Comment by fencepost

Comment by fencepost 10 months ago

10 replies

IIRC there were a lot more options by the time of the TrueCrypt-VeraCrypt shift. TrueCrypt was around when drive encryption was otherwise an expensive enterprise software thing, but I think BitLocker was included with Pro versions of Windows by the time of VeraCrypt, so that probably became the easiest free option - and probably with better compatibility as well.

no-dr-onboard 10 months ago

This presumes that anyone would trust BitLocker.

https://pulsesecurity.co.nz/articles/TPM-sniffing

  • bri3d 10 months ago

    Being able to sniff a key as it transits a local bus is a very different kind of compromise of "trust" than believing that something is preemptively backdoored by a threat actor. It is deeply mysterious that Microsoft don't simply use TPM encrypted sessions to prevent this, though.

    • dylan604 10 months ago

      Isn't this yet another example of if they have your physical machine, it's already game over?

      • bri3d 10 months ago

        No? Any modern disk encryption system with a strong passphrase (basically, anything but default-BitLocker) is very effective against "they have your physical machine and it's off" for any known, current adversary. And, the basic cryptography in use is common, robust, and proven enough that this is probably true even if your tinfoil hat is balled quite tightly.

        Where modern research effort goes is into protecting against "they HAD your physical machine and they gave it back to you" or "they got your machine while it was on/running" - these are much more difficult problems to solve, and are where TEE, TPM, Secure Boot, memory encryption, DMA hardening, etc. come into play.
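The "default-BitLocker" case bri3d contrasts with a strong passphrase is a volume whose only unlock protector is the TPM, so the key is released at boot with no user secret. As an added example (not code from the thread or from Microsoft), the PowerShell below audits local volumes with the BitLocker module's Get-BitLockerVolume and flags that configuration; it assumes an elevated prompt on a Windows edition that ships the BitLocker module.

```powershell
# Added example: audit BitLocker volumes for TPM-only unlock protectors.
# A volume whose only unlock protector is "Tpm" releases its key at boot with no
# user secret; "TpmPin" / "TpmPinStartupKey" add a preboot secret to that.
# Assumes: elevated PowerShell, BitLocker module present (Windows Pro/Enterprise).

function Get-BitLockerProtectorAudit {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        # RecoveryPassword is an escrow/recovery path, not the normal unlock path,
        # so it is ignored when deciding how the volume unlocks at boot.
        $unlock = @($types | Where-Object { $_ -ne 'RecoveryPassword' })
        $hasPin = @($unlock | Where-Object { $_ -like 'TpmPin*' }).Count -gt 0

        $finding = if ($vol.ProtectionStatus -ne 'On') {
            'ProtectionOff'
        } elseif ($unlock.Count -eq 0) {
            'NoUnlockProtector'
        } elseif (($unlock -contains 'Tpm') -and -not $hasPin) {
            'TpmOnly'        # the configuration discussed in the thread above
        } elseif ($hasPin) {
            'TpmWithPin'
        } else {
            'Other'          # password, external (USB) key, etc.
        }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            VolumeStatus     = $vol.VolumeStatus
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ',')
            Finding          = $finding
        }
    }
}

Get-BitLockerProtectorAudit | Format-Table -AutoSize
```

An OS volume reported as TpmOnly is the case where the TPM alone gates the key; adding a TPM PIN protector (Add-BitLockerKeyProtector -TpmAndPinProtector) moves it to TpmWithPin.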

input_sh 10 months ago

How's it free if it's not available in the Home edition of Windows?

In fact it's pretty much the only difference between Home and Professional editions of Windows these days, so I'd price it as the difference between the two (about $60).

  • fencepost 10 months ago

    IIRC the Home editions of Windows now do have drive encryption at least if signed into with a Microsoft account, but they have almost no features for managing that encryption beyond turning it off or getting the recovery key from the MS account.

    At the time I was talking about, BitLocker drive encryption on Windows 7 required either Enterprise or Ultimate, and for a 2-5 person office with no domain and a couple of laptops they wanted encrypted outside the office, TrueCrypt was a perfectly viable option.