The Intercept has written that if you have bought a Windows PC recently then Microsoft probably has your encryption key. This is a reference to Windows’ device encryption feature. We wrote about this feature when it was new, back when Microsoft introduced it in Windows 8.1 in 2013 (and before that, in Windows RT).
Device encryption is a simplified version of the BitLocker drive encryption that made its debut in Windows Vista in 2006. The full BitLocker requires a Pro or Enterprise edition of Windows and includes options such as integration with Active Directory, support for encrypting removable media, and the use of passwords or USB keys to unlock the encrypted disk. Device encryption is more restricted. It only supports internal system drives, and it requires the use of Secure Boot, Trusted Platform Module 2.0 (TPM), and Connected Standby-capable hardware. This is because Device encryption is designed to be automatic; it uses the TPM to store the password used to decrypt the disk, and it uses Secure Boot to ensure that nothing has tampered with the system to compromise that password.
The final constraint for Device encryption is that you must sign in to Windows with a Microsoft account or a Windows domain account to turn it on. This is because full disk encryption opens the door to all kinds of new data loss opportunities. If, for example, you have your system’s motherboard replaced due to a hardware problem, then you will lose access to the disk, because the decryption keys needed to read the disk are stored in the motherboard-mounted TPM. Some disk encryption users may feel that this is a price worth paying for security, but for an automatic feature such as device encryption, it’s an undesirable risk.
To combat that, device encryption stores a recovery key. For domain accounts, the recovery key is stored in Active Directory, but in the common consumer case, using a Microsoft account, it is instead stored in OneDrive. This recovery key can be used after, say, a motherboard replacement or when trying to recover data from a different Windows installation.
While device encryption is available in all versions of Windows 10, it has a particular significance in the Home version, where the full BitLocker isn’t available. Windows 10 Home also can’t use domain accounts. This means that if you enable device encryption (and on new systems that are set up to use Microsoft accounts, it may well be enabled by default) then the recovery key is necessarily stored on OneDrive.
If you have Windows 10 Home and want to encrypt your disk, but don’t want the recovery key to be stored in OneDrive, that’s OK; you can do it. Contrary to what The Intercept wrote, this doesn’t require a paid upgrade to Windows 10 Pro or Enterprise; Windows 10 Home can do it, too. The first step is simple: go to the list of recovery keys on OneDrive and delete any that you don’t want stored in the cloud. Microsoft says that the recovery key will soon be purged from backups. Someone wanting to get their recovery key off the cloud probably won’t trust that to keep them safe, so the next step is to create a new recovery key to replace the cloud one.
The instructions given here walk through the process of doing this. Windows 10 Home users will need to skip step 4—that step is only applicable to Windows domain accounts—but the other steps work correctly on Windows 10 Home.
The new key generated this way won’t be synced to OneDrive. It won’t be synced anywhere, so you’d be strongly advised to write it down or otherwise record it if you want to be able to recover your data.
Windows 10 will probably recognize that something is amiss; it will claim that no drives in the system support device encryption, and if you want to disable or otherwise reconfigure device encryption, you’ll have to do so using the command line. But there’s no need to decrypt the entire hard disk to do this, nor is there any need to buy a more expensive version of Windows.
It’s not necessary to re-encrypt the disk due to the way BitLocker (and most other full disk encryption systems) works. BitLocker uses a fast symmetric algorithm (by default 128-bit AES in XTS mode in the current version of Windows 10) for the bulk encryption of data on disk. The key used for this algorithm is itself stored on the disk, encrypted with a second key, typically using a slower asymmetric algorithm. It’s this second key that is stored in the system’s TPM or on a USB key or backed up to Active Directory or, in the case for device encryption, in OneDrive.
The AES key used for the bulk encryption and decryption never leaves your PC no matter how you use BitLocker. As such, the only thing necessary to prevent the OneDrive key from being usable to access your disk is to ensure that the AES key is encrypted with a different key. Following the steps linked above does precisely this.
If you later decide that you want to re-enable OneDrive syncing, however, the easiest way seems to be to turn off encryption entirely; this fixes up device encryption and lets Windows do its thing.
It may be true that Microsoft has the decryption keys to your encrypted hard disk if you bought a PC with Windows 10 or Windows 8.1 preinstalled, if it supports device encryption (we still come across machines that for one reason or another don’t support it or need reconfiguration to support it), and if you use a Microsoft account to log into Windows. But it isn’t a security disaster that they do, and if you aren’t happy that they do, it takes no more than a couple of minutes to delete the copy of the key they hold and then update your system to render their key useless. This can be done on any Windows version, even Home.