Microsoft is storing a backup of your Windows encryption keys in the clouds, this is how you can delete it

If you have bought a new Windows based PC or laptop you will have used the all new disk encryption which is built-in and turned on by default,  This key is meant to protect your data in case your device is lost or stolen. However, one of unknown facts of this encryption key is that Microsoft stores a copy of it in the clouds.

Intercept’s Micah Lee has reported this little-known fact, where he pointed out that if an user has logged into Windows 8.1 or Windows 10 using the Microsoft account, the encryption keys which are generated by default are automatically uploaded to the Microsoft’s servers without the user’s knowledge. Also there is a no option the user to stop this process, hence the Windows user can’t prevent device encryption from sending your recovery key.

This is unlike BitLocker which offers three options to the user including an option on whether or not they want to backup their Recovery keys on Windows server. Though the logic behind this is that if you Windows PC/Laptop gets hacked, the encryption keys should not fall in the hands of the hacker while you can always log into your Microsoft account and access the keys.

However by the same logic, sharing your encryption keys with anybody, much less, Microsoft is not recommended. In case if the Microsoft servers are hacked, your encryption keys will be the lowest hanging fruits for the hackers. Also, if any Microsoft employee goes rogue, these encryption keys could fall into his/her hands. Perhaps the most important reason for not storing the encryption keys in the Microsoft server is that such data would be easily handed over to the authorities on presenting a valid warrant.

As Matthew Green, professor of cryptography at Johns Hopkins University puts it, “Your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees.”

While there is no way from preventing your Windows PC/Laptop from uploading the encryption keys to the clouds, there is a option given by Microsoft to delete such keys from the server if you wish.

Follow these simple steps in order to remove your recovery key from your Microsoft account:
Step 1: Open this website and log in with your Microsoft Account. Here you will find the list of all the recovery keys stored on the server.
Step 2: Take a backup of your recovery Keys locally preferably on a removable source (you should not store your encryption keys on the same machine which is uploading it.)
Step 3: Once you have backed up the keys, you can delete all the entries from the Microsoft Account.
Remember, deleting the keys from the server does not guarantee that they are completely removed from Microsoft records. Also, deleting the keys without taking backup will put your recovery options in a limbo.
You can also generate new keys without uploading the same to Windows servers using BitLocker configuration though this option is not available for Home users. Windows Pro or Enterprise users can create new key by decrypting whole hard disk and then re-encrypting the disk. However, when you are re-encrypting the disk, you use BitLocker instead.
For doing the same, go to Start, type “Bitlocker,” and click “Manage BitLocker.” Click “Turn off BitLocker” and it will decrypt your disk.
Microsoft is storing a backup of your Windows encryption keys in the clouds, this is how you can delete it
Once it has done decrypting, return to the Bitlocker by clicking “Turn on BitLocker” again.
Microsoft is storing a backup of your Windows encryption keys in the clouds, this is how you can delete it
Then Windows will ask you: How you want to backup your Recovery Key. Make sure to DO NOT SELECT “Save to your Microsoft Account.”
To be completely safe, if you dont want to involve Microsoft or Windows in the encryption process, betty try out third-party app like BestCrypt.