[Source]: Microsoft Gave FBI a Set of BitLocker Encryption Keys to Unlock Suspects' Laptops
Microsoft provided the FBI with the recovery keys to unlock encrypted data on the hard drives of three laptops as part of a federal investigation, Forbes reported on Friday.
Many modern Windows computers rely on full-disk encryption, called BitLocker, which is enabled by default. This type of technology should prevent anyone except the device owner from accessing the data if the computer is locked and powered off.
But, by default, BitLocker recovery keys are uploaded to Microsoft's cloud, allowing the tech giant — and by extension law enforcement — to access them and use them to decrypt drives encrypted with BitLocker, as with the case reported by Forbes.
[...] Microsoft told Forbes that the company sometimes provides BitLocker recovery keys to authorities, having received an average of 20 such requests per year.
[Also Covered By]: TechCrunch
« This May Be The Grossest Eye Pic Ever—but the Cause is What’s Truly Horrifying | UK MPs Call for AI Stress Testing in Financial Services »
Related Stories
You can determine "if you're at risk and take action today:
If you think your Windows computer is safe from prying eyes, think again. A new report reveals that Microsoft has the encryption keys to your hard drive, and it can even give them out to law enforcement, including the FBI. Here's what you need to know and what you can do to stop it from happening to you.
In a stunning breach of personal privacy and security, Microsoft admitted in January that it provided the FBI with the BitLocker recovery keys to three different Windows PCs that were linked to suspected COVID unemployment assistance fraud in Guam. With these keys, the FBI was able to access the files on those devices as part of its investigation.
[...] The Redmond tech giant received its first request from a government official during the Obama administration in 2013. Although the engineer who spoke with the official reportedly declined to build a back door into Windows that would give the government unbridled access to user files, Microsoft still admits to turning over BitLocker recovery keys to law enforcement as recently as 2025. According to the report, Microsoft receives approximately 20 access requests from the FBI per year.
[...] You are not at risk if ...
- You use a Windows PC without a Microsoft account. (You haven't logged into the system with your Outlook email address.)
- You use a Windows PC with a Microsoft account but you chose a local recovery key backup option at activation.
- You disabled BitLocker encryption when you set up your PC.
You are at risk if ...
- You use a Windows PC with a Microsoft Outlook account and you chose to back up your BitLocker recovery key to your account.
- Your PC is a work machine that's managed by your employer.
For those at risk, Microsoft promises that it only gives out encryption keys to lawful requests from the government. That said, if Microsoft can access your encryption keys, what's stopping a hacker from getting them? The problem with storing security keys on cloud servers is that anyone can reach them with the right password, login information, or exploit.
Previously: Microsoft Gave FBI a Set of BitLocker Encryption Keys to Unlock Suspects' Laptops
Related: Over Half a Million Windows Users are Switching to Linux
(Score: 5, Insightful) by sgleysti on Monday January 26, @12:24AM (15 children)
Full disk encryption is an excellent security measure.
At least in the US, the fifth amendment protects a right against self incrimination, which is intepreted to mean "revealing the contents of one's mind". Recovery keys stored in any medium are discoverable, and their production can be compelled.
It is best to use encryption that can only be unlocked by entering a password that is memorized and not recorded in any medium. Software providing such encryption includes Veracrypt on Windows and LUKS on Linux. Again, do not print, write down, or save in an unencrypted electronic medium the password or any recovery file that can unlock the volume.
(Score: 5, Informative) by sgleysti on Monday January 26, @12:58AM (7 children)
Whoever modded this funny, I'm not joking. What feels like a lifetime ago now, I briefly did some computer security work where these kinds of concerns were relevant. I'm not a lawyer though, so check my interpretation of the fifth for yourself. Clearly, given the article, full disk encryption that automatically stores recovery keys in Microsoft's cloud is of limited use if you care about your privacy in all situations.
(Score: 0) by Anonymous Coward on Monday January 26, @01:56AM (6 children)
I agree, and modded you "insightful" twice now.
It's possible that "funny" refers to the idea that anything Microsoft could be truly secure. My first reaction was "oh, the keys go to the Microsoft cloud? Well, so much for secure".
Some computers let you encrypt the HD through BIOS / UEFI. Is that secure, or are the keys seen by the OS (Windows) and can be also sent somewhere?
(Score: 5, Insightful) by sgleysti on Monday January 26, @02:10AM (4 children)
I'm not sure about the BIOS / UEFI thing. What you want is for all of the drive contents to be fully encrypted such that the computer won't boot until you enter a strong password that you have memorized. The encryption key should be derived from the password.
If the key is stored in a TPM or similar and all you're entering is a pin to open the TPM, that's not it. The device storing the key could have vulnerabilities or backdoors.
(Score: 1, Funny) by Anonymous Coward on Monday January 26, @02:49AM (3 children)
Thank you so much. Most of my computers are older, I doubt any have TPM (I have a few newer ones I'm not using (yet?)). If they do I'll disable it.
My plan is to set up a Linux machine to store stuff and it'll be encrypted with LUKS as you suggest. Frankly I'm not sure if I have anything that critical to worry about. I have a few important passwords in my head. More likely I'll encrypt one partition.
