Microsoft May Give Your Encryption Key To Law Enforcement Upon Valid Request - Here's How To Keep It Safe

Kyle Kucharski/ZDNET

Follow ZDNET: Add america arsenic a preferred source connected Google.

ZDNET's cardinal takeaways

• BitLocker encrypts your difficult thrust and requires a cardinal to decrypt it.
• Microsoft whitethorn springiness your cardinal to rule enforcement upon a valid request.
• Don't prevention your cardinal to nan cloud; instead, shop it locally aliases people it out.

Microsoft's BitLocker is simply a information characteristic built into Windows that encrypts nan full difficult drive. The thought is to protect your individual files from prying eyes successful lawsuit your PC is ever mislaid aliases stolen. Decrypting nan information requires a BitLocker betterment key, which is expected to beryllium safe from entree by different people. Aah, but not truthful fast.

Microsoft has confirmed to Forbes that it will supply your BitLocker betterment key if it receives a valid ineligible order. For that to happen, though, that cardinal must beryllium backed up to nan unreality and not conscionable stored connected 1 of your ain section devices. This script has already played retired successful 1 circumstantial lawsuit that whitethorn beryllium nan first of its benignant for Microsoft, suggested Forbes.

Also: Why you request Microsoft's caller emergency Windows spot - and nan black-screen bug to watch for

FBI agents successful Guam were investigating a lawsuit successful which definite individuals who had been successful complaint of nan island's COVID unemployment assistance programme were really looking to bargain nan funds. To beryllium their case, nan feds needed entree to nan BitLocker-encrypted files connected nan suspects' computers. Microsoft felt nan petition was justified and turned complete nan basal keys to nan agents.

Microsoft recommends backing up to nan cloud 

Microsoft encourages Windows users to backmost up their BitLocker betterment keys to nan cloud. Otherwise, you whitethorn beryllium incapable to retrieve nan cardinal to unlock Windows successful nan arena of a hardware change, bootup problem, aliases suspicious access. Under immoderate specified circumstances, you tin simply motion successful to your Microsoft relationship page to find nan cardinal associated pinch your PC. But therein lies nan risk.

"With BitLocker, customers tin take to shop their encryption keys locally, successful a location inaccessible to Microsoft, aliases successful Microsoft's cloud," a Microsoft spokesperson told ZDNET. "We admit that immoderate customers for illustration Microsoft's unreality retention truthful we tin thief retrieve their encryption cardinal if needed. While cardinal betterment offers convenience, it besides carries a consequence of unwanted access, truthful Microsoft believes customers are successful nan champion position to determine whether to usage cardinal escrow and really to negociate their keys."

Also: The first large Windows update of 2026 is simply a glitchy messiness - here's nan afloat database of bugs and fixes

Microsoft receives astir 20 requests for BitLocker keys each year. But successful galore cases, nan institution can't comply because nan personification hasn't stored nan keys successful nan cloud.

The lawsuit involving nan FBI agents successful Guam is nan first known lawsuit successful which Microsoft has provided encryption keys to rule enforcement, Forbes reported. In another lawsuit from 2013, nan FBI reportedly asked Microsoft engineers to build a backdoor into BitLocker truthful nan agency could bypass its information controls. But this petition was turned down.

When are our encryption keys handed complete to rule enforcement?

Microsoft's argumentation connected sharing encryption keys pinch a national agency triggers a never-ending debate. We each want rule enforcement to beryllium capable to drawback and extremity existent criminals truthful they can't wounded much victims. But we besides want our individual files and accusation to beryllium protected from unlawful aliases frivolous access. That's particularly existent these days pinch authorities overreach truthful rampant and dangerous.

Further, really does Microsoft determine if and erstwhile it feels comfortable handing complete unafraid encryption keys to rule enforcement? And really tin we spot nan institution to support our information unafraid if it's consenting to stock nan combinations to our individual vaults?

Also: Use Microsoft Office? Hackers tin infect your PC pinch a malicious archive - spot it ASAP

"Microsoft frames this arsenic a lawful process problem, not a 'back door' problem," Jason Soroko, elder chap astatine lifecycle guidance patient Sectigo, told ZDNET. "Its transparency materials opportunity it reviews ineligible demands, discloses information only erstwhile legally compelled, and does not springiness governments nonstop entree aliases supply 'our encryption keys' to break encryption.

