[Cryptography] Microsoft likely has your Win10 encryption key

Dennis E. Hamilton dennis.hamilton at acm.org
Tue Dec 29 17:40:16 EST 2015


For ordinary users, the on-line recovery key is protected under the OneDrive on-line account that is associated with the User account on the machine.

I am having trouble factoring the hyperbole out of the quoted accounts, and distinct provisions may have been intermingled in some odd way.  Here is my personal experience.


All of my own computers had Windows 10 Pro as upgrades and only the Windows 8.1 laptop that had BitLocker enabled has a recovery key on-line as well as in all of the places I chose to keep one privately.  I gave permission for that.  

We have one household desktop machine that arrived with Windows 10 Pro pre-installed.  Bitlocker was not enabled for it.  There is no automatic drive encryption and, furthermore, there is no recovery key registered at Microsoft for the device.  I took the machine through its first-use setup and there was never anything about that.  I declined any option to introduce Bitlocker at that time.

It may be that this is being done automatically for laptops/tablets and/or Windows 10 Home, something I can't verify easily.  

However, with Bitlocker enabled, it is necessary to have created some form of startup key arrangement, usually with a USB thumb drive that has a generated startup key recorded on it.  That must be inserted to be able to boot up the computer.  This seems an unlikely arrangement to have by default on Windows 10 Home, so I can't see what the articles are talking about concerning encryption by default.  

The startup key that Bitlocker uses at boot time is not the same as the recovery key.  The startup key on the USB-drive is conveyed in a 124-byte binary file identified as a hidden system file.  There is also some sort of connection with a number of system parameters of the given machine and an apparent GUID/fingerprint that is generated at the time of the original encryption and creation of the recorded key and the recovery key.  It appears to be only the recovery key, 4-byte fingerprint (or the entire 16-byte value), and computer name that is held at Microsoft via the OneDrive account.  There can be such information for several machines there.

See this <http://windows.microsoft.com/en-US/windows-8/bitlocker-recovery-keys-faq>.  If you have any recovery keys under such an account (and this goes back to Windows 8.1 Bitlocker, with no changes offered specific to Windows 10), you can find them by following this link: <http://go.microsoft.com/fwlink/?LinkId=237614>, signing in as required.  The recovery key CANNOT be found by opening the OneDrive account directly, not from a synchronized machine and not via the web.  One must access the URL above to get a browser page showing the recovery key.

What is balanced here is (1) someone must have physical access to your machine for it to even start up and (2) they must find a way to use the above URL to obtain the recovery key for your specific machine.  And if two-factor Windows account authentication is enabled, that may have to be overcome as well.  Whether the recovery keys are stored in a form that is independently retrievable by Microsoft (e.g., in response to a court order or other lawful request) is unclear, assuming the request knows what specifics to provide. 

There is a distinct and cumbersome manual ceremony for supplying a recovery key at startup when USB drive with recorded key is unavailable or unusable.  This also does not log onto any machine account, it just allows it to boot up and have decrypted access to the Bitlocker-encrypted drive(s), although success at (2) *might* take care of that.  

Once a recovery and account access have occurred, the startup key can be recorded on a USB drive to avoid having to manually enter the 48-digit recovery key from then on.

 - Dennis

> -----Original Message-----
> From: cryptography [mailto:cryptography-
> bounces+dennis.hamilton=acm.org at metzdowd.com] On Behalf Of Henry Baker
> Sent: Tuesday, December 29, 2015 06:31
> To: cryptography at metzdowd.com
> Subject: [Cryptography] Microsoft likely has your Win10 encryption key
> FYI --
> 'there is no way to prevent a new Windows device from uploading your
> recovery key the first time you log in to to your Microsoft account'
> 'Windows Home users don't get the choice to not upload their recovery
> key at all'
> "The recovery key requires physical access to the user device and is not
> useful without it."
> 'When you delete your recovery key from your account on this website,
> Microsoft promises that it gets deleted immediately, and that copies
> stored on their backup drives get deleted shortly thereafter as well.'
> https://theintercept.com/2015/12/28/recently-bought-a-windows-computer-
> microsoft-probably-has-your-encryption-key/
> Recently Bought a Windows Computer?  Microsoft Probably Has Your
> Encryption Key
[ ... ]

More information about the cryptography mailing list