(Score: 4, Interesting) by sgleysti on Monday January 26, @03:26AM (2 children)
Well, TPM might be ok as far as it goes. If you care about privacy in the sorts of situations mentioned by this article, use encryption that relies on a memorized password only. Pretty sure it's possible to set up LUKS that way. You can still use the TPM for other stuff. Most LUKS guides I've seen either put the home folder in an encrypted partition or encrypt everything except the boot and EFI partitions. The latter is more secure.
(Score: 1, Funny) by Anonymous Coward on Monday January 26, @05:02AM (1 child)
I wish we could know who modded you "funny". Sigh. At least it's a positive.
Thank you again for the info.
I thought I've read of TPM hacks, including hacks into TPM-like stuff baked into CPUs. Which is why I'm hanging on to older hardware, and so far I'm just fine, even running Windows 7. 10 is far too vulnerable, and I don't have high bandwidth Internet to be able to support all the horrendous bug fixes with 10 or 11.
(Score: 1, Interesting) by Anonymous Coward on Tuesday January 27, @12:08AM
I stopped at WIN7 too, although my stable of workhorses still has several old DOS machines.
If I am designing something, it's the XP or WIN7 machine, they have the fastest graphics and run Spice, EAGLE, MathCAD, and several other programs. Programs that are mature, stable, and run independent with no dependencies on external permissions. I consider the modern stuff to be too constrained by DRM to be of any practical use. All Hat, no Cattle. Just decorative swag to present to demonstrate sufficient wealth to have expensive, impractical things. Fancy sports cars. Expensive impractical clothing, jewelry,
When I sit before my machine, I have all sorts of technical motions to explore: maybe some math algorithms ( Mathcad ), maybe some interface that I wanna bit-bang on an LPT port first ( old DOS machine ). Or, most often, it's nothing more than a text file ( XP - specifically - as my XP machine is REALLY good at finding things! ) . I am in no mood to negotiate with some script demanding I agree to terms and conditions before it will work for me.
Those are business-grade machines. Useless for me. Those are for highly paid people who tell everyone else what to do. It's not for people who do it. Two completely different mindsets here, and we often clash - with the loser being me - but I walk away, layoff in hand, but knowing I am not the author of the likely result had I have been obedient.
My motivational poster is not that fine home with a four car garage filled with exotic cars. I have my own motivational posters. One is a picture of a plane stuck in a tree, another is the other is a photo of the result of an old steam locomotive that experienced rupture and explosive decompression of its main boiler. Reminds me that the Laws of Physics do not take orders from anyone, regardless of rank. Investors can always come up with more money to flush down the toilet, just as they can finance follies at Vegas and expensive toys. Leadership skills. Marketing skills. I am not all that good at that. I understand machines far better than I understand people. My conscience is not at peace when I have to kiss ass being an expendable minion to the hiring class. I'd rather work low level and avoid taking on responsibility for things I cannot control. I am extremely deterministic; I simply don't have a gambling mindset, nor the trust that others will act in what I perceive to be a rational manner. This is not engineering. It is the political science of how much you can get away with.
(Score: 4, Interesting) by Bentonite on Monday January 26, @04:38AM
Truly secure? Microsoft and secure do not belong in the same sentence, unless preceded by not.
In most cases, setting a BIOS/UEFI password for bootup, does not encrypt the drive - the computer just refuses to boot without the password.
Some HDD's and SSD's have the option of built-in encryption, which is dependent on BIOS/UEFI support for boot-drive support, but I wouldn't trust it, as it's easiest to implement a password system without any encryption, or if encryption is used, to store the encryption keys unencrypted - which would mean that anyone who knows the right low-level commands could read the contents of the drive.
In the controller-encrypted storage case, the windows isn't interested in the encryption keys, as the universal backdoor built into windows can just read the data off the drive normally (even if there wasn't a backdoor, microsoft could trivially install one out via an automatic update); https://www.gnu.org/proprietary/malware-microsoft.html [gnu.org]
(Score: 4, Touché) by Anonymous Coward on Monday January 26, @01:09AM (3 children)
I refer you to https://xkcd.com/538/ [xkcd.com]
'any medium' includes your wetware, in fact it's easier to extract passwords from your wetware than it is to locate a physical device containing recovery keys 'buried' in a forest.
Legality, when it comes to TLAs, is a somewhat elastic concept.
(Score: 4, Insightful) by sgleysti on Monday January 26, @07:32AM (1 child)
There are strong constitutional protections against such behavior. Although shitting on the constitution is apparently becoming more prevalent these days.
(Score: 2) by aafcac on Monday January 26, @04:18PM
There WERE strong constitutional prohibitions on that 30 years ago. SCOTUS decided that as long as it isn't happening on literal US soil. But, they can always take people to GITMO or to anywhere that's sufficiently close to the border so as to qualify to be in one of the constitution-free zones or use any number of other exceptions like claiming that the person is a terrorist and count on the cowards running the courts to OK it as usual. The US court system is only somewhat less corrupted than much of the rest of the government these days and I wouldn't assume that it being "unconstitutional" is any sort of guarantee that SCOTUS won't invent a reason why it's OK in this case.
