
Security Bits — 1 February 2026

Feedback & Followups

Deep Dive — 🧯 Understanding the Microsoft BitLocker Key ‘Controversy’

TL;DR — most NosillaCastaways probably want to continue to accept the BitLocker default setting and continue to have the encryption key backed up to their Microsoft Account.

Windows supports full disk encryption using a feature named BitLocker, and it works like any other full disk encryption technology, protecting the data on the disk from being accessed by anyone who steals the computer or the drive.

All of these systems work in a similar way — the actual bits on the disk are encrypted with a long, complex key, but since that can’t be easily written down, let alone remembered, that key gets re-encrypted with the user’s password. This means that to unlock the drive, normally the user enters their password, which decrypts the key, which decrypts the data on the drive. If they forget their password, the data on the drive can still be recovered if there’s a backup copy of the actual encryption key. This design has the added advantage of allowing users to reset their password without needing to re-encrypt the entire drive; only the drive’s actual key needs to be re-encrypted with the new password.

All this protects the data on the drive from both criminals and government agencies.

However, it also means that if the user forgets their password, it’s impossible for them to recover their data without a copy of the underlying key. Unless the user is OK with depending entirely on their backups, that would be catastrophic! To say that might cause some support headaches for Microsoft would be an understatement 😉

So, Microsoft provide mechanisms for backing up the key when BitLocker is initialised.

For home users, Microsoft provide two recovery options — you can export a copy of the key to a thumb drive that you then need to keep safe, or you can save the key to your Microsoft Personal account.

Expecting typical home users to have a spare thumb drive and then to keep it safe is not realistic, so the default option offered to home users is to save the key to their Microsoft account.

This obviously provides good protection from accidental data loss, but it comes with a trade-off — Microsoft have a copy of the key and can be compelled to hand it over to government agencies armed with an appropriate order from a judge.

For most home users, this tradeoff makes perfect sense — their biggest risk by far is data loss!

However, some high-risk users might prefer to manage the key themselves, or even to choose to treat the drive as disposable and accept that if they forget their password, all data on the drive is gone. If you’re a cloud-first kind of person, this is actually a very reasonable option.

What Changed? Why the Fresh Headlines/Controversy?

At a technological level, nothing changed!

All that happened is that we now have a publicly disclosed example of Microsoft being issued with an appropriate disclosure order and complying with it.

On foot of the (baseless in my opinion) internet outrage, Microsoft also shared that they comply with about 20 orders each year. Given how many Windows users there are, that’s an infinitesimally small fraction!

Remember, without your drive or a bit-level clone of your drive, the key is useless!

Notes for Enterprise/Education Users

If your Windows device is managed by your organisation, then the chances are high that the treatment of your BitLocker key is out of your control. Organisations can lock the setting down with an MDM (Mobile Device Management) policy.

Assuming the setting the organisation forces is to back the key up to the cloud, it won’t go into the user’s personal Microsoft account; instead, it will go into the organisation’s Active Directory or Entra ID, which may or may not be in the cloud at all, and even if it is, Microsoft may or may not have access depending on how the organisation manages their master encryption keys.

However, remember that on a managed device, your organisation owns the data! That means that your organisation is in complete control over access to all the data stored on that device. You can’t assume anything you do on a managed device is hidden from your organisation, let alone from a government armed with a court order issued to either your organisation or Microsoft.

Notes for Mac Users

For the most part, the story is very similar for Mac users, just substitute FileVault for BitLocker and iCloud for Personal Microsoft Account. In fact, for users of managed devices, the situation is effectively identical — your organisation is in full control, and you can’t assume anything.

For home users, things are a little more complicated, though, because Apple made a small but impactful change with macOS 26.

Older versions of macOS behave almost identically to BitLocker. One subtle difference is that Apple never back up the raw encryption key; instead, they back up a long and truly random recovery code that can be used to decrypt a copy of the key stored on the drive itself. But ultimately, Mac users before macOS 26 were defaulted to saving this recovery key to their iCloud Account, and they had the option to fall back to displaying the recovery code so they could write it down and store it somewhere safe.
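The key hierarchy described in the BitLocker section above, together with the Apple-style recovery code that unlocks a second copy of the key stored on the drive, as an added toy model (not Microsoft’s or Apple’s code). The PBKDF2 derivation, the two “slot” layout, and the HMAC-SHA256 counter-mode cipher standing in for AES are assumptions of the example so it runs on the Python standard library alone.

```python
import hashlib, hmac, os, secrets

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stand-in for AES so this runs on stdlib only
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, pt: bytes) -> bytes:
    # encrypt-then-MAC: nonce || ciphertext || tag
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or corrupted blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def kdf(secret: str, salt: bytes) -> bytes:
    # slow derivation so a human-sized password or recovery code is costly to brute-force
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

class Volume:
    def __init__(self, password: str):
        dek = secrets.token_bytes(32)               # the real disk key; it stays on the device
        self.salt = os.urandom(16)
        self.pw_slot = seal(kdf(password, self.salt), dek)       # DEK wrapped under the password
        self.recovery_code = secrets.token_hex(24)  # what gets escrowed (cloud account) or written down
        self.rec_slot = seal(kdf(self.recovery_code, self.salt), dek)  # DEK wrapped under the code
        self.blocks = seal(dek, b"constructed sample: the user's files")  # the "disk contents"

    def _dek(self, slot: bytes, secret: str) -> bytes:
        return unseal(kdf(secret, self.salt), slot)

    def read(self, password: str) -> bytes:
        return unseal(self._dek(self.pw_slot, password), self.blocks)

    def read_with_recovery(self, code: str) -> bytes:
        # the escrowed code is useless without self.rec_slot and self.blocks, i.e. the drive
        return unseal(self._dek(self.rec_slot, code), self.blocks)

    def change_password(self, old: str, new: str) -> None:
        # only the wrapped DEK is rewritten; self.blocks (the disk) is untouched
        self.pw_slot = seal(kdf(new, self.salt), self._dek(self.pw_slot, old))
```

After change_password the ciphertext of the disk is byte-for-byte unchanged, while the old password no longer unlocks it and the recovery code still does.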

But that has changed a little with macOS 26. When you set up full disk encryption with the macOS 26 installer, the default is not to store the recovery key in your iCloud account, but in the Passwords app. This means you can display the code any time you like, export it to another password manager, and it syncs with your iCloud Keychain, which is fully end-to-end encrypted, so Apple can’t access it.

This means that for people with new Macs bought after macOS 26 was released, their keys are not available to Apple, even when provided with a court order. Encryption keys are configured when a drive is formatted, so unless you reformat your drive, simply upgrading to macOS 26 won’t change your encryption keys.

Links

❗ Action Alerts

Worthy Warnings

Notable News

Excellent Explainers

Interesting Insights

  • 🎦 A fun deep-dive into how Passkeys really work on websites, showing the entire process in action on a dummy website, including all the code and the content of all the messages over and back to the server — youtube.com/… (Via Joop in the NosillaCast slack)

Palate Cleansers

Legend

When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.

Emoji — Meaning
🎧 — A link to audio content, probably a podcast.
❗ — A call to action.
[flag emoji] — The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
📊 — A link to graphical content, probably a chart, graph, or diagram.
🧯 — A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
💵 — A link to an article behind a paywall.
📌 — A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
🎩 — A tip of the hat to thank a member of the community for bringing the story to our attention.
🎦 — A link to video content.
