Microsoft May Be Collecting Windows Disk Encryption Keys

If you recently bought a new Windows computer, Microsoft probably has your encryption key. Or at least that's the news that's causing a flurry of speculation as this holiday season winds down.

Disk encryption is built into Windows and turned on automatically. You have to turn it off yourself if you don't want to use it as a data protection mechanism in case your computer is lost or stolen. You may already know this.

"But what is less well-known is that, if you are like most users and login to Windows 10 using your Microsoft account, your computer automatically uploaded a copy of your recovery key -- which can be used to unlock your encrypted disk -- to Microsoft's servers, probably without your knowledge and without an option to opt out," said The Intercept's Micah Lee, who first reported the story.

In his article, Lee offers advice on "how to make it less bad." All you have to do is log into your computer using your Microsoft account and turn the feature off. But how bad is this vulnerability, really? Is it as bad as some technology news headlines suggest?
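The recovery key the article is talking about is a BitLocker key protector on the encrypted volume. The following PowerShell is an added example, not code from the article or from Microsoft: it lists the protectors on the system drive so you can see whether a recovery password exists, and then rotates that password so any copy that was backed up earlier no longer unlocks the disk. It assumes the BitLocker PowerShell module is available, an elevated shell, and that `$MountPoint` names the protected volume; rotating the key is a defender's follow-up step assumed here, in addition to the account-side step the article describes.

```powershell
# Added example (not from the article): inventory BitLocker key protectors on
# the system drive, then rotate the recovery password.
# Assumptions: BitLocker module present, elevated shell, $MountPoint is the
# protected volume.
$MountPoint = "C:"

$vol = Get-BitLockerVolume -MountPoint $MountPoint
Write-Host "Volume $($vol.MountPoint): ProtectionStatus=$($vol.ProtectionStatus) VolumeStatus=$($vol.VolumeStatus)"

# List every protector. A RecoveryPassword protector is the 48-digit key that
# the article says gets copied to the Microsoft account.
$vol.KeyProtector | ForEach-Object {
    Write-Host (" {0,-18} {1}" -f $_.KeyProtectorType, $_.KeyProtectorId)
}

$old = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

if ($old) {
    # Add a fresh recovery password first so the volume is never left without
    # one, then remove the old protectors. Any previously backed-up copy of the
    # old key is now useless for unlocking this disk.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    foreach ($p in $old) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }

    $fresh = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    Write-Host "New recovery password (store it offline, not in a cloud account):"
    $fresh | ForEach-Object { Write-Host " $($_.RecoveryPassword)" }
} else {
    Write-Host "No RecoveryPassword protector found on $MountPoint"
}
```

Run it once per encrypted volume and record the printed password somewhere that is not synced to an online account; if the new password is lost and the TPM protector fails, the data is unrecoverable.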

How Risky Is It?

We caught up with Craig Young, a cybersecurity researcher for advanced threat detection firm Tripwire, to get his thoughts on the controversial news.

Young told us that while this key backup behavior certainly presents an increased risk that someone may be able to bypass advertised encryption protections, it's important to consider the risk in context.

"In order for this 'vulnerability' to be exploited, an attacker must be able to both gain access to the backed up key and gain physical access to the encrypted storage," Young said. "There is essentially an infinitely long list of easier ways for an intruder to bypass disk encryption and retrieve data from a protected device...