Your Windows 10 device encryption keys are stored on OneDrive
Published on December 29, 2015
The Intercept – the government-busting news site funded by eBay founder Pierre Omidyar that popped up following Snowden – has dug up a not-exactly-new Windows 10 feature for probing: automatic device encryption with key storage on OneDrive. Since their article is gaining some steam, let’s talk about it.
What’s it all about?
First of all, a quick description for the unfamiliar. Users signing in to a shiny new device with a Microsoft account will have the device encrypted automatically by Windows behind the scenes, after which the encryption key is stored automatically on OneDrive. Automatic is the keyword here: users don’t need to spend an ounce of effort on any of this. They may also never know it happened.

This is separate from BitLocker, which requires a user to open the BitLocker service, start the encryption process manually, and choose where to store the key (in fact, we have a handy guide available that you can give a look). Also, unlike BitLocker, the built-in device encryption is not limited to the Pro and Business versions of Windows; it’s available to Home users as well. As a matter of fact, the feature has been available since Windows 8, which makes The Intercept’s article a bit old hat.
Convenience versus potential risk – the age-old tech dilemma
How is encryption secure? Without the key, the encrypted device is inaccessible, period, should recovery ever be needed. Conversely, the key by itself is useless without the physical device it unlocks; it’s a two-way system not too dissimilar to a physical lock. It means, however, that if you lose your key, prepare to kiss all your data goodbye, since there will be no way for you to get to it. Ever. Which is why the automatic key backup is more convenient for, and actually preferred by, most layman users (or so the quoted Microsoft spokesperson claims).

The security risk, the original article argues, starts the moment the key leaves your device, as it can then be intercepted by a third party, Microsoft or otherwise. Sure enough, the uploaded keys can be checked and deleted very easily by following this link, which Microsoft claimed would wipe them from existence, but at that point it’s hard to be completely, absolutely sure that your key has not been tampered with. In the best world, according to the article, Microsoft would do the same as Apple does with its built-in encryption FileVault and ask users during initial setup whether they want the cloud backup.

Paranoia aside, though, as mentioned before, having the key means nothing without the physical device to unlock, so you should be reasonably safe. If you’re still having doubts, the original article suggests using BitLocker to decrypt and encrypt the device again, rendering the uploaded key useless, after which you can keep a new local key handy.
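As an added example (not code from the article or from Microsoft), here is the same idea carried out with the BitLocker PowerShell cmdlets, going one step beyond the article’s decrypt-and-re-encrypt suggestion: it inspects the OS drive’s key protectors and replaces the 48-digit recovery password with a fresh one that is written only to local media, so whatever copy was uploaded to OneDrive no longer unlocks the drive. It assumes an elevated prompt on Windows 8.1/10 with the BitLocker module, and the backup path is a placeholder to adjust.

```powershell
# Added example (not from the article): inspect device encryption on the OS drive and
# rotate the recovery password locally instead of a full decrypt/re-encrypt cycle.
# Assumes the BitLocker PowerShell module and an elevated prompt.
#Requires -RunAsAdministrator

$osDrive = $env:SystemDrive   # usually "C:"
$vol = Get-BitLockerVolume -MountPoint $osDrive

"Volume {0}: status={1}, protection={2}, method={3}" -f `
    $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus, $vol.EncryptionMethod

# List the existing protectors. A RecoveryPassword protector is the 48-digit key that
# device encryption backs up to OneDrive automatically.
$vol.KeyProtector | Format-Table KeyProtectorType, KeyProtectorId -AutoSize

$oldRecovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $oldRecovery) {
    Write-Host "No recovery password protector found; nothing to rotate."
    return
}

# Add a fresh recovery password first, so the drive is never left without one.
$after = Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector
$newProtector = $after.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Where-Object { $_.KeyProtectorId -notin $oldRecovery.KeyProtectorId }

# Save the new key only locally (removable media, not the system drive). This script
# does not upload it anywhere; this file is the copy to keep safe.
$backupPath = 'E:\bitlocker-recovery-key.txt'   # assumed path; adjust to your media
"Key ID: {0}`nRecovery password: {1}" -f $newProtector.KeyProtectorId, $newProtector.RecoveryPassword |
    Out-File -FilePath $backupPath -Encoding ASCII

# Remove the old protector(s). Any copy of the old password that left the device,
# OneDrive included, can no longer unlock this drive.
foreach ($p in $oldRecovery) {
    Remove-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $p.KeyProtectorId | Out-Null
}

# Verify: only the new recovery password should remain.
(Get-BitLockerVolume -MountPoint $osDrive).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Format-Table KeyProtectorId -AutoSize
```

Test the saved key by confirming the printed Key ID matches the one in the file before you rely on it; an unreadable backup leaves you in exactly the lost-key situation described above.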
Conclusion
All in all, it is really up to the users to evaluate the trade-off for convenience and draw the line on what they see as compromising their privacy. Every business operates on a certain degree of mutual trust with its customers, and with the increasing frequency of data breaches in recent years, that trust may be getting eroded, which is why articles like The Intercept’s are getting attention.

Nevertheless, given that Microsoft has always been a leader in cyber security, and that it, like most companies, wants to stay in business, claiming that it actively tries to compromise customers’ data and trust is a bit far-fetched. We have reached out to Microsoft for comment regarding the original article, and will update you once more info comes.
Radu Tyrsina
Radu Tyrsina has been a Windows fan ever since he got his first PC, a Pentium III (a monster at that time).
For most of the kids of his age, the Internet was an amazing way to play and communicate with others, but he was deeply impressed by the flow of information and how easily you can find anything on the web.
Prior to founding Windows Report, this particular curiosity about digital content enabled him to grow a number of sites that helped hundreds of millions reach faster the answer they’re looking for.