Microsoft may have your encryption key; here’s how to take it back



    Posted: 30 Dec 2015

    It doesn't require you to buy a new copy of Windows.

    As happens from time to time, somebody has spotted a feature in Windows 10 that isn't actually new and has largely denounced it as a great privacy violation.

    The Intercept has written that if you have bought a Windows PC recently then Microsoft probably has your encryption key. This is a reference to Windows' device encryption feature. We wrote about this feature when it was new, back when Microsoft introduced it in Windows 8.1 in 2013 (and before that, in Windows RT).

    Device encryption is a simplified version of the BitLocker drive encryption that made its debut in Windows Vista in 2006. The full BitLocker requires a Pro or Enterprise edition of Windows, and includes options such as integration with Active Directory, support for encrypting removable media, and the use of passwords or USB keys to unlock the encrypted disk. Device encryption is more restricted. It only supports internal system drives, and it requires the use of Secure Boot, Trusted Platform Module 2.0 (TPM), and Connected Standby-capable hardware. This is because Device encryption is designed to be automatic; it uses the TPM to store the password used to decrypt the disk, and it uses Secure Boot to ensure that nothing has tampered with the system to compromise that password.
    Read more: http://arstechnica.com/information-t...-take-it-back/
    Posted By: Cluster Head
    30 Dec 2015


  1. Posts : 5,478
    2004
       #1

    Honestly, so what? I'm not shooting the messenger of course but this privacy stuff is getting silly.

    For this to be an issue you have to both have someone steal your device and secondly hack into your MS account. Having your bitlocker key without your disk is as useless as the other way around.

    Of course you can do as the article suggests

        "you'd be strongly advised to write it down"

    and stick it on a post-it under your keyboard presumably. I couldn't remember 9 blocks of 6 characters certainly.

    Nonetheless an interesting article for non Pro users (who can't use bitlocker). If you want bitlocker you would buy Pro. If you don't, device encryption is a good compromise as your data isn't just saved in the clear on your disk.


  2. Posts : 22,740
    Windows 10 Home x64
       #2

    lx07 said:
    Honestly, so what? I'm not shooting the messenger of course but this privacy stuff is getting silly.

    For this to be an issue you have to both have someone steal your device and secondly hack into your MS account. Having your bitlocker key without your disk is as useless as the other way around.

    Of course you can do as the article suggests

    and stick it on a post-it under your keyboard presumably. I couldn't remember 9 blocks of 6 characters certainly.

    Nonetheless an interesting article for non Pro users (who can't use bitlocker). If you want bitlocker you would buy Pro. If you don't, device encryption is a good compromise as your data isn't just saved in the clear on your disk.

    I read that as a real non issue, issue. Must be a slow news day??


  3. Posts : 487
       #3

    I've just looked at OneDrive Recovery Keys and Windows 10 Mobile recovery keys aren't stored there despite 'Device Encryption' being switched on. Neither does it show as encrypted under 'Storage', which begs the question, is 'Device Encryption' even on and if it is, where are the recovery keys stored for Windows 10 Mobile Devices?

    [Screenshot: -win-10-mobile-encryption.png]


  4. Posts : 5,478
    2004
       #4

    What if you look here though?

    [Screenshot: -capture.png]

    I blanked out the disks I'm still using (just in case).

    Are you saying phones aren't available? That could be a different problem I don't know about.


  5. Posts : 487
       #5

    lx07 said:
    Are you saying phones aren't available? That could be a different problem I don't know about.

    Nope, as you can see in the above screenshot, no recovery keys listed for Windows 10 Mobile and other than physically trying to access the data on a locked phone, there doesn't appear to be a way to tell if the device storage is actually encrypted or not other than the toggle switch to switch it on/off.


  6. Posts : 5,478
    2004
       #6

    You may be right but I don't have a phone to test. In any case this thread was about PC (specifically Windows 10 home not Pro) device encryption which can be used by some devices with only 10 home (but with TPM, UEFI etc) that would not normally be eligible to use bitlocker.

    There are others with MS phones here - you could ask in another thread perhaps.


  7. Posts : 1,557
    W10 32 bit, XUbuntu 18.xx 64 bit
       #7

    I read the article. How can it be done with Windows 10 home? It still wasn't clear enough for me. I didn't think Bitlocker could be enabled on windows 10 home.

    What I worry about with encryption is image backups, restores, partitioning and multi-boot systems; these make it harder to use Bitlocker or an encryption program. Another thing that would be an issue: I don't have a system reserve partition, so I would need to do a clean install of windows 10.


  8. Posts : 5,478
    2004
       #8

    groze said:
    I read the article. How can it be done with Windows 10 home? It still wasn't clear enough for me. I didn't think Bitlocker could be enabled on windows 10 home.

    There are 2 different things here.

    1. Bitlocker. You need 7 Enterprise or Ultimate or later. There are no hardware restrictions to speak of (only your MB must be able to recognize USB). You get better functionality if your system supports TPM. It is included in 8 Pro and 10 Pro (and Enterprise and Education).

    2. Secure Devices. This uses a cut down bitlocker for home users where the hardware requirements are somewhat higher. You need a device with fixed storage, TPM, UEFI and secure boot. At the end though it is the same system (although more limited) as normal bitlocker that doesn't have these requirements. Phones fall into this category but I don't know about that, sorry.

    groze said:
    What I worry about with encryption is image backups, restores, partitioning and multi-boot systems; these make it harder to use Bitlocker or an encryption program.

    Partitioning is irrelevant. I use bitlocker on my system C: drive, I have other partitions for other OS that are not encrypted or in the case of OSX encrypted with a different system (FileVault).

    Backups - You need to think about this. Macrium copes with bitlocker. Standard MS recovery doesn't (although you can make a PE image and add bitlocker support).

    groze said:
    Another thing that would be an issue: I don't have a system reserve partition, so I would need to do a clean install of windows 10.

    Easiest way, yes. Bitlocker does require an unencrypted partition. If you are booting a legacy BIOS system with only one C: partition you would have to make another for boot files to be on.
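
    An added example, not part of any post in this thread: a PowerShell check, run elevated on a PC, of the prerequisites post #8 lists (TPM, UEFI Secure Boot) and of the key protectors on the system drive. It assumes the BitLocker, TrustedPlatformModule and SecureBoot modules are available on the Windows edition in use; `Get-DeviceEncryptionReport` is a hypothetical helper name. It shows local state only and cannot tell whether a recovery key has been uploaded anywhere.

```powershell
#Requires -RunAsAdministrator
# Added example: report the device-encryption prerequisites named in the thread
# (TPM, UEFI Secure Boot) and the key protectors on the system drive.
# Assumption: the BitLocker, TrustedPlatformModule and SecureBoot modules exist here.

function Get-DeviceEncryptionReport {   # hypothetical helper name
    param([string]$MountPoint = $env:SystemDrive)

    # Confirm-SecureBootUEFI throws on legacy BIOS systems; treat that as "off".
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { }

    $tpm = Get-Tpm
    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # Protector types show how the volume key can be released:
    # Tpm = automatic unlock at boot, RecoveryPassword = the numeric recovery key.
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        SecureBoot       = $secureBoot
        TpmPresent       = $tpm.TpmPresent
        TpmReady         = $tpm.TpmReady
        VolumeStatus     = $vol.VolumeStatus       # e.g. FullyEncrypted, FullyDecrypted
        ProtectionStatus = $vol.ProtectionStatus   # On / Off
        EncryptedPercent = $vol.EncryptionPercentage
        ProtectorTypes   = $types -join ', '
        HasRecoveryKey   = $types -contains 'RecoveryPassword'
        # IDs only, so the report can be compared with a stored key list
        # without printing the recovery password itself.
        RecoveryKeyIds   = @($vol.KeyProtector |
                             Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
                             ForEach-Object { $_.KeyProtectorId })
    }
}

Get-DeviceEncryptionReport | Format-List
```

    A volume that reports FullyEncrypted with ProtectionStatus Off is encrypted on disk but its key is not yet protected, so both fields need reading together.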


  9. Posts : 487
       #9

    lx07 said:
    <Snip>In any case this thread was about PC (specifically Windows 10 home not Pro) device encryption

    It is about Device Encryption on Windows devices. That makes it relevant.

    Anyway, just for you...
    https://www.tenforums.com/antivirus-f...10-mobile.html
    Last edited by ARC1020; 30 Dec 2015 at 14:15.


 

Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.
