The Sleuth Journal

Windows 10 Covertly Sends Your Disk-Encryption Keys To Microsoft

There’s no way to turn off the “recovery” feature that sends your disk encryption keys to Microsoft by default, without notice — though you can (and should) ask Microsoft to forget the keys later.

The new disk encryption protocol in Windows 10 is in stark contrast with Microsoft’s Bitlocker product, a hardcore, Fed-infuriating full-disk encryption system that allows you to decide whether or not to escrow your keys with Microsoft.

Windows 10 has many unprecedented anti-user features: a remote killswitch that lets it disable your hardware; keylogging and browser-history logging that, by default, sends it all to Microsoft, and a deceptive “privacy mode” that continues to exfiltrate your data, even when you turn it on.

As soon as your recovery key leaves your computer, you have no way of knowing its fate. A hacker could have already hacked your Microsoft account and can make a copy of your recovery key before you have time to delete it. Or Microsoft itself could get hacked, or could have hired a rogue employee with access to user data. Or a law enforcement or spy agency could send Microsoft a request for all data in your account, which would legally compel them to hand over your recovery key, which they could do even if the first thing you do after setting up your computer is delete it.