> Having a built-in module that does the job has a lot of upsides.
And downsides, especially for corporate usage you don't want your data protected by device keys if they aren't set by yourself or replicated elsewhere. But it is a security risk to deploy such keys on local machines in the first place in many circumstances.
> If there isn't a safe place to store keys, it makes sense to dissuade storing them. Fairly obvious, isn't it?
The behavior is that you can only add keys if you already activated TPM. This is an implementation detail of Windows Hello. Perhaps they changed it but I can think of some reasons why they forgot to add the option.
> it would be less secure in a bunch of contexts
No, I disagree. Severely less secure depends on the security model. Applications cannot usually randomly access any memory, but yes, the system would need to ensure that and there can be attacks. If you assume your system is compromised on that level your device encryption will be bypassed via the same channel. TPM comes with its own suite of security flaws with regard to device identification (bug or feature?). That is a relevant threat model compared to many memory attacks regardless of the countless other fingerprinting problems we currently are subjected to. Plus the DRM issues around remote attestation and sealed storage.
> And downsides, especially for corporate usage you don't want your data protected by device keys if they aren't set by yourself or replicated elsewhere.
It's a solved problem in corporate environments.
> But it is a security risk to deploy such keys on local machines in the first place in many circumstances.
That's a massive stretch and no normal corporation agrees with that statement.
> No, I disagree.
Other people's threat models are not something you can disagree with.
> If you assume your system is compromised on that level your device encryption will be bypassed via the same channel.
Well, not really; it's not a bypass. Continuous abuse of a compromised machine is significantly noisier than exfiltrating the keys needed and then abusing those. Plus you can't touch anything that would change TPM measurements, or you'll lock yourself out. It's much more cumbersome.