Microsoft storing Windows disk encryption keys: a potential security nightmare?

The risks of not keeping an automatic backup key could be even greater…


Microsoft is at the centre of a new dollop of controversy in the privacy and security stakes, with the revelation that the company automatically uploads a copy of the recovery key for its disk encryption on modern PCs to its own servers – apparently without informing the owner of the computer, or presenting a choice to opt out of said process.

What does this mean for the average user, exactly? If you've got a newer PC with a TPM that meets Microsoft's hardware requirements, you're running Windows 10, and you sign in with a Microsoft account, then Microsoft's device encryption (a consumer variant of BitLocker) is switched on automatically, meaning the data on your disk is encrypted at rest by default.

But as The Intercept reports, a copy of your recovery key – the 48-digit recovery password that can unlock the drive when the normal TPM-based unlock fails – is also uploaded to your Microsoft account, where it is viewable through OneDrive, and as the article notes, this is done with no choice to opt out, and probably without the user's knowledge.

Of course, built-in disk encryption is a very commendable security feature, but there are potential issues with it – and backing a recovery key up to Microsoft's servers is an understandable step to take given the sort of problems that could occur.

For example, a motherboard or TPM replacement, a firmware update, or a change to the boot configuration can cause BitLocker to refuse its normal unlock and demand the recovery key at boot; if no backup of that key is accessible, the data on the drive is permanently lost.

However, as The Intercept points out, there are potential security risks to Microsoft keeping a copy of your key – for example if an attacker breaches your Microsoft account and can then read your recovery key (of course they'd still need access to the drive itself, such as a stolen laptop or a disk image, to make any use of it).

Relative risks

But the truth of the matter for the average user is that the risks of any such hacking are clearly outweighed by the potential risk of catastrophic data loss if something goes wrong with their PC and a backup of the recovery key isn't accessible. Which is why Microsoft made the decision to do this…

This is really more of an issue for a minority of users who have truly sensitive data (i.e. trade secrets and the like) on their machines, and, for example, if that PC was seized by a government, they wouldn't want said authorities to be able to compel Microsoft to hand over the recovery key and read the data.

But the overall thrust of the anti-Microsoft argument is that Redmond simply needs to make this process more transparent, and let the user know what's happening – or indeed give them a choice when it comes to uploading a recovery key to Microsoft's servers.

Note that it is possible to delete your recovery key from your Microsoft account – The Intercept details how to do this in its report. Bear in mind, though, that deleting the online copy does not change the key itself: the recovery password that was uploaded still unlocks the drive, so anyone who already obtained it keeps that ability until a new recovery password is generated and the old one is removed from the volume. You'll also need to keep a note of the key somewhere in case of a disaster in the future. The article suggests jotting it down on a piece of paper and keeping that somewhere safe, but that could come with obvious risks of its own.
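Deleting the online copy is only half the job if the old key is to be rendered useless. The following PowerShell session, added here as an example and not taken from the article or The Intercept's report, rotates the recovery password on the OS volume using the BitLocker cmdlets that ship with Windows: it adds a new recovery password first, writes it to offline media, and only then removes the old one, so the volume is never left without a recovery protector. It assumes an elevated prompt, that the BitLocker PowerShell module is available on your edition, that the OS volume is C:, and that `E:\` is removable media you control (all assumptions).

```powershell
# Added example (not from the article): rotate the BitLocker recovery password
# on the OS volume so that a copy previously uploaded to a Microsoft account no
# longer unlocks the disk, and save the replacement to offline storage.
# Assumptions: elevated PowerShell, BitLocker module present, OS volume is C:,
# and $OfflinePath is on removable media you control.
$MountPoint  = "C:"
$OfflinePath = "E:\bitlocker-recovery-$env:COMPUTERNAME.txt"

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.ProtectionStatus -ne 'On') {
    throw "Protection is not on for $MountPoint; nothing to rotate."
}

# The existing recovery password protector(s): these 48-digit keys are what may
# have been backed up to the Microsoft account.
$old = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'

# Add a fresh recovery password BEFORE touching the old one.
Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
$new = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Where-Object {
        $_.KeyProtectorType -eq 'RecoveryPassword' -and
        $old.KeyProtectorId -notcontains $_.KeyProtectorId
    } | Select-Object -First 1
if (-not $new) { throw "New recovery password protector was not created." }

# Persist the new key offline before removing anything, so a failure mid-way
# never leaves you without a usable recovery path.
@(
    "Computer:          $env:COMPUTERNAME"
    "Volume:            $MountPoint"
    "Protector ID:      $($new.KeyProtectorId)"
    "Recovery password: $($new.RecoveryPassword)"
) | Set-Content -Path $OfflinePath -Encoding ASCII

# Only now remove the old recovery password protector(s). The key that was
# uploaded can no longer unlock this volume.
foreach ($p in $old) {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
}

# Verify: exactly one recovery password protector should remain, the new one.
(Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object KeyProtectorId, KeyProtectorType
```

After running this, delete the old key from the Microsoft account as the article describes and confirm the account's recovery key page shows nothing for this device; if you later sign in with a Microsoft account on a device-encryption-enabled machine, check the page again, since the automatic backup is tied to that sign-in rather than to anything you did locally.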
