[Cryptography] Microsoft likely has your Win10 encryption key

Dennis E. Hamilton dennis.hamilton at acm.org
Wed Dec 30 16:39:34 EST 2015

> -----Original Message-----
> From: cryptography [mailto:cryptography-
> bounces+dennis.hamilton=acm.org at metzdowd.com] On Behalf Of Dennis E.
> Hamilton
> Sent: Tuesday, December 29, 2015 14:40
> To: cryptography at metzdowd.com
> Cc: 'Henry Baker' <hbaker1 at pipeline.com>
> Subject: Re: [Cryptography] Microsoft likely has your Win10 encryption
> key
> The TL;DR
> For ordinary users, the on-line recovery key is protected under the
> OneDrive on-line account that is associated with the User account on the
> machine.
> I am having trouble factoring the hyperbole out of the quoted accounts,
> and distinct provisions may have been intermingled in some odd way.

I found the source of confusion.  There is such a thing as device encryption (not necessarily Bitlocker).  Device encryption requires a particular set of device hardware capabilities, typically found, if found at all, on mobile devices (i.e., phones) and other devices that have quick start-up capabilities.  

It is the case that when such a device is taken through its initial Windows 10 setup and an administrator (usually first) account is created using an existing or new Microsoft account, persistent encryption is established and, indeed, a recovery key is preserved online where the device encryption can be recovered in the same manner as a Bitlocker one.  I think for this kind of device, there might not be any other way to recover a failure to access the encrypted device.  (My latest computer, which arrived with Windows 10 Pro preinstalled, satisfies only one of the two prerequisites which is why this provision is not evident on that machine at all.)

Microsoft appears to be far too circumspect about all of this.  It is difficult to parse it out of the online pages about device encryption.  The authors of those seem to be as confused as the alarmists on this topic.

 - Dennis

> Here is my personal experience.
> All of my own computers had Windows 10 Pro as upgrades and only the
> Windows 8.1 laptop that had BitLocker enabled has a recovery key on-line
> as well as in all of the places I chose to keep one privately.  I gave
> permission for that.
[ ... ]

More information about the cryptography mailing list