Bitlocker - oom-is/sedutil GitHub Wiki
Bitlocker is a useful tool for many folks, and I appreciate the work that Microsoft did in integrating it into Windows. However, there were also specific design choices made along the way with which I don't agree. One of the big ones was the lack of support for an OS-independent PBA (pre-boot authentication image), which means that Bitlocker usage implies Windows (and only Windows) usage on a Bitlocker-managed TCG OPAL-compliant drive.
More thoughts:
- Bitlocker still (as of Windows 10 1903) doesn't support encryption on dynamic disks, and that feature is not expected to be added (dynamic disks appear to be getting phased out in favor of Storage Spaces, but Storage Spaces doesn't support RAID mirroring of boot drives).
- Bitlocker has an interesting "feature": if Windows Setup boots in UEFI mode and finds an OPAL-compliant SED with IEEE 1667 support (pretty common), Windows "takes crypto ownership" of the drive for Bitlocker and puts it into eDrive mode.
- Bitlocker can be ornery in its choices of whether to use the hardware encryption of an OPAL device at all. In particular, with the UEFI Compatibility Support Module (CSM) enabled, testing Bitlocker on several different SATA (OPAL-compliant) SEDs kept resulting in software-only encryption.
- Bitlocker is Windows-only; as noted above, that "platform lock-in" means it wouldn't be expected to satisfy the needs of folks who want to dual-boot.
- Bitlocker doesn't have the concept of a PBA but instead ties the decryption to some combination of the TPM chip, the system configuration, and optionally a PIN, startup key, or printed recovery password. This means that if there's ever a need to use Bitlocker-managed disks in a different chassis, or when traveling, there are too many of what I'll call "failure scenarios" where the user suddenly may be unable to access their drives.
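A check worth running after reading the points above (eDrive takeover, CSM boots ending up in software-only encryption, and TPM-bound keys that stop working in another chassis): confirm how each Bitlocker volume actually ended up encrypted, which firmware boot path is in use, and whether a recovery password exists before the disk is moved. This is an added PowerShell example and is not code from the sedutil project or this wiki. It assumes a Windows 8 / Server 2012 or later system with the BitLocker PowerShell module, an elevated session, that `$env:firmware_type` reports `UEFI` or `Legacy`, and that the module reports `EncryptionMethod` = `Hardware` for an eDrive-managed volume (all of these are assumptions of the example, not statements from the page).

```powershell
# Added example, not from the sedutil wiki. Run in an elevated PowerShell
# session on Windows 8 / Server 2012 or later (BitLocker module required).
#Requires -RunAsAdministrator

function Get-BitLockerEncryptionMode {
    # Returns one object per BitLocker volume: how it is encrypted and
    # which key protectors are attached to it.
    foreach ($v in Get-BitLockerVolume) {
        $types = @($v.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        [pscustomobject]@{
            MountPoint          = $v.MountPoint
            VolumeType          = $v.VolumeType
            VolumeStatus        = $v.VolumeStatus
            EncryptionMethod    = $v.EncryptionMethod
            # Assumption: an eDrive (OPAL hardware) volume reports 'Hardware';
            # software-encrypted volumes report an AES / XTS-AES method.
            HardwareEncrypted   = ($v.EncryptionMethod -eq 'Hardware')
            KeyProtectors       = ($types -join ',')
            HasRecoveryPassword = ($types -contains 'RecoveryPassword')
        }
    }
}

# Firmware boot path. Assumption: Windows sets $env:firmware_type to 'UEFI'
# or 'Legacy'; a CSM/legacy boot is the case the wiki text associates with
# software-only encryption on OPAL SEDs.
$firmware = $env:firmware_type
Write-Host "Firmware boot mode: $firmware"
if ($firmware -ne 'UEFI') {
    Write-Warning "Not booted in native UEFI mode; do not expect eDrive (hardware) encryption."
}

$report = Get-BitLockerEncryptionMode
$report | Format-Table -AutoSize

foreach ($r in $report) {
    $encrypted = ($r.VolumeStatus -ne 'FullyDecrypted')

    # Point 2/3 above: an OS volume that ended up software-encrypted on a
    # drive you expected Bitlocker to put into eDrive mode.
    if ($r.VolumeType -eq 'OperatingSystem' -and $encrypted -and -not $r.HardwareEncrypted) {
        Write-Warning "$($r.MountPoint): OS volume is software-encrypted ($($r.EncryptionMethod)). If this is an OPAL/IEEE 1667 SED, hardware encryption was not engaged; check the CSM setting and redo Windows Setup in native UEFI mode."
    }

    # Point 5 above: TPM-bound volume with no recovery password means a
    # chassis swap or firmware change can lock you out of the drive.
    if ($encrypted -and $r.KeyProtectors -match 'Tpm' -and -not $r.HasRecoveryPassword) {
        Write-Warning "$($r.MountPoint): key is TPM-bound (protectors: $($r.KeyProtectors)) and no RecoveryPassword protector exists. Add one (Add-BitLockerKeyProtector -MountPoint $($r.MountPoint) -RecoveryPasswordProtector) and back it up before moving this disk."
    }
}

# Cross-check with the legacy tool; an eDrive volume shows
# 'Encryption Method: Hardware Encryption' here.
manage-bde -status
```

Run it once on the installed system and again after any firmware change (for example toggling the CSM) that could alter the measured boot configuration. The warnings are advisory only; the cmdlet names used (`Get-BitLockerVolume`, `Add-BitLockerKeyProtector`) are part of the stock BitLocker module, but the `Hardware` value for `EncryptionMethod` is the example's assumption and should be confirmed against `manage-bde -status` on the machine in question.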