
MSFT Keeps Backup of Your Encryption Key on its Server ...


humble3d


MSFT Keeps Backup of Your Encryption Key on its Server — Here's How to Delete it...

Have you recently purchased a Windows computer?

Congratulations! Your new Windows computer has an inbuilt disk encryption feature that is turned on by default in order to protect your data in case your device is lost or stolen.

Moreover, in case you lose your encryption keys, don't worry: Microsoft has a copy of your Recovery Key.

But wait! If Microsoft already has your Disk Encryption Keys, then what's the use of using the disk encryption feature? Doesn't encryption mean only you can unlock your disk?
 
Microsoft Probably Holds your Encryption Keys

Since the launch of Windows 8.1, Microsoft has been offering disk encryption as a built-in feature for Windows laptops, Windows phones and other devices.

However, there is a little-known fact, highlighted by The Intercept: if you have logged into Windows 10 using your Microsoft account, your system has automatically and secretly uploaded a copy of your recovery key to Microsoft's servers, and you can't prevent device encryption from sending your recovery key.

Note: Do not confuse device encryption with BitLocker. Both work the same but have different configuration options. BitLocker offers users a choice whether or not they want to back up their Recovery keys on Windows server.

Why Should You Worry?

If a hacker hacks your Microsoft account, he can make a copy of your recovery key before you delete it (method described below).

Any Rogue employee at Microsoft with access to user data can access your recovery key.

If Microsoft itself gets hacked, the hacker can get their hands on your recovery key.

Even Law Enforcement or Spy agencies could request Microsoft to hand over your recovery key.

"Your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees," said Matthew Green, a cryptography professor at Johns Hopkins University.

How to Delete your Recovery Key from your Microsoft Account?

Although there's no way to prevent a new Windows computer from uploading the recovery key the very first time you log into your Microsoft account, you can delete the existing recovery key from your Microsoft account and generate a new one.

Follow these simple steps in order to remove your recovery key from your Microsoft account:

Step 1: Open this website and log in with your Microsoft Account.
Step 2: You will find a list of recovery keys backed up to your Microsoft Account.
Step 3: Take a backup of your recovery keys locally.
Step 4: Go ahead and delete your recovery key from your Microsoft Account.

Important Fact: Green also pointed out that even after deleting the recovery key from your Microsoft account, there is no guarantee that the key has been removed from the company's server.

Instant Solution: To solve this issue, Windows users are recommended to stop using their old encryption keys and generate a new one without sharing it with Microsoft.

How to Generate a New Encryption key (Without Sending a copy to Microsoft)?

Sorry, Windows Home Edition users, but Windows Pro or Enterprise users can create a new key by decrypting the whole hard disk and then re-encrypting it, this time in such a way that you will actually be asked how you want to back up your Recovery Key.

Step 1: Go to Start, type "Bitlocker," and click "Manage BitLocker."

Step 2: Click "Turn off BitLocker" and it will decrypt your disk.

Step 3: Once done, Click "Turn on BitLocker" again.


Step 4: Windows will then ask you how you want to back up your Recovery Key. Make sure you DO NOT SELECT "Save to your Microsoft Account." That's it.

Congratulations! 

Finally, the new Windows device you purchased specially for its disk encryption feature now has the feature enabled, and Microsoft can no longer unlock it.


Swati Khandelwal

Swati Khandelwal is Senior Technical Writer and Security Analyst at The Hacker News. She is a Technology Enthusiast with a keen eye on the Cyberspace and other tech related developments.

http://thehackernews.com/2015/12/windows-encryption-key-backup.html?
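
A way to check that the four BitLocker steps in the article above really produced a new recovery key, as an added example that is not part of the original article or post. It assumes an elevated PowerShell session on Windows Pro or Enterprise with the built-in BitLocker cmdlets; the state file path and the function name are hypothetical choices made for this example. Run it once before "Turn off BitLocker" and once after re-encryption has finished.

```powershell
# Added example: compares BitLocker recovery protector IDs before and after re-encryption.
# $StateFile is a hypothetical path chosen for this example.
param(
    [string]$MountPoint = 'C:',
    [string]$StateFile  = "$env:USERPROFILE\bitlocker-protectors-before.json"
)

function Get-RecoveryProtectorState {
    param([string]$MountPoint)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    # Only protector IDs are collected; the 48-digit recovery password is never written out.
    $ids = @($vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        ForEach-Object { $_.KeyProtectorId })
    [pscustomobject]@{
        VolumeStatus     = [string]$vol.VolumeStatus
        ProtectionStatus = [string]$vol.ProtectionStatus
        RecoveryIds      = $ids
    }
}

$now = Get-RecoveryProtectorState -MountPoint $MountPoint

if (-not (Test-Path $StateFile)) {
    # First run (before decrypting): remember which recovery protectors exist today.
    $now | ConvertTo-Json | Set-Content -Path $StateFile
    "Saved $($now.RecoveryIds.Count) recovery protector ID(s) to $StateFile"
    return
}

# Second run (after re-encrypting): any ID that survived means the old key is still valid.
$before = Get-Content -Path $StateFile -Raw | ConvertFrom-Json
$reused = @($now.RecoveryIds | Where-Object { $before.RecoveryIds -contains $_ })

if     ($now.VolumeStatus -ne 'FullyEncrypted') { "Volume is $($now.VolumeStatus); wait for encryption to finish." }
elseif ($now.ProtectionStatus -ne 'On')         { 'Volume is encrypted but protection is off (suspended).' }
elseif ($now.RecoveryIds.Count -eq 0)           { 'No recovery password protector present; there is no recovery key to fall back on.' }
elseif ($reused.Count -gt 0)                    { "Old recovery protector still present: $($reused -join ', ')" }
else                                            { "OK: only new recovery protector(s): $($now.RecoveryIds -join ', ')" }
```

The script only inspects the local volume; it cannot tell you what is stored in the Microsoft account, so the key list there still has to be checked by hand.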

 


After reading this and other threads and articles on how Windows 10 has major security and privacy features built-in, I am getting paranoid in using this OS.

It appears the NSA, KGB and others all worked with Microsoft in writing Windows 10.



The KGB, hahahaha. There is certainly A LOT of FUD; no one really knows what's going on (truly), without a doubt. All these websites are writing news articles giving their opinions about what Windows ten really is, what it is about, how it really operates and whatnot. Everyone loves to think they're the community expert; some do, and it spreads this so-called FUD (Fear, Uncertainty and Doubt). With that said, Microsoft does collect a lot of telemetry; they have said they are collecting this and that, and Microsoft is not being smart about properly addressing the claims of users worried about this FUD (very disappointing). I think, in my humble opinion, if you wish to use Windows ten, be careful with what you type. I would use a VPN or Tor, and don't type anything personal in Windows search, asking Cortana questions, or searching the internet using Edge (if you decide you want to use Edge, that is). Overall, Windows ten should come with a disclaimer (for now): use with caution, like yellow on a traffic stop light. Don't type or SAY anything personal when typing in Windows ten or speaking to Cortana and you should be OK; like I said, USE WITH CAUTION. If I'm forgetting anything, someone is going to mention it after reading this.

 

As for the copy of the decryption key, that article shows you how to remove it from Microsoft's servers and, just in case it's not totally removed, tells you how to fix that as well (for the tl;dr users).



Archived

This topic is now archived and is closed to further replies.
