Microsoft may be putting the privacy of millions of users at risk. The built-in disk encryption feature in Windows 10, the latest desktop operating system from the company, automatically uploads your recovery key to Microsoft's servers, where it is exposed in the event of a security breach.
Windows 10 ships with a device encryption feature that is enabled by default on hardware that supports it. While this has real benefits, such as protecting the data on the computer if it is lost or stolen, for those who sign in with a Microsoft account (an Outlook.com or Live account) it also means that Microsoft holds a copy of your disk's recovery key, reports The Intercept.
The issue, as you can imagine, is that anyone who breaks into your Microsoft account can read this recovery key, and anyone who breaks into Microsoft's servers can read everyone's. A recovery key on its own does not reveal your files; it decrypts the drive for whoever also has the device or a copy of its disk, which is exactly the position someone who has stolen, seized or imaged the laptop is in. There are many more scenarios in which an unauthorised party could obtain your computer's recovery key.
Now, in Microsoft's defence, the feature is genuinely useful. The recovery key is what gets your data back when the TPM refuses to release the disk key, for example after a firmware update, a hardware change or moving the drive to another machine, so you want a copy kept somewhere you can reach it, and tying that copy to your Microsoft account makes it hard to lose. However, the privacy risk arguably outweighs that convenience. Many Windows Insider participants are likely affected, as they are required to use a Microsoft account and most probably sign in to their PCs with it as well. As of early July of this year, more than 5 million users were signed up as Windows Insider participants.
The report adds that users who sign in with their organisation's account have their keys stored with their organisation rather than on Microsoft's servers. So what should everyone else do? You can check whether your key is stored in the cloud by visiting the recovery-key page of your Microsoft account. You can delete the key from your account to remove the exposure, and Microsoft says all copies will be wiped from its servers and backup drives. Before you do, make sure you have another copy: if the cloud backup was your only one, deleting it leaves you with no recovery key at all, and a TPM that later refuses to unseal would lock you out for good. Bear in mind, too, that deleting the cloud copy does not change the key on the drive; a copy that was already taken would still unlock it. Those who don't see any key associated with their Microsoft account probably didn't use that account to sign in, or don't have device encryption enabled. Users who don't see the encryption option in Settings at all need not worry: their machines most likely lack the Trusted Platform Module (TPM) that device encryption requires.
Windows 10 Pro and Enterprise users can use BitLocker, the fully managed form of the same encryption, or a third-party tool to generate a new key, so that the copy Microsoft held no longer unlocks the drive. Save the new key by printing it or writing it to a USB stick, and keep it somewhere safe rather than in the cloud.
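As an added example, not taken from The Intercept's report or from Microsoft's documentation, the following PowerShell performs the Pro/Enterprise rotation from an elevated prompt: it adds a fresh recovery password protector, writes it to a USB stick and verifies the file, and only then removes the old protectors, so the 48-digit key that was uploaded can no longer unlock the drive. It assumes the protected volume is C: and the USB stick is mounted at E: (both labelled in the code); it replaces only the recovery password, not the underlying volume key, so if you suspect a disk image was captured while the old key was exposed, decrypt and re-encrypt the drive instead.

```powershell
#Requires -RunAsAdministrator
# Added example: rotate the BitLocker recovery password on the OS volume and
# store the new one on removable media instead of in a Microsoft account.
# Needs Windows 10 Pro/Enterprise (the BitLocker PowerShell module).
# Assumed values (change to match your machine):
$MountPoint = 'C:'                      # volume protected by device encryption / BitLocker
$BackupDir  = 'E:\BitLockerRecovery'    # folder on a USB stick you keep offline

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.ProtectionStatus -ne 'On') {
    throw "Protection is not on for $MountPoint; there is no recovery key to rotate."
}

# Record the protectors the drive trusts now; the recovery-password ones are what we replace.
$oldRecovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
"Current protectors on ${MountPoint}:"
$vol.KeyProtector | Format-Table KeyProtectorType, KeyProtectorId -AutoSize

# Step 1: add a new recovery password FIRST, so the volume is never left without one.
$after = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$newRecovery = $after.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' -and
                   $_.KeyProtectorId -notin $oldRecovery.KeyProtectorId } |
    Select-Object -First 1
if (-not $newRecovery) { throw "New recovery password protector was not created." }

# Step 2: write the new key to the USB stick and read it back before trusting it.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$file = Join-Path $BackupDir ("BitLocker-{0}-{1}.txt" -f $env:COMPUTERNAME, $newRecovery.KeyProtectorId.Trim('{}'))
@"
BitLocker recovery key for $MountPoint on $env:COMPUTERNAME
Saved: $(Get-Date -Format 'yyyy-MM-dd HH:mm')
Key protector ID: $($newRecovery.KeyProtectorId)
Recovery password: $($newRecovery.RecoveryPassword)
"@ | Set-Content -Path $file -Encoding ASCII
if ((Get-Content $file -Raw) -notmatch [regex]::Escape($newRecovery.RecoveryPassword)) {
    throw "Backup file does not contain the new key; leaving old protectors in place."
}
"New recovery key written to $file"

# Step 3: only now remove the old recovery password protectors. After this the
# 48-digit key that was uploaded to the Microsoft account cannot unlock the drive.
foreach ($p in $oldRecovery) {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    "Removed old recovery password protector $($p.KeyProtectorId)"
}

# Step 4: confirm exactly one recovery password remains and that it is the new one.
$final = Get-BitLockerVolume -MountPoint $MountPoint
$remaining = @($final.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
if ($remaining.Count -ne 1 -or $remaining[0].KeyProtectorId -ne $newRecovery.KeyProtectorId) {
    Write-Warning "Unexpected recovery protectors remain; inspect with: manage-bde -protectors -get $MountPoint"
}
$remaining | Format-Table KeyProtectorId, RecoveryPassword -AutoSize
```

Run it from an elevated PowerShell window with the USB stick plugged in, then delete the old key from your Microsoft account as described above. The new protector is added before the old one is removed so that a failure midway never leaves the drive without a recovery password, and the backup file is read back before anything is deleted. Windows 10 Home exposes device encryption but not these cmdlets, which is why the page limits this step to Pro and Enterprise.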