Monday, January 26, 2026

Microsoft Sharing BitLocker Keys With FBI

Zac Bowden (via Hacker News):

Microsoft has confirmed in a statement to Forbes that the company will provide the FBI access to BitLocker encryption keys if a valid legal order is requested. These keys enable the ability to decrypt and access the data on a computer running Windows, giving law enforcement the means to break into a device and access its data.

The news comes as Forbes reports that Microsoft gave the FBI the BitLocker encryption keys to access a device in Guam that law enforcement believed to have “evidence that would help prove individuals handling the island’s Covid unemployment assistance program were part of a plot to steal funds” in early 2025.

Lorenzo Franceschi-Bicchierai (Hacker News, Slashdot):

But, by default, BitLocker recovery keys are uploaded to Microsoft’s cloud, allowing the tech giant — and by extension law enforcement — to access them and use them to decrypt drives encrypted with BitLocker, as with the case reported by Forbes.

[…]

Apart from the privacy risks of handing recovery keys to a company, Johns Hopkins professor and cryptography expert Matthew Green raised the potential scenario where malicious hackers compromise Microsoft’s cloud infrastructure — something that has happened several times in recent years — and get access to these recovery keys.

It’s not surprising or improper that Microsoft would cooperate with law enforcement, but it may be surprising to many users that they had shared their recovery keys with Microsoft.

Eric Schwarz:

Microsoft has made it increasingly harder for individual consumers to set up a new PC without creating a Microsoft account. Between closing loopholes and fighting users who want to make local accounts, this means most people are unknowingly uploading their BitLocker keys to Microsoft’s servers. Whether intentional or not, the fact that Microsoft hasn’t designed a way to be out of the encryption key business is concerning.

Apple also strongly and repeatedly encourages users to store the FileVault recovery key on Apple’s servers. I was not able to find information about this in their security guide, but the situation should be better than with Windows because the recovery key is now stored in iCloud Keychain, which is end-to-end encrypted.

