Find out if Microsoft stores encryption recovery keys in the cloud
A recent article by The Intercept reveals that, under certain circumstances, Microsoft automatically stores device encryption keys in the cloud.
Device Encryption is a built-in encryption feature that first became available with Microsoft's Windows 8 operating system. The core difference between Device Encryption and BitLocker is that BitLocker is configurable while Device Encryption is not.
Furthermore, full BitLocker functionality is only available in the Pro and Enterprise editions of Windows, while Device Encryption is available in all editions.
Device Encryption is enabled automatically if the computer has the required encryption chip and a Microsoft account is used to sign in to the computer. If that is the case, the encryption key is stored in the cloud automatically: if the computer is not joined to a Windows domain, the key is sent to Microsoft; if it is, the key is stored on company servers instead.
Windows users who choose not to sign in with a Microsoft account during setup or afterwards won't have Device Encryption enabled.
There is no way to prevent Windows from sending the encryption key to the cloud if the computer matches the requirements.
Why keys are backed up in the cloud
You are probably wondering why Microsoft backs up keys in the cloud automatically. The answer is convenience: users can use the key backed up in the cloud to regain access to files on the system, and if no local backup of the key exists, that can be the only way.
Microsoft could, however, handle this differently. For instance, it could give users the choice of backing up the key locally or in the cloud, which is what Apple does.
Check up on cloud stored encryption keys
While you cannot prevent Windows from transferring keys to the cloud, you can use your Microsoft Account to check whether keys are saved in the cloud, and delete them if that is the case.
- Load https://onedrive.live.com/recoverykey in your browser of choice.
- Log in to your Microsoft Account to access the service.
- Microsoft lists all recovery keys stored under that account on the page. If you get "You don't have any BitLocker recovery keys in your Microsoft account", it means that no keys are stored. This is the case, for instance, if the computer has no encryption chip, or if a local account is used to sign in on the PC.
- Otherwise, you may delete the recovery key on the site. It is suggested to back up the key before you do so.
To be on the safe side
Microsoft noted that the encryption key and its backups are deleted when users delete them on the Recovery Key page.
While that is reassuring, it is suggested to create a new encryption key locally and save it locally as well, to make sure no one can decrypt data on the drive using the old encryption key.
While local access is needed for that, it is better to be safe than sorry later on.
- Tap on the Windows key, type bitlocker and select the Manage BitLocker result to open the BitLocker Drive Encryption settings.
- Select "Turn off BitLocker" next to the operating system drive. This decrypts the drive, which may take a while depending on its size and performance.
- Once done, select "Turn on BitLocker".
- Windows will prompt you to back up the recovery key. You can choose to save it to a file or to print it. Don't select Microsoft Account, as the key will end up in the cloud again if you do.
- On the next page, select to encrypt the entire disk, including empty space.
- Select Yes when asked to run the BitLocker system check afterwards.
- Reboot your PC.
BitLocker will then start to encrypt the drive in the background. It is suggested to check the Microsoft Account again when the process completes to make sure the new recovery key is not listed there.
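As an added example (not from the article), the same rotation done with the BitLocker PowerShell module instead of decrypting and re-encrypting the whole drive: it lists the recovery password protectors on the OS drive, adds a fresh one saved to a local file, and then removes the old ones so the copy that was uploaded can no longer unlock the drive. It assumes an elevated session on a Windows edition where the BitLocker module is available and that C: is the OS drive; the $BackupPath location is an assumed example.

```powershell
# Added example: audit and rotate the BitLocker recovery password locally.
# Assumptions: elevated PowerShell, BitLocker module present, C: is the OS drive,
# and $BackupPath points at a removable drive you keep offline (assumed path).
#Requires -RunAsAdministrator
$MountPoint = "C:"
$BackupPath = "D:\BitLockerRecovery-$(Get-Date -Format yyyyMMdd).txt"

$vol = Get-BitLockerVolume -MountPoint $MountPoint
"Volume $MountPoint status=$($vol.VolumeStatus) protection=$($vol.ProtectionStatus)"

# 1. List the existing recovery password protectors; these are the keys that
#    can appear on the Microsoft Account recovery key page.
$old = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
foreach ($p in $old) { "Existing recovery password protector: $($p.KeyProtectorId)" }

# 2. Add a fresh recovery password BEFORE removing the old ones, so the drive is
#    never left without a recovery protector.
$after = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$newProt = $after.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Where-Object { $_.KeyProtectorId -notin $old.KeyProtectorId }

# 3. Save the new key to a local file (or print it); never to the Microsoft account.
@(
    "BitLocker recovery key for $MountPoint, created $(Get-Date)"
    "Identifier: $($newProt.KeyProtectorId)"
    "Recovery key: $($newProt.RecoveryPassword)"
) | Set-Content -Path $BackupPath
"New recovery key written to $BackupPath"

# 4. Remove the old recovery password protectors; the TPM protector is untouched,
#    so the drive still unlocks normally at boot.
foreach ($p in $old) {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    "Removed old protector $($p.KeyProtectorId)"
}

# 5. Confirm exactly one recovery password protector remains.
(Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object KeyProtectorId, KeyProtectorType
```

Afterwards, open the recovery key page again as the article advises and confirm that the old identifier is gone and the new one was not uploaded.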