Microsoft is storing users’ sensitive encryption keys in the cloud

by Rob Price

Microsoft backs up users’ encryption keys to its servers, The Intercept’s Micah Lee reports — arguably undermining security protections.

Like other tech companies, Microsoft now automatically encrypts devices with Windows 10 installed. This makes it (in theory) impossible for someone to access your data if they don’t have your password.

But if you want to use encryption on Windows 10 Home Edition, the cheapest version of the operating system, it uploads your key to Microsoft’s servers.

Now, this probably isn’t going to bother ordinary users. In fact — having a backup of their encryption key in the cloud in case they get locked out is likely a benefit for many people.

But users who work in more sensitive roles (journalists, activists, researchers, and so on) could be concerned by the fact that a key that grants access to their devices is on another company’s servers, where it could — theoretically — be accessed by law enforcement or malicious hackers.

More expensive versions of Windows 10 — Pro and Enterprise — have software installed called BitLocker, which allows the user to encrypt their device without sending the key to Microsoft. (They have the options to print it or save it to an external drive instead.) But this isn’t available to Windows Home users.

It’s also possible for a user to delete their key from Microsoft’s servers once it has been uploaded. But there’s no way to avoid uploading it in the first place, which may put off the most security-conscious users.

Business Insider has reached out to Microsoft for comment. A company spokesperson told The Intercept that “when a device goes into recovery mode, and the user doesn’t have access to the recovery key, the data on the drive will become permanently inaccessible. Based on the possibility of this outcome and a broad survey of customer feedback we chose to automatically back up the user recovery key … The recovery key requires physical access to the user device and is not useful without it.”

Of course, even if your keys aren’t backed up elsewhere, that doesn’t mean your data is completely safe from adversaries.

Multiple countries — including Britain, France, and Australia — have “key disclosure” laws that force users to surrender passwords to authorities in certain circumstances under threat of criminal punishment, including fines and jail time.

And as freelance journalist Joseph Cox pointed out in September 2015, there’s another risk: “Thuggish threats. When a police officer discovers a journalist has an encrypted phone, they may just beat up the reporter until the password is revealed.”


  1. Any web service that requires you to give up your email address just to sign in is collecting data. A decade ago Microsoft called it your Passport. Now they have it spread through all their services like a spider web.


  2. With all we know about Win-10 spying and data collection that is nothing surprising. I am still amazed how people think that something free doesn’t come with a catch.
