A recent article in The Intercept reveals that Microsoft automatically stores device encryption keys in the cloud under certain circumstances.
Device Encryption is a built-in encryption feature that first became available with Microsoft's Windows 8 operating system. The core difference between Device Encryption and BitLocker is that BitLocker is configurable while Device Encryption is not.
Furthermore, full BitLocker functionality is only available in the Pro and Enterprise editions of Windows, while Device Encryption is available in all editions.
Device encryption is enabled automatically if the computer has the required encryption chip and if a Microsoft account is used to sign in to the computer. If that is the case, the encryption key is stored in the cloud automatically: if the computer is not joined to a Windows domain, the key is sent to Microsoft; if it is, the key is stored on company servers instead.
Windows users who choose not to create Microsoft accounts during setup or afterwards won't have device encryption enabled.
There is no way to prevent Windows from sending the encryption key to the cloud if the computer matches the requirements.
Why keys are backed up in the cloud
You are probably wondering why Microsoft backs up keys in the cloud automatically. The answer to that is convenience, as users can make use of the key backed up in the cloud to regain access to files on the system. This can be the only way if no local backup of the key exists.
Microsoft could, however, handle this differently. For instance, it could give users the choice of backing up the key locally or in the cloud, as Apple does.
Check up on cloud stored encryption keys
While you cannot prevent Windows from transferring keys to the cloud, you can check using your Microsoft Account to find out if keys are saved in the cloud, and delete them if that is the case.
To be on the safe side
Microsoft noted that the encryption key and its backups are deleted when users delete them on the Recovery Key page.
While that is reassuring, it is suggested to create a new encryption key locally instead and save it locally as well, to make sure no one can decrypt data on the drive using the old encryption key.
While local access is needed for that, it is better to be safe than sorry later on.
BitLocker will start to encrypt the drive in the background afterwards. It is suggested to check the Microsoft Account again when the process completes to make sure the new recovery key is not listed there.
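One way to carry out the key rotation described above from an elevated PowerShell prompt, as an added example rather than the article's own steps: it adds a fresh recovery password, writes it to a local file, and only then removes the old recovery-password protectors whose value may already sit in the Microsoft account. The drive letter C:, the removable drive E: and the backup path are assumptions, as is the availability of the BitLocker PowerShell module on the edition in use.

```powershell
# Added example, not from the article. Rotate the BitLocker recovery password on
# the OS drive so any copy of the old one stored in the cloud becomes useless,
# and keep the new one locally only. Run from an elevated PowerShell prompt.
# Assumed: the OS drive is C: and E: is a removable drive you control.
$MountPoint = "C:"
$BackupFile = "E:\BitLocker-RecoveryKey-$env:COMPUTERNAME.txt"   # assumed path

$vol = Get-BitLockerVolume -MountPoint $MountPoint
$oldRecovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
Write-Host "Existing recovery-password protectors: $($oldRecovery.Count)"

# 1. Add a fresh recovery password first, so the volume is never left without one.
$vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$newRecovery = $vol.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' -and
                   $oldRecovery.KeyProtectorId -notcontains $_.KeyProtectorId }

# 2. Save the new 48-digit password locally, off the encrypted drive itself and
#    off any folder that syncs to a cloud service.
@(
    "Computer: $env:COMPUTERNAME"
    "Volume: $MountPoint"
    "Protector ID: $($newRecovery.KeyProtectorId)"
    "Recovery password: $($newRecovery.RecoveryPassword)"
) | Out-File -FilePath $BackupFile -Encoding ASCII

# 3. Only after the new key is safely written, remove the old protectors.
foreach ($p in $oldRecovery) {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
}

# 4. Verify: exactly one recovery-password protector should remain, the new one.
(Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Format-Table KeyProtectorId, RecoveryPassword -AutoSize
```

Afterwards, re-check the Recovery Key page of the Microsoft Account as the article advises and confirm that the new protector ID is not listed there.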