malfist 3 hours ago

> or (the better solution) just enroll your own certificate in your TPM and sign the driver with that...

I'll tell Grandma that's what she needs to do.

pixel_popping 3 hours ago | parent | next [-]

Make sure that she sets up a PKI infrastructure to manage certificate revocation as well; wouldn't want a bad grandson to mess with it.

p_ing 2 hours ago | parent | prev | next [-]

Why would you put Grandma on VeraCrypt in the first place? It's the more 'difficult' option for FDE.

unethical_ban 21 minutes ago | parent [-]

What's easier, and bitlocker doesn't count. I want my FDE to be based on a password or a keyfile, not simply by some code in the motherboard. I want it encrypted until I, the operator, provide some data to unlock.

In my limited experience with bitlocker, the disk is decryptable automatically as long as it's in the original motherboard.

p_ing 16 minutes ago | parent [-]

> and bitlocker doesn't count.

Wat? Bitlocker is the answer to your question.

> In my limited experience with bitlocker, the disk is decryptable automatically as long as it's in the original motherboard.

It's unlocked (not decrypted) when the OS boots, yes. You can optionally enforce (not on Home) other unlock methods, such as a PIN before the OS boots.

> I want my FDE to be based on a password or a keyfile, not simply by some code in the motherboard.

That's less secure than TPM.

dark-star an hour ago | parent | prev [-]

Your grandma is probably fine with BitLocker...