Out of curiosity, wouldn't the open-source TrueCrypt be better than the closed BitLocker? (assuming, of course, that TrueCrypt was not already compromised)
"There are several locations in which your BitLocker recovery key might have been saved" - emphasis mine - doesn't this mean they'll store the key if you log into "Your Microsoft account"? I have to admit I don't use Windows 8, so I don't know if this is mandatory or not. What about Windows 7?
Previous poster's confirmation is misleading -- it does not appear to be mandatory. I just went through the process on my Windows 8 machine, and you can choose to save the recovery key to a file or print it out in lieu of storing it with your Microsoft Account (http://imgur.com/J0zk6I5).
Two caveats:
(1) It's possible Microsoft could choose to store the keys online regardless of what the user picks, but it's certainly not their official stance.
(2) Microsoft does automatically store keys online if you're using "Device Encryption" in Windows 8.1 (http://arstechnica.com/information-technology/2013/10/window...). This uses BitLocker code but is distinct from using BitLocker itself, though -- i.e. if you do a vanilla BitLocker encryption, your system should not send the keys to MS without a user (or admin) explicitly telling it to.
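A way to verify the point above on your own machine: the BitLocker PowerShell module (Windows 8 and later, run elevated) lists every key protector attached to a volume, so you can see whether a recovery password exists and keep a copy yourself instead of relying on any online escrow. This is an added example for this thread, not code from any of the posters; the script does not itself back anything up, and the `Backup-BitLockerKeyProtector` call mentioned in the comment is the explicit escrow step that only runs when an admin invokes it.

```powershell
# Audit BitLocker key protectors on all volumes (added example; requires an
# elevated prompt and the BitLocker module that ships with Windows 8+).
Import-Module BitLocker

foreach ($vol in Get-BitLockerVolume) {
    "{0}  status={1}  protection={2}  method={3}" -f `
        $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus, $vol.EncryptionMethod

    if ($vol.KeyProtector.Count -eq 0) {
        "  (no key protectors: volume is not protected)"
        continue
    }

    foreach ($kp in $vol.KeyProtector) {
        "  protector {0}  type={1}" -f $kp.KeyProtectorId, $kp.KeyProtectorType

        # A RecoveryPassword protector is the 48-digit key the thread is about.
        # Print it here so you can file/print it yourself; nothing is sent anywhere.
        if ($kp.KeyProtectorType -eq 'RecoveryPassword') {
            "    recovery password: {0}" -f $kp.RecoveryPassword
        }
    }
}

# Escrow is a deliberate action, not a side effect of enabling BitLocker.
# For example, to back up one protector to on-premises Active Directory
# (domain-joined machines only), an admin would run, explicitly:
#   Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId '<id from the listing above>'
```

`manage-bde -protectors -get C:` shows the same protector list if the module is unavailable.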
It's not mandatory to use a Microsoft account for login, but they've been hiding the option not to in increasingly obscure locations in the installer. At one point, the easiest way to do it was apparently to just unplug your internet connection!
Maybe Microsoft asks or somehow prompts the user to back up their encryption keys? I mean, a user-focused OS certainly wouldn't include such a feature, right?
The question was not whether or not they might do it but whether or not they always did it. If a user is required to submit their encryption key to a third party for storage then the encryption solution is limited by their trust in the third party.
There are pros and cons to both closed source and open source. Open source is nice because the community can audit the code and see for themselves, but closed-source is nice because a company generally has the resources to maintain and build software correctly.
Both of these are hypothetical, however. We've seen tons of vulnerabilities from both. IMHO open source works a lot better on paper, but once projects get very large, auditing them is really hard... which definitely cuts down on the number of eyes looking at them.
Well, implement one. While getting the encryption right is possible, there come the pesky problems of presenting stuff to Windows as a volume that works as well.
Well, peer-reviewed encryption libraries would take care of a huge proportion of that.
http://dokan-dev.net/en/ might work on Windows for implementing something you might otherwise do via FUSE. Can't speak for Windows as I've not used it for a decade or more.
I do believe that open-source solutions are better when concerned about privacy and security. But why would a user of a mostly closed-source OS bother about the open-source nature of one component of that OS?