I'd only bother to encrypt work machines -- I don't see why it wouldn't work. My gaming setup -- I'd definitely not bother.
Not every machine is a guaranteed boot. It depends on MBR/GPT etc and whether UEFI is disabled in the BIOS and other configurations. However generally yes, they will. I've even have setups where the SSD would would have macOS/Windows/Linux. Much older motherboard pre-2012 generally don't like this setup and it can be v.slow.
I have enough trouble dual-booting encrypted internal disks on the same machine... any changes to the TPM, or say booting one disk as a virtual machine from within the other disks OS running natively, breaks all AAD and windows hello authentication for me. Have to remove accounts and add them back in from settings on windows 10. So I’d be quite surprised if you’ve figured out a seamless way to boot an encrypted disk on multiple machines...
For example, with bitlocker, won’t you need to enter the recovery key when trying to boot from a new machine? And have to sign out and back in to all relevant OS level accounts? Even then I face authentication issues at times
I really would like this to work seamlessly because moving my internal SSD work disk to an external one would be far safer than lugging it around inside my personal laptop all the time. But the work disk has to be encrypted...
Also, for hardware compatibility’s sake, I’d think Linux would be a far superior daily driver OS to ‘multi-hardware boot’, considering relevant drivers are loaded from kernel on boot rather than selectively pre-installed at OS creation time for that one device, increasing plug and play compatibility
If you cannot have fully encrypted setup, then you can consider encrypting at least most of data.
At work due to remote work I cannot have fully encrypted disc with Windows as I have to reboot remotely. So I left a small enough partition for Windows, then created another partition for my data that I encrypted with strong password in Bitlocker. Then I symlinked my user directory from C:\Users\UserName to a directory on D: and created an extra account that I use after reboot to unlock the encrypted disc with my data.
This is not ideal, as Windows still may store my data on C:\, but if one disables virtual memory, it is a reasonably secure setup.
Yeah for unlocking it within a host OS as a data disk, not for booting from it... you can set auto unlock at boot or a pin to boot, both of which use the TPM
But try move a bootable bitlocker encrypted disk to new hardware and you’ll have to enter the recovery key
I would really like to be wrong about this since it would make my life much easier, but this understanding is based on experience using multiple work machines with encrypted boot drives every day :(
Ya, I ran for a long time with a passphrase in a system without a TPM. I recently got a TPM for it so I could have it restart without me being present.
I used the `manage-bde` command rather than powershell:
The GUI for bitlocker doesn't provide access to all the functionality that manage-bde provides (iirc: if a TPM is present, the passphrase options aren't presented in the GUI. And it used to talk about a "PIN" instead of a passphrase/password, but the "PIN" can (with some gpo tweaking) contain letters/space/punct as well as numbers.
Oh wow, thank you! Should’ve known to head straight to the docs instead of searching phrases online. Now to spend the next day backing everything up and configuring passphrase on boot...
Not every machine is a guaranteed boot. It depends on MBR/GPT etc and whether UEFI is disabled in the BIOS and other configurations. However generally yes, they will. I've even have setups where the SSD would would have macOS/Windows/Linux. Much older motherboard pre-2012 generally don't like this setup and it can be v.slow.