"Yet erstwhile a institution stores your betterment key, it tin beryllium compelled to manus it over, truthful nan protection you thought was 'only me' becomes 'me, positive whoever tin lawfully scope my unreality relationship provider,' and nan aforesaid attraction of keys besides raises breach risk."

The equilibrium betwixt catching criminals and protecting our privateness is tricky. We're expected to person definite rules and safeguards successful spot to guarantee nan 2 goals don't cancel each different out.

"The broader waste and acquisition is uncomfortable but clear," Soroko said. "We tin want criminals brought to justness and still insist connected tighter guardrails, beardown owed process, constrictive warrants, and defaults that do not silently move individual devices into escrowed encryption, because those defaults style everyone's privacy, not only nan privateness of group nether investigation."

Also: How to find your BitLocker betterment cardinal - and prevention a unafraid backup transcript earlier it's excessively late

BitLocker is simply a powerful and effective tool that Microsoft designed purposely to protect your backstage files from unwanted access. For that reason, you don't want to springiness up connected nan exertion simply because nan institution could determine that your information whitethorn beryllium up for grabs upon request.

"For nan mean Windows user, BitLocker still meaningfully protects you against a very communal threat, a mislaid aliases stolen powered-off laptop," Soroko added. "The drawback is cardinal custody. If your betterment cardinal is uploaded to your Microsoft relationship for convenience, Microsoft holds a transcript and has confirmed it tin supply that betterment cardinal erstwhile served pinch a valid ineligible order, which is what enabled nan FBI to unlock drives successful nan reported case."

How to cheque your BitLocker settings 

BitLocker is disposable successful Windows 11 Pro, 10 Pro, Enterprise, and Education. To cheque your BitLocker settings and reside immoderate privateness concerns astir storing nan cardinal successful nan cloud, travel these steps.

In Windows 11, spell to Settings, prime System, and past click About. Scroll down nan page to nan Related conception and prime nan mounting for BitLocker. 

Also: After mounting up Windows 11, these 9 steps are non-negotiable for me

In Windows 10, spell to Settings, prime System, and past click About. Look for nan Related settings conception connected nan correct aliases bottommost and click nan nexus for BitLocker Settings.

If BitLocker is off, see turning it on, particularly connected a laptop you transportation erstwhile traveling. If it's already turned on, click nan nexus to backmost up your betterment key.

Here, Microsoft offers respective options. Saving it to your Entra ID relationship aliases Microsoft relationship stores it successful nan cloud, which you want to avoid. Instead, take nan action to prevention it to a record aliases people it.

The safest measurement to shop your betterment key 

If you prevention it, shop it connected a USB instrumentality aliases different outer drive. The cardinal is stored successful a plain-text file. Keep nan USB instrumentality successful a unafraid place, aliases encrypt nan matter record and password-protect it. Windows won't fto you do that, truthful you'll request to usage a third-party compression instrumentality for illustration 7-Zip aliases WinRAR. If you people nan record pinch nan key, make judge you shop nan printout successful a safe and unafraid place.

Also: Windows 11 Home vs. Windows 11 Pro: I compared some versions, and this one's champion for your PC

Next, region nan BitLocker cardinal from nan unreality if you antecedently saved it there. Sign successful to your Microsoft relationship page, past look for nan conception connected BitLocker betterment keys. Check nan page for nan sanction of your computer, prime nan three-dot More Options icon astatine nan extremity of nan entry, and click Delete. Check nan container to bespeak that you've saved a transcript of your betterment key, past click Delete.

"If you want encryption without third-party cardinal escrow, support nan betterment cardinal retired of nan unreality and backmost it up yourself," Soroko advised. "Microsoft's ain guidance includes redeeming nan cardinal to a USB drive, redeeming it arsenic a file, aliases printing it, and it explicitly warns not to shop a USB cardinal backup pinch nan computer. In practice, a printed transcript successful a location safe aliases a safe deposit container positive an further transcript stored successful a well-secured password head is simply a workable equilibrium for galore people."