Microsoft secretly backs up encryption keys to its servers

Dec 29, 2015 15:48 GMT

Microsoft has been quietly saving the recovery keys for its built-in disk encryption to its own servers on new Windows devices. Fortunately, for people who value their privacy, there's a way to remove that copy and make it useless.

First of all, we need to distinguish between device encryption and BitLocker. Beginning with Windows 8.1, Microsoft started offering standard, free device encryption, switched on automatically, on devices equipped with a tamper-resistant chip (TPM, Trusted Platform Module) that meet its other hardware requirements.

On Windows 8.1 and 10 Home, this is what you get. Microsoft's other editions, Pro and Enterprise, include device encryption as well, but add the full BitLocker Drive Encryption feature on top of it.

Technically, the encryption itself is the same: device encryption is BitLocker with a fixed configuration, turned on for you. What Home users lack is BitLocker's management surface, the BitLocker Drive Encryption page in the Control Panel, where users can decide what happens to their recovery key. Note that what gets backed up is the 48-digit recovery password, and that password is enough to unlock the drive without the TPM, so whoever holds it holds the data.

On new Windows devices that meet the requirements, disk encryption is enabled by default, and the first time a user signs in with a Microsoft account, a copy of the recovery key is automatically saved to Microsoft's servers (it ends up in OneDrive).

While not all users log into their Microsoft accounts, and not all people have recently bought a new Windows device, it may be useful to know how to remove this backup encryption key from Microsoft's servers.

Does Microsoft have my disk encryption key?

First of all, you'd want to know if Microsoft has a copy of any of your recovery keys. You can check this at onedrive.live.com/recoverykey, where you can also delete existing keys. Before deleting anything, write the most recent key down on a piece of paper or copy it to a file on a drive that is not synced to the cloud: if the TPM ever refuses to unlock the disk (after a firmware update or a hardware change, for instance), that 48-digit key is the only way back in.

From this page users can remove the recovery key from Microsoft's servers, but deleting the copy is after the fact: anyone who obtained it beforehand still has a working key, and there is no guarantee that the next time a Windows Home user signs in with his account, that key won't be re-uploaded. Unfortunately, for Home users, there's no other way to use disk encryption without Microsoft having a copy of your encryption key.
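To know which key to look for on that page, you want the IDs of the recovery-password protectors on your own machine. The following PowerShell is an added example, not code from the article or from Microsoft; it assumes an elevated PowerShell on Windows 8.1/10 with the BitLocker cmdlets available (they ship with Pro and Enterprise; `manage-bde -protectors -get C:` prints the same IDs where the cmdlets are missing). The OneDrive page identifies each escrowed key by a short "Key ID", which corresponds to the leading characters of the protector GUID shown here.

```powershell
# Added example (not from the article): list the BitLocker / device-encryption
# recovery-password protectors on this machine so their IDs can be compared with
# the "Key ID" column at onedrive.live.com/recoverykey.
# Assumes: elevated PowerShell, BitLocker module present, default system drive.

function Get-LocalRecoveryKeyInfo {
    param([string]$MountPoint = $env:SystemDrive)   # e.g. "C:"

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

    # TPM presence is what decides whether device encryption was switched on at all.
    $tpmPresent = try { (Get-Tpm).TpmPresent } catch { 'unknown (TPM module not available)' }

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        TpmPresent       = $tpmPresent
        VolumeStatus     = $vol.VolumeStatus       # FullyEncrypted, FullyDecrypted, EncryptionInProgress, ...
        ProtectionStatus = $vol.ProtectionStatus   # "On" means the protectors are actually enforced
        EncryptionMethod = $vol.EncryptionMethod
        Protectors       = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
        # Full protector GUIDs; the OneDrive page shows the leading block of each.
        RecoveryKeyIds   = ($recovery | ForEach-Object { $_.KeyProtectorId }) -join ', '
        RecoveryKeyShort = ($recovery | ForEach-Object { $_.KeyProtectorId.Trim('{}').Split('-')[0] }) -join ', '
    }
}

Get-LocalRecoveryKeyInfo
```

If `RecoveryKeyShort` matches a Key ID listed on the OneDrive page, Microsoft holds a password that unlocks your drive right now; if the page lists IDs that no longer appear locally, those are leftovers from an earlier encryption and are safe to delete.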

In case you decide Microsoft knows too much about you already and you don't really need disk encryption, you can disable it under PC settings, "PC and devices -> PC info -> Device Encryption" on Windows 8.1 (or just search for "Device Encryption," which is faster and also works on Windows 10). Bear in mind that turning it off decrypts the drive in place, after which a lost laptop gives up its data to anyone.

In case you like and need disk encryption but don't want to bother with Microsoft's sneaky encryption key backup system, open source disk encryption systems exist, like VeraCrypt, or paid solutions like BestCrypt. Just check first that the tool supports encrypting the system (boot) volume on your machine's firmware and partition layout, since support is not universal.

How to make sure Microsoft never gets my encryption key again

For Windows Pro and Enterprise users, Windows also uploads a copy of the recovery key to Microsoft's servers by default when encryption was switched on automatically. Fortunately for them, there's a way to delete this key or make it obsolete. Unfortunately, unlike on a Mac, no choice is offered while setting up the computer, so a few steps need to be taken afterwards.

First, open the Control Panel and type "BitLocker" in the search field. On the BitLocker Drive Encryption page, if disk encryption is supported on your device, BitLocker will already be on. Turn it off. This decrypts the entire drive, so it will take some time; be patient.

BitLocker settings in the Windows control panel

Once BitLocker is off, turn it on again. This generates a new encryption key and a new recovery password, which makes any copy of the old one useless, and this time around BitLocker will ask what you want to do with the recovery key instead of silently sending it to Microsoft's servers the first time you sign in with your Microsoft account.

Here, three or four options will be presented (image below), and you can choose the one that fits your situation best: save it to a file, save it to a USB drive, or print it on paper. Just make sure not to pick "Save to your Microsoft account," since that defeats the whole purpose of this tutorial. Saving the file to the drive you are encrypting is equally pointless, so keep the copy on a USB stick or on paper, stored separately from the computer.

Once you've selected the option you wanted, the BitLocker encryption will ask you for all the usual encryption settings, and then prompt you to restart the computer.

To check whether your current key was uploaded to Microsoft's servers, or to delete older recovery keys, go as before to onedrive.live.com/recoverykey. None of the Key IDs listed there should match the recovery password now protecting your drive; any that remain are from the old key and can be deleted.
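The turn-off/turn-on procedure above works, but it decrypts and re-encrypts the whole drive. The same goal, making the escrowed 48-digit password useless, can be reached by rotating only the recovery-password protector: add a new one, save it offline, then delete the old one. The PowerShell below is an added example, not code from the article or from Microsoft; it assumes an elevated PowerShell on Windows 10 Pro/Enterprise, a fully encrypted system drive, and a placeholder backup path on removable media (`E:\bitlocker-recovery.txt`). The TPM protector is left untouched, so normal boot keeps working.

```powershell
# Added example (not from the article): make the escrowed recovery key obsolete
# WITHOUT decrypting the drive, by replacing the recovery-password protector.
# Assumes: elevated PowerShell on Windows 10 Pro/Enterprise, BitLocker module
# present, and a backup path on a USB stick (placeholder, adjust to your drive).

function Rotate-BitLockerRecoveryPassword {
    param(
        [string]$MountPoint = $env:SystemDrive,          # e.g. "C:"
        [Parameter(Mandatory)][string]$BackupPath        # e.g. 'E:\bitlocker-recovery.txt'
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        throw "$MountPoint is $($vol.VolumeStatus); finish encryption before rotating keys."
    }
    if ((Split-Path -Qualifier $BackupPath) -eq $MountPoint) {
        throw "Refusing to store the recovery password on the drive it unlocks."
    }

    $oldIds = @($vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        ForEach-Object { $_.KeyProtectorId })

    # 1. Add the new recovery password first, so the drive never lacks one.
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $new = $vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' -and $_.KeyProtectorId -notin $oldIds }

    # 2. Save it offline. Nothing here talks to OneDrive or the Microsoft account.
    @(
        "BitLocker recovery password for $MountPoint on $env:COMPUTERNAME",
        "Key ID:   $($new.KeyProtectorId)",
        "Password: $($new.RecoveryPassword)"
    ) | Set-Content -Path $BackupPath -Encoding ASCII

    # Re-read the backup before destroying the old key; a failed write would lock you out.
    if (-not (Get-Content -Path $BackupPath | Select-String -SimpleMatch $new.RecoveryPassword)) {
        throw "Backup at $BackupPath does not contain the new password; old protectors left in place."
    }

    # 3. Now the old 48-digit password (the one Microsoft has) no longer unlocks the drive.
    foreach ($id in $oldIds) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $id | Out-Null
    }

    # 4. Show what remains: the TPM protector plus exactly one new RecoveryPassword.
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Select-Object KeyProtectorType, KeyProtectorId
}

# Usage (with a USB stick mounted as E:):
# Rotate-BitLockerRecoveryPassword -BackupPath 'E:\bitlocker-recovery.txt'
```

After running it, revisit onedrive.live.com/recoverykey: the old Key ID can be deleted, and the new one should not appear. If it does, the device re-escrowed the fresh password on sign-in, which is the situation the article describes for Home users, and the decrypt/re-encrypt route with "Save to your Microsoft account" left unticked is the fallback.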

Thanks to Micah Lee from The Intercept for his research into Microsoft's disk encryption.

Popup asking users what to do with their encryption key
