A recent report making the rounds is claiming that Windows 10 — an OS with a significant number of privacy issues — automatically implements full disk encryption, at least on new and compatible hardware, and then stores the recovery key in the cloud unless specifically told not to do so. (Note that this only applies to consumers; business and enterprise users that connect to a domain will have their keys uploaded to that location instead.)
The Intercept strongly implies that this is a new feature, introduced in Windows 10. In fact, this capability (Microsoft refers to it as “device encryption”) isn’t new. Microsoft first introduced the capability with Windows RT and Windows Phone 8. It jumped to desktops and laptops with the launch of Windows 8.1 and continues to be offered with Windows 10. If your laptop or desktop contains a TPM module and meets all of Microsoft’s specifications, the device will ship with full disk encryption activated. Older hardware that’s been upgraded to Windows 8.1/10 will not automatically enable full disk encryption.
If you have compatible hardware and you choose to log in with a Microsoft account (as both Windows 8 and Windows 10 want you to do), a copy of your recovery key is stored on Microsoft’s servers. While it’s possible to delete the key from Microsoft’s servers, you can’t choose not to upload it in the first place (and you can’t use the basic level of full disk encryption without a Microsoft account). BitLocker is a somewhat different matter, and we’ll touch on that momentarily.
Microsoft doesn’t capitalize the phrase “disk encryption” when it refers to the Windows RT / Windows 8.1 / Windows 10 capability, but our usage of the term refers specifically to the modern Windows implementation of the capability unless we state otherwise.
How Windows disk encryption works
First, let’s cover some basics. Both disk encryption and BitLocker use the same algorithms and mechanisms to perform what’s known as full disk encryption. As the name implies, full disk encryption means that the entire drive is encrypted, rather than specific files or folders. BitLocker relies on a hardware-based Trusted Platform Module (TPM) to confirm that a hard drive is installed in the right computer. If the system doesn’t authenticate properly, the drive won’t unlock.
The recovery key that Microsoft saves to a cloud server is meant to allow the company to assist users if something goes wrong with their system, or if they lose/forget their own key. As a Microsoft spokesperson told The Intercept:
“When a device goes into recovery mode, and the user doesn’t have access to the recovery key, the data on the drive will become permanently inaccessible. Based on the possibility of this outcome and a broad survey of customer feedback we chose to automatically back up the user recovery key. The recovery key requires physical access to the user device and is not useful without it.”
The only Windows devices that ship with full disk encryption enabled by default are those that use a TPM, and the vast majority of TPM-equipped systems are laptops, not desktops (business-class desktops may be an exception). The entire point of full disk encryption is to protect so-called “data at rest.” When the system is running, it’s as vulnerable to keyloggers, trojans, and remote access exploits as a conventional box.
BitLocker offers features, services, and capabilities that the basic disk encryption service doesn’t match, but it’s also aimed at business and professional users who may have more specialized needs. Microsoft is clearly trying to anticipate the needs of two very different groups of users, and to ensure that data is protected across a range of devices, rather than apologetically telling users after the fact that they ought to have purchased a different version of Windows if they wanted their data to be encrypted by default.
The essence of security is compromise
Perfect security is a great idea, but a practical impossibility. Every system, regardless of what it guards, has to balance between how secure something is, how much functionality it exposes to the end user, and how easy the system is to use. This is the nature of the so-called “security triangle,” shown in the figure below:
[Figure: the security triangle (security, functionality, usability); image not reproduced in this copy]
In this case, one of the principal goals of Microsoft’s disk encryption is to protect a device in the event of physical theft. It wants to extend that protection to all users, including users who aren’t technically proficient and who would be unlikely to understand the importance of writing down and securing their own recovery keys.
Since the majority of users never change default settings, Microsoft knows it needs to enable the option on compatible hardware if it wants to safeguard user data. This, in turn, means making a copy of the recovery key. Uploading the key to Microsoft’s own cloud and associating it with the user’s Microsoft account may not be a perfect solution, but neither are the other options, like mailing a separate paper copy or attempting to repeatedly warn the user to actually pay attention during the setup process.
Could Microsoft be forced to turn the key over to the FBI as part of an ongoing investigation? Quite possibly, yes, though the key itself is only useful if the FBI has actually seized the laptop. This at least implies that a standard search warrant was approved and executed, as opposed to the extra-judicial nature of a National Security Letter (NSL). But this only raises further questions related to how Redmond should balance the risk of being forced to comply with an NSL against the value of helping its customers secure their intellectual property and hardware.
Every security solution protects against some risks, but not others. BitLocker may not offer automatic protection from government investigation, but it’s a far more secure solution than the hardware-level encryption that’s supposed to protect hard drives whether you use an OS-based solution or not.
Don’t blame Windows 10 here
I’ve spent the last six months cataloging the various problems with Windows 10’s privacy, update, and upgrade policies. I’m happy to call Microsoft out when I think the company has made a mistake, but I don’t think its decision to make a safe backup of laptop recovery keys falls into the same category. Nor do I think the overwhelming majority of Windows users need to fear a late-night visit from the FBI.
While I don’t agree with blaming Windows 10 for the way BitLocker and drive encryption function, I do agree with Micah that the entire situation could have been handled differently. Rather than automatically saving a recovery key to the cloud, Microsoft could have offered users the option of saving it elsewhere. Power users with BitLocker-equipped systems or who use software like VeraCrypt still have the option of decrypting the drive and encrypting it with a secure key of their own choosing, but this is a rather tedious process to go through when first unboxing a PC. It would’ve been better for Microsoft to include the options by default rather than making unilateral assumptions.
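As an added example (not code from the article or from Microsoft), the following PowerShell script shows the checks a user would run to see where they stand: whether a TPM is present, whether the OS volume is encrypted, and which key protectors exist on it. It then replaces the recovery password protector with a fresh one and writes the new key to media the user controls. It goes slightly beyond the article’s “decrypt and re-encrypt” route: the recovery password is only one protector of the volume master key, so it can be rotated without re-encrypting the drive, and once the old protector is removed, any stale copy of the old key (including one backed up to a Microsoft account) no longer unlocks the volume. The script assumes an elevated session on Windows 8.1/10 with the BitLocker and TrustedPlatformModule cmdlets available; the mount point `C:` and the output path `D:\bitlocker-recovery-key.txt` are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the article: inspect device encryption / BitLocker
# state on the OS volume and rotate its recovery password protector.
# Assumptions: elevated PowerShell, BitLocker module present, OS volume is C:,
# D: is removable media the user controls.

$MountPoint = 'C:'

# 1. TPM check: device encryption is only switched on automatically on TPM hardware.
$tpm = Get-Tpm
"TPM present: $($tpm.TpmPresent)  ready: $($tpm.TpmReady)"

# 2. Volume state: method, progress and whether protection is actually on.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$vol | Select-Object MountPoint, VolumeStatus, EncryptionMethod, EncryptionPercentage, ProtectionStatus

# 3. Key protectors. 'RecoveryPassword' is the 48-digit key that the article
#    describes being backed up to the Microsoft account; 'Tpm' is the protector
#    that ties the drive to this machine.
$vol.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId

$oldRecovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

# 4. Add a new recovery password protector *before* removing the old one, so the
#    volume is never left without a recovery path.
$after = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$newRecovery = $after.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Where-Object { $_.KeyProtectorId -notin $oldRecovery.KeyProtectorId }

# 5. Remove the old recovery password protector(s). Any copy of that key held
#    elsewhere can no longer unlock this volume.
foreach ($p in $oldRecovery) {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
}

# 6. Record the new key offline. Without it, a TPM validation failure makes the
#    data unrecoverable, which is exactly the outcome Microsoft's cloud backup
#    was introduced to avoid, so this step is not optional.
$out = 'D:\bitlocker-recovery-key.txt'   # assumed location on removable media
@(
    "Volume:            $MountPoint"
    "Protector ID:      $($newRecovery.KeyProtectorId)"
    "Recovery password: $($newRecovery.RecoveryPassword)"
) | Out-File -FilePath $out -Encoding ascii
"New recovery password written to $out"
```

Step 4 runs before step 5 deliberately: if the script is interrupted between them, the volume still has at least one recovery protector. After rotation, the entry under the Microsoft account still lists the old key ID, which is a useful way to confirm that what the cloud holds no longer matches what the drive accepts.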