(Score: 4, Informative) by Thexalon on Monday January 26, @12:58PM
But relevant here is that they can skip the "beat them with this $5 wrench" if they can instead go to the company that sells the proprietary tool and say "Here's a $0.05 piece of paper, open it up for us", and the company both can and does.
"Think of how stupid the average person is. Then realize half of 'em are stupider than that." - George Carlin
(Score: 3, Informative) by Username on Monday January 26, @03:38PM
Sounds like a good way to lock yourself out of your own data. Is my mp3 and pdf collection really worth encrypting? OS gets corrupted, reinstall, now i need to install the software, remember the name of it, the encryption method, the key, and hope it all works, but it probably won't. If the os got corrupted that bad, the encrypt files probably are too, and it's in a container of some kind, so if it's missing some bits i lose all the files instead of some if i just left it unencrypted.
(Score: 2) by VLM on Monday January 26, @04:19PM (1 child)
Waste of time and compute wattage. You don't have root on the software, OS, or hardware and you're not compiling your own software, certainly not your BIOS or your TPM chip firmware or keyboard controller for example.
Simply utilize the pre-built back door to log your keystrokes, compel discovery of the recorded keystrokes, wa la they have full access.
The reason we need fake "encrypted" storage services or web passkeys is to make it easier for corporations and governments to access your stuff without your permission, not harder. Passkeys especially.
(Score: 3, Insightful) by sgleysti on Monday January 26, @05:04PM
The point with full disk encryption is that the data on the disk at rest is strongly encrypted based on a password that you have memorized. I'm saying don't use TPM for this and don't use encryption software that backs up keys in the cloud. The password is entered at boot before the full OS initializes. They'd have to find a way to sneak a keylogger in that minimal part of the OS and then retrieve its output. It's a higher barrier than getting keys from Microsoft with a data request or just plugging in your drive.
(Score: 5, Interesting) by Anonymous Coward on Monday January 26, @02:29AM (7 children)
Microsoft isn't the only one with your keys. Beware your backups as well.
Backblaze doesn't publish data requests and warrant information that they receive. However, they say that all data is encrypted, and they _say_ that they don't have the encryption keys.
If you look at the strings in their exe, the private encryption key is transmit'ed to backblaze when it is configured and set up. They say they don't have it, they say that they can't recover your data if you lose your private key, but it's clear that they collect your private key when you create it with their app.
(Score: 5, Insightful) by Reziac on Monday January 26, @03:33AM (6 children)
I conclude from this discussion that encryption is mostly a placebo.
And there is no Alkibiades to come back and save us from ourselves.
(Score: 5, Informative) by Bentonite on Monday January 26, @04:43AM
Encryption is always a placebo when implemented with proprietary software that doesn't serve you.
Encryption works when it's implemented with free software that serves you and you don't install proprietary malware that spies on you.
(Score: 5, Insightful) by sgleysti on Monday January 26, @06:24AM (4 children)
If you encrypt the stuff yourself before sending it off to cloud storage, then the encryption is for sure effective. Just be sure to protect the key.
Encryption turns the problem of keeping information secret into keeping the encryption key secret.
(Score: 2) by Reziac on Monday January 26, @07:19AM (3 children)
Precisely.
Then comes the problem of when you've lost your key...
And there is no Alkibiades to come back and save us from ourselves.
(Score: 0) by Anonymous Coward on Monday January 26, @02:07PM
Ah yes, that's when you implement plan C: bend over, place your head between your knees, and kiss your ass goodbye?
(Score: 1, Funny) by Anonymous Coward on Monday January 26, @03:12PM
(Score: 0) by Anonymous Coward on Tuesday January 27, @05:11PM
[1]This can happen in countries like the UK.
(Score: 5, Informative) by canopic jug on Monday January 26, @12:13PM
TFA is a timely warning of why Europe (and other regions) need open, platform-independent digital ecosystems. And, coincidentally enough, the European Commission is soliciting input on just that topic now [europa.eu] through February 3rd, 2026. We even had a short discussion here on Poul-Henning Kamp's feedback to the EU on Digital Sovereignty [soylentnews.org] which could have been listed at the tail end of the summary.
However, to focus on the specifics raised in the article. There's no legitimate reason to do more that even look at BitLocker. If you're on GNU/Linux or M$ Windows, then LUKS is your best option. LUKS is easy to work with on GNU/Linux and presumable no harder than anything else on M$ Windows. If you've upgraded to FreeBSD, then use geli(8) [freebsd.org] or if you've made the full move and are on OpenBSD then softraid(4) [openbsd.org].
Kudos to Forbes for even raising the issue. Next time, I hope they bring up the fact that better options already exist.
Money is not free speech. Elections should not be auctions.
(Score: 2) by Rosco P. Coltrane on Tuesday January 27, @10:22PM
True professionals don't upload decryption keys to the cloud.
True professionals don't trust Microsoft.