(Image: created with AI in Bing Designer by heise online / dmk)
By Kaj-Sören Mossdorf
Anyone who encrypts their hard drive or SSD should be able to assume that only they can decrypt it. With Microsoft's BitLocker encryption technology, this is not necessarily the case: in the Home Edition of Windows, the company automatically saves the recovery key in the user's online account. This prevents the key from being lost, but it also gives Microsoft access to it. Depending on the configuration, this also affects customers of the Enterprise and Education versions of Windows.
According to the company, Microsoft receives around 20 requests per year from investigative authorities requesting BitLocker keys. According to research by the US news magazine Forbes, the Redmond-based company handed over recovery keys to the FBI last year. This is the first known handover. The background is a criminal investigation into the theft of money from a Covid unemployment benefit program on the island of Guam.
Backup in the online account: Convenient, but not secure
Microsoft spokesman Charles Chamberlayne told Forbes: "While key recovery offers convenience, it also carries the risk of unwanted access. Microsoft therefore believes that customers can best decide how they want to manage their keys." It is questionable, however, whether customers know that they are exposing themselves to this risk. And considering that Microsoft has made it increasingly difficult in recent years to use a Windows PC at all without an online account, the number of recovery keys stored in online accounts is likely to be relatively high.
Jennifer Granick, a surveillance and cybersecurity advisor at the American Civil Liberties Union, pointed out to Forbes that this data is likely to be of great interest to many governments. According to the Law Enforcement Request Report, which Microsoft publishes twice a year, the company also received 5296 requests from Germany between July and December 2024 as part of criminal investigations. In total, this concerned 9835 accounts or users. Not every request automatically results in the disclosure of data.
How users can protect themselves
Users can delete the key from their online account. It should be strongly emphasized, however, that from that moment on the management of the key is entirely the user's responsibility. The key should by no means be stored only on the device it secures, because if recovery is ever needed, the data stored on that device, and with it the key, is inaccessible. A password manager on another device, for example, is a suitable storage location. After the key has been actively removed from the online account, it can theoretically still be found in Microsoft's systems for up to 30 days.
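The following script is an added example, not code from the heise article or from Microsoft, showing how a user can take control of the recovery password on the operating-system drive with the built-in BitLocker PowerShell module: it lists the recovery protectors, refuses to write the backup onto the encrypted drive itself, and optionally rotates the recovery password so that any copy still held in the online account no longer unlocks the drive (the rotation step goes beyond the article's text). The `$MountPoint`, `$BackupPath` and `-Rotate` parameters are assumptions for this example; it must be run from an elevated PowerShell session.

```powershell
# Added example (not from the article): manage the BitLocker recovery
# password on the OS drive yourself instead of relying on the online-account
# backup. Parameters are assumptions; point $BackupPath at removable media or
# a file you then move into a password manager on another device.
param(
    [string]$MountPoint = "C:",
    [string]$BackupPath = "E:\bitlocker-recovery-C.txt",
    [switch]$Rotate   # replace the existing recovery password with a new one
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint
"Volume {0}: {1}, protection {2}" -f $MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus

# A recovery password is the 48-digit numeric protector; a drive may carry several.
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword"
if (-not $recovery) {
    Write-Warning "No recovery password protector on $MountPoint; adding one."
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword"
}

if ($Rotate) {
    # Add the new protector BEFORE removing the old ones so the drive is never
    # left without a recovery path. Afterwards, a copy of the old password that
    # was escrowed in the online account is useless for unlocking this drive.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    foreach ($old in $recovery) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $old.KeyProtectorId | Out-Null
    }
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword"
}

# Never store the backup on the very drive it is meant to unlock.
if ($BackupPath.ToUpper().StartsWith($MountPoint.ToUpper())) {
    throw "Backup path $BackupPath is on the encrypted drive; choose another location."
}
$recovery | ForEach-Object {
    "Identifier: {0}`r`nRecovery password: {1}" -f $_.KeyProtectorId, $_.RecoveryPassword
} | Set-Content -Path $BackupPath
"Recovery password for $MountPoint written to $BackupPath; move it off-device and verify it unlocks the drive."
```

Run it once without `-Rotate` to back up the current password, and with `-Rotate` only after confirming the backup location is outside the encrypted volume.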
For those who prefer to use open-source tools like Veracrypt or want to remove the encryption for another reason, there are two ways to disable BitLocker, depending on the Windows version. The first leads via the classic Control Panel. This can be accessed, for example, via the search bar in the Start menu. Then, you need to navigate to "System and Security" and "Device Encryption." In the "Operating System Drive" section, you should now find the "Disable BitLocker" button next to "Windows (C:)."
If this is not the case, BitLocker can also be disabled via the modern settings menu. This can also be accessed via the search bar under "Settings" in the Start menu. There, select "Privacy and Security" and then "Device Encryption." In the following window, you will find the entry of the same name with a checkbox next to it. However, switching it off without alternative security measures is not recommended. The data will then be very easily accessible, for example, in the event of loss or theft of the device.