raincole (5 hours ago):

For something as widely adopted as Windows, the only sensible alternative is to not encrypt the disk by default. The default behavior will never ever be to "encrypt the disk by a key and encrypt the key with the user's password." It just doesn't work in real life. You'll have thousands of users who lose access to their disks every week.
winstonwinston (an hour ago), replying to raincole:

It works for macOS. The FileVault key is encrypted by the user password. The user login screen is shown early in the boot process, so that FileVault is able to decrypt data and continue the boot process. It sure has worked fine for about a decade. No TPM nonsense required. IMO, the TPM-based key only makes sense for unattended systems such as servers.
mjevans (3 hours ago), replying to raincole:

While this is true, why even bother turning on encryption and making it harder on disk data recovery services in that case? Inform, and empower with real choices. Make it easy for end users to select an alternate key backup method. Some potential alternatives: allow their bank to offer such a service. Allow friends and family to self-host such a service. Etc.