Should I disable/remove Bitlocker on my laptop?

I’ve had my Dell XPS-13 laptop for almost a year, and I’ve just realized that Bitlocker was turned on by default when I got it. This annoyed me because of a recent negative experience I had with the program.

My mother had an old computer that was running very, very slowly, so I bought her a new Dell All-in-One, which I assumed would perform much better, despite being a fairly basic machine. For her purposes, mostly Web browsing, it should have been fine.

To my dismay, it was practically as slow at everything as the old machine. Long story short, we finally found out that it was because of Bitlocker. Once it was turned off, the computer performed as expected.

Because this was during COVID and I was a thousand miles away, I didn’t actually do the job; a computer guy she knew discovered and handled the problem.

So having been through this, I should have been on the lookout for Bitlocker when I got this new laptop in early 2021. I don’t recall seeing it mentioned in the startup procedures when I got the computer out of the box, but I’ve recently discovered that it is, in fact, active.

This machine’s performance is just fine, so it apparently isn’t having as much of an effect as it did on the All-In-One, but I’m still skeptical of Bitlocker, and I probably don’t really need it. And who knows how much faster this machine would be with it off?

What do you see as the pros and cons of Bitlocker?

And what do you think I should do: leave well enough alone, or disable/remove Bitlocker? If the latter, do you have any experience doing it? Presumably if I do a proper backup, I won’t lose any data, but are there risks? Could I brick the machine?

Thanks.

With an SSD, BitLocker should have no perceptible effect on performance. The only real downside is if you do not have access to the recovery key and also have no external/offsite backup.

My work computer has Bitlocker. I haven’t noticed any problems with performance, although to be fair I’ve never run it without Bitlocker. Since I use it every working day, I’m not going to forget the password. (You could store that in an encrypted folder on another computer, if you really want to.)

Bitlocker is pretty decent commercially available encryption software. If the police need your files they can get them, but it should deter a lot of potential hackers or other thieves.

If you are using a Microsoft account to log in, you can back up your Bitlocker key to your account for future use.

How do I find the recovery key? I don’t log in with my MS account, and the only security I have on login is the 4-digit PIN.

I do maintain good backups.

From Start, just type Bitlocker and you will be able to back up the key or print it.

Thanks, all.

Does anyone have experience disabling or removing Bitlocker? Easy? Nightmare?

From the same window where you can back up your key, just click on Turn off Bitlocker. It will transparently decrypt everything and you are done.
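The same two steps (save the recovery password somewhere off the disk, then turn BitLocker off) from an elevated PowerShell prompt, as an added example that is not from any poster in this thread. It uses only the BitLocker cmdlets that ship with Windows 10/11 Pro and assumes the OS volume is C: and that a USB stick is mounted as D: for the key file; adjust both as needed.

```powershell
# Added example (not from the thread). Run as Administrator on Windows 10/11 Pro.
# Assumptions: OS volume is C:, a removable drive is mounted at D:.
#Requires -RunAsAdministrator

$vol = Get-BitLockerVolume -MountPoint 'C:'
"{0}: {1}, {2}% encrypted, protection {3}" -f $vol.MountPoint, $vol.VolumeStatus,
    $vol.EncryptionPercentage, $vol.ProtectionStatus

# 1. Locate the 48-digit recovery password protector(s). A volume can carry more
#    than one, and a TPM-only volume might carry none, in which case add one first.
$rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) {
    $vol = Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
}
foreach ($p in $rp) {
    "Protector ID {0}`n  Recovery password: {1}" -f $p.KeyProtectorId, $p.RecoveryPassword
}

# 2. Save a copy somewhere other than the drive it unlocks. The recovery screen shows
#    the first 8 characters of the protector ID, so write the ID next to the key.
#    The file is plain text: treat it like the key it contains.
$out = 'D:\BitLocker-Recovery-Key-{0}.txt' -f $env:COMPUTERNAME
$rp | ForEach-Object {
    "Identifier: $($_.KeyProtectorId)`nRecovery Key: $($_.RecoveryPassword)"
} | Set-Content -Path $out
"Recovery key written to $out"

# Optional, for a device joined to a work/school (Entra ID) tenant only; a personal
# Microsoft account is handled by the GUI's "Save to your Microsoft account" instead.
# BackupToAAD-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $rp[0].KeyProtectorId

# 3. Turn BitLocker off. Decryption runs in the background and the machine stays
#    usable; the loop just reports progress until the volume is fully decrypted.
#    (If you only need to survive a firmware/BIOS update, Suspend-BitLocker is the
#    right tool instead: it leaves the data encrypted and re-seals on the next boot.)
Disable-BitLocker -MountPoint 'C:' | Out-Null
do {
    Start-Sleep -Seconds 30
    $vol = Get-BitLockerVolume -MountPoint 'C:'
    "{0}: {1}% still encrypted" -f $vol.VolumeStatus, $vol.EncryptionPercentage
} while ($vol.VolumeStatus -ne 'FullyDecrypted')
```

Keep the key file until the volume reports FullyDecrypted; until then the disk is still partly encrypted and the recovery password is still what unlocks it if the TPM refuses.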

Have you done it yourself without any problems?

I’ve done it several hundred times. Turning it off causes no issues.

Many, many times.

Microsoft has provided a backdoor into Bitlocker protected data for law enforcement? Not too sure about that…

If it were me and I cared about protecting my data, I would leave encryption/Bitlocker enabled. That should be the default for all devices these days.

So I was having a problem with Bitlocker, and decided to search SDMB for previous threads about it. Lo and behold, I completely forgot that I had created a thread myself four years ago!

My wife and I have nearly identical Dell XPS-13 laptops which were delivered with Windows 10 Pro about five years ago. About a year ago I upgraded hers to Win 11 Pro. It’s been running fine, but lately she’s had a couple of incidents where she opened the computer and got the blue screen demanding the Bitlocker recovery key.

At first it seemed that it happened because she was using the power button to shut down, instead of doing a soft shutdown. I explained why she shouldn’t and showed her how to do a safe shutdown with a shortcut I had installed on the task bar.

Then today it happened again, and she says she didn’t power down with the power button, but just closed it and left it in sleep mode (connected to power) while we were away over the weekend.

In every case I was able to get around it just by telling it to start Windows normally, without having to actually enter the 48-digit key (which is stored in my MS account), but the fact that it keeps happening is troubling. I don’t know if it’s a problem with the hardware, with Windows, or with my wife, but I want to be rid of it. (The problem, not the wife!)

Although we do occasionally travel with our computers, I’m not overly concerned about someone stealing/hacking our machines (although perhaps I should be worried about the government these days), so I don’t think I absolutely need to have Bitlocker activated. And if I wanted to encrypt the drive, I understand there are third-party apps that I could use.

Then there’s this guy I came across while researching Bitlocker, who claims that MS is using Bitlocker, Windows Recall, and AI to track and report everything you’re doing on your computer. (The video should be cued to the point where he starts talking about it.) Here’s a brief quote:

It’s always back to AI. You see the spy genie that is Windows Recall takes a screenshot every 3 seconds and records everything you do. Then the AI analyzes these screenshots and then stores the observations in a database on your computer. Because of this Spock-like mind meld between you and your computer, the computer will now know everything you know.

Is there anything to what he’s claiming?

Finally, is there any strong reason I shouldn’t disable Bitlocker on both our laptops? And if I decide I want encryption, what alternative would you recommend? That guy recommends VeraCrypt.

What say you?

I didn’t read the whole zombie thread, but:

If you’re getting random BSODs, that probably isn’t a Bitlocker issue per se (maybe drivers? failing battery?)… Bitlocker just shows up after it reboots.

Check the event viewer to (hopefully) see what actually crashed: How to Use Event Viewer to Troubleshoot Windows Problems

It’s really up to you. I leave full-disk encryption enabled on my laptops (Macs) but disabled on my desktop (Windows). (To be clear, FDE is a lot more seamless on Macs, since Apple owns the full stack and doesn’t have to worry about TPM incompatibilities. However, I’ve also left Bitlocker enabled with FDE on previous Windows computers, laptops and desktops, without issue.)

And I’m just an ordinary nobody. If the government wants to snoop on me, well, they probably already have.

Bitlocker would help deter casual snoops. It would probably not prevent a determined state actor, especially if you put the laptop to sleep instead of turning it off altogether: BitLocker countermeasures | Microsoft Learn

Besides, if a 3-letter agency is after you, you have bigger problems than Bitlocker…

I’m not going to watch a conspiratorial YouTube video (god knows my recommendations have enough crap in them already), but Windows Recall was actually that bad when it was first announced. My understanding is that Microsoft has since backpedaled… for the time being.

Also, probably not a newsflash, but pretty much all software and browsers are phoning home all the time and reporting on you now, hopefully pseudonymously, but not necessarily. You can usually disable some or most of the tracking, but probably not all. You’d have to go full Linux and probably never go on the internet again to altogether avoid tracking.

You just lose some incremental security. But if — IF:

  • You don’t store sensitive data on your computer to begin with (it’s in the cloud)
  • You have an otherwise good Windows password that’s set to show as soon as the laptop wakes

Then IMHO you’re not under a lot of threat. A would-be laptop snoop would have to physically steal your laptop, extract and connect its hard drive to another machine, and then read your cached session data (cookies, etc.) and hope that they’re still good for logging back in as you.

Unless you’re a particularly juicy target, I just don’t think that happens much in the real world. More likely they’d just try to resell the laptop or part it out.

I do not think adding third-party full-disk encryption would be worth the hassle. VeraCrypt is legit AFAIK but if you’re tired of Bitlocker issues, using a non-Windows-integrated full-disk encryption system would be even more troublesome. That is, if you’re just a regular person with not much to hide.

On the other hand, if you’re a journalist working with the next Snowden or Epstein… there’s probably nothing secure enough to save your ass.

Well this is quite a coincidence. I was about to start a thread asking about Bitlocker too, because I have also been getting the blue “enter your recovery key” screen on startup. Note that this is not the BSOD, it’s the same screen that commasense provided a screenshot of. In my case, I have not shut down the computer at all. I leave the computer running and in the morning it’s dead (no video output) and when I power cycle I get the recovery key screen. It has happened to me 4 times in the last month. I’m very tempted to disable bitlocker but I’m concerned about what might be causing the problem (memory issues?) and whether disabling bitlocker would just be masking the problem. This is a Dell desktop, about 10 months old, running Windows 11.

If you want someone to give you permission to disable bitlocker, I’m not going to do that. Whether you use it or not is your choice, but you should do it knowing the tradeoffs.

By disabling it, anyone who is in possession of your laptop or the SSD installed in it will be able to read your data. If that lets them access your email without a password, then they now own everything that uses that email address to reset passwords. Full disk encryption is a lot of security for essentially no cost on any CPU made in the last 10-15 years.

However, if something causes the TPM to invalidate its stored key, then you need to enter the big 48-bit number. The question is, what on your wife’s computer is causing the TPM to invalidate its key? Something on the computer could be changing a state that triggers it. Sometimes it can be as stupid as changing a connected USB device, but it generally should be more significant than that.

On a 5-year-old computer, one thing I would suspect is the real-time clock battery. I’m not saying that is what causes it, but I’ve recently had to change several…

On the XPS you should be able to press F12 (or fn-F12) during boot to bring up the one-time boot menu. Go into the diagnostics page, and let that run. It is unlikely to find a problem, but it is easy to run, and it might find a problem.

Also, Bitlocker and Recall are different things. Recall is dystopian scary, but Bitlocker is actually worthwhile. Maybe Microsoft hands out backdoors to Bitlocker, but I’ve not heard of one (except when they used the hardware encryption on some SSDs, which did have exploitable backdoors).
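A read-only triage script for the recurring recovery-key screen described above, covering both suggestions in the thread: the earlier reply’s “check Event Viewer for what actually crashed” and this reply’s “what is changing the state the TPM measures?”. This is an added example, not code from any poster. It assumes the OS volume is C:, runs on the affected machine from an elevated PowerShell prompt, and uses only built-in cmdlets plus manage-bde; the 14-day look-back is an arbitrary choice.

```powershell
# Added example (not from the thread). Run as Administrator on the machine that
# keeps booting to the BitLocker recovery screen. Nothing here changes any setting.
#Requires -RunAsAdministrator
$since = (Get-Date).AddDays(-14)   # assumed look-back window; adjust to taste

# 1. What protectors exist and what the TPM protector is sealed against.
#    The PowerShell cmdlets don't expose the PCR profile, so ask manage-bde for it.
#    A TPM protector bound to PCRs 7 and 11 only trips when Secure Boot state changes;
#    the legacy 0,2,4,11 profile also trips on any firmware (BIOS) update.
(Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId
manage-bde -protectors -get C:
"Secure Boot enabled: $(Confirm-SecureBootUEFI)"

# 2. BitLocker's own log records each boot that ended in recovery, with a reason.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-BitLocker/BitLocker Management'
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{n='Summary'; e={ ($_.Message -split "`n")[0].Trim() }} |
    Format-Table -AutoSize -Wrap

# 3. System events that mean "hard reset" or "something the TPM measures changed".
#    Kernel-Power 41       = unexpected shutdown (power button held, battery died, hang)
#    WER-SystemErrorReporting 1001 = rebooted from a bugcheck; stop code is in the text
#    Kernel-Boot           = boot configuration / Secure Boot state as seen at startup
#    TPM-WMI               = TPM clear, ownership and firmware-related events
$filters = @(
    @{ LogName='System'; ProviderName='Microsoft-Windows-Kernel-Power';              Id=41;   StartTime=$since }
    @{ LogName='System'; ProviderName='Microsoft-Windows-WER-SystemErrorReporting'; Id=1001; StartTime=$since }
    @{ LogName='System'; ProviderName='Microsoft-Windows-Kernel-Boot';                       StartTime=$since }
    @{ LogName='System'; ProviderName='Microsoft-Windows-TPM-WMI';                           StartTime=$since }
)
$events = foreach ($f in $filters) {
    Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue
}
$events | Sort-Object TimeCreated |
    Select-Object TimeCreated, ProviderName, Id,
        @{n='Summary'; e={ ($_.Message -split "`n")[0].Trim() }} |
    Format-Table -AutoSize

# 4. Firmware and TPM identity. A BIOS release date inside the same window as the
#    first recovery prompt is the usual explanation; a dead CMOS/RTC battery that
#    resets firmware settings on each cold start produces the same symptom.
Get-CimInstance Win32_BIOS | Select-Object Manufacturer, SMBIOSBIOSVersion, ReleaseDate
Get-Tpm | Select-Object TpmPresent, TpmReady, ManufacturerVersion, LockedOut
```

Read the output as a timeline: a BitLocker Management entry for each recovery boot, and just before it either a Kernel-Power 41 (the laptop was not shut down cleanly) or a firmware/TPM change. The former points at hardware or a driver hang, the latter at something re-measuring the boot chain, and neither is fixed by turning BitLocker off.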

My employer uses bitlocker. Every time I turn on the laptop, I need to enter the key. The key is only about a dozen characters, and not all that hard to type. (Although I have messed up.)

If you never turn off the computer, and never have to enter the key, it’s not giving you all that much security, is it? A bad party doesn’t need to enter it if you don’t need to enter it.

Having to enter the Bitlocker key every boot is weird. Something is busted on that laptop.

Bitlocker is just drive encryption. It’s to prevent people from stealing the laptop (or just the drive) and loading it on another system to scan the drive’s data. But yeah, if you leave your PC unlocked constantly that’s not very secure. That isn’t a Bitlocker flaw though.

I have never in my life had my security compromised by a bad actor. I have, however – dozens of times – been locked out of my own accounts because of excessive paranoia by designers about “security”. Google is threatening to close my Google account because I refuse to give them two different 2FA authentications!

Guess which side of this “Bitlocker” fence I’m on?

That you know of.

Don’t you have a Windows password that you must enter as well?

This. Modern computers should not require Bitlocker recovery keys at every boot. But you should still have to enter your Windows password. If someone didn’t know that password, the data is gone. If they pull the storage and put it into another device, the data is encrypted and useless. Before Bitlocker, it was trivial to get that data without any sort of password.

Account compromises are happening more and more. It is a complete arms race to keep ahead of the bad actors.