Microsoft stores your Disk Encryption keys on its servers, but you shouldn’t be worried about it

by Ashwin, December 31, 2015

A couple of days ago, a report emerged claiming that Microsoft stores Disk Encryption keys on its servers.

Is this worth worrying about? Let’s analyse the situation.

But before that, what is encryption anyway?

It is a way of protecting data by scrambling it with a secret key, which on a PC is usually derived from a password you type or held by a chip such as the TPM. Without the key, nobody can read the data, let alone modify it; with the key, it can be decrypted and used as normal.

Now, Disk Encryption in Windows does the same thing, but for your entire system drive. Mind you, the feature this report concerns is Device Encryption, not the full BitLocker feature: it is built on the same BitLocker technology, but it switches itself on automatically and offers none of BitLocker’s configuration options.

When Device Encryption is enabled, Windows generates a key for the drive and seals it to the TPM, so the PC can unlock itself at boot. It also generates a separate 48-digit recovery key, the fallback that unlocks the drive when the TPM cannot. As it turns out, when you set the PC up with a Microsoft account, Windows uploads a copy of this recovery key to your OneDrive account, on Microsoft’s servers.

This only affects newer PCs that came with Windows 8.1 or Windows 10 pre-installed and that have a Trusted Platform Module (TPM), since Device Encryption requires one.

We have come across several reports at many tech blogs saying that this is unsafe and highly risky, and something about how a hacker who gains access to your Microsoft account can misuse it. Truth is, the key on its own is harmless: whoever holds your recovery key still needs the encrypted drive itself, and the key unlocks only that one drive. The realistic risk is the combination of the two, a stolen or seized laptop plus access to the key, whether through a compromised Microsoft account or a request served on Microsoft.

Should you still be worried about the company having your encryption key, you can always delete it from Microsoft’s servers manually.

How to delete your Disk Recovery key from OneDrive:

1. Head over to this page:

2. You will be asked to log in to your Microsoft account; do so.

3. The page will then tell you whether any BitLocker recovery keys are stored in your account.

4. If there are none, well and good. If there are, don’t worry: the page has an option that lets you delete the key.

Bear in mind that deleting the OneDrive copy does not change the key on the disk. If you want the old key to stop working altogether, you can disable Device Encryption on the PC, which decrypts the drive and renders the old key useless; turning it back on afterwards generates a fresh key. You can do so in any edition of Windows. The feature isn’t something recently introduced, either: it has been there since the days of Windows 8.1. Oh, and yes, it does get enabled when you sign into Windows with your Microsoft account (Hotmail or Outlook). The user isn’t notified that the recovery key will be saved in their cloud storage account, though.
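For readers who would rather not decrypt the whole drive just to invalidate the old key, the following PowerShell script goes one step beyond the article: it inspects the BitLocker/Device Encryption state of the system drive, lists its key protectors, and rotates the 48-digit recovery password in place, so any copy of the old one, in OneDrive or anywhere else, can no longer unlock the disk. This is an added example, not code from the original article or from Microsoft. It assumes Windows 8.1 or 10 with the BitLocker PowerShell module present, an elevated prompt, and that the drive to work on is C: (the `-MountPoint` parameter is the script’s own, adjust it as needed).

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original article.
# Assumes the BitLocker PowerShell module (Get-/Add-/Remove-BitLockerKeyProtector)
# is available and the script runs from an elevated PowerShell prompt.
param(
    [string]$MountPoint = 'C:',   # assumption: the OS drive is C:
    [switch]$Rotate               # without -Rotate the script only reports
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

Write-Host "Volume        : $($vol.MountPoint)"
Write-Host "Volume status : $($vol.VolumeStatus)"       # FullyEncrypted, FullyDecrypted, ...
Write-Host "Protection    : $($vol.ProtectionStatus)"   # 'On' means the keys are actually enforced
Write-Host "Cipher        : $($vol.EncryptionMethod)"

# Device Encryption normally shows up as a Tpm protector (unlocks the drive at boot)
# plus a RecoveryPassword protector (the 48-digit key that gets backed up to OneDrive).
Write-Host "Key protectors:"
$vol.KeyProtector | ForEach-Object {
    Write-Host (" - {0,-16} {1}" -f $_.KeyProtectorType, $_.KeyProtectorId)
}

$recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

if ($vol.ProtectionStatus -ne 'On' -or $recovery.Count -eq 0) {
    Write-Warning "No active recovery password on $MountPoint; nothing to rotate."
    return
}

if (-not $Rotate) {
    Write-Host "`nRe-run with -Rotate to replace the recovery password(s) listed above."
    return
}

# Order matters: add the new protector first so the drive is never left without
# a recovery path, then remove the old one(s). The Tpm protector is untouched,
# so the PC keeps booting without prompting for anything.
$after  = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$newId  = ($after.KeyProtector |
           Where-Object KeyProtectorType -eq 'RecoveryPassword' |
           Where-Object { $recovery.KeyProtectorId -notcontains $_.KeyProtectorId }).KeyProtectorId

foreach ($old in $recovery) {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $old.KeyProtectorId | Out-Null
    Write-Host "Removed old recovery protector $($old.KeyProtectorId)"
}

# Show the new key once so it can be stored offline (printed, or on a USB stick
# kept away from the PC). This script itself sends the key nowhere.
$fresh = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
         Where-Object KeyProtectorId -eq $newId
Write-Host "`nNew recovery key for $MountPoint (store it offline):"
Write-Host $fresh.RecoveryPassword
```

Run it once without `-Rotate` to see what is on the drive, then with `-Rotate` to swap the key. Afterwards, visit the OneDrive recovery key page from the steps above and confirm that only the key you expect (or none) is listed there; the script does not upload anything, but it also does not remove whatever Windows uploaded earlier.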

Microsoft News rightly observes that the Redmond company most likely stores the key online as a safety net: if the PC ever drops into BitLocker recovery (after a firmware update, a hardware change or, in the worst case, a failure the system doesn’t recover from) the recovery key is the only way to get at your data, and the copy in OneDrive means you still have one. That, in itself, is a good thing.

