Readers like you keep news free for everyone.

More than 5,000 readers have already pitched in to keep free access to The Journal.

For the price of one cup of coffee each week you can help keep paywalls away.

Support us today
Not now
Tuesday 5 December 2023 Dublin: 2°C
Simon Cocks/Flickr
potential issues

Microsoft is storing users' sensitive encryption keys in the cloud

The action could make it possible for malicious hackers to gain access to a person’s Windows 10 device.

MICROSOFT BACKS UP users’ encryption keys to its servers, The Intercept’s Micah Lee reports — arguably undermining security protections.

Like other tech companies, Microsoft now automatically encrypts devices with Windows 10 installed. This makes it (in theory) impossible for someone to access your data if they don’t have your password.

But if you want to use encryption on Windows 10 Home Edition, the cheapest version of the operating system, it uploads your key to Microsoft’s servers.

Now, this probably isn’t going to bother ordinary users. In fact, having a backup on their encryption key in the cloud in case they get locked out is likely a benefit for many people.

But users who work in more sensitive roles (journalists, activists, researchers, and so on) could be concerned by the fact that a key that grants access to their devices is on another company’s servers, where it could – theoretically – be accessed by law enforcement or malicious hackers.

More expensive versions of Windows 10 – Pro and Enterprise – have software installed called BitLocker, which allows the user to encrypt their device without sending the key to Microsoft (They have the options to print it or save it to an external drive instead). But this isn’t available to Windows Home users.

Windows / YouTube

It’s also possible for a user to delete their key from Microsoft’s servers once it has been uploaded. But there’s no way to avoid uploading it in the first place, which may put off the most security-conscious users.

Business Insider has reached out to Microsoft for comment. A company spokesperson told The Intercept that ”when a device goes into recovery mode, and the user doesn’t have access to the recovery key, the data on the drive will become permanently inaccessible”.

Based on the possibility of this outcome and a broad survey of customer feedback we chose to automatically backup the user recovery key … The recovery key requires physical access to the user device and is not useful without it.

Of course, even if your keys aren’t backed up elsewhere, that doesn’t mean your data is completely safe from adversaries.

Multiple countries – including Britain, France, and Australia – have “key disclosure” laws, that force users to surrender passwords to authorities in certain circumstances under threat of criminal punishments, including fines and jail time.

And as freelance journalist Joseph Cox pointed out in September 2015, there’s another risk: “Thuggish threats. When a police officer discovers a journalist has an encrypted phone, they may just beat up the reporter until the password is revealed.”

Read: The next Google Glass is taking shape, and it’s aiming for the workplace >

Read:The new year might bring with it a much better way to track your fitness >

Published with permission from
Business Insider
Your Voice
Readers Comments
    Submit a report
    Please help us understand how this comment violates our community guidelines.
    Thank you for the feedback
    Your feedback has been sent to our team for review.