Your Windows 10 device encryption keys are stored on OneDrive

The Intercept, the government-busting news site funded by eBay founder Pierre Omidyar that sprang up after the Snowden leaks, has dug up a not-exactly-new feature of Windows 10 for scrutiny: automatic device encryption with the recovery key stored on OneDrive. Since their article is gaining some steam, let's talk about it.

What’s it all about?

First of all, a quick description for the unfamiliar. Users signing in to a shiny new device with a Microsoft account will have the device encrypted by Windows behind the scenes, after which the recovery key is automatically uploaded to the OneDrive storage tied to that account. Automatic is the keyword here: users don't need to spend an ounce of effort on any of this. They may also never know that it happened.
Under the hood this is still BitLocker, just a simplified, automatic configuration of it (the uploaded key is a BitLocker recovery key), but it behaves differently from the BitLocker users are familiar with, which requires someone to open the BitLocker control panel, start encryption manually, and choose where to store the recovery key (in fact, we have a handy guide on that which you can give a look). Also, unlike full BitLocker, which is limited to the Pro and Business editions of Windows, device encryption is available to Home users as well, provided the hardware supports it. As a matter of fact, the feature has been around since Windows 8, which makes The Intercept's article a bit old hat.

Convenience versus potential risk – the age-old tech dilemma

Why is the encryption secure? Without the key, the encrypted drive is inaccessible, period. Conversely, the key by itself is useless without the physical device (or a full copy of its disk) to unlock; it's a two-part system not too dissimilar to a physical lock. It also means that if you lose your key and the device ever falls into recovery mode, prepare to kiss all your data goodbye, since there will be no way to get at it. Ever. Which is why the automatic key backup is more convenient for, and actually preferred by, most lay users (or so the quoted Microsoft spokesperson claims).
The security risk, the original article argues, starts the moment the key leaves your device, because it can then be obtained by a third party, Microsoft or otherwise, whether through a subpoena, an insider, or a breach of the account it is stored under. Sure enough, the uploaded keys can be viewed and deleted very easily from the recovery key page of your Microsoft account, which Microsoft says wipes them from its servers, but at that point you can never be completely sure that the key was not copied before you deleted it. In the best of worlds, according to the article, Microsoft would do the same as Apple does with its built-in encryption FileVault and ask users during initial setup whether they want the cloud backup at all.
Paranoia aside though, as mentioned before, having the key means nothing without the physical device to unlock, so you should be reasonably safe unless an attacker has both the key and your hardware (or a disk image of it). If you still have doubts, the original article suggests using BitLocker to decrypt and re-encrypt the device, which generates a fresh key and renders the uploaded copy useless, after which you can keep the new key local (saved to a USB stick or printed) rather than uploaded. Note that deleting the key from OneDrive alone does not change anything on the device: only replacing the recovery key actually invalidates the copy that left your machine, and a full decrypt/re-encrypt is not strictly necessary for that, since BitLocker lets you add a new recovery password and remove the old one in place.
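The rotation described above, as an added example that is not part of the original article or of Microsoft's documentation. It uses the BitLocker PowerShell module (present on Pro, Enterprise and Education editions; Home exposes less control), so it has to run in an elevated shell on a machine whose system drive is already encrypted. It lists the key protectors, adds a fresh 48-digit recovery password, deletes every older recovery password protector (the one that was uploaded among them), and never calls the backup cmdlets, so the new key stays on the device until you save it offline. The mount point and the "show it on screen" step are choices for this example, not requirements.

```powershell
# Added example: inspect the BitLocker protectors on the OS drive and rotate the
# recovery password so a copy uploaded earlier (for instance to OneDrive) stops working.
# Requires the BitLocker module (Pro/Enterprise/Education) and an elevated PowerShell.
#Requires -RunAsAdministrator

$mount = $env:SystemDrive   # the OS volume, usually C:

$vol = Get-BitLockerVolume -MountPoint $mount
"{0}: VolumeStatus={1} ProtectionStatus={2} Method={3}" -f `
    $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus, $vol.EncryptionMethod

# Every protector that can unlock the volume. RecoveryPassword protectors are the
# 48-digit keys that the automatic backup uploads; a Tpm protector never leaves the box.
$vol.KeyProtector | Format-Table KeyProtectorType, KeyProtectorId -AutoSize

if ($vol.ProtectionStatus -ne 'On') {
    throw "Protection is not on for $mount; nothing to rotate."
}

# Remember the protector IDs that exist now, so the new one can be told apart later.
$oldIds = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' |
            ForEach-Object KeyProtectorId)

# Add the replacement first so the volume is never left without a recovery path.
# No Backup-BitLockerKeyProtector / BackupToAAD-BitLockerKeyProtector call: the key stays local.
$after = Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector
$new = $after.KeyProtector | Where-Object {
    $_.KeyProtectorType -eq 'RecoveryPassword' -and $oldIds -notcontains $_.KeyProtectorId
}
if (-not $new) { throw "New recovery password protector was not created." }

# Now remove the old recovery passwords; whatever was uploaded is useless from here on.
foreach ($id in $oldIds) {
    Remove-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $id | Out-Null
    "Removed old recovery password protector $id"
}

# Show the new key once so it can be written down or copied to removable media.
# Do not save it on the encrypted drive itself, and do not paste it into OneDrive.
"New recovery password for $mount ($($new.KeyProtectorId)):"
$new.RecoveryPassword

# Final state: exactly one RecoveryPassword protector, plus the TPM (or other) protector.
(Get-BitLockerVolume -MountPoint $mount).KeyProtector |
    Format-Table KeyProtectorType, KeyProtectorId -AutoSize
```

After running it, check the recovery key page of your Microsoft account: the entry that matches the removed protector ID is the one that no longer unlocks anything, and deleting it there is now cosmetic rather than load-bearing. If Windows ever re-enables automatic backup (for example after re-adding the account), repeat the rotation.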


All in all, it is really up to users to weigh the trade-off for convenience and draw the line at what they see as compromising their privacy. Every business operates on a certain degree of mutual trust with its customers, and with the increasing frequency of data breaches in recent years, that trust may be eroding, which is why articles like The Intercept's are getting attention.
Nevertheless, given that Microsoft has long been a major player in cyber security, and that it, like most companies, wants to stay in business, claiming that it actively tries to compromise customers' data and trust is a bit far-fetched. We have reached out to Microsoft for comment regarding the original article, and will update you once more information comes in.