Microsoft’s operating systems offer two kinds of encryption: device encryption, which encrypts an entire disk, and BitLocker, which gives the user a chance to configure how the encryption should be done and where it should be applied. Unfortunately, as this article points out, both options require you to upload the key used to encrypt your data to Microsoft.
It’s not that Microsoft is just being snoopy. Rather, the maker of Windows 8 and Windows 10 wants to protect its users from that “wanna-get-away?” day when they lose their key and thus lose access to their data. In other words, by collecting your encryption key, Microsoft functions as a key escrow service, holding onto it for that rainy day when you need to recover it.
Key escrow is not a new concept. Organizations use key escrow services to retain the encryption keys their employees use so that they can recover employees’ data when they leave the company. And the United States government pursued a massive key escrow effort in the mid-1990s when it partnered with AT&T to build phones equipped with the so-called Clipper chip, which communicated the phone user’s key to a central database for each encrypted phone call he or she made. Governments around the world still push either for transparent escrow mechanisms or for intentional backdoors to be included in encryption software so that they can investigate criminal and terrorist activity associated with suspicious communications. Key escrow certainly has valid applications, and it has been used for quite some time.
But key escrow carries a lot of baggage. The Clipper campaign raised the ire of privacy advocates and gave rise to the Electronic Frontier Foundation, which continues to advocate for privacy protections today. Key escrow continues to spark significant controversy, because, by design, it runs counter to the “trust no one” ethos that most encryption and privacy rights advocates preach. A “trust no one” encryption solution is one in which only one person – the owner of the data – can decrypt it. With key escrow, both the owner of the data and the escrow provider can decrypt, since both hold the keys. If the escrow provider – which, in the case of Windows, is Microsoft – is compromised by a hacker, or if a government subpoenas it to gain access to your key, your data is no longer protected. It would be as if your data hadn’t been encrypted in the first place.
Microsoft did its users a disservice when it designed both device encryption and BitLocker. By default, both services communicate your encryption key immediately to Microsoft. You can tell Microsoft afterwards that you want it to remove your key from its database, but there is no way to guarantee that Microsoft actually complies with your wishes, or that automatic backup systems didn’t already copy your key to a database that could be restored as needed, perhaps in response to a government inquiry, or perhaps as the result of a data breach.
If your version of Windows has BitLocker installed, there are ways around this problem that involve encrypting your data and broadcasting your key as usual, then decrypting it, and then re-encrypting it, at which point you’ll be asked whether you really want to back up your key to Microsoft. The article describes the steps in greater detail.
Still, this is too much work. Microsoft should have followed Apple’s lead and given users of device encryption and BitLocker the same choice users of Apple’s FileVault have: to keep their encryption keys to themselves. Encryption that requires you to trust another party is only as good as that party’s trustworthiness.