What's easier? And BitLocker doesn't count. I want my FDE to be based on a password or a keyfile, not simply by some code in the motherboard. I want it encrypted until I, the operator, provide some data to unlock.
In my limited experience with BitLocker, the disk is decryptable automatically as long as it's in the original motherboard.
If someone steals my laptop, and there is no factor of decryption requiring something I possess or know, then the only use of that disk being encrypted is that I can throw it out more safely at end of life. Thieves/LEO have the data because they have the motherboard.
If BitLocker has a PIN/passphrase decrypt option, then I missed it.
While a thief or LEO could boot the OS, just having the motherboard doesn’t give them access to the underlying data. They would need to have a valid user account.
It was not made clear to me that my username/password was the decryption method! I was expecting something like Linux where a separate password is needed.
Furthermore, it wasn't intuitive to me that my user account would decrypt more than just my home directory.
I'll tell Grandma that's what she needs to do.