Anthony-G 5 days ago

> https://xkcd.com/538/

I’m a big fan of XKCD but, in reality, what most people (and employers) worry about is unauthorised third-party access to private data in the event a laptop is lost or stolen (most often by opportunist theft). Bitlocker — and other Full Disk Encryption technology — provides an effective mitigation for this situation.

lproven 4 days ago

Well, yes, we know that. I mean, that is the reason for doing it.

But what is much more rarely discussed are the costs. There are multiple penalties.

It hurts performance.

It impedes dual-boot.

It impedes setup in general; you lose most of the nice friendly GUI tools, replaced by clunky harder CLI tools.

It makes data recovery vastly harder, which is one of those things people discount until they need it and then realise how critical it is.

It makes troubleshooting OS problems vastly harder. Many it simply prevents: the answer becomes, reinstall your OS and restore from backup. If you have no backups, tough.

It's inconvenient, unless you use modern TPM-backed systems, in which case it dramatically reduces the security benefits, while also severely reducing OS compatibility.

It adds a new vital credential people don't know they have and don't know they need to keep secure backups of.

It generally makes everything worse, to fix a threat that most people simply do not have.

The 2 employers I personally had who insisted on it published all the company info on my machines to Github anyway, making it not even security theatre. More like security pantomime: an act of pretending to pretend to do something.

The answer to all this is, in my experience as a tech support type: don't do it. Conduct a proper analysis of who has what secrets and what they need to keep, and use other better-targeted tools just for them.

Because without that, it causes problems for no good reason. It's treated as a panacea but it isn't -- it fixes nothing for 99% of users -- and the very real problems and issues it causes are ignored.

This _may_ be worth it for some companies and organisations but it's not for anyone else. I can see its worth for governments and military forces but few others.

Anthony-G 4 days ago

Fair points. Thankfully, I haven't had any of those issues.

I run GNU/Linux on all my personal computers but the Windows 10 laptop from work came with Bitlocker installed and other than entering the PIN on start-up, it stays out of my way. Granted, I'm not dual-booting, saving important documents or running any backup tools; I mostly use it for browsing, Teams calls and SSHing into my Fedora workstation and other servers after connecting via VPN.

Also, in my case, performance was only noticeably affected when the IT contractors installed Symantec anti-virus which resulted in the laptop becoming a noisy heater every so often.

For what it's worth, I bought my wife a laptop for her birthday when she needed a new one and I never considered enabling Bitlocker on it. She wouldn't have any sensitive data on it so I figured there's no need.

lproven 3 days ago

Thanks for that!

If it's a Win11 machine with Secure Boot then there is a high chance it has Bitlocker on by default. You should probably check and disable it if you don't want it. It'll be a little faster, and easier to recover if anything goes wrong.

Anthony-G 3 days ago

I bought her the laptop a few years ago from a local, independent retailer who also specialise in repairs as I try to support local trade and retailers as much as possible. It came with Windows 10 and the retailers had configured it with local user account authentication (no microsoft.com account), removed the advertising and other annoyances and without Bitlocker. She has since upgraded to Windows 11 but it works mostly the same (without obnoxious advertising and distractions).