> Microsoft told Forbes that the company sometimes provides BitLocker recovery keys to authorities, having received an average of 20 such requests per year.
At least they are honest about it, but a good reason to switch over to linux. Particularly if you travel.
If microsoft is giving these keys out to the US government, they are almost certainly giving them to all other governments that request them.
FYI BitLocker is on by default in Windows 11. The defaults will also upload the BitLocker key to a Microsoft Account if available.
This is why the FBI can compel Microsoft to provide the keys. It's possible, perhaps even likely, that the suspect didn't even know they had an encrypted laptop. Journalists love the "Microsoft gave" framing because it makes Microsoft sound like they're handing these out because they like the cops, but that's not how it works. If your company has data that the police want and they can get a warrant, you have no choice but to give it to them.
This makes the privacy purists angry, but in my opinion it's the reasonable default for the average computer user. It protects their data in the event that someone steals the laptop, but still allows them to recover their own data later from the hard drive.
Any power users who prefer their own key management should follow the steps to enable Bitlocker without uploading keys to a connected Microsoft account.
Microsoft did give them. Just because they have a warrant doesn't mean keys should be handed over in any usable form. As indicated in the Forbes [0] article - both Meta and Apple have the exact same convenience in place (cloud backup) with none of the direct risk.
So, yes. That is how it works: 1) Microsoft forces users to online accounts 2) Bitlocker keys are stored in an insecure manner allowing any US agency to ask for them. I intentionally say "ask for them" because the US government is a joke with respect to respecting its own citizens privacy [1] at this point.
This type of apologetic half-truth on behalf of a multi-billion dollar corporation is getting old fast.
"They have no choice" because they're "just doing their job" and "following the law."
Which are both choices. Microsoft can for sure choose to block the government and so can individual workers. Let's not continue the fascism-enabling narratives of "no choice."
As someone who has benefiter ones from this, I have to say: good.
In my humble opinion: the current state is better than no encryption at all. For example: Laptop theft, scavengers trying to find pictures, etc. And if you think you are target of either Microsoft or the law enforcement manage your keys yourself or go straight to Linux.
All that is true and the spin I focus on is can Microsoft have implemented it such that they have zero (ish) knowledge by default.
We know iCloud has configurations that can’t disclosed, and I wonder if there is a middle ground between if you loose the recovery key you are stuffed and maybe have a recovery key unblocked by a password similar to ssh keys
The "Microsoft gave" framing is the exact right wording!, because Microsoft should never have had these keys in the first place. This is a compromise on security that sidesteps back doors on the low level and essentially transforms all Windows installations into Clipper-chip products.
While it is true that NSLs or other coercion tactics will force them to give out the keys, it is also true that this is only possible because Microsoft implemented a fatally flawed system where they have access to the keys.
Any system where a third party has access to cleartext or the keys to decrypt to cleartext is completely broken and must not be used.
> This is by far one of the best advertisements for LUKS/VeraCrypt I've ever seen.
LUKS isn't all rainbows and butterflies either [https://news.ycombinator.com/item?id=46708174]. This vulnerability has been known for years, and despite this, nothing has been done to address it.
Furthermore, if you believe that Microsoft products are inherently compromised and backdoored, running VeraCrypt instead of BitLocker on Windows likely won’t significantly improve your security. Implementing a VeraCrypt backdoor would be trivial for Microsoft.
This is disappointing but I wonder if this is quid pro quo. Microsoft and Nadella want to appear to be cooperating with the government, so they are given more government contracts and so they don’t get regulatory problems (like on antitrust or whatever).
The engineers who developed this developed it to a spec so that microsoft demanded that allows them to get into the system at any time. There was nothing lazy about it. This would be easily found by anyone who has the impetus to encrypt their drive. Don't put things on your work laptop that you don't want Dom down in IT reading all of it or Phil the police forensics dick
> Back in the day hackernews had some fire and resistance
Hackernews is a public forum, and the people here change constantly. "Back in the day" there were mostly posts about LISP and startup equity. It's obviously not the same people here now.
> Too many tech workers decided to rollover for the government
Again, not the same group of people. In the 2000s "tech workers" might have mostly been Californians. Now they're mostly in India. Differing perspectives on government, to be sure.
> lazy engineers build lazy key escrow
Hey you should know this one, because it's something that HAS stayed constant since "back in the day": The engineers have absolutely no say in this whatsoever.
So, forcing user to connect to Internet and log in to Microsoft account has more to do than tracking you and selling ads -- Microsoft may be intentionally helping law enforcement unlocking your computer -- and that's not a conspiracy.
Perhaps next time, an agent will copy the data, wipe the drive, and say they couldn't decrypt it. 10 years ago agents were charged for diverting a suspect's Bitcoin, I feel like the current leadership will demand a cut.
This is my biggest fear wrt gov't search-and-seizure. I know the police won't be able to get at my juicy encypted bits, but I also know they're vindictive basterds who'll be held to no accountability. Of course they'll wipe my drives just to get revenge for me "winning" by having blocked their access.
Based on the comments in the thread, I sense I will be in the minority, but for most consumers this is a reasonable default. Broadly speaking, the threat model most users are concerned with doesn't account for their government. The previous default is no encryption at rest, which doesn't protect from the most common threats, like theft or tampering. With BitLocker on, a new risk for users is created: loss of access to their data because they don't have their recovery key. You are never forced to keep your recovery keys in Microsoft's servers and it's not a default for corporate users.
This isn't even about Microsoft or BitLocker. This is about the U.S.A.: anyone who thrusts the rule of law in the U.S. is a fool.
Yes, the American government retrieves these keys "legally". But so what? The American courts won't protect foreigners, even if they are heads of state or dictators. The American government routinely frees criminals (the ones that donate to Republicans) and persecutes lawful citizens (the ones that cause trouble to Republicans). The "rule of law" in the U.S. is a farce.
