update: Revamp full disk encryption section #2437

Open
wants to merge 14 commits into
base: main

@vandorsx vandorsx commented Mar 15, 2024

Changes in the order they appear:

  • Re-wrote the introduction to the FDE section.
    • The information is the same, it just reads a bit better now.
    • Added a note that FDE and FVE are generally used interchangeably. Previously, the term "full volume encryption" was used without a precursor.
  • Re-wrote the BitLocker card
    • Immediately mention it's for Windows and it's proprietary.
    • Make explicit mention of the hardware security TPM.
    • Remove "The main reason we recommend it..." because generally all info stated supports a recommendation.
    • Prominently state officially supported editions (pro, etc)
    • Tell where to actually manage and enable BitLocker
    • Information and guide on preboot authentication
    • Improved the BitLocker on Windows Home guide
  • Re-wrote FileVault card
    • Immediately mention it's for macOS and it's proprietary
    • Mention secure enclave
    • Tell where to manage and enable FileVault
    • New logo
  • Re-wrote LUKS card
    • Renamed it to LUKS, that's what it's known as
    • Mention it's open-source
    • State and elaborate on how it's a standard
    • Tell where/how it can be managed (also linking to a faq)
    • New logo

Up for discussion:

  • Maybe want to consider removing (or at least testing) the BitLocker on Home guide: update: Revamp full disk encryption section #2437 (comment)
  • It would be nice if someone more knowledgeable on LUKS could add some more context to encrypted containers — perhaps explaining what they are and what they do above the admonition.

  • I have disclosed any relevant conflicts of interest in my post.
  • I agree to grant Privacy Guides a perpetual, worldwide, non-exclusive, transferable, royalty-free, irrevocable license with the right to sublicense such rights through multiple tiers of sublicensees, to reproduce, modify, display, perform, relicense, and distribute my contribution as part of this project.
  • I am the sole author of this work.
  • I agree to the Community Code of Conduct.

netlify bot commented Mar 15, 2024

Deploy Preview for privacyguides ready!

Name Link
🔨 Latest commit 848b373
🔍 Latest deploy log https://app.netlify.com/sites/privacyguides/deploys/65f5e043d7481e00088adf3f
😎 Deploy Preview https://deploy-preview-2437.preview.privacyguides.dev
Lighthouse
4 paths audited
Performance: 78 (🟢 up 2 from production)
Accessibility: 91 (🔴 down 1 from production)
Best Practices: 98 (no change from production)
SEO: 90 (no change from production)
PWA: -


</details>

While BitLocker is not officially supported on Windows Home, it can be enabled on Home editions with a few extra steps.
Member

Have we actually checked to see if this works? It did at one point but this indicates it might not #2407

Author

Good question, I did see that issue. To me it read as if it worked except they accidentally did the process on a non-boot drive since their drive letters were weird.

Which is why I added:

+ This guide assumes the drive letter of your operating system drive is "C". If it is not, replace `c:` with the correct drive letter in the following commands.
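Review bot: the added note tells the reader to replace `c:` when the operating system drive has a different letter, but not how to tell which letter that is in the prompt where the commands are run. Add a step to confirm the letter of the Windows volume before the first command, so the substitution is made on a checked value rather than an assumed one.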

Though maybe I'm interpreting what they're saying wrong.

Author

I went through the guide on a VM and it worked for me. I updated the instructions based on what I experienced (i.e., saving the recovery key to a .txt file didn't work for me).

Device encryption enabled in a Windows 11 Home virtual machine.

Contributor

@IDON-TEXIST IDON-TEXIST Jul 26, 2024

The guide worked, my problem was that the drive letters were switched in the troubleshooter command prompt. I think the addition should explicitly mention the possibility of this.

Contributor

or we could just point home users to MAS.

Author

> The guide worked, my problem was that the drive letters were switched in the troubleshooter command prompt. I think the addition should explicitly mention the possibility of this.

Where should this be mentioned? It's been a few months since I went through the guide, so I'm admittedly not too familiar with it anymore.

> or we could just point home users to MAS.

MAS works well — there's no denying that. Though I think it's more of an iykyk thing rather than something to be recommended.

Contributor

> MAS works well — there's no denying that. Though I think it's more of an iykyk thing rather than something to be recommended.

Is what we're suggesting any less illegal?

@vandorsx vandorsx marked this pull request as ready for review March 15, 2024 06:03
@dngray dngray added c:software self-hosted/decentralized software and related topics c:enhancements new features or other enhancements to the website itself labels Mar 15, 2024
Contributor

@rollsicecream rollsicecream left a comment

Here are some little things to add:

vandorsx and others added 2 commits July 15, 2024 14:48
Co-authored-by: rollsicecream <[email protected]>
Signed-off-by: Jade van Dorsten <[email protected]>
Co-authored-by: rollsicecream <[email protected]>
Signed-off-by: Jade van Dorsten <[email protected]>
@IDON-TEXIST
Contributor

I'm not sure whether the comments I've made create notifications, so check this.


</details>

While BitLocker is not officially supported on Windows Home, it can be enabled on Home editions with a few extra steps.
Contributor

> MAS works well — there's no denying that. Though I think it's more of an iykyk thing rather than something to be recommended.

Is what we're suggesting any less illegal?

Co-authored-by: IDON-TEXIST <[email protected]>
Signed-off-by: Jade van Dorsten <[email protected]>
Member

@redoomed1 redoomed1 left a comment

Thanks for the improvements on the BitLocker guide!

I notice that there are some steps to configure Group Policy settings in the guide. It might be better to point readers to the relevant section in the Group Policy page of the Windows Overview (specifically, https://www.privacyguides.org/en/os/windows/group-policies/#operating-system-drives) in order to avoid duplicating content across multiple pages. Any settings that are mentioned in the BitLocker guide that aren't already in the Group Policy page could be added to the latter. (Ideally, the Group Policy page is the central hub for all things related to LGPO on the Privacy Guides site.)

This is probably not in the scope of this PR, but just mentioning it as a passing suggestion.

vandorsx and others added 2 commits July 30, 2024 13:17
Co-authored-by: redoomed1 <[email protected]>
Signed-off-by: Jade van Dorsten <[email protected]>
Signed-off-by: Jade van Dorsten <[email protected]>
@IDON-TEXIST
Contributor

IDON-TEXIST commented Jul 31, 2024

I think it might make more sense to move the group policy stuff to this page. We wouldn't want readers to gloss over it and then decide to unencrypt and reencrypt their drives later because they realize they want AES-256. Those policies don't make much sense to enable unless you're using or planning to use BitLocker, anyway.

@jonaharagon jonaharagon changed the title Revamp full disk encryption section update: Revamp full disk encryption section Aug 1, 2024
@redoomed1

This comment was marked as off-topic.

Contributor

@rollsicecream rollsicecream left a comment

Some things to fix.

Contributor

@rollsicecream rollsicecream left a comment

Other things to fix...

vandorsx and others added 2 commits August 9, 2024 10:30
@@ -102,63 +102,118 @@ Truecrypt has been [audited a number of times](https://en.wikipedia.org/wiki/Tru

## OS Full Disk Encryption

For encrypting the drive your operating system boots from, we generally recommend enabling the encryption software that comes with your operating system rather than using a third-party tool. This is because your operating system's native encryption tools often make use of OS and hardware-specific features like the [secure cryptoprocessor](https://en.wikipedia.org/wiki/Secure_cryptoprocessor) in your device to protect your computer against more advanced physical attacks. For secondary drives and external drives which you *don't* boot from, we still recommend using open-source tools like [VeraCrypt](#veracrypt-disk) over the tools below, because they offer additional flexibility and let you avoid vendor lock-in.
Full disk encryption (FDE) is a comprehensive data encryption solution, encompassing the operating system and system files. FDE principally leverages hardware security features, such as a [secure cryptoprocessor](https://en.wikipedia.org/wiki/Secure_cryptoprocessor) (e.g., a [TPM](https://en.wikipedia.org/wiki/Trusted_Platform_Module)). Therefore, we recommend using the built-in FDE solutions for your operating system. For external drives, however, we still recommend [cross-platform tools](#multi-platform) for additional flexibility and to avoid vendor lock-in.
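Review bot: the replacement paragraph narrows "secondary drives and external drives which you *don't* boot from" to "external drives" only, so non-boot internal drives no longer have a recommendation, and it retargets the link from `#veracrypt-disk` to `#multi-platform`. State whether secondary internal drives are still meant to be covered, and confirm that the `#multi-platform` anchor exists on the page. The phrase "FDE principally leverages hardware security features" also reads as a property of FDE itself, where the old text attributed it to the operating system's native tools; keeping that attribution would preserve the reason given for the recommendation.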
Contributor

Nothing about FDE inherently has anything to do with using a TPM, the original point was to use built-in solutions instead of third party ones since those more likely take advantage of hardware security features. Also I don't like how this implies that encrypting the operating system necessarily makes it more secure, this isn't always the case especially when the operating system is protected by a good secure boot or verified boot.

For encrypting the drive your operating system boots from, we generally recommend enabling the encryption software that comes with your operating system rather than using a third-party tool. This is because your operating system's native encryption tools often make use of OS and hardware-specific features like the [secure cryptoprocessor](https://en.wikipedia.org/wiki/Secure_cryptoprocessor) in your device to protect your computer against more advanced physical attacks. For secondary drives and external drives which you *don't* boot from, we still recommend using open-source tools like [VeraCrypt](#veracrypt-disk) over the tools below, because they offer additional flexibility and let you avoid vendor lock-in.
Full disk encryption (FDE) is a comprehensive data encryption solution, encompassing the operating system and system files. FDE principally leverages hardware security features, such as a [secure cryptoprocessor](https://en.wikipedia.org/wiki/Secure_cryptoprocessor) (e.g., a [TPM](https://en.wikipedia.org/wiki/Trusted_Platform_Module)). Therefore, we recommend using the built-in FDE solutions for your operating system. For external drives, however, we still recommend [cross-platform tools](#multi-platform) for additional flexibility and to avoid vendor lock-in.

Note the terms full *disk* encryption and full *volume* encryption are often used interchangeably.
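Review bot: the closing sentence "Note the terms full *disk* encryption and full *volume* encryption are often used interchangeably" introduces "full volume encryption" only to equate it with FDE, while the paragraph above it never uses that term. Either say where the term appears and how its scope differs (a single volume rather than the whole disk), or drop the sentence; if it stays, "Note that the terms ..." reads more cleanly.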
Contributor

These aren't the same though. Full disk implies the entire disk is encrypted and Full Volume encryption just means a volume on the disk is encrypted. I think we should probably avoid using either of these terms and just call it encryption.

Contributor

The one you deleted still shows up in Apple's marketing materials so I think we can leave it.

Labels
c:enhancements new features or other enhancements to the website itself c:software self-hosted/decentralized software and related topics
Projects
Status: Needs Changes
7 participants