Microsoft Adds an Element of Risk to Disk Encryption by Storing Recovery Keys in its Cloud


Microsoft did well to make disk encryption built-in and on by default for new Windows devices; it protects the data on a laptop or tablet that is lost or stolen. But in many cases the recovery key is also transmitted to Microsoft's servers, and anyone who obtains that key, whether a government agency with a legal demand or an attacker who compromises the account or the server, holds the one secret that bypasses the encryption on a device they have physical access to.

According to a report from The Intercept, users who log into Windows 10 Home Edition with a Microsoft account have a copy of their recovery key automatically uploaded to Microsoft's servers. Users who log in with a corporate or university account instead have the recovery key sent to a server controlled by the company or university rather than by Microsoft.

Some worry that this could put the data of journalists, activists, informants, and others at risk.

The Home edition's "device encryption" differs from the BitLocker feature in Windows Server and Windows 10 Pro and Enterprise, which prompts the user to choose where the backup recovery key is kept (a Microsoft account, a file, or a printout). Even so, a new device running Windows Pro or Enterprise that ships with device encryption enabled also uploads its recovery key the first time the user logs in with a Microsoft account.

In a message to The Intercept, a company spokesperson explained that this is meant to make it easier for users to recover data, and would not allow remote access to user data. The spokesperson stated, “[W]hen a device goes into recovery mode, and the user doesn’t have access to the recovery key, the data on the drive will become permanently inaccessible. Based on the possibility of this outcome and a broad survey of customer feedback we chose to automatically backup the user recovery key … The recovery key requires physical access to the user device and is not useful without it.”

One can log into OneDrive with the Microsoft account to view and delete the recovery keys Microsoft has stored. Note that deleting the stored copy only removes it from that account; the key already on the device stays valid until a new recovery key is generated, so deletion alone does not retire a key that may have been copied elsewhere.

If using Windows Pro or Enterprise, The Intercept recommends generating a new disk encryption key by decrypting the whole hard disk and then re-encrypting it with BitLocker, taking care not to select “Save to Your Microsoft Account” when asked how to save the recovery key. Only that choice (or an explicit backup command) sends the key to Microsoft; saving it to a file or printing it keeps it local.
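A full decrypt and re-encrypt is not strictly necessary to retire a recovery key that has already been uploaded. BitLocker keeps the 48-digit recovery password as a separate "protector" on the volume, so the password can be replaced in place while the volume stays encrypted. The following PowerShell script is an added example, not code from the article or from Microsoft; it assumes an elevated prompt on Windows 10 Pro or Enterprise (the BitLocker cmdlets are not exposed on Home's device encryption) and that the operating-system volume is C:. It adds a new recovery password, shows it so it can be stored offline, and only then removes the old one(s); it never calls the cmdlet that backs a protector up to a Microsoft or Azure AD account, so the new password stays on the device.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): rotate the BitLocker recovery password on C:
# without decrypting the volume. Nothing here uploads the new key anywhere.

$MountPoint = 'C:'   # assumption: the OS volume is C:

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -ne 'FullyEncrypted') {
    throw "Volume $MountPoint is '$($vol.VolumeStatus)'; rotate the key only on a fully encrypted volume."
}

# Remember the protectors that exist now, so the old recovery password(s) can be
# removed only after the new one is confirmed to be in place.
$oldRecovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
$hasTpm      = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' }
if (-not $hasTpm) {
    Write-Warning "No TPM-based protector on $MountPoint; the recovery password may be the only way to unlock it."
}

# 1. Add a freshly generated recovery password. This only writes a new protector
#    into the volume metadata; it does not contact a Microsoft account.
$null = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector

# 2. Re-read the volume and find the protector that was not there before.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$newRecovery = $vol.KeyProtector | Where-Object {
    $_.KeyProtectorType -eq 'RecoveryPassword' -and
    $_.KeyProtectorId -notin $oldRecovery.KeyProtectorId
}
if (-not $newRecovery) {
    throw 'New recovery password was not created; existing protectors left untouched.'
}

# 3. Show the new password so it can be written down or saved to offline media.
#    Do this BEFORE deleting the old protectors: afterwards it is the only recovery path.
Write-Host "New recovery password for $MountPoint (protector ID $($newRecovery.KeyProtectorId)):"
Write-Host $newRecovery.RecoveryPassword
$null = Read-Host 'Store the password offline now, then press Enter to delete the old recovery password(s)'

# 4. Remove every previous recovery password protector. Any copy of those passwords
#    that was uploaded earlier can no longer unlock this volume.
foreach ($p in $oldRecovery) {
    $null = Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
    Write-Host "Removed old recovery password protector $($p.KeyProtectorId)"
}

# 5. Final check: exactly one recovery password should remain, and it should be the new one.
(Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
    Format-Table KeyProtectorId, KeyProtectorType -AutoSize
```

The order matters: the new protector is created and recorded before the old one is deleted, so a failure halfway through leaves the volume with at least one working recovery password rather than none. After running it, check the OneDrive recovery-key page once more and delete the entry for the old protector ID; it no longer unlocks anything, but there is no reason to leave it there.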

If using Windows Home, non-Microsoft disk encryption software such as BestCrypt can be used.

