Disclaimer: I am not trying to give tips to the bad guys. But given the fact that I have been emailed about this repeatedly since this story broke, I felt that I needed to respond.
Late last week, news broke that Microsoft not only will hand over Bitlocker keys to law enforcement, but it has done so.
Wait, what are Bitlocker keys? Glad that you asked that question.
Microsoft Windows 11 has a full disk encryption feature called Bitlocker. The goal of Bitlocker is to keep your data on your laptop or desktop safe by encrypting it. And to decrypt it, you need a key to do that. So think of it like this. Your data is protected by a padlock. And you have a key to unlock it. That should keep it save from prying eyes.
But here’s the catch, Microsoft also has a key to your data and is willing to hand it over to law enforcement. Now this is likely making you think “wait, I didn’t give Microsoft a key to my data”. Well, actually you did. If you install Windows 11 and you turn on Bitlocker, assuming that it isn’t on already, you need to create a Microsoft account. The idea is that it will store the Bitlocker key in the cloud. The thing is, that the second you do that, Microsoft has access to that key. Now you can opt out of this, but it takes a lot of effort (the cynic in me says that this is deliberate on the part of Microsoft) to do that. And the average user isn’t going to go through that effort. So they take the easy way out.
If you’re still with me, you’re now likely thinking “wow, that’s a massive potential security risk for users.” And you’d be right. The fact that Microsoft can do this to anyone who uses Windows 11 with a Microsoft account is problematic to say the least. Contrast that with Apple who claims to have zero access to keys related to FileVault which is their full disk encryption feature, it creates a comparison that I am going to guess that Microsoft would rather you not make.
So, if this freaks you out, the question becomes what are your options to mitigate this risk. This is what I would suggest:
- Use A Local Account Instead Of A Microsoft Account: By installing Windows 11 with a local account, you avoid this completely as it doesn’t upload the Bitlocker keys to the cloud where Microsoft can get access to them. Microsoft shockingly has instructions as to how to do this here. But I would default to these instructions as they are a bit more straightforward.
- Don’t Use Bitlocker To Encrypt Your Disk: Alternatives to Bitlocker that I would actually recommend to people are few and far between. What I would recommend instead is using a self encrypting hard drive. The reason being is that Bitlocker is largely software encryption. That means that there is a bit of overhead in terms of the data being encrypted and decrypted. A self encrypting hard drive is hardware encryption which has substantially less overhead. Another plus that self encrypting drives have over Bitlocker is that these drives secure data in ways that make them difficult if not impossible to break into. Self encrypting drives can be installed in most laptops and desktops after purchase, or they can be added as options during the purchase process. Besides speed, these drives also adhere to standards such as FIPS 140-2 Level 3 validation. Which makes them ideal for environments where the security of data is paramount. The only thing that I would ensure is that you should make sure that the drive that you use adheres to the TCG Opal 2.0 specifications for maximum compatibility with applications that manage these drives. If you want to go down the rabbit hole on self encrypting drives, this will help you to do so.
Now should you worry about the fact that Microsoft will hand over your Bitlocker keys to law enforcement? One view is that if you’re not a bad guy you shouldn’t be concerned. Another view is that if you care about privacy, you should be concerned as someone outside of Microsoft might get their hands on these keys and use them for whatever evil purpose that they have in mind. Or Microsoft may start handing these keys over to non-law enforcement agencies or repressive governments or the like. The bottom line is that you have to look at this relative to your comfort level of letting Microsoft have access to the keys that protect your data. And take action based on that.
Related
This entry was posted on January 26, 2026 at 10:02 am and is filed under Commentary with tags Microsoft. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.
Microsoft Says That It Will Hand Over Your Bitlocker Keys To Law Enforcement… Should You Worry And What Can You Do To Protect Yourself
Disclaimer: I am not trying to give tips to the bad guys. But given the fact that I have been emailed about this repeatedly since this story broke, I felt that I needed to respond.
Late last week, news broke that Microsoft not only will hand over Bitlocker keys to law enforcement, but it has done so.
Wait, what are Bitlocker keys? Glad that you asked that question.
Microsoft Windows 11 has a full disk encryption feature called Bitlocker. The goal of Bitlocker is to keep your data on your laptop or desktop safe by encrypting it. And to decrypt it, you need a key to do that. So think of it like this. Your data is protected by a padlock. And you have a key to unlock it. That should keep it save from prying eyes.
But here’s the catch, Microsoft also has a key to your data and is willing to hand it over to law enforcement. Now this is likely making you think “wait, I didn’t give Microsoft a key to my data”. Well, actually you did. If you install Windows 11 and you turn on Bitlocker, assuming that it isn’t on already, you need to create a Microsoft account. The idea is that it will store the Bitlocker key in the cloud. The thing is, that the second you do that, Microsoft has access to that key. Now you can opt out of this, but it takes a lot of effort (the cynic in me says that this is deliberate on the part of Microsoft) to do that. And the average user isn’t going to go through that effort. So they take the easy way out.
If you’re still with me, you’re now likely thinking “wow, that’s a massive potential security risk for users.” And you’d be right. The fact that Microsoft can do this to anyone who uses Windows 11 with a Microsoft account is problematic to say the least. Contrast that with Apple who claims to have zero access to keys related to FileVault which is their full disk encryption feature, it creates a comparison that I am going to guess that Microsoft would rather you not make.
So, if this freaks you out, the question becomes what are your options to mitigate this risk. This is what I would suggest:
Now should you worry about the fact that Microsoft will hand over your Bitlocker keys to law enforcement? One view is that if you’re not a bad guy you shouldn’t be concerned. Another view is that if you care about privacy, you should be concerned as someone outside of Microsoft might get their hands on these keys and use them for whatever evil purpose that they have in mind. Or Microsoft may start handing these keys over to non-law enforcement agencies or repressive governments or the like. The bottom line is that you have to look at this relative to your comfort level of letting Microsoft have access to the keys that protect your data. And take action based on that.
Share this:
Like this:
Related
This entry was posted on January 26, 2026 at 10:02 am and is filed under Commentary with tags Microsoft. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.