A recent report making the rounds is claiming that Windows 10 — an OS with a
significant number of privacy issues — automatically implements full disk encryption,
at least on new and compatible hardware, and then stores the recovery key in the cloud
unless specifically told not to do so. (Note that this only applies to consumers;
business and enterprise users that connect to a domain will have their keys uploaded
to that location instead.)
The Intercept strongly implies that this is a new feature, introduced in Windows 10.
In fact, this capability (Microsoft refers to it as “device encryption”), isn’t new.
Microsoft first introduced the capability with Windows RT and Windows Phone 8.
It jumped to desktops and laptops with the launch of Windows 8.1 and continues to
be offered with Windows 10. If your laptop or desktop contains a TPM and meets
all of Microsoft’s specifications, the device will ship with full disk
encryption activated. Older hardware that’s been upgraded to Windows 8.1/10 will
not automatically enable full disk encryption.
If you have compatible hardware and you choose to log in with a Microsoft account
(as both Windows 8 and Windows 10 want you to do), a copy of your recovery key is stored
on Microsoft’s servers. While it’s possible to delete the key from Microsoft’s servers,
you can’t choose not to upload it in the first place (and you can’t use the basic level
of full disk encryption without a Microsoft account). BitLocker is a somewhat different
matter, and we’ll touch on that momentarily.
Microsoft doesn’t capitalize the phrase “disk encryption” when it refers to the
Windows RT / Windows 8.1 / Windows 10 capability, but our usage of the term refers
specifically to the modern Windows implementation of the capability unless we state
How Windows disk encryption works
First, let’s cover some basics. Both disk encryption and BitLocker use the same
algorithms and mechanisms to perform what’s known as full disk encryption.
As the name implies, full disk encryption means that the entire drive is encrypted,
rather than specific files or folders. BitLocker relies on a hardware-based Trusted
Platform Module (TPM) to confirm that a hard drive is installed in the right computer.
If the system doesn’t authenticate properly, the drive won’t unlock.
[Figure: A simplified diagram of full disk encryption.]
The recovery key that Microsoft saves
to a cloud server is meant to allow the company to assist users if something goes
wrong with their system, or if they lose/forget their own key.
As a Microsoft spokesperson told The Intercept:
“When a device goes into recovery mode, and the user doesn’t have access to
the recovery key, the data on the drive will become permanently inaccessible.
Based on the possibility of this outcome and a broad survey of customer feedback
we chose to automatically backup the user recovery key.
The recovery key requires physical access to the user device and is not useful
The only Windows devices that ship with full disk encryption enabled by default
are those that use a TPM, and the vast majority of TPM-equipped systems are laptops,
not desktops (business-class desktops may be an exception).
The entire point of full disk encryption is to protect so-called “data at rest.”
When the system is running, it’s as vulnerable to keyloggers, trojans, and remote
access exploits as a conventional box.
BitLocker offers features, services, and capabilities that the basic disk
encryption service doesn’t match, but it’s also aimed at business and professional
users who may have more specialized needs. Microsoft is clearly trying to anticipate
the needs of two very different groups of users, and to ensure that data is protected
across a range of devices, rather than apologetically telling users after the fact
that they ought to have purchased a different version of Windows if they wanted their
data to be encrypted by default.
The essence of security is compromise
Perfect security is a great idea, but a practical impossibility.
Every system, regardless of what it guards, has to balance between how secure
something is, how much functionality it exposes to the end user, and how easy the
system is to use. This is the nature of the so-called “security triangle,”
In this case, one of the principal goals of Microsoft’s disk encryption is to protect
a device in the event of physical theft. It wants to extend that protection to all users,
including users that aren’t technically proficient and who would be unlikely to
understand the importance of writing down and securing their own recovery keys.
Since the majority of users never change default settings, Microsoft knows it needs
to enable the option on compatible hardware if it wants to safeguard user data.
This, in turn, means making a copy of the recovery key. Uploading the key to
Microsoft’s own cloud and associating it with the users’ Microsoft account may not be
a perfect solution, but neither are the other options, like mailing a separate paper
copy or attempting to repeatedly warn the user to actually pay attention during the
Could Microsoft be forced to turn the key over to the FBI as part of an ongoing
investigation? Quite possibly, yes, though the key itself is only useful if the FBI
has actually seized the laptop. This at least implies that a standard search warrant
was approved and executed, as opposed to the extra-judicial nature of a National
Security Letter (NSL). But this only raises further questions about how Redmond
should balance the risk of being forced to comply with an NSL against the value
of helping its customers secure their intellectual property and hardware.
Every security solution protects against some risks, but not others.
BitLocker may not offer automatic protection from government investigation,
but it’s a far more secure solution than the hardware-level encryption that’s
supposed to protect hard drives whether you use an OS-based solution or not.
Don’t blame Windows 10 here
I’ve spent the last six months cataloging the various problems with Windows 10’s
privacy, update, and upgrade policies. I’m happy to call Microsoft out when I think
the company has made a mistake, but I don’t think its decision to make a safe backup
of laptop recovery keys falls into the same category. Nor do I think the overwhelming
majority of Windows users need fear a late-night visit from the FBI.
While I don’t agree with blaming Windows 10 for the way BitLocker and drive encryption
function, I do agree with Micah that the entire situation could have been handled
differently. Rather than automatically saving a recovery key to the cloud,
Microsoft could have offered users the option of saving it elsewhere.
Power users with BitLocker-equipped systems or who use software like VeraCrypt
still have the option of decrypting the drive and encrypting it with a secure key of
their own choosing, but this is a rather tedious process to go through when first
unboxing a PC. It would’ve been better for Microsoft to include the options by
default rather than making unilateral assumptions.
If you have a Windows 8.1 or Windows 10 system, and you want to disable recovery
key cloud storage but keep using the feature, Ars Technica has published a guide
to doing so.
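The checks and the key rotation that the two passages above describe (the TPM-bound unlock in the "How Windows disk encryption works" section, and keeping the feature while getting the escrowed key out of play), as an added PowerShell example that is not from the article, Ars Technica or Microsoft. It assumes Windows 8.1/10 with the BitLocker and TrustedPlatformModule modules, an elevated prompt, and a placeholder backup path you replace with offline media.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the article or from Microsoft: audit a volume's BitLocker /
# device-encryption state and, with -Rotate, replace the recovery password so the copy
# escrowed to the Microsoft account no longer unlocks the disk.
# Assumes Windows 8.1/10 with the BitLocker and TrustedPlatformModule modules present.
param(
    [string]$MountPoint = $env:SystemDrive,        # usually "C:"
    [string]$BackupDir  = 'E:\bitlocker-backup',   # placeholder: use removable/offline media,
    [switch]$Rotate                                # not a folder that syncs to the cloud
)

# 1. TPM presence is the hardware prerequisite for automatic device encryption.
$tpm = Get-Tpm
"TPM present: $($tpm.TpmPresent), ready: $($tpm.TpmReady)"

# 2. Encryption state and the key protectors that can unlock the volume.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
"$MountPoint status=$($vol.VolumeStatus) protection=$($vol.ProtectionStatus) method=$($vol.EncryptionMethod)"
foreach ($kp in $vol.KeyProtector) {
    "  {0,-18} {1}" -f $kp.KeyProtectorType, $kp.KeyProtectorId
}
# The Tpm protector unlocks transparently on the original hardware; the RecoveryPassword
# protector is the 48-digit key that device encryption backs up to the Microsoft account.
$old = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($old.Count -eq 0) { 'No recovery password protector present; nothing to rotate.'; return }
if (-not $Rotate)     { 'Report only. Re-run with -Rotate to replace the recovery password.'; return }

# 3. Rotate: add a fresh recovery password BEFORE removing the old one, so the volume is
#    never left with the TPM as its only protector.
$null = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$vol  = Get-BitLockerVolume -MountPoint $MountPoint
$new  = $vol.KeyProtector | Where-Object {
    $_.KeyProtectorType -eq 'RecoveryPassword' -and $_.KeyProtectorId -notin $old.KeyProtectorId
}
foreach ($kp in $old) {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
}

# 4. Keep the new key somewhere you control; this script never uploads it anywhere.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$file = Join-Path $BackupDir ("recovery-{0}.txt" -f ($new.KeyProtectorId -replace '[{}]'))
Set-Content -Path $file -Value "Volume $MountPoint`nProtector $($new.KeyProtectorId)`n$($new.RecoveryPassword)"
"New recovery password written to $file; old recovery protector(s) removed."
```

Rotating the key does not touch the stale copy already on Microsoft's servers; as the article notes, that copy can be deleted from the account separately.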