be widely released in its final form and remains in testing. Microsoft might tweak BitLocker further, but according to initial tests, using it significantly affects storage-related performance.

Encrypting a drive with the software-based version of BitLocker can decrease its performance by up to 45%. Such a drop might not be felt when launching Notepad or browsing the web. However, as demanding professionals and gamers know, storage is the primary bottleneck in modern PCs. That’s why replacing an HDD with an SSD can make an old PC feel “snappier” as if brand-new. A 45% drop in performance (depending on usage) can have the opposite effect.

As noted by Tom’s Hardware, Windows 11 Pro chooses the software-based version of BitLocker by default, probably to maximize compatibility with older PCs that don’t come with a TPM module.

Although new PCs can use the hardware-based version that doesn’t have such an impact on performance, owners of older PCs are stuck with the low-performing version.

Forget About Physically Sharing Storage Devices

Sharing a BitLocker-encrypted drive between computers can be a chore. Since its decryption is “bound” to the TPM module in a specific PC, using the same drive on another computer means that the user should use an alternative way to decrypt it (online account, manual entry of decryption key, or use of USB flash drive).

Is this “another computer” running macOS or Linux? Then, BitLocker’s transparent ease of use flies out the window, requiring a third-party app to access the drive’s contents.

What’s worse is that newer versions of BitLocker’s encryption can also be incompatible with older ones. If a new PC “misbehaves”, it might not be possible to “migrate” its drive to a secondary, older PC, to access the data on it.

And, of course, one can forget about booting multiple OSes from the same drive.

Enabled By Default

Since BitLocker can practically prevent the user from accessing their own data, it should be their choice if they want to enable it. Before doing so, they should be informed about all its potential issues and limitations instead of being expected to research the topic online.

Setting the feature to “on” during Windows 11 24H2’s installation or after an OS reset doesn’t help those it can impact the most: the “casual” users who don’t know that you can fully skip BitLocker by using an offline “local” account, or a customized Windows installation through a tool like Rufus.

Microsoft’s attempts to prevent the use of local accounts during Windows’ installation don’t help with that.

Always-On, Even Where You Don’t Want It

Dedicating a drive to Windows and encrypting it with BitLocker while leaving all the other storage devices as they are sounds like the optimal solution for those who want the best of both worlds. This approach combines security, compatibility, and ease of use.

And yet Microsoft, in their infinite wisdom, decided to have BitLocker encryption automatically turned on for all drives connected to a computer, not only the primary one.

It’s also worth noting how average users are gravely afraid of an OS installation, considering it the equivalent of rocket science. They’re worried that choosing the wrong option may break their PC, and they already find it hard even to select the correct drive to install Windows. For those unfamiliar with terms like “partitions” and “storage drivers”, it’s also easy to miss or skip any option related to another term they know nothing about: “BitLocker”. And even those who’d turned it off manually may not realize it was re-enabled automatically after an OS reset.

The Ugly: BitLocker Can Keep Your Data Hostage

Although BitLocker’s shortcomings might feel like minor annoyances for many people, it might become the reason a select few lose access to their data forever.

Limited Data Recovery

Did a drive encrypted with BitLocker malfunction, was its file system corrupted, or were some files accidentally deleted? Pulling off a successful data recovery might require jumping through some hoops, and in some cases be outright impossible.

Most data recovery solutions, especially the more affordable or free ones, don’t support BitLocker. The ones that do cannot bypass it and require the user to provide their decryption key. If, for whatever reason, it’s unavailable, it’s impossible to get back any data off the drive.

Password Adventures

Despite how Microsoft makes sure to remind the importance of backing up the encryption key used with BitLocker, that doesn’t mean everyone will do it. Even if they do, it’s easy to lose a printout or misplace a tiny USB flash drive.

With BitLocker enabled, getting locked out of the Microsoft account that automatically decrypts a PC’s storage or losing the decryption key means losing access to all encrypted data.

Not Really Secure

BitLocker can prevent the average malicious user from gaining access to another one’s data, but that doesn’t include ingenious and dedicated security researchers. As proven by YouTuber stacksmashing in their video, Breaking Bitlocker, on older PCs where the TPM module is a separate device, it’s possible to “sniff” the decryption keys stored in it. All it takes is a cheaper-than-$10 Raspberry Pi Pico and less than a minute.

IMAGE CREDIT: WIKIPEDIA

Thankfully, this exploit only applies to very old hardware, and there’s no public knowledge of others for newer PCs. Still, that doesn’t mean they don’t exist or that nobody will eventually find a similar loophole for bypassing BitLocker’s encryption.

To put things into perspective, at the time of release, Microsoft’s Xbox 360 and Sony’s PlayStation 3 consoles also came with hardware-based security measures to ensure their OS would remain secure and prevent piracy. The executables for their games were encrypted for the same reasons. Today, both the Xbox 360 and the PS3 can be “jailbroken” with various methods, and their games are playable on PCs through the RPCS3 and Xenia emulators.

Other Issues

Despite one’s opinion about Kaspersky, nobody would deny that they’re experts and an established name in the field of PC security. Thus, their discovery of “ShrinkLocker” shouldn’t be taken lightly.

ShrinkLocker is a piece of ransomware that uses the BitLocker functionality in a user’s OS and PC hardware to “take their data hostage“.

After “rearranging” the PC’s storage and modifying the Windows Registry to suit its needs, ShrinkLocker eliminates all existing recovery solutions for BitLocker’s keys. It encrypts the storage using new keys and sends them to its “handlers” with information about the system.

With all storage encrypted and deprived of options to decrypt it, the user is practically locked out of their own PC and data.

Maybe It’s Time for Another OS?

Sticking with Windows used to be reasonable since that’s what most major apps were made for. Most users don’t realize that isn’t true anymore and that Linux might be a better alternative.

Being at the core of Android and Valve’s revolutionary Steam Deck sped up the development of user-friendly software and compatibility with games. Plus, you don’t have to be an IT professional to use it anymore. Many modern Linux distributions, like Zorin OS and Deepin, are designed for a more “casual” audience. Some are even easier for daily use than Windows 11’s convoluted interface (as revealed by user’s opinions in Capterra’s direct comparison), which hides old remnants of apps (like the Character Map) and menus (like the whole Control Panel) behind its modern UI.

Hundreds of posts online by people state they’re fed up with Windows’ annoying updates and frequent restarts. Or by the heavy promotion of Microsoft’s apps and inclusion of non-removable advertisements on their PC’s desktop. For many of them, those latest BitLocker “adventures” might be the final straw before they also jump ship to Linux. And for those who don’t mind the increased cost and even more restricted “ecosystem”, there’s always the option of a Mac.

Most users, though, will probably be informed about BitLocker through articles like this. Then, just like with User Account Control back in the Windows Vista era, they’ll either embrace and take control of BitLocker or turn it off and call it a day.