[SOLVED] Which encryption for this SSD so that YubiKey always works?

anaturelover

Distinguished
Jun 24, 2012
450
1
18,685
Hi,

I read that if someone does not have BitLocker, the SSD can be started without the YubiKey login for Win10. It is a problem.

I read that the SSD has to be encrypted to avoid the YubiKey being bypassed in safe mode.

I also read that some use BitLocker and some say to rely on Samsung encryption, which I have no clue what that means.

The SSD is a Samsung 860 EVO 2.5 SATA III 500GB INTERNAL SSD MZ-76E500B/AM.

What are the steps in order to achieve a Win10 with the YubiKey always asked? Tx
 
Solution
Follow this official guide for Yubikey setup with Windows 10 from Yubico
PS: I haven't tried this myself, proceed at your own risk

What you are trying to accomplish is to make Windows 10 require the Yubikey when logging in.
It is helpful in preventing unauthorized physical access to your PC, because you need the Yubikey (hardware) to log in to your PC - essentially a hardware 2FA.
- Use case for this is if your PC is in a public place like an office or in the living room of your house, or if it's in your room but you cannot or prefer not to lock your door with a key.

Note: It is important to take note of your recovery code.

If an end-user’s account is configured for Yubico Login for Windows, and if a recovery code was generated, and a user loses their YubiKey(s), they can use their recovery code to authenticate. The end-user unlocks their computer with their username, recovery code, and password

I have a Yubikey myself, but I do not use it for Windows 10 login. I use it instead for websites and other services rather than encrypting with Windows 10.
-Always have 2 Yubikeys and associate them, so that if one breaks, you are not locked out of the website/service.

i also read some use bitlocker and some say to rely on samsung encryption which i have no clue what that means.
Bitlocker is a Windows 10 tool that can encrypt your entire drive for protection.
Samsung encryption is the same, but is made by Samsung.

They are both software, unlike Yubikey which is hardware.

When you encrypt something, it cannot be accessed UNLESS you open it. When it is in the opened state, and if there happens to be a trojan backdoor (remote administration tool) that is connected to your PC and viewing what you're doing, then your data can be compromised. If, however, the attacker tries to steal your file but you encrypted it and did not open it, then he needs to break through that encryption, which is challenging. That's where encryption comes in.

In the end, PC security is still important. Avoid downloading and installing malicious programs, browser extensions, etc. Use reliable anti-virus and anti-malware programs to thoroughly scan your PC to make sure there's nothing running in the background that's stealing your data. Be especially careful as well when installing browser extensions, as some do some form of discreet data collection.

Encryption alone via Bitlocker, etc. isn't enough, but it does make it a challenge for an attacker to try to crack that file if they do steal it from you.
Hardware 2FA like Yubikey also adds another layer of protection, but you must take note of the recovery code or else you lose access to your PC.

If you're not using your PC and it is connected to the internet, I would recommend using a firewall to block all connections while you're away and then only re-enable it when you're using the PC.

anaturelover

I find it interesting that you say to use a firewall when not at home but the PC is plugged into the net.
Can the Windows native firewall do that? I read that in Win 10 the firewall and antivirus are good enough. Now, to do what you say, is there a need for a second firewall?

- If we come back to the OP, should I use BitLocker or the Samsung encryption? It is not clear.
I read the link you pasted. That is what I followed to configure the YubiKey, but they say:
"Enabling full disk encryption (FDE) using something like BitLocker is highly recommended when using Yubico Login for Windows. If you do not enable FDE, it is possible to disable the YubiKey requirement by starting Windows in safe mode."
So there seems to be some latitude about what FDE to use, but at the same time I can't see the choices available and, most importantly, what they imply and whether they are compatible with the SSD and such. Has anybody gone that road?
Tx
 
can windows native firewall do that
Yes, it can, but I find it quite cumbersome to do because it's buried under a setting - hence I use another firewall to do that same function.
You can use the default Windows 10 firewall and antivirus if you want.

For my firewall, I can do a block all and re-enable in just 1 click, and it's easily accessible from the taskbar.

if we come back to the Op, should i use bitlocker or the samsung encryption? it is not clear
It is up to you if you want to use FDE. Yubico says clearly:

is highly recommended when using Yubico Login for Windows
But it is not mandatory to do so or required when using Yubico Login for Windows; it is just suggested.

Again, Yubikey is hardware 2FA. Bitlocker/Samsung encryption is FDE. They are 2 separate things, offer different forms of protection and are independent of each other. It is not required to have both, and it is up to you if you want to do both.

There are also risks when using FDE:
https://www.dell.com/community/Wind...-but-I-never-installed-it/td-p/6019486/page/2

Understand them well before deciding to use FDE or not.

and if compatible with the ssd and such
All of these features are "compatible with your ssd". They are universal. Hardware 2FA and FDE are not hardware-restricted features, if they were then it would be quite limited to use them.

If you are not using a Samsung SSD, use BitLocker instead for FDE because BitLocker is available in all Windows operating systems.
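
The Yubico note quoted in this thread ties the YubiKey login requirement to full disk encryption being in place. As an added example (not from the thread or from Yubico), this PowerShell function reports whether the OS volume is actually encrypted and protected by BitLocker; the function name `Test-OsVolumeEncryption` and its output field names are made up for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread: Test-OsVolumeEncryption is a hypothetical helper name.
function Test-OsVolumeEncryption {
    param(
        [string]$MountPoint = $env:SystemDrive   # normally C:
    )

    # Get-BitLockerVolume comes with the Windows BitLocker module and needs elevation.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # Compare as strings so the checks do not depend on the enum types being loaded.
    $status     = [string]$vol.VolumeStatus
    $protection = [string]$vol.ProtectionStatus
    $method     = [string]$vol.EncryptionMethod
    $protectors = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })

    $findings = @()
    if ($status -ne 'FullyEncrypted') {
        $findings += "Volume is $status ($($vol.EncryptionPercentage)% encrypted)."
    }
    if ($protection -ne 'On') {
        # Off also covers "suspended": data stays encrypted but the key is left unprotected on disk.
        $findings += 'Protection is not On (BitLocker is off or suspended).'
    }
    if ($protectors -notcontains 'RecoveryPassword') {
        $findings += 'No recovery password protector: there is no fallback if the primary protector is lost.'
    }

    [pscustomobject]@{
        MountPoint                  = $vol.MountPoint
        VolumeStatus                = $status
        ProtectionStatus            = $protection
        EncryptionMethod            = $method
        # 'HardwareEncryption' means BitLocker delegates to the drive's built-in encryption.
        UsesDriveHardwareEncryption = ($method -eq 'HardwareEncryption')
        KeyProtectors               = $protectors -join ', '
        DataAtRestProtected         = ($status -eq 'FullyEncrypted' -and $protection -eq 'On')
        Findings                    = $findings
    }
}

Test-OsVolumeEncryption | Format-List
```

Run it from an elevated PowerShell prompt; `DataAtRestProtected` is `True` only when the volume is fully encrypted and protection is on.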