Microsoft is Storing Your Encryption Keys in the Cloud – Here’s How to Remove Them


If you found a brand new Windows 10 PC under the tree this past week, or have upgraded your current machine to Windows 10, there is a high chance that your disk encryption key has been uploaded to Microsoft's servers already. While this has been long done by several technology companies, it essentially means that you are not in the complete control of the security of your data.

windows 10

We have discussed a lot about the need of encryption keys being locally stored on a user's machine instead of the companies keeping the copies. Tech giants do that to ease the process in case the disks get corrupted and users need to recover data. But, it also means that someone else has the keys to your house which means if a hacker manages to hack your Microsoft account, they will also have this key giving them access to your personal data. Last year, Google and Apple made the right move and possibly changed the dynamics by giving the end-user the keys to device encryption, something that the law enforcement agencies openly despised.

The Intercept's Micah Lee explains, "keeping a backup of your recovery key in your Microsoft account is genuinely useful for probably the majority of Windows users, which is why Microsoft designed the encryption scheme, known as “device encryption,” this way. If something goes wrong and your encrypted Windows computer breaks, you’re going to need this recovery key to gain access to any of your files."

The problem, however, is that the feature should be an opt-in instead of an opt-out. Even in cases, when a user decides to opt out of it, there is no guarantee if Microsoft isn't keeping a backup of this information, arguably undermining user's right to privacy. While a majority of Windows users might appreciate this feature as it gives them the assurance that they can recover data without having to store the encryption keys themselves, things get serious when users like political dissidents, researchers, journalists, and other similar minority groups are accounted in. These encryption keys could put them at a risk as they can be accessed by hackers, Microsoft's own employees gone rogue and the law enforcement officials. As mentioned by Lee, following Apple's footsteps, Windows could offer to uncheck a box before storing the keys to the cloud instead of never informing the user about this.

Remove Windows encryption keys from Microsoft's servers:

  1. Visit this site and log in with the Microsoft account associated with your computer.
  2. Here, you will see recovery keys for your account.
  3. Back up your encryption keys by writing them down or storing them in some safe application.
  4. Delete the keys.

Microsoft reportedly removes your keys from its servers immediately after you delete them. The Intercept recommends to generate a new encryption key that is never sent to Microsoft to be sure that the company doesn't have this key.

For more details, please visit the Intercept.