Microsoft’s BitLocker, an integral security feature embedded within Windows, serves as a robust guardian of your hard drive, encrypting personal files to shield them from unauthorized access in the unfortunate event of loss or theft. The crux of this protection lies in the BitLocker recovery key, a critical component required for decrypting data. However, recent developments have raised eyebrows regarding the safety of this key.
In a notable revelation, Microsoft confirmed to Forbes that it will comply with valid legal requests from law enforcement for access to BitLocker recovery keys, provided these keys are stored in the cloud. This situation came to light during an investigation by FBI agents in Guam, who sought access to encrypted files related to a COVID unemployment assistance fraud case. Microsoft deemed the request justified and subsequently provided the necessary keys to the authorities.
Microsoft recommends backing up to the cloud
While Microsoft advocates for users to back up their BitLocker recovery keys to the cloud for convenience, this practice introduces a layer of risk. Windows may demand the recovery key after hardware changes, boot problems, or what it judges to be suspicious access attempts, and a user who cannot produce it is locked out of their own data. In such instances, signing into a Microsoft account allows users to retrieve their associated keys. Yet this reliance on cloud storage means a copy of the key exists outside the user's control, which raises concerns about potential unauthorized access.
A Microsoft spokesperson articulated the duality of choice: “With BitLocker, customers can choose to store their encryption keys locally, in a location inaccessible to Microsoft, or in Microsoft’s cloud. We recognize that some customers prefer Microsoft’s cloud storage so we can help recover their encryption key if needed. While key recovery offers convenience, it also carries a risk of unwanted access.”
Interestingly, Microsoft receives approximately 20 requests for BitLocker keys annually, but many cannot be fulfilled due to users not having their keys stored in the cloud. The Guam case marks a significant milestone, being the first known instance where Microsoft provided encryption keys to law enforcement. In contrast, a previous request from the FBI in 2013 for a backdoor into BitLocker was declined.
When are our encryption keys handed over to law enforcement?
The policy surrounding the sharing of encryption keys with federal agencies ignites a complex debate. On one hand, there is a collective desire for law enforcement to apprehend criminals; on the other, there is a pressing need to safeguard personal information from unwarranted access. This dichotomy raises questions about how Microsoft determines the appropriateness of sharing secure encryption keys and the trustworthiness of a company that holds the keys to our digital vaults.
Jason Soroko, a senior fellow at lifecycle management firm Sectigo, noted, “Microsoft frames this as a lawful process problem, not a ‘back door’ problem. Its transparency materials say it reviews legal demands, discloses data only when legally compelled, and does not give governments direct access or provide ‘our encryption keys’ to break encryption.” However, the reality remains that storing recovery keys in the cloud exposes them to potential legal compulsion, transforming personal security into a shared responsibility with cloud service providers.
Despite these concerns, BitLocker continues to be a formidable tool for protecting sensitive files, particularly against the common threat of a lost or stolen laptop. Soroko emphasized, “For the average Windows user, BitLocker still meaningfully protects you against a very common threat, a lost or stolen powered-off laptop.” The caveat, however, lies in key custody; if the recovery key is uploaded to a Microsoft account, the company retains a copy, which can be disclosed under legal orders.
How to check your BitLocker settings
For those utilizing Windows 11 Pro, 10 Pro, Enterprise, or Education, checking your BitLocker settings is essential for addressing any privacy concerns regarding cloud storage of your recovery key. In Windows 11, navigate to Settings, select System, and click About. Scroll to the Related section to access BitLocker settings. For Windows 10, follow a similar path through Settings and System to find the BitLocker link.
If BitLocker is disabled, consider enabling it, especially on portable devices. If it is already active, take the opportunity to back up your recovery key. Microsoft provides various options, but caution is advised against saving it to a cloud account. Instead, opt for local storage methods such as saving to a file or printing the key.
The safest way to store your recovery key
For optimal security, consider saving the recovery key on a USB stick or external drive, ensuring it is stored in a secure location. The key is saved in a plain-text file, so encrypting this file and password-protecting it is advisable. Since Windows does not offer built-in encryption for this purpose, utilizing third-party tools like 7-Zip or WinRAR is recommended. If opting to print the key, ensure the physical copy is kept in a secure environment.
Should you have previously stored your BitLocker key in the cloud, it is prudent to remove it. Log into your Microsoft account, locate the BitLocker recovery keys section, and delete the entry for your computer after confirming you have saved a copy of the key elsewhere. Soroko advises, “If you want encryption without third-party key escrow, keep the recovery key out of the cloud and back it up yourself.” A combination of a printed copy in a safe and a backup in a secure password manager strikes a balance between accessibility and security for many users.
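The checks and local backup described above can also be done from an elevated PowerShell prompt on the Pro, Enterprise or Education editions. This is an added example, not from the article or from Microsoft; it assumes the USB stick is mounted as E: (adjust $Dest) and uses only the built-in BitLocker module.

```powershell
#Requires -RunAsAdministrator
# Added example: inventory BitLocker protectors and save recovery passwords to
# removable media instead of a Microsoft account. $Dest is an assumed USB path.
$Dest = 'E:\BitLocker-Recovery'

# Refuse to write the key onto the very disk it protects (or a cloud-synced folder).
if ((Split-Path $Dest -Qualifier) -eq $env:SystemDrive) {
    throw "Destination $Dest is on the system drive; use a removable drive instead."
}

$volumes = Get-BitLockerVolume
foreach ($v in $volumes) {
    Write-Host ("{0}  Status={1}  Protection={2}" -f $v.MountPoint, $v.VolumeStatus, $v.ProtectionStatus)
    foreach ($kp in $v.KeyProtector) {
        Write-Host ("    {0}  Id={1}" -f $kp.KeyProtectorType, $kp.KeyProtectorId)
    }
}

# An encrypted volume with no recovery password protector cannot be unlocked after
# a TPM or firmware change, so flag it instead of silently continuing.
$missing = $volumes | Where-Object {
    $_.VolumeStatus -ne 'FullyDecrypted' -and
    -not ($_.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
}
foreach ($v in $missing) {
    Write-Warning "$($v.MountPoint) has no recovery password; add one with:"
    Write-Warning "  Add-BitLockerKeyProtector -MountPoint $($v.MountPoint) -RecoveryPasswordProtector"
}

# Export each recovery password to its own file on the removable drive.
if (-not (Test-Path $Dest)) { New-Item -ItemType Directory -Path $Dest | Out-Null }
foreach ($v in $volumes) {
    $passwords = $v.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    foreach ($p in $passwords) {
        $name = '{0}-{1}.txt' -f $v.MountPoint.TrimEnd(':\'), $p.KeyProtectorId.Trim('{}')
        $file = Join-Path $Dest $name
        @(
            'BitLocker recovery key'
            "Computer: $env:COMPUTERNAME   Volume: $($v.MountPoint)"
            "Key ID:   $($p.KeyProtectorId)"
            "Key:      $($p.RecoveryPassword)"
        ) | Set-Content -Path $file -Encoding ASCII
        Write-Host "Saved $file"
    }
}
# The files are plain text, as the article notes: wrap them in a password-protected
# archive before storing the drive, and keep the drive offline in a safe place.
```

Afterwards, confirm in the Microsoft account's BitLocker recovery keys page that no entry remains for this computer, since the script only writes a local copy and cannot remove a cloud backup.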