Microsoft gave FBI set of BitLocker encryption keys to unlock suspects' laptops

1 day ago (techcrunch.com)

FYI BitLocker is on by default in Windows 11. The defaults will also upload the BitLocker key to a Microsoft Account if available.

This is why the FBI can compel Microsoft to provide the keys. It's possible, perhaps even likely, that the suspect didn't even know they had an encrypted laptop. Journalists love the "Microsoft gave" framing because it makes Microsoft sound like they're handing these out because they like the cops, but that's not how it works. If your company has data that the police want and they can get a warrant, you have no choice but to give it to them.

This makes the privacy purists angry, but in my opinion it's the reasonable default for the average computer user. It protects their data in the event that someone steals the laptop, but still allows them to recover their own data later from the hard drive.

Any power users who prefer their own key management should follow the steps to enable Bitlocker without uploading keys to a connected Microsoft account.

  • > Any power users who prefer their own key management should follow the steps to enable Bitlocker without uploading keys to a connected Microsoft account.

    Except the steps to do that are: disable Bitlocker, create a local user account (assuming you initially signed in with a Microsoft account, because MS now forces it on you for Home editions of Windows), delete your existing keys from OneDrive, then re-encrypt using your local account and make sure not to sign into your Microsoft account or link it to Windows again.

    A much more sensible default would be to give the user a choice right from the beginning much like how Apple does it. When you go through set up assistant on mac, it doesn't assume you are an idiot and literally asks you up front "Do you want to store your recovery key in iCloud or not?"

    • > make sure not to sign into your Microsoft account or link it to Windows again

      That's not so easy. Microsoft tries really hard to get you to use a Microsoft account. For example, logging into MS Teams will automatically link your local account with the Microsoft account, thus starting the automatic upload of all kinds of stuff unrelated to MS Teams.

      In the past I also had Edge importing Firefox data (including stored passwords) without me agreeing to do so, and then uploading those into the Cloud.

      Nowadays you just need to assume that all data on Windows computers is available to Microsoft; even if you temporarily find a way to keep your data out of their hands, an update will certainly change that.

      59 replies →

    • Note that password-based Bitlocker requires Windows Pro which is quite a bit more expensive.

      > sign into your Microsoft account or link it to Windows again.

      For reference, I did accidentally log into my Microsoft account once on my local account (registered in the online accounts panel). While Edge automatically enabled synchronization without any form of consent on my part, it does not look like my Bitlocker recovery key is listed on https://account.microsoft.com/devices/recoverykey. But since I unlinked my account, it could be that it was removed automatically (but possibly still cached somewhere).

      1 reply →

    • You can turn it off without resorting to a local account, although it's non-obvious.

      GPEdit -> Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption → Operating System Drives → “Choose how BitLocker-protected operating system drives can be recovered”

      Repeat for other drives.

      2 replies →
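      The same policy as a script, as an added example that is not part of the comment above or of any Microsoft documentation. It writes the registry values that gpedit.msc writes for "Choose how BitLocker-protected operating system drives can be recovered" (and the fixed-drive equivalent), and additionally sets the switch that stops automatic device encryption, which is the path that escrows the recovery key to a signed-in Microsoft account. The value names under the FVE key are the ones I recall the policy template using and are an assumption: confirm them by toggling the setting in gpedit.msc and re-reading the key. Run elevated.

```powershell
# Added example (not the commenter's code). Applies the BitLocker recovery policy
# via the registry and blocks automatic device encryption. Requires an elevated shell.
#Requires -RunAsAdministrator

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'                   # BitLocker policy key (assumed)
$bde = 'HKLM:\SYSTEM\CurrentControlSet\Control\BitLocker'        # device-encryption switch (assumed)

function Set-PolicyValue {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

# 1. Operating system drives: allow a 48-digit recovery password and a recovery key
#    file, but do not store recovery information in a directory service and do not
#    make encryption wait for a successful backup.
Set-PolicyValue $fve 'OSRecovery'                     1   # policy enabled
Set-PolicyValue $fve 'OSManageDRA'                    0   # no data recovery agent
Set-PolicyValue $fve 'OSRecoveryPassword'             2   # 2 = allow 48-digit password
Set-PolicyValue $fve 'OSRecoveryKey'                  2   # 2 = allow 256-bit key file
Set-PolicyValue $fve 'OSHideRecoveryPage'             0   # keep the wizard's recovery page visible
Set-PolicyValue $fve 'OSActiveDirectoryBackup'        0   # do not back up recovery info
Set-PolicyValue $fve 'OSRequireActiveDirectoryBackup' 0   # do not require a backup first

# 2. Fixed data drives: the comment's "repeat for other drives".
Set-PolicyValue $fve 'FDVRecovery'                     1
Set-PolicyValue $fve 'FDVManageDRA'                    0
Set-PolicyValue $fve 'FDVRecoveryPassword'             2
Set-PolicyValue $fve 'FDVRecoveryKey'                  2
Set-PolicyValue $fve 'FDVActiveDirectoryBackup'        0
Set-PolicyValue $fve 'FDVRequireActiveDirectoryBackup' 0

# 3. Stop automatic device encryption from switching itself on (and escrowing its
#    recovery key). BitLocker can still be enabled by hand afterwards.
Set-PolicyValue $bde 'PreventDeviceEncryption' 1

gpupdate /target:computer /force | Out-Null

# 4. Show what is actually protecting each volume right now.
Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus, ProtectionStatus,
    @{ n = 'Protectors'; e = { ($_.KeyProtector | ForEach-Object KeyProtectorType) -join ',' } }
```

      Two caveats a practitioner will want: this policy governs backup to a directory service and what the setup wizard offers, and the comment's claim that it also covers the Microsoft-account upload is the commenter's, not something the script can prove, so check the account's recovery-key page after enabling BitLocker; and gpedit.msc is absent on Home editions, where whether BitLocker honours these registry values is something to verify rather than assume.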

    • > delete your existing keys from OneDrive

      This seems to go against principles of key management. If your key escrow peer has defected, the correct response is to rotate your keys.

      1 reply →

    • Does using the "manage-bde -protectors -add" command to add a device key encrypted by a local recovery key, followed by the "manage-bde -protectors -delete" command to delete the device key encrypted by the uploaded key not work?

    • They could have taken a more defence-in-depth approach to key storage and encrypted the cloud copy of the Bitlocker key with a random master key itself protected by a user password-derived key arrangement, with any crypto action occurring on the device to avoid knowledge of the plaintext key. That way the Bitlocker key stored in the cloud is opaque to Microsoft, and only by knowing the user's current cleartext password could they access the raw Bitlocker key.

      The current approach is weak, and strikes me as a design unlikely to be taken unless all the people involved were unfamiliar with secure design (unlikely IMO), or they intentionally left the door open to this type of access.

    • If I wanted privacy that couldn’t be broken by Microsoft I wouldn’t be using OneDrive.

      I would be using an operating system that wasn’t geared up to be cloud backed up and closed source.

    • >Except the steps to to that are disable bitlocker, create a local user account (assuming you initially signed in with a Microsoft account because Ms now forces it on you for home editions of windows), delete your existing keys from OneDrive, then re-encrypt using your local account and make sure not to sign into your Microsoft account or link it to Windows again.

      1. Is there any indication it forcibly uploads your recovery keys to microsoft if you're signed into a microsoft account? Looking at random screenshots, it looks like it presents you an option https://helpdeskgeek.com/wp-content/pictures/2022/12/how-to-...

      2. I'm pretty sure you don't have to decrypt and re-encrypt the entire drive. The actual key used for encrypting data is never revealed, even if you print or save a recovery key. Instead, it generates "protectors", which encrypt the actual key using the recovery key, then stores the encrypted version on the drive. If you remove a recovery method (i.e. protector), the associated recovery key becomes immediately useless. Therefore if your recovery keys were backed up to Microsoft and you want to opt out, all you have to do is remove the protector.

      1 reply →
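      The rotation the two comments above describe (the `manage-bde -protectors` question and the "just remove the protector" reply), written out as an added example; it is not code from either commenter. It adds a fresh recovery-password protector, saves it offline, removes every older recovery-password protector (including the one that was escrowed), and verifies the result. The data on disk and the volume master key are untouched, so nothing is re-encrypted. `Get-BitLockerVolume`, `Add-BitLockerKeyProtector` and `Remove-BitLockerKeyProtector` are the cmdlets in Windows' BitLocker module; the output file path and the event-log name used for the final check are my assumptions.

```powershell
# Added example (not the commenters' code). Rotates the recovery password on one
# volume so that any previously escrowed copy no longer unlocks anything.
#Requires -RunAsAdministrator
param(
    [string]$MountPoint = 'C:',
    # Assumed location; move this file off the machine once the script finishes.
    [string]$OutFile = "$env:USERPROFILE\Desktop\bitlocker-recovery-$($MountPoint.TrimEnd(':')).txt"
)

$before = Get-BitLockerVolume -MountPoint $MountPoint
$old = @($before.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
Write-Host "Existing recovery-password protectors on ${MountPoint}: $($old.Count)"

# 1. Add a new 48-digit recovery password. Windows generates it; read it back from
#    the returned volume object by picking the ID that was not there before.
$after = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$new = @($after.KeyProtector | Where-Object {
    $_.KeyProtectorType -eq 'RecoveryPassword' -and $_.KeyProtectorId -notin $old.KeyProtectorId
})
if ($new.Count -ne 1) { throw 'expected exactly one new recovery-password protector' }
$new = $new[0]

# 2. Save the new password offline BEFORE deleting the old ones. If a firmware or TPM
#    change trips recovery and no valid recovery password exists, the data is gone.
@(
    "Volume:            $MountPoint"
    "Protector ID:      $($new.KeyProtectorId)"
    "Recovery password: $($new.RecoveryPassword)"
) | Set-Content -Path $OutFile -Encoding ASCII
Write-Host "Saved new recovery password to $OutFile"

# 3. Remove the old protectors. The escrowed copy now decrypts nothing.
foreach ($p in $old) {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    Write-Host "Removed protector $($p.KeyProtectorId)"
}

# 4. Verify: exactly one recovery password remains and it is the new one.
$final = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($final.Count -ne 1 -or $final[0].KeyProtectorId -ne $new.KeyProtectorId) {
    throw 'protector rotation did not end in the expected state'
}

# 5. Did Windows quietly back the new protector up somewhere? Look for backup events
#    written since this script started. (Log name as I recall it; assumption.)
$logName = 'Microsoft-Windows-BitLocker/BitLocker Management'
Get-WinEvent -LogName $logName -ErrorAction SilentlyContinue |
    Where-Object { $_.TimeCreated -gt $before.KeyProtector.Count -and $_.Message -match 'backed up|backup' } |
    Select-Object TimeCreated, Id, Message |
    Format-List

# Equivalent steps with the classic tool:
#   manage-bde -protectors -get    C:
#   manage-bde -protectors -add    C: -RecoveryPassword
#   manage-bde -protectors -delete C: -id {old-GUID}
```

      The classic-tool comment at the bottom is the `manage-bde` form the first comment asked about. On a device that is still joined to a Microsoft or Entra account, Windows may escrow the new recovery password again on its own; the event-log check only reports what this machine logged, so also look at the account's recovery-key page afterwards.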

    • With Bitlocker it is still possible to have a single password-based key. But enabling that requires entering a few commands on the command line.

      4 replies →
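    The "few commands" the comment above alludes to, as an added example that is not the commenter's code. It puts a pre-boot secret in front of the OS volume so the machine asks for it at every start instead of releasing the key from the TPM silently: either TPM + PIN, or a password with no TPM involved (the single password-based key the comment mentions, which needs the "Allow BitLocker without a compatible TPM" policy). The FVE registry value names are what I recall the policy template writing and are an assumption; that Windows accepts a password protector on an OS volume once that policy is set is the scenario the comment describes, not something this script can check. Pro/Enterprise only, as another comment in this thread notes.

```powershell
# Added example (not the commenter's code). Adds a pre-boot PIN or password to C:.
# Mode 'TpmAndPin'    : TPM + PIN, PIN typed before Windows boots.
# Mode 'PasswordOnly' : password only, no TPM, needs the no-TPM policy set below.
#Requires -RunAsAdministrator
param(
    [ValidateSet('TpmAndPin', 'PasswordOnly')] [string]$Mode = 'TpmAndPin',
    [string]$MountPoint = 'C:'
)

# "Require additional authentication at startup" (value names assumed from the template).
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
New-ItemProperty -Path $fve -Name 'UseAdvancedStartup' -PropertyType DWord -Value 1 -Force | Out-Null
if ($Mode -eq 'PasswordOnly') {
    New-ItemProperty -Path $fve -Name 'EnableBDEWithNoTPM' -PropertyType DWord -Value 1 -Force | Out-Null
}

$prompt = if ($Mode -eq 'TpmAndPin') { 'Pre-boot PIN' } else { 'Pre-boot password' }
$secret = Read-Host -AsSecureString -Prompt $prompt
$vol    = Get-BitLockerVolume -MountPoint $MountPoint

if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    # Fresh volume: enable BitLocker with the chosen protector. Encryption runs in the
    # background; protection turns on once it finishes.
    if ($Mode -eq 'TpmAndPin') {
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -TpmAndPinProtector -Pin $secret -SkipHardwareTest
    } else {
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -PasswordProtector -Password $secret -SkipHardwareTest
    }
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
}
else {
    # Already encrypted, typically with a silent TPM-only protector from device
    # encryption. Order matters: make sure a recovery password exists first so the
    # volume is never left with no protector, then swap TPM-only for the new one.
    if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    }
    foreach ($p in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
    if ($Mode -eq 'TpmAndPin') {
        $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $secret
    } else {
        $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -PasswordProtector -Password $secret
    }
}

# Ensure a recovery password exists in every path, then print it for offline storage.
# Nothing here uploads it anywhere; that is the whole point of the exercise.
$rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($rp.Count -eq 0) {
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp  = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
}
Write-Host "Protectors now on ${MountPoint}: $(($vol.KeyProtector | ForEach-Object KeyProtectorType) -join ', ')"
Write-Host "Recovery password (store offline, NOT in a Microsoft account): $($rp[-1].RecoveryPassword)"
```

    After a reboot the firmware-stage BitLocker prompt should appear before the Windows login screen; if it does not, the TPM-only protector is still doing the unlocking, which is the condition a later comment in this thread describes as "not actually encrypted" from the user's point of view.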

    • You can encrypt a Bitlocker volume without syncing your keys even if you do log in with a Microsoft account, at least last time I was configuring Bitlocker.

  • > Any power users who prefer their own key management should follow the steps to enable Bitlocker without uploading keys to a connected Microsoft account.

    Once the feature exists, it's much easier to use it by accident. A finger slip, a bug in a Windows update, or even a cosmic ray flipping the "do not upload" bit in memory, could all lead to the key being accidentally uploaded. And it's a silent failure: the security properties of the system have changed without any visible indication that it happened.

    • There's a lot of sibling comments to mine here that are reading this literally, but instead, I would suggest the following reading: "I never selected that option!" "Huh, must have been a cosmic ray that uploaded your keys ;) Modern OS updates never obliterate user-chosen configurations"

      1 reply →

      This is correct. I also discovered while preparing several ThinkPads for a customer based on a Windows 11 image I made that, even if you have Bitlocker disabled, you may also need to check that hardware disk encryption is disabled as well (it was enabled by default in my case). Although this is different from Bitlocker in that the encryption key is stored in the TPM, it is something to be aware of as it may be unexpected.

    • If users are so paranoid that they worry about a cosmic ray bit flipping their computer into betraying them, they're probably not using a Microsoft account at all with their Windows PC.

      8 replies →

    • >A finger slip, a bug in a Windows update, or even a cosmic ray flipping the "do not upload" bit in memory, could all lead to the key being accidentally uploaded.

      This is absurd, because it's basically a generic argument about any sort of feature that vaguely reduces privacy. Sorry guys, we can't have automated backups in windows (even opt in!), because if the feature exists, a random bitflip can cause everything to be uploaded to microsoft against the user's will.

      7 replies →

    • > a cosmic ray flipping the "do not upload" bit in memory, could all lead to the key being accidentally uploaded.

      Nah, no shot.

  • You can always count on someone coming along and defending the multi-trillion dollar corporation that just so happens to take a screenshot of your screen every few seconds (among many, many - too many other things)

    • A big demographic of HN users are people who want to be the multi-trillion dollar corporation, so it’s not too surprising. In this case though I think they are right. And I’m a big time Microsoft hater.

      7 replies →

    • Sorry to interrupt the daily rage session with some neutral facts about how Windows and the law work.

      > that just so happens to take a screenshot of your screen every few seconds

      Recall is off by default. You have to go turn it on if you want it.

      4 replies →

    • AI enshittification is irrelevant here. Why is someone pointing out that sensible secure defaults are a good thing suddenly defending the entire company?

      20 replies →

    • Yes, because object level facts matter, and it's intellectually dishonest to ignore the facts and go straight into analyzing which side is the most righteous, like:

      >Microsoft is an evil corporation, so we must take all bad stories about them at face value. You're not some corpo bootlicker, now, are you? Now, in unrelated news, I heard Pfizer, another evil corporation with a dodgy history[1] is insisting their vaccines are safe...

      [1] https://en.wikipedia.org/wiki/Pfizer#Legal_issues

    • Microsoft doesn't take the screenshot; their operating system does if Recall is enabled, and although the screenshots themselves are stored in an insecure format and location, Microsoft doesn't get them by default.

      1 reply →

  • > If your company has data that the police want and they can get a warrant, you have no choice but to give it to them.

    Yes. The thing is: Microsoft made the design decision to copy the keys to the cloud, in plaintext. And they made this decision with the full knowledge that the cops could ask for the data.

    You can encrypt secrets end-to-end - just look at how password managers work - and it means the cops can only subpoena the useless ciphertext. But Microsoft decided not to do that.

    I dread to think how their passkeys implementation works.

    • > Yes. The thing is: Microsoft made the design decision to copy the keys to the cloud, in plaintext. And they made this decision with the full knowledge that the cops could ask for the data.

      Apple does this too. So does Google. This is nothing new.

      It's a commonly used feature by the average user who loses their password or their last device.

      During set up, they even explicitly inform the user that their bitlocker keys are being backed up to the cloud. And, you can still choose to use bitlocker without key escrow.

      1 reply →

  • Power users should stop bothering with Windows nonsense and install Linux instead so that they can actually have control over their system.

    It's 2026. The abuses of corporations are well documented. Anyone who still chooses Windows of their own volition is quite literally asking for it and they deserve everything that happens to them.

    • You only have to run through a modern Windows installer to understand how screwed you are if you install it. Last time I did this for a disposable Windows VM (a couple of years ago) I remember having to click through a whole bunch of prompts asking about all the different types of data Microsoft wanted my computer to send them. Often the available answers weren't "yes" or "no" but more like "share all data" vs "share just some data". After that I recall being forced to sign up for an outlook account just to create a local login unless I unplugged my network cable during the install. I've heard they have closed that loophole in recent installers.

      I'd already long since migrated away from Windows but if I'd been harbouring any lingering doubts, that was enough to remove them.

    • I’ll bite. What Linux distro currently has the nicest desktop experience? I work on a MacBook but my desktop is a windows PC that I use for gaming and personal projects. I hear Proton has made the former pretty good now, and the latter is mostly in WSL for me anyway. Maybe a good time to try.

      What do you suggest? I’ll try it in a VM or live usb.

      11 replies →

  • > Any power users who prefer their own key management should follow the steps to enable Bitlocker without uploading keys to a connected Microsoft account.

    The real issue is that you can't be sure that the keys aren't uploaded even if you opt out.

    At this point, the only thing that can restore trust in Microsoft is open sourcing Windows.

    • > The real issue is that you can't be sure that the keys aren't uploaded even if you opt out.

      The fully security conscious option is to not link a Microsoft account at all.

      I just did a Windows 11 install on a workstation (Windows mandatory for some software) and it was really easy to set up without a Microsoft account.

      8 replies →

  • I'm not sure how to do this on Windows, but to disable FileVault cloud key backup on Mac, go to `Settings > Users & Groups > click on the (i) tooltip next to your account` and uncheck "Allow user to reset password using Apple Account".

    This is a part of Settings that you will never see at a passing glance, so it's easy to forget that you may have it on.

    I'd also like to gently push back against the cynicism expressed about having a feature like this. There are more people who benefit from a feature like this than not. They're more likely thinking "I forgot my password and I want to get the pictures of my family back" than fully internalizing the principles and practices of self custody - one of which is that if you lose your keys, you lose everything.

  • MacOS has this feature as well. It used to be called "Allow my iCloud account to unlock my disk," but it keeps getting renamed and moved around in new MacOS versions. I think it's now tied together with remote password resets into one option called "allow user to reset password using Apple Account."

    • To be fair, which makes it even more ominous with Apple. At least Microsoft explicitly informs you during setup and isn't trying to hide it behind some vague language about "resetting password".

  • As someone who has benefited once from this, I have to say: good.

    In my humble opinion: the current state is better than no encryption at all. For example: laptop theft, scavengers trying to find pictures, etc. And if you think you are a target of either Microsoft or law enforcement, manage your keys yourself or go straight to Linux.

  • Exactly. And any halfway decent corporate IT setup would be managing the keys themselves as well (although I would imagine many third party tools could also be compelled to do this with a proper warrant)

    Bitlocker on by default (even if Microsoft does have the keys and complies with warrants) is still a hell of a lot better than the old default of no encryption. At least some rando can't steal your laptop, pop out the HDD, and take whatever data they want.

  • > It protects their data in the event that someone steals the laptop, but still allows them to recover their own data later from the hard drive.

    False. If you only put the keys on the Microsoft account, and Microsoft closes your account for whatever reason, you are done.

    • Yes, if someone steals your laptop at the same moment Microsoft bans you, you're done. What's the likelihood of that happening?

      done here meaning you've lost your data which uhhh, is currently on a drive in the hands of thieves, so what did you lose again?

      1 reply →

  • The "reasonable default" is to force the user to actually make the choice, probably after forcing the user to prove they understand the implications.

    • I don't think there's a good answer here.

      Users absolutely 100% will lose their password and recovery key and not understand that even if the bytes are on a desk physically next to you, they are gone. Gone baby gone.

      In university, I helped a friend set up encryption on a drive w/ his work after a pen drive with work on it was stolen. He insisted he would not lose the password. We went through the discussion of "this is real encryption. If you lose the password, you may as well have wiped the files. It is not in any way recoverable. I need you to understand this."

      6 weeks is all it took him.

      8 replies →

  • The "Microsoft gave" framing is the exact right wording, because Microsoft should never have had these keys in the first place. This is a compromise on security that sidesteps back doors on the low level and essentially transforms all Windows installations into Clipper-chip products.

  • You’re ignoring the international element. If I’m a Danish organisation then sure, the Danish government can compel me to do things.

    However a hostile foreign government has less control over me.

    As such using a tool of a hostile foreign government (Microsoft) needs to be understood and avoided.

  • > If your company has data that the police want and they can get a warrant, you have no choice but to give it to them.

    They can fight the warrant, if you don't at least object to it then "giving the keys away" is not an incorrect characterization.

    • In court? Not really. These warrants are on solid ground from a legal standpoint. To the point that fighting them could be a sanction-able kind of grandstanding.

    • This is my thought also. So they're only holding the keys to prevent anyone from whining about lost data, they don't actually want to be responsible.

  • > "Microsoft gave"

    While it is true that NSLs or other coercion tactics will force them to give out the keys, it is also true that this is only possible because Microsoft implemented a fatally flawed system where they have access to the keys.

    Any system where a third party has access to cleartext or the keys to decrypt to cleartext is completely broken and must not be used.

  • To be fair, if they didn't have BitLocker enabled at all, the FBI would have just scanned the hard-drive as-is. The only usefulness of BitLocker is if a stranger steals your laptop, assuming Microsoft doesn't hand out the keys to just anybody, your files should be safe, in theory.

  • It’s definitely better than no encryption at all, which would be what most people would have otherwise.

  • > Journalists love the "Microsoft gave" framing because it makes Microsoft sound like they're handing these out because they like the cops, but that's not how it works. If your company has data that the police want and they can get a warrant, you have no choice but to give it to them.

    I’m not sure how you’re criticizing the “gave” framing when you’re describing and stating Microsoft literally giving the keys to the FBI.

    • Because "gave" implies a favor or a one sided exchange. It implies that Microsoft is just giving away keys for no reason!

      Better, and more accurate wording, would be that "Microsoft surrendered keys" or "Microsoft ceded keys". Or "Microsoft legally compelled to give the keys". If Microsoft did so without a warrant, then "gave" would be more tonally accurate.

      In addition, none of this is new. They've been turning over keys when legally compelled to, for many years.

      Fun fact: Apple does this too. https://support.apple.com/en-us/108756

      1 reply →

  • > Journalists love the "Microsoft gave" framing because it makes Microsoft sound like they're handing these out because they like the cops, but that's not how it works. If your company has data that the police want and they can get a warrant, you have no choice but to give it to them.

    Often it is the case that companies hand over private data to law enforcement just by being asked for it nicely, no warrant needed.

  • Microsoft did give them. Just because they have a warrant doesn't mean keys should be handed over in any usable form. As indicated in the Forbes [0] article - both Meta and Apple have the exact same convenience in place (cloud backup) with none of the direct risk.

    So, yes. That is how it works: 1) Microsoft forces users to online accounts 2) Bitlocker keys are stored in an insecure manner allowing any US agency to ask for them. I intentionally say "ask for them" because the US government is a joke with respect to respecting its own citizens privacy [1] at this point.

    This type of apologetic half-truth on behalf of a multi-billion dollar corporation is getting old fast.

    [0] https://www.forbes.com/sites/thomasbrewster/2026/01/22/micro... [1] https://www.npr.org/2026/01/23/nx-s1-5684185/doge-data-socia...

    • The difference is Microsoft has the keys to your front door, Apple only has an encrypted copy of your house (but no key).

  • All that is true and the spin I focus on is can Microsoft have implemented it such that they have zero (ish) knowledge by default.

    We know iCloud has configurations that can’t be disclosed, and I wonder if there is a middle ground between "if you lose the recovery key you are stuffed" and maybe having a recovery key unlocked by a password, similar to ssh keys.

  • Hacker News defending corporate key escrow. Wow.

    > It protects their data in the event that someone steals the laptop, but still allows them to recover their own data later from the hard drive.

    It allows /anyone/ to recover their data later. You don't have to be a "purist" to hate this.

    • There is no other way for this to work that won't result in an absolutely massive number of people losing their data permanently who had no idea their drive was encrypted. Well there is, leave BitLocker disabled by default and the drive unencrypted. Now the police don't even have to ask!

      With this scheme the drive is recoverable by the user and unreadable to everyone except you, Microsoft, and the police. Surely that's a massive improvement over sitting in plaintext readable by the world. The people who are prepared to do proper key management will know how to do it themselves.

      Apple does the same thing with FileVault when you set up with your iCloud account where, again, previously your disk was just left unencrypted.

      2 replies →

  • >Any power users who prefer their own key management should follow the steps to enable Bitlocker without uploading keys to a connected Microsoft account.

    I have W11 with a local account and no Bitlocker on my desktop computer, but the sheer amount of nonsense MS has been doing these days has really made me question if 'easy modding*' is really enough of a benefit for me to not just nuke it and install Linux yet again.

    * You can get the MO2 mod manager running under linux, but it's a pain, much like you can also supposedly run executable mods (downgraders, engine patches, etc) in the game's context, but again, pain

  • 20 requests per year also doesn't sound like a privacy problem. These are people where the police got a search warrant for the hard drives.

    I'd be more concerned about access to cloud data (emails, photos, files.)

  • Correct me if I'm wrong, but isn't forcing you to divulge your encryption password compelled speech? So the police can crack my phone but they can't force me to tell them my PIN.

    • Yes, you cannot be compelled to testify against yourself, but Microsoft is under no such obligation when served a warrant because of third party doctrine. Microsoft holding bitlocker recovery keys is considered you voluntarily giving the information to a third party, so the warrant isn't compelling you to do anything, so not a rights violation.

      But, the 5th amendment is also why its important to not rely on biometrics. Generally (there are some gray areas) in the US you cannot be compelled to give up your password, but biometrics are viewed as physical evidence and not protected by the 5th.

    • Warrants are a mechanism by which speech is legally compelled.

      The 5th Amendment gives you the right to refuse speech that might implicate you in a crime. It doesn’t protect Microsoft from being compelled to provide information that may implicate one of its customers in a crime.

      2 replies →

    • They can't force you to tell them your PIN in some countries, but they can try all PINs, and they can search your desk drawer to find the post-it where you wrote your PIN.

      4 replies →

  • > Any power users who prefer their own key management should follow the steps to enable Bitlocker without uploading keys to a connected Microsoft account.

    You mean "Install Linux", because that's easier than dealing with the steps required to do that on Windows.

  • Unfortunately Microsoft are working hard to get rid of local accounts, meaning the alternative here isn't much of an alternative.

  • The reasonable default is transparency about it and 2FA for recovery scenarios. MS does not have to have the keys in the clear, as it is reasonable for any secrets you store.

  • So long as Microsoft also "give customer set of BitLocker encryption keys to unlock their own laptop" in the right set of conditions.

  • The problem is they don't make this clear to the user or make it easy to opt out. Contrast with how Apple does it.

  • If you are super concerned about your privacy, should you be using Windows anyway? Or any commercial OS for that matter?

  • The same is true for Apple laptops! Take a look in your Passwords app and you will see it automatically saves and syncs your laptop decryption key into the cloud.

    So all the state needs to get into your laptop is to get access from Apple to your iCloud account.

  • There needs to be more awareness of setting up W11 install ISOs, which can be modified to disable Bitlocker by default and disable the online account requirement.

    I recently needed to make a bootable key and found that Rufus out of the box allows you to modify the installer, game changer.

  • It would make me a lot less angry if Microsoft didn't go out of their way to force people to use a Microsoft account of course.

  • > This makes the privacy purists angry, but in my opinion it's the reasonable default for the average computer user.

    Absolutely not. If my laptop tells me that it is encrypted by default, I don't like that the default is to also hold a copy of the keys in case big brother wants them.

    Call me a "privacy purist" all you want, but it shouldn't be normal to expect the government to have access to a key to your house.

  • And the only reason windows uploads the keys is that Microsoft wants to help the government while fucking you.

  • I think this is a fair position and believe you're making it in good faith, but I can't help but disagree.

    I think the reasonable default here would be to not upload to MS servers without explicit consent about what that means in practice. I suspect if you actually asked the average person if they're okay with MS having access to all of the data on their device (including browser history, emails, photos) they'd probably say no if they could.

    Maybe I'm wrong though... I admit I have a bad theory of mind when it comes to this stuff because I struggle to understand why people don't value privacy more.

  • VeraCrypt exists for this reason or other open source programs. Why would you ever trust encryption to closed source?

  • Any power users should avoid Windows entirely.

    • This. Real "power users" (as opposed to people who aren't completely computer-illiterate) use the likes of Arch Linux and Gentoo and self-host whatever "cloud" services they need, they aren't running Windows and paying for Copilot 365 subscriptions.

  • > Journalists love the "Microsoft gave" framing because it makes Microsoft sound like they're handing these out because they like the cops, but that's not how it works.

    Companies know that putting themselves in a position where they can betray their users, means they will be forced to do so. Famously demonstrated when Apple had to ban the Hong Kong protest app [1]. Yet they continue to do it, don't inform their users, and in the rare occasion that they offer an alternative, it is made unclear and complicated and easy to get wrong [2].

    They deserve every ounce of blame.

    [1] https://news.ycombinator.com/item?id=46736345

  • This is a really bad take.

    The choice is not between honoring the warrant and breaking the law.

    They can go to a judge and fight the warrant. Other companies have done this.

    Microsoft won’t, one more reason I will never use anything from them.

  • > Journalists love the "Microsoft gave" framing because it makes Microsoft sound like they're handing these out because they like the cops, but that's not how it works. If your company has data that the police want and they can get a warrant, you have no choice but to give it to them.

    These two statements are in no way mutually exclusive. Microsoft is gobbling up your supposedly private encryption keys because they love cops and want an excuse to give your supposedly private data to cops.

    Microsoft could simply not collect your keys and then would have no reason or excuse to hand them to cops.

    Microsoft chose to do this.

    Do not be charitable to fascists.

  • Similar case with Apple devices. They default to backing up to Apple servers where they are unencrypted. So they can provide data to police if requested. But for anyone concerned about privacy they can use Advanced Data Protection which encrypts all their data and prevents Apple from reading it or recovering it.

    Definitely agree that choices like these are the most sane for the default user experience and that having these advanced options for power users to do with it what they want is a fair compromise. Wish more people were open to designing software for the average person and compromising on a middle ground the benefits both kinds of users.

  • > you have no choice but to give it to them

    Will they shoot me in head?

    What if I truly forgot the password to my encrypted drive? Will they also shoot me in the head?

    • Do they need to actually shoot you? Have you had a loaded gun pressed to your head and asked for your password?

      What about your wife's head? Your kids' heads?

  • Yeah guys, if it's encrypted by default, it's not a violation of user security or privacy expectations to have a set of master keys that you hold onto and give to third parties to decrypt user devices. I mean it was just encrypted by default... by default...

  • Microsoft could have done key backups to secure enclaves that will only return them to a user able to produce valid signatures using a backup code or otherwise they hold. Hell they were the ones that normalized remote attestation.

    But Microsoft chose to keep them plain text, and thus they are, and will continue to be abused.

    We must not victim blame. This is absolutely corruption on microsofts part.

  • >can compel Microsoft to provide the keys

    can they compel testimony? keys, passcodes and the like are usually considered testimony. did they try? the usual story here is that they don't have to, that the big corporations will turn over any info they have on request because they can and the government makes a better friend than a single user. the article mentions 20 "requests" per year on average but doesn't say anything about the government using force.

    I agree with your conclusion though: data you share with anyone is data you've shared with everyone and that includes your encryption keys. if that matters to you, then you need to take active steps to ensure your own security because compelled or not, the cloud providers aren't here to help keep you safe.

  • "They have no choice" because they're "just doing their job" and "following the law."

    Which are both choices. Microsoft can for sure choose to block the government and so can individual workers. Let's not continue the fascism-enabling narratives of "no choice."

  • None of this matters. XKCD. Hit him with this $5 wrench until he gives you the keys.

    • Mass surveillance through $5 wrench (and massive thug salary) attacks do not scale, but mass surveillance through turn-key decryption does.

  • This is a great reminder: if your device doesn't ask you for a pin/passphrase every time it turns on, it's not actually encrypted.

  • Also, this essay by Mickens at USENIX over a decade ago - https://www.usenix.org/system/files/1401_08-12_mickens.pdf

    Tl;dr - "Basically, you’re either dealing with Mossad or not-Mossad. If your adversary is not-Mossad, then you’ll probably be fine if you pick a good password and don’t respond to emails from ChEaPestPAiNPi11s@ virus-basket.biz.ru. If your adversary is the Mossad, YOU’RE GONNA DIE AND THERE’S NOTHING THAT YOU CAN DO ABOUT IT" (Mickens, 2014)

  • it's easy to design a system where the center doesn't have the key and thus can't be compelled.

    but they didn't do so.

    and it's surely just a coincidence, because m$ has always been such an ethical company.

    and it's surely not by design to centralize power by locking out competing criminals from the user's data, but not themselves.

    </s>

  • [flagged]

    • Microsoft shouldn't be uploading keys, but nor should they be turning bitlocker on without proper key backup. Therefore it should be left as an optional feature.

    • The quality of journalism you consume is highly dependent on the sources you choose. Some outlets still highly value journalistic integrity. I prefer to read those. Not that any of them are perfect. But it makes a huge difference and they typically provide a much more nuanced view. The Atlantic and the Wall Street Journal are good examples of this in my opinion.

  • >The defaults will also upload the BitLocker key to a Microsoft Account if available.

    >This is why the FBI can compel Microsoft to provide the keys.

    >in my opinion it's the reasonable default

    I really can't imagine what kind of person would say that with a straight face. Hanlon's razor be damned, I have to ask: are you a Microsoft employee or investor?

It's interesting how many comments these days are like, "well of course".

Back in the day hackernews had some fire and resistance.

Too many tech workers decided to rollover for the government and that's why we are in this mess now.

This isn't an argument about law, it's about designing secure systems. And lazy engineers build lazy key escrow the government can exploit.

  • > Back in the day hackernews had some fire and resistance.

    Most of the comments are fire and resistance, but they commonly take ragebait and run with the assumptions built into clickbait headlines.

    > Too many tech workers decided to rollover for the government and that's why we are in this mess now.

    I take it you've never worked at a company when law enforcement comes knocking for data?

    The internet tough guy fantasy where you boldly refuse to provide the data doesn't last very long when you realize that it just means you're going to be crushed by the law and they're getting the data anyway.

    • > I take it you've never worked at a company when law enforcement comes knocking for data?

      The solution to that is to not have the data in the first place. You can't avoid the warrants for data if you collect it, so the next best thing is to not collect it in the first place.

    • If you design it so you don't have access to the data, what can they do? I'm sure there's some cryptographic way to avoid Microsoft having direct access to the keys here.

  • > Too many tech workers decided to rollover for the government and that's why we are in this mess now.

    It has nothing to do with the state and has to do with getting the RSUs to pay the down payment for a house in a HCOL area in order to maybe have children before 40 and make the KPIs so you don't get stack-ranked into the bottom 30% and fired at big tech, or grinding 996 to make your investors richer and you rich-ish in the process if you're unlikely enough to exit in the upper decile with your idea. This doesn't include the contingent of people who fundamentally believe in the state, too.

    Most people are activists only to the point of where it begins to impede on their comfort.

  • You are talking about Microslop. They have never been against government and in fact have always been anti consumer and in war with any hacker ethos.

    There was no “back in the day” where big tech was on our side. Stop being a poser

  • > This isn't an argument about law, it's about designing secure systems

    False. You can design truly end-to-end encrypted secure system and then the state comes at you and says that this is not allowed, period. [1]

    [1] https://medium.com/@tahirbalarabe2/the-encryption-dilemma-wh...

    The engineers who developed this developed it to a spec that Microsoft demanded, which allows them to get into the system at any time. There was nothing lazy about it. This would be easily found by anyone who has the impetus to encrypt their drive. Don't put things on your work laptop that you don't want Dom down in IT reading all of it or Phil the police forensics dick

  • It's the natural result of this site catering not just to tech nerds but to ones chasing venture capital money. It's an industry that has never seen a dark pattern it didn't like. We have gone from "don't be evil" to "be evil if it makes the stonks go up"

  • yeah, every time someone says 'good, government must protect us from terrorists', they need to remember that sometimes

      govt := new_govt
      terrorist := you

  • Look around you. At least in my company half the programmers are H-1B Indians. They're not going to resist anybody with the risk of getting deported back to India.

  • I don’t see that at all. Instead, I think tech workers, including the engineers and the product managers, are correctly prioritizing user convenience over resistance to government abuse. It’s honestly the right trade off to make. Most users worry about casual criminals, not governments. Say a criminal snatching your laptop and accessing your files that way. If you worry about governments you should already know what to do.

  • And too many tech workers decided to rollover for the big companies too. Accepting and advocating whatever they do. Even when it is tricky, they can find a way to defend the big names, because they are big names, they know the way, they became big!

  • Unfortunately there's a loud contingent of incredibly proud idiots that post here as well that really like to pretend they know what they're doing.

    The people going 'well of course' or 'this is for the user' drive me insane here because as said, there are secure ways you can build a key escrow system so that your data and systems are actually secure. From a secure design standpoint it feels more and more like we're living in Idiocracy as people argue insecure solutions are secure actually and perfectly acceptable.

  • It’s not about engineers being lazy, it’s about money.

    Trying to resist building ethically questionable software usually means quitting or being fired from a job.

    • No this is lazy. Microsoft shouldn’t have access to your keys. If they do, anyone who hacks Microsoft (again) also has them.

    • I agree with you, but also think this is only true because we as an industry have been so completely corrupted by money at this point.

      In the 90s and 00s people overwhelmingly built stuff in tech because they cared about what they were building. The money wasn't bad, but no one started coding for the money. And that mindset was so obvious when you looked at the products and cultures of companies like Google and Microsoft.

      Today however people largely come into this industry and stay in it for the money. And increasingly tech products are reflecting the attitudes of those people.

  • > Back in the day hackernews had some fire and resistance

    Hackernews is a public forum, and the people here change constantly. "Back in the day" there were mostly posts about LISP and startup equity. It's obviously not the same people here now.

    > Too many tech workers decided to rollover for the government

    Again, not the same group of people. In the 2000s "tech workers" might have mostly been Californians. Now they're mostly in India. Differing perspectives on government, to be sure.

    > lazy engineers build lazy key escrow

    Hey you should know this one, because it's something that HAS stayed constant since "back in the day": The engineers have absolutely no say in this whatsoever.

  • This is such a lazy take and ignores that this is the only system that has the property of not losing data when users forget their passwords and lose (or likely never write down) their recovery key.

    That's it. That's the whole thing. Whatever "secure system" you build will not have this property and users will lose their data, be mad at you, and eventually you'll have to turn it off by default leaving everyone's data in plaintext. It's a compromise that improves security for people who previously left their disk unencrypted. It changes nothing for people who previously did their own key management.

    You won't be able to turn the first group into the second group. That's HN's "Average Familiarity" fallacy. The fact that basically every 2FA system has a means of recovering your account by removing it should tell you that even technical people are shit at key management.

    • Yep... I've seen exactly this happen. People losing data/access by their own fault and yet being extremely mad at the OS developer or the company they have an account with. And, no, it does not matter if you tell them 100 times that they are responsible for not losing their own keys/passwords, they will still be furious that you set up your system in (from their perspective) such a shitty way that it's even possible for a permanent lockout to happen.

  • Saying "of course" doesn't mean we agree with it or fail to try to resist it. It's simply not surprising that this happened.

    When you get high up in an org, choosing Microsoft is the equivalent of the old "nobody ever got fired for buying IBM". You are off-loading responsibility. If you ever get high up at a fortune 500 company, good luck trying to get off of behemoths like Microsoft.

  • It's why tech loves young engineers who just do what they're told, or old engineers only as long as they can't say no. Once you dig into the system and see how all the pieces fit together, you can't ethically or morally continue to participate any longer. Learned that the hard way. In the middle of an attempt at a midlife career change because of it, to maybe free myself to write software that needs to be written instead of having to have a retained lawyer on hand to wrangle employment contract clauses to keep my work belonging to me.

  • > Too many tech workers decided to rollover for the government and that's why we are in this mess now.

    It isn't really about the government. It's about a bunch of people trying to convince you that the locked-down proprietary closed source corporate crap that they use isn't in and of itself a security risk, no matter what the quality of the code that you've never seen is. Apple, Microsoft, Google etc. aren't your friends; no matter how brand loyal you are, they'll never care whether you're alive or dead.

    FOSS isn't your friend either, but they're not asking you to trust them. Any exposure to these world spanning juggernaut military and intelligence contractor companies is a security hole. It's insane that people (thinking of Europeans now) get fired up to switch from this stuff because Trump but not because of course you should. Instead they're busy calling being suspicious of Microsoft old and hatred of Apple's customer corral stuck up and the desire to own your own machine fanatical and judgemental. Have you ever considered that you've been programmed to say and encourage dumb stuff that is completely against your own interests and supports the interests of the people who sell things to you?

    You're convinced by the argument that people dumber than you have to be protected from their own machines (by corporations who have no interest in or obligation to protect them) - have you ever thought that people are saying the same thing about you? That you have to be protected from writing things you shouldn't write or talking to people you shouldn't be talking to? And the world isn't a meritocracy: the people on the top are inbred creeps. You've given up your freedom to dummies with marketing departments.

  • I used to be a principled freedom fighter. But others defected(thinking mostly about Apple users...). I promoted open source software, even dealing with the pains.

    So now I just use whatever I want. Someone else can be a tech moralist.

  • The median user's threat model doesn't include the government, but does include data loss, forgetting the password, or a thief stealing your laptop. Microsoft struck the right balance.

    I'm glad the knee-jerk absolutists are marginal, for one. A world run by you people would be much worse for anyone who isn't you.

    • The median user does not have a threat model.

      Ask a non techy user:

      * How do they backup their data/do they backup their data at all?

      * Do they know 3-2-1 rule? Are they following it?

      I bet 90% people will answer no to some of the questions.

      And data backup is much more of an everyday topic compared to disk encryption.

    • A world run by "those" people would lead to a less abusive and exploitive world; our current world is one based on suffering if you aren't extremely wealthy. I think I know which world I would rather join.

    • Today the median users threat model absolutely includes the government! They are snatching people up left and right, including their electronics.

      I don’t get how people like you trust the corporation or the government that much. If we were all more cognizant of security and privacy, it would be much harder for large orgs to break our society the way they are doing today.

    • The median user would be better off in a society where computers are not needed for daily life. The median user doesn't understand computers. In their life, computers only manifest as a tool of control imposed by the people who understand computers over those that don't.

      This is one such example.

      This sort of utilitarian nitpicking over the convenience of a "median" user is like maximizing the happiness of a cow on a factory farm. The cow would be better off if it did not exist at all. It is a matter of freedom and dignity.

My Linux drives are all encrypted, and one of the wonderful features of this is that there is no entity or force on this planet that can decrypt them.

What happens if I forget my keys? Same thing that happens if my computer gets struck by a meteor. New drive, new key, restore contents from backups.

It's simple, secure, set-and-forget, and absolutely nobody but me and your favored deity have any idea what's on my drives. Microsoft and the USGov don't have any business having access to my files, and it's completely theoretically impossible for them to gain access within the next few decades.

Don't use Windows. Use a secure operating system. Windows is not security for you, it's security for a hostile authoritarian government.

  • It's a good start, but FDE alone is still fairly easy to compromise in many cases. If you ever type the password under a camera, it may be leaked. If the device ever leaves your possession and you don't have secure boot, your bootloader can be trivially altered to leak the password. Then there are keyloggers. And cold boot attacks can often be done if your system is running.

  • > there is no entity or force on this planet that can decrypt them.

    At this point I think all of the modern, widely used symmetric cryptography that humans have invented will never be broken in practice, even by another more technologically advanced civilization.

    On the asymmetric side, it's a different story. It seems like we were in a huge rush to standardize because we really needed to start PQ encrypting data in transit. All the lattice stuff still seems very green to me. I put P(catastrophic attack) at about 10% over the next decade.

  • Yeah, if the drive can be encrypted by an external party that you didn't give permission, I'm not sure how it's really "encryption" other than burning cycles when doing writes.

Hear that? It's the sound of the year of the Linux desktop.

It's time - it's never been easier, and there's nothing you'll miss about Windows.

  • I've been trying to get my parents to move, but until Microsoft Office desktop is able to be run natively on there my parents won't entertain the subject.

    I've tried to get them to use the web version of office, I've tried to get them to use OnlyOffice and LibreOffice, I've even tried showing them LaTeX as a last ditch effort, but no, if it isn't true Microsoft Branded Office 2024, the topic isn't even worth discussing [1].

    I'm sure there are technical reasons why Wine can't run Office 2024, and I am certainly not trying to criticize the wine developers at all, but until I can show Wine running full-fat MS Office, my parents will always "miss" Windows.

    To be clear, I hate MS Office. I do not miss it on Linux. I'm pretty sure my parents could get by just fine with LibreOffice or OnlyOffice or Google Docs, but they won't hear it.

    I've also tried to get them to use macOS, since that does have a full-fat MS Office, I've even offered to buy them Macbooks so they can't claim it's "too expensive", and they still won't hear it. I love my parents but they can be stubborn.

    [1] Before you accuse me of pushing for "developer UI", LaTeX was not something I led with. I tried the more "normy-friendly" options first.

    • Your parents have a point. I've been switching most of my family's PCs to linux in the past few years and I miss Office. It is as easy to use as OnlyOffice and as powerful as LibreOffice for my tasks. There exists no equivalent on linux.

    • I recently helped my GF by proofreading something she wrote, which is a primarily Hebrew (RTL) Word document with English terms like units, numbers, and unpronounceable chemical names sprinkled in.

      If I had a dollar for every time MS Word failed to correctly handle the BIDI mix and put things in the wrong order, despite me repeatedly trying different ways to fix it, I'd be richer than Microsoft.

      On the contrary, Google Docs, LibreOffice, and pretty much every text box outside of MS Office can effortlessly handle BIDI mixing, all thanks to the Unicode Bidirectional Algorithm [1] being widely implemented and standardized.

      [1] https://unicode.org/reports/tr9/

    • I use macOS most of the time, but switch to a Windows VM for Excel. Without the same keyboard shortcuts, the macOS version ends up having a fraction of the power available to experienced users of the Windows version. For people who use Excel extensively, LibreOffice or Google Sheets would have to offer some remarkable new killer features to make it worth the switch. I don’t think feature parity alone would make the benefits of Linux outweigh the significant transition costs.

    • Is your last name Segurakreischer? Have them try - leave the Windows computer online and accessible, give your parents a linux box and have them use it exclusively unless they absolutely 100% need to get back on the Windows machine for some reason, and talk with you about it. Set up a NAS with an external HD and a shared folder on both the windows and linux box, so if they actually do need to go back to Windows, they aren't leaving anything stuck on the Linux box.

      That's a 100% easy peasy safe mode, the worst they're likely to encounter is a brief 2 minute call with you, and in the worst case scenario, they get to go back to Windows without having to be scared of losing anything.

  • Just remember, never use or recommend Debian-family (Ubuntu/Mint) or you will be back to Windows. Do not fall for the marketing term Stable, which means outdated and contains bugs that are already fixed.

    Fedora is my recommendation. I remind people Fedora is not Arch. Fedora is a consumer grade OS that is so good, I don't lump it in with the word Linux.

    • Fedora is good and fairly stable, but it has bugged on me a few times.

      In the past 3 years:

      - mouse/cursor issues due to some kernel upgrade I think, as Fedora stays close to upstream

      - unresponsive computer due to a bug in the AMD graphics driver

      Both were easy to fix (kernel cmdline change or just kept updating my computer), and I absolutely recommend Fedora. That's what I'd use if I had servers. But, you'll probably have to debug _some_ issues if you use something less-used like AMD.

    • I’ve tried multiple versions when trying to move away from Windows, but was always stuck with random inconsistencies everywhere. Eventually I had to choose the larger evil and chose Mac after paying for a week of lost productivity installing, setting up, fucking up, wiping, and installing random Linux distros.

    • Once you've got a bit of savvy, do Arch. But if you're looking for "good" and "just works" and you don't want to tinker and/or occasionally scream at your computer in inchoate fury, Fedora is the way.

      You can build your ideal fantasy setup piecewise, and I definitely recommend getting there, but Fedora is nice, and clean, and has plenty of "just works", and 99.999% of the problems you might run into, someone else has, too, and they wrote a treatise and tutorial on how to fix it and why it happened.

> Microsoft told Forbes that the company sometimes provides BitLocker recovery keys to authorities, having received an average of 20 such requests per year.

At least they are honest about it, but a good reason to switch over to linux. Particularly if you travel.

If microsoft is giving these keys out to the US government, they are almost certainly giving them to all other governments that request them.

  • It's not like companies have a choice. If they have a key in their possession and law enforcement gets an order for it, they have to provide it.

  • Why take the drastic step of switching to Linux (a difficult endeavor) when you can simply turn off key uploading?

    • Microsoft is known for regularly altering the deal. Just because you configure the OS to not upload keys today, does not mean that setting will be respected in the future.

    • Because that gives you a lot more control over your computer than just solving this particular issue. If you care about privacy it's definitely a good idea.

    • Because Microsoft absolutely will make it mandatory somewhere in the not so distant future.

    • you've baked in an unfounded assumption that bitlocker is even initially enabled intentionally by someone who knows that's a choice they can make:

      > Here's what happens on your Dell computer:

      > BitLocker turns on automatically when you first set up Windows 10 or Windows 11

      > It works quietly in the background, you won't notice it's there

      > Your computer creates a special recovery key (like a backup password) that's saved to your Microsoft account

      > You might be reading this article because:

      > Your computer is asking for a BitLocker recovery key

      ...such as after your laptop resets its tpm randomly which is often the first time many people learn their disk is encrypted and that there's a corresponding recovery key in their microsoft account for the data they are now unexpectedly locked out of.

      https://www.dell.com/support/kbdoc/el-gr/000124701/automatic...

  • All other governments is a stretch here, but the likelihood of at least one other government getting the same privileges is extremely high.

Based on the comments in the thread, I sense I will be in the minority, but for most consumers this is a reasonable default. Broadly speaking, the threat model most users are concerned with doesn't account for their government. The previous default is no encryption at rest, which doesn't protect from the most common threats, like theft or tampering. With BitLocker on, a new risk for users is created: loss of access to their data because they don't have their recovery key. You are never forced to keep your recovery keys in Microsoft's servers and it's not a default for corporate users.

  • I think it’s a reasonable default if Microsoft weren’t able to access your encryption keys.

    Apple has that figured out. Your keys can be stored in your cloud synced keychain but only you can decrypt that keychain.

    That’s why they couldn’t help the FBI to decrypt devices even when compelled.

    Microsoft should have done the same. They should never find themselves in a place where they can be compromised like this.

  • It's certainly a reasonable default. People lose or have their laptops stolen much more often than they get targeted by their governments.

    Though that doesn't mean Microsoft couldn't implement a way of storing these keys so that they can't be accessed by Microsoft. Still better than nothing though.

  • I'll always remember - when I was first learning about it, one of the interesting counter-arguments to ignoring privacy was "what if the Nazis come back, would you want them to have your data?". I suppose there's some debate these days, but hostile governments seem a lot closer than they were 10-15 years ago.

    Will this make people care? Probably not, but you never know.

I honestly love how HN is missing the forest for the trees, here, in the sense that ya’ll are upset Microsoft gave keys over for BitLocker to the feds but seemingly forget that Microsoft has been doing this in various forms since BitLocker released. Hell, they’ve given alphabet agencies tools that just pop the decryption in the field before, for intelligence work.

I trust BitLocker and Apple’s encryption to protect my stuff against snooping thieves, but I have never, ever assumed for a moment that it’d protect me against a nation-state, and neither should you. All the back-and-forth you see in the media is just what’s public drama, and a thin veil of what’s actually going on behind the scenes.

If there’s stuff you don’t want a nation state to see, it better be offline, on an OSS OS, encrypted with thoroughly audited and properly configured security tooling. Even then, you’re more likely to end up in jail for refusing to decrypt it [1][2].

[1] https://arstechnica.com/tech-policy/2020/02/man-who-refused-...

[2] https://www.vice.com/en/article/how-refusing-to-hand-over-yo...

Here's a story about what the FBI may do when they don't unlock the laptop:

https://cointelegraph.com/news/fbi-cant-be-blamed-for-wiping...

Perhaps next time, an agent will copy the data, wipe the drive, and say they couldn't decrypt it. 10 years ago agents were charged for diverting a suspect's Bitcoin, I feel like the current leadership will demand a cut.

  • This is my biggest fear wrt gov't search-and-seizure. I know the police won't be able to get at my juicy encrypted bits, but I also know they're vindictive bastards who'll be held to no accountability. Of course they'll wipe my drives just to get revenge for me "winning" by having blocked their access.

This happens with every company that has your sensitive info. When the government asks for your info, the companies provide it.

Some ways around this are to either not store sensitive user data on servers, or if that needs to happen then encrypt it with user supplied keys.
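The "encrypt it with user supplied keys" design from the comment above, as an added example that is neither the page's nor any vendor's code: the client wraps its recovery key under a passphrase-derived key before escrowing it, so the provider stores only a blob it cannot open and therefore cannot hand over in usable form. The account name, the 48-digit sample key and the passphrase are constructed; the HMAC counter-mode keystream is an assumption made to keep the example stdlib-only, where a deployed system would use a vetted AEAD such as AES-GCM.

```python
"""
User-held-key escrow for a disk recovery key (illustrative, not vendor code).

Constructed assumptions: the recovery key is a BitLocker-style 48-digit
string, the escrow service stores one opaque blob per account, and the
user's passphrase never leaves the client.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample value; not a real recovery key.
SAMPLE_RECOVERY_KEY = "111111-222222-333333-444444-555555-666666-777777-888888"


def _derive_keys(passphrase: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the passphrase with scrypt into separate encryption and MAC keys."""
    km = hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                        n=2 ** 14, r=8, p=1, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib-only stand-in for a vetted AEAD."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out.extend(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wrap_recovery_key(recovery_key: str, passphrase: str) -> Dict[str, str]:
    """Client side: encrypt-then-MAC the key under the passphrase; returns the escrow blob."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(passphrase, salt)
    pt = recovery_key.encode("utf-8")
    ct = _xor(pt, _keystream(enc_key, nonce, len(pt)))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def unwrap_recovery_key(blob: Dict[str, str], passphrase: str) -> Optional[str]:
    """Client side: verify the tag before decrypting; None on wrong passphrase or tampering."""
    salt, nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("salt", "nonce", "ct", "tag"))
    enc_key, mac_key = _derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return _xor(ct, _keystream(enc_key, nonce, len(ct))).decode("utf-8")


class EscrowService:
    """Models the provider: it stores and returns blobs; it never sees a passphrase or a plaintext key."""

    def __init__(self) -> None:
        self._store: Dict[str, Dict[str, str]] = {}

    def upload(self, account: str, blob: Dict[str, str]) -> None:
        self._store[account] = blob

    def fetch(self, account: str) -> Optional[Dict[str, str]]:
        return self._store.get(account)


def run_demo() -> Dict[str, object]:
    """Escrow, legitimate recovery, wrong passphrase, a tampered blob, and the provider's view."""
    service = EscrowService()
    passphrase = "constructed-example-passphrase"  # chosen by the user, kept client-side
    account = "alice@example.test"                 # constructed account name
    service.upload(account, wrap_recovery_key(SAMPLE_RECOVERY_KEY, passphrase))

    blob = service.fetch(account)
    assert blob is not None
    # Flip one bit of the stored ciphertext to model modification in storage or transit.
    tampered = dict(blob)
    tampered["ct"] = blob["ct"][:-2] + format(int(blob["ct"][-2:], 16) ^ 0x01, "02x")

    return {
        "user_recovers": unwrap_recovery_key(blob, passphrase) == SAMPLE_RECOVERY_KEY,
        "wrong_passphrase": unwrap_recovery_key(blob, "not-the-passphrase"),
        "tampered_blob": unwrap_recovery_key(tampered, passphrase),
        # What the provider (or whoever it hands the blob to) holds: ciphertext, not the key.
        "provider_sees_key": SAMPLE_RECOVERY_KEY.encode("utf-8").hex() in blob["ct"],
    }


if __name__ == "__main__":
    print(run_demo())
```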

This is by far one of the best advertisements for LUKS/VeraCrypt I've ever seen.

  • Agree, use Linux, use LUKS.

    PGP WDE was a preferred corporate solution, but now you have to trust Broadcom.

  • Sadly VeraCrypt is not optimized for SSDs and has a massive performance impact compared to Bitlocker for full disk encryption because the SSD doesn't know what space is used/free with VeraCrypt.

    • Forgive me this shameless ad :) with the latest performance updates, Shufflecake ( https://shufflecake.net/ ) is blazing fast (so much, in fact, that it exceeds the performance of LUKS/dm-crypt/VeraCrypt in many scenarios, including SSD use).

    • i want to see some real world numbers about that "massive" impact of trim, which is repeated regularly.

      first of all trim only affects write speed (somewhat), which is not really all that important for non-server use.

      it also has some impact on wear which is probably more interesting than its performance impact.

    • VeraCrypt can be set to pass through TRIM. It just makes it really obvious which sectors are unused within your encrypted partition (they read back as 00 bytes)

  • Remember when the original dev of TrueCrypt (the VeraCrypt predecessor) suddenly abandoned the project and wrote that people should use BitLocker instead? [1] [2]

    We now know that BitLocker is not secure, and an intelligent open source dev saying that was probably knowingly not saying the truth.

    The best explanation to me is that this was said under duress, because somebody wanted people to move away from the good TrueCrypt to something they could break.

    [1] https://truecrypt.sourceforge.net

    [2] https://en.wikipedia.org/wiki/TrueCrypt#End_of_life_announce...

    • alternatively, they knew truecrypt/veracrypt to be irreparably compromised, and while bitlocker may be backdoored in the same way, it is at least maintained

So theoretically if you lose the key, you can self-report for some small crime and get your laptop decrypted.

This is almost certainly users who elect to store their BitLocker keys in OneDrive.

Don't think Apple wouldn't do the same.

If you don't want other people to have access to your keys, don't give your keys to other people.

  • In Apple's case, starting with macOS Tahoe, Filevault saves your recovery key to your iCloud Keychain [0]. iCloud Keychain is end-to-end encrypted, and so Apple doesn't have access to the key.

    As a US company, it's certainly true that given a court order Apple would have to provide these keys to law enforcement. That's why getting the architecture right is so important. Also check out iCloud Advanced Data Protection for similar protections over the rest of your iCloud data.

    [0] https://sixcolors.com/post/2025/09/filevault-on-macos-tahoe-...

  • You shouldn't include Apple in this.

    As of macOS Tahoe, the FileVault key you (optionally) escrow with Apple is stored in the iCloud Keychain, which is cryptographically secured by HSM-backed, rate-limited protections.

    You can (and should) watch https://www.youtube.com/watch?v=BLGFriOKz6U&t=1993s for all the details about how iCloud is protected.

    • You can (and should) read Mr. Fart's Favorite Colors as a response, explaining how "perfect" security becomes the enemy of principled security: https://medium.com/@blakeross/mr-fart-s-favorite-colors-3177...

      > Unbreakable phones are coming. We’ll have to decide who controls the cockpit: The captain? Or the cabin?

      The security in iOS is not to designed make you safer, in the same way that cockpit security doesn't protect economy class from rogue pilots or business-class terrorists. Apple made this decision years ago, they're right there in Slide 5 of the Snowden PRISM disclosure. Today, Tim stands tall next to POTUS. Any preconceived principle that Apple might have once clung to is forfeit next to their financial reliance on American protectionism: https://www.cnbc.com/2025/09/05/trump-threatens-trade-probe-...

  • > Don't think Apple wouldn't do the same.

    Of course Apple offers a similar feature. I know lots of people here are going to argue you should never share the key with a third party, but if Apple and Microsoft didn't offer key escrow they would be inundated with requests from ordinary users to unlock computers they have lost the key for. The average user does not understand the security model and is rarely going to store a recovery key at all, let alone safely.

    > https://support.apple.com/en-om/guide/mac-help/mh35881/mac

    Apple will escrow the key to allow decryption of the drive with your iCloud account if you want, much like Microsoft will optionally escrow your BitLocker drive encryption key with the equivalent Microsoft account feature. If I recall correctly it's the default option for FileVault on a new Mac too.

  • It is the default setting on windows 11 to share your key with microsoft.

    • It's also the "default" in Windows 11 to require a recovery bitlocker key every time you do a minor modification to the "bios" like changing the boot order

  • I was going to say: "Well, Apple historically is an easy target of Pegasus," but that can only be used a few times before Apple figures out the exploit and fixes it. It's more expensive than just asking Apple.

    But given PRISM, I'm sure Apple will just give it up.

  • Both Microsoft and Apple (I think Apple does) have the option to encrypt those keys with the user's password where they are storing them.

I see a lot of comments recommending TrueCrypt/VeraCrypt here, which is fine, but did you know there is something even more interesting? ;)

Shufflecake ( https://shufflecake.net/ ) is a "spiritual successor" to TrueCrypt/VeraCrypt but vastly improved: works at the block device level, supports any filesystem of choice, can manage many nested layers of secrecy concurrently in read/write, comes with a formal proof of security, and is blazing fast (so much, in fact, that it exceeds the performance of LUKS/dm-crypt/VeraCrypt in many scenarios, including SSD use).

Disclaimer: it is still a proof of concept, only runs on Linux, and has no security audit yet. But there is a prototype for the "Holy Grail" of plausible deniability on the near-future roadmap: a fully hidden Linux OS (boots a different Linux distro or Qubes container set depending on the password entered at boot). Stay tuned!

I think most people don't understand that 99% of people don't know what data encryption is and definitely don't care about it. If it weren't for Bitlocker, their laptops wouldn't be encrypted at all! And of course if your software (Windows) encrypts by default but you don't want to bother the average user with the details (because they don't know anything about this or care about it) you will need to store the key in case they need it.

To everyone saying 'time to use Linux!'; recognize that if these people were using Linux, their laptops wouldn't be encrypted at all!

  • > If it weren't for Bitlocker, their laptops wouldn't be encrypted at all!

    And because of Bitlocker, their encryption is worth nothing in the end.

    > if these people were using Linux, their laptops wouldn't be encrypted

    Maybe, maybe not. Ubuntu and Fedora both have FDE options in the installer. That's objectively more honest and secure than forcing a flawed default in my opinion.

    • > And because of Bitlocker, their encryption is worth nothing in the end.

      No, it's worth exactly what it's meant for: in case your laptop gets stolen!

      > flawed default

      Look, in terms of flaws I would argue 'the government can for legal reasons request the key to decrypt my laptop' is pretty low down there. Again, we're dealing with the general populace here; if it's a choice between them getting locked out of their computer completely vs the government being able to decrypt their laptop, this is clearly the better option. Those who actually care about privacy will set up FDE themselves, and everyone else gets safety in case their laptop gets stolen.

> ... The hackers would still need physical access to the hard drives to use the stolen recovery keys.

This is incorrect. A full disk image can easily be obtained remotely, then mounted wherever the hacking is located. The host machine will happily ask for the BitLocker key and make the data available.

This is a standard process for remote forensic image collection and can be accomplished surreptitiously with COTS.

> The hackers would still need physical access to the hard drives to use the stolen recovery keys.

Or remote access to the computer. Or access to an encrypted backup drive. Or remote access to a cloud backup of the drive. So no, physical access to the original hard drive is not necessarily a requirement to use the stolen recovery keys.

No one should be surprised by this. If you are doing anything on a computer and don’t want it to be readily available to governments or law enforcement, you have to use Linux.

I gave up on OS X 5 years ago. I gave up on Linux 3 years ago.

Today, 2 out of 3 of my machines are KDE fedora. The last one is TBD because my kids are using it.

I didn't have a choice for machine 1 because it wasn't eligible for windows 11 and windows 10 security updates were EOL. Machine 2 quickly followed.

At the time, there had been disappointing Windows news every few months. Since then, there has continued to be disappointing Windows news every few months.

I expect more disappointing Windows news to follow.

I consider myself pretty pro-privacy, but there is so much dragnet surveillance and legitimate breaches of the fourth amendment that I have a hard time getting up in arms over a company complying with a valid search warrant that is scoped to three hard drives (and which required law enforcement to have physical possession of the drives to begin with).

This is so much more reasonable than (for example) all the EU chat control efforts that would let law enforcement ctrl+f on any so-called private message in the EU.

  • A lot of them are not really legitimate though. There's a reason the 4th amendment needs a modern version to require a warrant for tapping of any sort for things people generally assume are private. Flock, Palantir, etc. need to all go bankrupt, starved of data to spy on. In an ideal world, of course. Maybe someday we'll wake up from the nightmare.

The US Government has quickly realized the utility of monopolies and no longer goes after them.

I fully agree that this is disconcerting from a privacy standpoint, and the danger it poses when Microsoft gets hacked.

As for it being user hostile: I am pretty certain that thousands of users a year are delighted when something has gone wrong and they can recover their keys and data from the MS Cloud.

There should perhaps be a screen in a wizard: "Do you want your data encrypted? y/n"

If (yes): "Do you want to be able to recover your data if something bad happens? (else it will be gone forever, you can never ever access it again) y/n"

The problems of centralization. Some economic sectors are centralized by nature, IT is not.

cachyOS - https://cachyos.org/ I've absolutely loved switching from Manjaro to this.

When it comes to giving out encryption keys, the answer should always be 'we don't have them.' 'you can't get them.'

Sad day for privacy at Microsoft.

I have opted out of all cloud services in my Windows installation; I use a passphrase, too (it is even before booting the computer). I feel like this is pretty safe.

  • Except MS could easily turn something on without you knowing and be uploading your files to their cloud. Yes, I believe they would stoop that low and even lower.

I see two distinct problems here:

(1) false advertisement

Companies like MS and Apple are telling their clients they offer a way to encrypt and secure their data but at best these claims are only half truths, mostly smoke and mirrors.

This is not OK. I don't want to get into legal parts of it, because I'm sure there's a fine print there that literally says it's smoke and mirrors, but it's despicable that these claims are made in the first place.

(2) the real need of ironclad encryption

I was born and raised in Eastern Europe. When I was a teenager it was common that police would stop me and ask me to show them the contents of my backpack. Here you had two options - either (a) you'd show them the contents or (b) you would get beaten to a pulp and disclose the contents anyway.

It's at least a 5h debate whether that's good or not, but in my mind, for 90% of cases if you're a law-abiding citizen you can simply unlock your phone and be done with that.

Sure, there are the remaining 10% of use cases where you are a whistleblower, journalist or whatever and you want to retain whatever you have on your phone. But if you put yourself in that situation you'd better have a good understanding of the tech behind your wellbeing. Namely - use something else.

A more honest title would be: judge orders Microsoft to hand over BitLocker keys to FBI.

If you use a local Windows account, does it still upload your BitLocker key to M$?

  • No, and by default the keys are stored on the disk so it's not actually secure.

    If you open the BitLocker control panel applet, your drive(s) will be labelled as "BitLocker waiting for activation".
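One way to check the state this reply describes without opening the applet, as an added example that is not part of the thread: it uses the built-in BitLocker PowerShell module (Get-BitLockerVolume) from an elevated session, and the "waiting for activation" label it reports is my own labelling of the volume being encrypted while protection is off.

```powershell
# Added example (not from the thread): report each BitLocker volume's state and
# which key protectors it has. "Waiting for activation" corresponds to a volume
# that is encrypted (or encrypting) while ProtectionStatus is Off, meaning it is
# unlocked by a clear key kept on the disk rather than by the TPM or a password.
# The same state also shows as ProtectionStatus Off after protectors have been
# suspended (e.g. for a firmware update), so read the Status column alongside it.
# Equivalent CLI: manage-bde -status
function Get-BitLockerProtectionReport {
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

        if ($vol.VolumeStatus -eq 'FullyDecrypted') {
            $state = 'not encrypted'
        } elseif ($vol.ProtectionStatus -eq 'Off') {
            # Encrypted but no protector enforces it: clear key on disk.
            $state = 'WAITING FOR ACTIVATION / SUSPENDED (clear key on disk)'
        } else {
            $state = 'protected'
        }

        [pscustomobject]@{
            Volume      = $vol.MountPoint
            Status      = $vol.VolumeStatus
            Protection  = $vol.ProtectionStatus
            State       = $state
            Protectors  = ($types -join ', ')
            # The RecoveryPassword protector is the 48-digit recovery key; this is
            # the value that a Microsoft-account-linked setup backs up to the cloud.
            HasRecovery = ($types -contains 'RecoveryPassword')
        }
    }
}

Get-BitLockerProtectionReport | Format-Table -AutoSize
```

A volume reported as protected with only Tpm and RecoveryPassword protectors is the usual default; whether that recovery password was escrowed to a Microsoft account is not shown here and has to be checked on the account side.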

Anybody thinking that anything you do on a Windows laptop is in any way private, I have a nice bridge to sell you.

I don't know how many bad things Microsoft has to do before consumers realize they are a terrible company and you should stop buying their stuff.

In the year 2026, the rule of thumb is: if you can get your work done without touching Windows, then you should. It goes without saying you should never trust any third party, let alone a big corp.

I'm certain I should encrypt my data, backup all LUKS headers, and backup all data.

But what about unsophisticated users? In aggregate it might be true data exfiltration is worse than data loss? I don't know if that's true.

But what is true is enabling encryption by default without automated backup and escrow will lead to some data loss.

It's difficult for me to separate the aggregate scenarios from individual scenarios. The individual penalty of data loss can be severe. Permanent.

Big shocker! Gotta love the collusion between government and big tech, it never ends, and our 4th amendment will forever be infringed through these loopholes -- and all will carry on not caring enough about it.

Quid pro quo.

  • What quid pro quo? Is there an allegation that the FBI gave Microsoft something in exchange?

    As far as I can see this particular case is a straightforward search warrant. A court absolutely has the power to compel Microsoft to hand over the keys.

    The bigger question is why Microsoft has the recovery feature at all. But honestly I believe Microsoft cares so little about privacy and security that they would do it just to end the "help customers who lose their key" support tickets, with no shady government deal required. I'd want to see something more than speculation to convince me otherwise.

So, forcing users to connect to the Internet and log in to a Microsoft account has more to it than tracking you and selling ads -- Microsoft may be intentionally helping law enforcement unlock your computer -- and that's not a conspiracy.

Hello there!

Have you heard of our lord and savior, Linux?

  • > Yes, but which version/fork?

    If I earn my living from a company that doesn't make Linux versions, should I still switch?

    Should my customers?

    It's a great idea, and my work does not touch the internet, but the confusing variations of Linux do not a happy workforce make.

    Your 'lord and saviour' can fuck off, with all the others, I prefer science.

> Johns Hopkins professor and cryptography expert Matthew Green raised the potential scenario where malicious hackers compromise Microsoft’s cloud infrastructure — something that has happened several times in recent years — and get access to these recovery keys.

BitLocker isn't serious security. What is the easiest solution for non-technical users? Does FDE duplicate BitLocker's functionality?

This is disappointing but I wonder if this is quid pro quo. Microsoft and Nadella want to appear to be cooperating with the government, so they are given more government contracts and so they don’t get regulatory problems (like on antitrust or whatever).

This isn't even about Microsoft or BitLocker. This is about the U.S.A.: anyone who trusts the rule of law in the U.S. is a fool.

Yes, the American government retrieves these keys "legally". But so what? The American courts won't protect foreigners, even if they are heads of state or dictators. The American government routinely frees criminals (the ones that donate to Republicans) and persecutes lawful citizens (the ones that cause trouble to Republicans). The "rule of law" in the U.S. is a farce.

And this is not just about the U.S. Under the "five eyes" agreement, the governments of Canada, the UK, Australia and New Zealand could also grab your secrets.

Never trust the United States. We live in dangerous times. Ignore it at your own risk.

Water is wet. More news at 11.

  • Water is not wet. Water makes non-hydrophobic materials wet.

    This news piece from a non-tech organization will help educate non-tech people.

It's like Microsoft has nothing better to do other than keep digging the hole to bury Windows as the mainstay operating system deeper and deeper with every new day.

What was the point of mandatory TPM then? I thought they were storing the keys securely there!

  • Keys are stored securely in a TPM in the sense that a random program has no access to it. They are not stored safely there in the sense that they couldn’t possibly get destroyed. TPM hardware, or the motherboard that hosts it, occasionally fails. Or you might want to migrate your physical hard drive to a different PC. That’s the purpose of backing up the keys to the cloud. Alternatively, you can write down a recovery key and put it in your safe. Personally, I put it in my password vault that also happens to be backed up to the cloud (though not Microsoft’s).

    • There's also no security in the communication between the CPU and the TPM, so you can plug in a chip that intercepts it and copies all the keys, or plug the TPM into a chip that pretends to be the CPU and derives identical keys.


> The case involved several people suspected of fraud related to the Pandemic Unemployment Assistance program

If it were preventing a mass murder I might feel differently...

But this is protecting the money supply (and indirectly the government's control).

Not a reason to violate privacy IMO, especially when at the time this was done these people were only suspected of fraud, not convicted.

  • > Not a reason to violate privacy IMO, especially when at the time this was done these people were only suspected of fraud, not convicted.

    Well you can't really wait until the conviction to collect evidence in a criminal trial.

    There are several stages that law enforcement must go through to get a warrant like this. The police didn't literally phone up Microsoft and ask for the keys to someone's laptop on a hunch. They had to have already confiscated the laptop, which means they had to have collected enough early evidence to prove suspicion and get a judge to sign off and so on.

  • They had a warrant. That's enough. Nobody at Microsoft is going to be willing to go to jail for contempt to protect fraudsters grifting off of the public taxpayer. Would you?

    • Yes. Businesses have a moral responsibility to honor their agreements with their stakeholders above the government.

Your firmware and UEFI likely accept MS keys even if you supplied your own for Secure Boot. Sometimes the keys are unable to be removed, or they'll appear "removed" but still present because losing the keys could break firmware updates/option ROMs/etc.

Similarly, your TPM is protected by keys Intel or AMD can give anyone.

If you want to extrapolate, your Yubikey was supplied by an American company with big contracts to supply government with their products. Since it's closed source and you can't verify what it runs, a similar thing could possibly happen with your smartcard/GPG/pass keys.