And this is not just about the U.S. Under the "five eyes" agreement, the governments of Canada, UK, Autralia and New Zealand could also grab your secrets.
Never trust the United States. We live in dangerous times. Ignore it at your own risk.
it's like microsoft has nothing better to do other than keep digging the hole to burry windows as mainstay operating system deeper and deeper with every new day.
I have opted out of all cloud services in my windows installation; I use a passphrase, too (it is even before booting the computer). I feel like this is pretty safe
85 comments
[ 2.9 ms ] story [ 65.6 ms ] threadIf it were preventing a mass murder I might feel differently...
But this is protecting the money supply (and indirectly the governments control).
Not a reason to violate privacy IMO, especially when at the time this was done these people were only suspected of fraud, not convicted.
At least they are honest about it, but a good reason to switch over to linux. Particularly if you travel.
If microsoft is giving these keys out to the US government, they are almost certainly giving them to all other governments that request them.
This is why the FBI can compel Microsoft to provide the keys. It's possible, perhaps even likely, that the suspect didn't even know they had an encrypted laptop. Journalists love the "Microsoft gave" framing because it makes Microsoft sound like they're handing these out because they like the cops, but that's not how it works. If your company has data that the police want and they can get a warrant, you have no choice but to give it to them.
This makes the privacy purists angry, but in my opinion it's the reasonable default for the average computer user. It protects their data in the event that someone steals the laptop, but still allows them to recover their own data later from the hard drive.
Any power users who prefer their own key management should follow the steps to enable Bitlocker without uploading keys to a connected Microsoft account.
So, yes. That is how it works: 1) Microsoft forces users to online accounts 2) Bitlocker keys are stored in an insecure manner allowing any US agency to ask for them. I intentionally say "ask for them" because the US government is a joke with respect to respecting its own citizens privacy [1] at this point.
This type of apologetic half-truth on behalf of a multi-billion dollar corporation is getting old fast.
[0] https://www.forbes.com/sites/thomasbrewster/2026/01/22/micro... [1] https://www.npr.org/2026/01/23/nx-s1-5684185/doge-data-socia...
Which are both choices. Microsoft can for sure choose to block the government and so can individual workers. Let's not continue the fascism-enabling narratives of "no choice."
In my humble opinion: the current state is better than no encryption at all. For example: Laptop theft, scavengers trying to find pictures, etc. And if you think you are target of either Microsoft or the law enforcement manage your keys yourself or go straight to Linux.
We know iCloud has configurations that can’t disclosed, and I wonder if there is a middle ground between if you loose the recovery key you are stuffed and maybe have a recovery key unblocked by a password similar to ssh keys
but they didn't do so.
and it's surely just a coincidence, because m$ has always been such an ethical company.
and it's surely not by design to centralize power by locking out competing criminals from the user's data, but not themselves.
</s>
However a hostile foreign government has less control over me.
As such using a tool of a hostile foreign government (Microsoft) needs to be understood and avoided.
While it is true that NSLs or other coercion tactics will force them to give out the keys, it is also true that this is only possible because Microsoft implemented a fatally flawed system where they have access to the keys.
Any system where a third party has access to cleartext or the keys to decrypt to cleartext is completely broken and must not be used.
Don't think Apple wouldn't do the same.
If you don't want other people to have access to your keys, don't give your keys to other people.
LUKS isn't all rainbows and butterflies either [https://news.ycombinator.com/item?id=46708174]. This vulnerability has been known for years, and despite this, nothing has been done to address it.
Furthermore, if you believe that Microsoft products are inherently compromised and backdoored, running VeraCrypt instead of BitLocker on Windows likely won’t significantly improve your security. Implementing a VeraCrypt backdoor would be trivial for Microsoft.
Back in the day hackernews had some fire and resistance.
Too many tech workers decided to rollover for the government and that's why we are in this mess now.
This isn't an argument about law, it's about designing secure systems. And lazy engineers build lazy key escrow the government can exploit.
Hackernews is a public forum, and the people here change constantly. "Back in the day" there were mostly posts about LISP and startup equity. It's obviously not the same people here now.
> Too many tech workers decided to rollover for the government
Again, not the same group of people. In the 2000s "tech workers" might have mostly been Californians. Now they're mostly in India. Differing perspectives on government, to be sure.
> lazy engineers build lazy key escrow
Hey you should know this one, because it's something that HAS stayed constant since "back in the day": The engineers have absolutely no say in this whatsoever.
There was no “back in the day” where big tech was on our side. Stop being a poser
It's time - it's never been easier, and there's nothing you'll miss about Windows.
https://cointelegraph.com/news/fbi-cant-be-blamed-for-wiping...
Perhaps next time, an agent will copy the data, wipe the drive, and say they couldn't decrypt it. 10 years ago agents were charged for diverting a suspect's Bitcoin, I feel like the current leadership will demand a cut.
Apple has that figured out. Your keys can be stored in your cloud synced keychain but only you can decrypt that keychain.
That’s why they couldn’t help the FBI to decrypt devices even when compelled.
Microsoft should have done the same. They should never find themselves in a place where they can be compromised like this.
Yes, the American government retrieves these keys "legally". But so what? The American courts won't protect foreigners, even if they are heads of state or dictators. The American government routinely frees criminals (the ones that donate to Republicans) and persecutes lawful citizens (the ones that cause trouble to Republicans). The "rule of law" in the U.S. is a farce.
And this is not just about the U.S. Under the "five eyes" agreement, the governments of Canada, UK, Autralia and New Zealand could also grab your secrets.
Never trust the United States. We live in dangerous times. Ignore it at your own risk.