BitLocker: Microsoft hands over keys to law enforcement

Microsoft stores the hard drive encryption key in customers' online accounts by default. It can be accessed with a court order.

[Image: Ransomware message on a laptop. Image created with AI in Bing Designer by heise online / dmk]

By Kaj-Sören Mossdorf

Anyone who encrypts their hard drive or SSD might reasonably assume that only they can decrypt it again. With Microsoft's BitLocker encryption technology, however, this is not necessarily the case: in the Home edition of Windows, the company automatically saves the recovery key in the user's online account. This protects against forgetting the key, but it also gives Microsoft access to it. Depending on the configuration, this also affects customers of the Enterprise and Education versions of Windows.

According to the company, Microsoft receives around 20 requests per year from investigative authorities who want BitLocker keys. According to research by the US news magazine Forbes, the Redmond-based company handed over recovery keys to the FBI last year. This is the first known disclosure. The background is a criminal investigation into the theft of funds from a Covid unemployment aid program on the island of Guam.

Microsoft spokesman Charles Chamberlayne told Forbes: "While key recovery offers convenience, it also carries the risk of unwanted access. Microsoft therefore believes that customers are best able to decide how they want to manage their keys." Whether customers know that they are exposing themselves to this risk is questionable. Considering that Microsoft has made it increasingly difficult in recent years to use a Windows PC at all without an online account, the number of recovery keys stored in online accounts is likely to be relatively high.

Jennifer Granick, director of surveillance and cybersecurity at the American Civil Liberties Union, pointed out to Forbes that this data is likely of great interest to many governments. According to the Law Enforcement Request Report, which Microsoft publishes twice a year, the company also received 5296 requests from Germany between July and December 2024 in connection with criminal investigations. In total, this concerned 9835 accounts or users. Not every request automatically results in the disclosure of data.

Users can delete the key from their online account. It should be strongly emphasized, however, that from that moment on the management of the key is entirely the user's responsibility. The key should by no means be stored only on the device it secures: if the recovery key is ever needed, the data on that device cannot be accessed, and neither can a key stored there. A password manager on another device, for example, is a suitable storage location. Even after the key has been actively removed from the online account, it may still exist in Microsoft's systems for up to 30 days.


For those who prefer to use open-source tools like Veracrypt or want to remove the encryption for another reason, there are two ways to disable BitLocker, depending on the Windows version. The first is via the classic Control Panel. This can be accessed, for example, via the search bar in the Start menu. Then, you need to navigate to "System and Security" and "Device Encryption". In the "Operating System Drive" section, you should now find the "Turn off BitLocker" button next to "Windows (C:)".

If this is not the case, BitLocker can also be disabled via the modern settings menu. This can also be accessed via the search bar under "Settings" in the Start menu. There, select "Privacy and Security" and then "Device Encryption". In the following window, you will find the entry of the same name with a checkbox next to it. However, turning it off without alternative security is not recommended. The data will then be very easily accessible, for example, in the event of loss or theft of the device.
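The two preceding paragraphs describe the steps by hand: take over management of the recovery key yourself (store it off the device, remove it from the online account), and, if wanted, turn BitLocker off. The following PowerShell script is an added example and not part of the heise article or of Microsoft's documentation. It uses only the built-in BitLocker cmdlets (`Get-BitLockerVolume`, `Add-BitLockerKeyProtector`, `Remove-BitLockerKeyProtector`, `Disable-BitLocker`), must be run from an elevated prompt, and the backup path `E:\bitlocker-recovery-CHANGEME.txt` is a placeholder you replace with a location that is not on the encrypted volume. The `-RotateRecoveryPassword` switch goes one step beyond the text: since the article states that a deleted key can remain in Microsoft's systems for up to 30 days, replacing the recovery password makes the copy that was uploaded earlier useless.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the heise article): inventory BitLocker key protectors,
# save the recovery password off the device, optionally rotate it, optionally
# turn BitLocker off. Assumes a Windows system with the BitLocker module.
[CmdletBinding()]
param(
    [string]$MountPoint = 'C:',
    # Placeholder path: must be removable media or another, separately
    # protected location, never the encrypted volume itself.
    [string]$BackupPath = 'E:\bitlocker-recovery-CHANGEME.txt',
    [switch]$RotateRecoveryPassword,
    [switch]$TurnOff
)

# Refuse to write the recovery password onto the volume it unlocks (see the
# article: a key stored only on the secured device is useless in an emergency).
$backupRoot = [System.IO.Path]::GetPathRoot($BackupPath).TrimEnd('\')
if ($backupRoot -ieq $MountPoint.TrimEnd('\')) {
    throw "BackupPath '$BackupPath' is on the encrypted volume $MountPoint; choose another location."
}

$vol = Get-BitLockerVolume -MountPoint $MountPoint
'Volume {0}: status={1}, protection={2}, method={3}' -f `
    $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus, $vol.EncryptionMethod

# Every protector is an unlock path (TPM, PIN, recovery password, ...).
# Knowing which ones exist is the first check before changing anything.
foreach ($p in $vol.KeyProtector) {
    '  protector {0}  type={1}' -f $p.KeyProtectorId, $p.KeyProtectorType
}

$recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
if ($recovery.Count -eq 0) {
    Write-Warning "No recovery password protector found on $MountPoint."
}

if ($RotateRecoveryPassword) {
    # Add the new 48-digit recovery password BEFORE removing the old ones so the
    # volume is never left without a recovery path.
    $null = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    foreach ($old in $recovery) {
        $null = Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $old.KeyProtectorId
    }
    $recovery = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
}

# Save the current recovery password(s) off the device, e.g. to import into a
# password manager afterwards. Delete the file once it has been moved there.
if ($recovery.Count -gt 0) {
    $lines = foreach ($p in $recovery) {
        'Computer: {0}  Volume: {1}  ProtectorId: {2}  RecoveryPassword: {3}' -f `
            $env:COMPUTERNAME, $MountPoint, $p.KeyProtectorId, $p.RecoveryPassword
    }
    Set-Content -Path $BackupPath -Value $lines
    "Recovery password(s) written to $BackupPath"
}

if ($TurnOff) {
    # Decryption runs in the background; the volume is unprotected from now on.
    Disable-BitLocker -MountPoint $MountPoint | Out-Null
    "BitLocker disabled on $MountPoint; check progress with Get-BitLockerVolume -MountPoint $MountPoint"
}
```

Run it first with no switches to see which protectors exist and to get the recovery password saved off the device; only then delete the key from the online account as the article describes. After a rotation on a Home edition installation, check the Microsoft account again: the article states that Home uploads the key automatically, so verify whether the new recovery password has reappeared there before assuming it is held only by you.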

(syt)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.