Surrender as a service: Microsoft unlocks BitLocker for feds
Updated: If you think using Microsoft’s BitLocker encryption will keep your data 100 percent safe, think again. Last year, Redmond reportedly provided the FBI with encryption keys to unlock the laptops of Windows users charged in a fraud indictment.
The government case [PDF], which claims defendants in Guam fraudulently collected pandemic unemployment benefits, represents the first publicly known instance of Microsoft providing BitLocker keys, according to Forbes.
BitLocker is a Windows security system that can encrypt data on storage devices. It supports two modes: Device Encryption, a mode designed to simplify security, and BitLocker Drive Encryption, an advanced mode.
For either mode, Microsoft “typically” backs up BitLocker keys to its servers when the service gets set up from an active Microsoft account. “If you use a Microsoft account, the BitLocker recovery key is typically attached to it, and you can access the recovery key online,” the company explains in its documentation.
The situation is similar for managed devices. “If you’re using a device that’s managed by your work or school, the BitLocker recovery key is typically backed up and managed by your organization’s IT department,” the company says.
Microsoft provides the option to store keys elsewhere. Instead of selecting “Save to your Microsoft Account,” customers can “Save to a USB flash drive,” “Save to a file,” or “Print the recovery key.”
But customers are encouraged to entrust keys to Microsoft because as long as they have access to the account online, they can recover the keys, effectively making Redmond their digital doorman. However, in such circumstances, customers no longer have total control over access to their data.
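For readers who want to see which protectors currently guard their own OS volume and move the recovery password out of Microsoft’s reach, the following PowerShell is an added example written for this page; it is not code from the article, from Microsoft, or from any of the documents quoted above. It assumes an elevated PowerShell session on a Windows machine with the built-in BitLocker module; the drive letter and the output path on a removable drive are constructed for illustration.

```powershell
# Added example (not from the article): audit the BitLocker key protectors on
# the OS volume, then rotate the 48-digit recovery password so that any copy
# escrowed to a Microsoft account during setup no longer unlocks the drive.
# Assumes an elevated session with the BitLocker module (Windows Pro/Enterprise).

$mount   = 'C:'
$outFile = 'E:\bitlocker-recovery-C.txt'   # constructed: a path on an offline USB stick

# 1. Inventory: which protectors can unlock this volume, and is protection on?
$vol = Get-BitLockerVolume -MountPoint $mount
"Volume {0}: status={1}, protection={2}" -f $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus
$vol.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId

# The RecoveryPassword protector is the value Windows offers to save to a
# Microsoft account. The cmdlets cannot tell you whether that upload happened;
# the account's recovery-key page is the only place to check.
$old = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
$oldIds = @($old | ForEach-Object { $_.KeyProtectorId })

# 2. Rotate: add a fresh recovery password. Add-BitLockerKeyProtector returns
#    the updated BitLockerVolume object, so pick out the protector that is new.
$updated = Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector
$newRp = $updated.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' -and $_.KeyProtectorId -notin $oldIds } |
    Select-Object -First 1

# 3. Save the new password offline (the article's "Save to a file" option),
#    rather than to the Microsoft account.
$record = @(
    "BitLocker recovery password for $env:COMPUTERNAME volume $mount"
    "Generated: $(Get-Date -Format o)"
    "Key protector ID: $($newRp.KeyProtectorId)"
    "Recovery password: $($newRp.RecoveryPassword)"
)
Set-Content -Path $outFile -Value $record

# 4. Only after the new password is safely stored, remove the old protector(s).
#    The escrowed copy of the old password is then useless against this volume.
foreach ($p in $old) {
    Remove-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $p.KeyProtectorId
}

# Confirm the result: exactly one RecoveryPassword protector, with the new ID.
(Get-BitLockerVolume -MountPoint $mount).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object KeyProtectorType, KeyProtectorId
```

Two caveats. Rotating the recovery password changes only that one protector; the full-volume encryption key and the TPM protector are untouched, which is what makes the rotation cheap and safe to do on a running system. And on a device managed by an organization, policy can back the new password up again automatically (the `Backup-BitLockerKeyProtector` and `BackupToAAD-BitLockerKeyProtector` cmdlets exist for exactly that), so on such a machine the IT department, not the user, decides where the key ends up.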
Apple offers a similar device encryption service called FileVault, complemented by its iCloud service. iCloud likewise has two modes: “Standard data protection” and “Advanced Data Protection for iCloud.”
With Standard data protection, Apple holds the encryption keys for iCloud data, with some exceptions (e.g. Passwords and Keychain). With Advanced Data Protection, the company has the keys only to iCloud Mail, Contacts, and Calendar.
Both Apple and Microsoft, like other companies, comply with government information demands they determine to be lawful. But they can’t provide keys they don’t control.
Apple says as much in its guidelines [PDF] for law enforcement: “All iCloud content data stored by Apple is additionally encrypted at the location of the server. For data Apple can decrypt, Apple retains the encryption keys in its US data centers. Apple does not receive or retain encryption keys for [a] customer’s end-to-end encrypted data.”
That’s not the case with BitLocker, where Microsoft may have access to encryption keys for a customer’s end-to-end encrypted data if the customer allowed that during setup.
Microsoft explains that it does not provide governments with its own encryption keys. But it does not make that commitment with regard to its customers.
“We do not provide any government with our encryption keys or the ability to break our encryption,” the company says in its law enforcement guidance. “In most cases, our default is for Microsoft to securely store our customers’ encryption keys. Even our largest enterprise customers usually prefer we keep their keys to prevent accidental loss or theft. However, in many circumstances we also offer the option for consumers or enterprises to keep their own keys, in which case Microsoft does not maintain copies.”
According to Microsoft’s most recent Government Requests for Customer Data Report, covering July 2024 through December 2024, the company received a total of 128 requests from law enforcement organizations around the world, 77 of which came from US authorities. Only four of the requests during that period, three in Brazil and one in Canada, led to the disclosure of content.
After this story was filed a Microsoft spokesperson said, “With BitLocker, customers can choose to store their encryption keys locally, in a location inaccessible to Microsoft, or in Microsoft’s cloud. We recognize that some customers prefer Microsoft’s cloud storage so we can help recover their encryption key if needed. While key recovery offers convenience, it also carries a risk of unwanted access, so Microsoft believes customers are in the best position to decide whether to use key escrow and how to manage their keys.”
“Microsoft is making a tradeoff here between privacy and recoverability,” said Erica Portnoy, senior staff technologist at the Electronic Frontier Foundation, in an email to The Register. “At a guess, I’d say that’s because they’re more focused on the business use case, where loss of data is much worse than Microsoft or governments getting access to that data. But by making that choice, they make their product less suitable for individuals and organizations with higher privacy needs. It’s a clear message to activist organizations and law firms that Microsoft is not building their products for you.” ®
