Upset Microsoft stashes hard drive encryption keys in OneDrive cloud?
Let's have a chat about that
Water cooler El Reg, some friends of mine have been showing me blog posts about Microsoft keeping secret copies of all our encryption keys. What's going on?
Since Windows 8, Microsoft has built drive encryption into its operating system, so none of this should really be a shock. And this encryption feature shouldn't be confused with Bitlocker, which is aimed at power users and businesses; think of this feature as a diet Bitlocker.
Whenever you first log into a new Windows 10 computer or device using a Microsoft account, the OS quietly and automatically encrypts the internal storage drive, and uploads a recovery key to Redmond's OneDrive servers. While you're logged into your machine, your data is decrypted and accessible. If someone steals your PC or tablet, and they don't know your password, they shouldn't be able to get at your files because they can't decrypt them.
Why does Microsoft want our recovery keys?
If you forget your password or somehow can't log into your PC or device any more, you won't be able to use your drive because it will remain encrypted. If you change your motherboard, you won't be able to decrypt your data either because the system ties the encryption to a crypto key stored in the chipset. The new board won't have that key.
This still doesn't explain why the recovery key is held in the cloud.
Imagine the tech support calls Microsoft and PC makers must get every day from people – people who think the caps lock key is cruise control FOR COOL. People who can't remember how to turn on Bluetooth. Now imagine the sheer hell of dealing with hundreds of thousands, if not millions, of people who wake up one morning and can't remember their passwords, only to be told: "Sorry, it's gone. All your data is gone."
It's not a hassle Microsoft wants to deal with, so it provides people a recovery key, stored on the corporation's servers, to sign back in. If you have recovery key for an encrypted drive, you can decrypt it.
It was the NSA, wasn't it?
Sure, mate, the NSA.
Can't I just print out my key? Or put it on a USB stick? And not give a copy to Redmond?
Yes – you can print it out or save it to a thumb drive in case you need it in future. You can download your key from here. If you can't see a key, and you're a Windows user, then your computer doesn't have the hardware – such as a suitable TPM module – to support the storage encryption, so you don't have to worry about any of this.
Why didn't Microsoft just tell me this was happening?
Well, here's the rub. Maybe if Microsoft was a little more upfront with people, and made it a clear option during installation or during the first boot, this wouldn't be such a shock. Just like its privacy settings in Windows 10 that are on by default and tucked away: some are useful, others not, but a little warning would have been appreciated.
Well, I don't like it. Whoever has my recovery key can decrypt my drive. I don't want Microsoft to have my key.
Fine. If you're a Windows Home user, click here, save a copy of the recovery key just in case, and then delete it from OneDrive. Microsoft promises to eventually scrub it from its cloud servers and backups.
Beware: if another person logs into your machine using a Microsoft account, the recovery key may be uploaded again. To put an end to this, follow these instructions (skip step four) to create a new recovery password that is just between you and your computer. Obviously, don't lose or forget this password.
Alternatively, switch off drive encryption by opening the Control Panel, and navigating to PC and devices, then PC info, then Device Encryption, and doing the deed there. Now you can use another disk encryption tool that doesn't send keys to off-site systems.
What if I'm using Windows 10 Pro or Enterprise?
Go to the Control Panel, open the Bitlocker settings screen, turn the feature off, then reenable it, and then when prompted, don't allow the recovery key to be sent to Microsoft's servers. Pro and Enterprise editions can also store recovery keys in an Active Directory service, which is an obvious thing to do in a corporate environment.
Look, this is a breach of my privacy – what if the Feds get hold of the recovery key? They have ways and means to do so.
Anyone with the recovery key needs physical access to your machine to use it, so that computer would have to be seized anyway for the key to be any use.
OK, so let's say I'm going through customs and a border officer confiscates my laptop...
If the Feds are in your threat model, shouldn't you try something a little stiffer than the default encryption tool?
I, er, didn't know Windows worked this way.
Sounds like you need to pick another adversary, mate. ®
Sponsored: DevOps and continuous delivery