Commentary: No, yes, oh! BitLocker is insecure
The fact that Microsoft hands over recovery keys to the FBI is misunderstood by many, says Peter Siering. The problem is the expectation.
(Image: wk1003mike/Shutterstock.com/heise medien)
All those who are now panicking and looking for a BitLocker alternative: Calm down! Encryption with BitLocker is a good way to protect data on storage media. It works within its capabilities, but was never intended to turn every run-of-the-mill PC into a high-security data bunker. It primarily ensures that storage media are encrypted on a Windows system.
BitLocker alone is not enough
This is particularly good news if storage media fall into the wrong hands and under prying eyes, separated from the key (which is usually in the TPM) – they will then only find data garbage. However, BitLocker alone is not enough if you misplace a notebook or hand it in somewhere as a warranty case: As long as the TPM and the storage medium remain connected and the PC starts the regular Windows installation unchanged, automatisms are at play that are intended to hide the complexity of encryption from the user: Windows unlocks the storage media without user intervention.
For a notebook finder or thief not to be able to access the data, further prerequisites must be met: All local Windows accounts on the PC must be protected with a reasonable password. If you use at least a Pro edition of Windows, the protection can be rounded out by setting an additional PIN that must be entered at startup.
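The TPM-only auto-unlock described above versus a TPM+PIN protector can be checked and changed from PowerShell. The following is an added example, not code from the article or from Microsoft; it assumes an elevated session on Windows Pro with the built-in BitLocker module, and the FVE policy registry values (with 1 meaning "require") are assumed from Group Policy documentation rather than taken from the article.

```powershell
#Requires -RunAsAdministrator
# Added example: audit BitLocker key protectors and move the system drive from
# TPM-only to TPM+PIN. Assumptions: BitLocker PowerShell module present; policy
# values under HKLM\SOFTWARE\Policies\Microsoft\FVE as documented for Group Policy.

function Get-BitLockerProtectorAudit {
    # One row per volume. AutoUnlockRisk is true when only the TPM protects the
    # drive, i.e. it unlocks without user interaction as long as TPM and disk stay together.
    foreach ($vol in Get-BitLockerVolume) {
        $types  = @($vol.KeyProtector | ForEach-Object KeyProtectorType)
        $hasPin = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ', ')
            AutoUnlockRisk   = (($types -contains 'Tpm') -and -not $hasPin)
            HasRecoveryPwd   = ($types -contains 'RecoveryPassword')
        }
    }
}

function Enable-BitLockerTpmPin {
    param(
        [string]$MountPoint = $env:SystemDrive,
        [Parameter(Mandatory)][securestring]$Pin   # default policy requires at least 6 digits
    )
    # Allow a pre-boot PIN ("Require additional authentication at startup" policy).
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $pol)) { New-Item -Path $pol -Force | Out-Null }
    Set-ItemProperty -Path $pol -Name UseAdvancedStartup -Value 1 -Type DWord
    Set-ItemProperty -Path $pol -Name UseTPMPIN -Value 1 -Type DWord

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    # Ensure a recovery password exists before touching boot protectors; keep it
    # somewhere you control (printout, offline file) instead of escrowing it.
    if (-not ($vol.KeyProtector.KeyProtectorType -contains 'RecoveryPassword')) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    }
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
    # Drop any remaining TPM-only protector so the drive no longer unlocks without the PIN.
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'Tpm' |
        ForEach-Object { Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null }

    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Select-Object KeyProtectorType, RecoveryPassword
}

# Usage: Get-BitLockerProtectorAudit | Format-Table
#        Enable-BitLockerTpmPin -Pin (Read-Host -AsSecureString 'Startup PIN')
```

Run the audit first; a row with AutoUnlockRisk set to true is exactly the notebook-finder scenario the text describes.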
The fact that recovery keys are automatically collected in a Microsoft account to make encrypted drives accessible when normal procedures fail is more good than bad for many users. It is as useful as the spare key to your own apartment with the neighbor or janitor.
Those who don't trust Microsoft…
That you currently have to trust Microsoft not to misuse this key is part of the offer. The company does not offer end-to-end encryption for the recovery key, although it is technically possible. However, it would also contradict the simplicity of the neighbor's spare key principle. And anyone who doesn't trust the software giant should not use a Microsoft account, and especially not Windows.
The news that Microsoft has handed over recovery keys to the FBI should be a warning to all those who are careless with their Microsoft account, because the spare keys are stored there. This should only be a reason to replace BitLocker for people who have to fear law enforcement agencies: Besides the key, physical access to the storage medium is required.
Recovery keys are not a magic wand to telepathically read data from storage media or to take over Windows installations remotely. And why would they be needed for that? While Windows is running, all data is unlocked anyway; otherwise, neither Windows nor any program could start. The operating system can access everything that is not separately encrypted. This is the same for Linux, macOS, and Android, by the way.
What can be criticized is that Microsoft does not give users a choice: anyone using Windows Home and who has not bypassed the Microsoft account requirement hands over their spare key without being asked. On the other hand, one must also ask what these users gain if they deactivate the device encryption (BitLocker under the hood), which has been automatically activated for some time: Instead of potentially legitimate authorities, anyone could then read the data if they got their hands on the storage medium.
Anyone who wants to encrypt data with maximum security would do well not to trust third parties. This primarily includes not handing over the key. In the case of BitLocker, this is quite possible if a Pro edition or comparable version is available and you avoid the Microsoft account. The problem is not a flaw in BitLocker, but the expectation. High security is not free; it requires work and is never perfect, but BitLocker is good enough for most users.
(ps)