2026-02-11

If you are a Windows 11 user, you should not trust or rely on your BitLocker encryption to protect the security and privacy of the data on your hard drive.

This post was inspired by recent revelations (article: https://www.windowscentral.com/microsoft/windows-11/microsoft-bitlocker-encryption-keys-give-fbi-legal-order-privacy-nightmare) that Microsoft stores BitLocker recovery keys in the cloud for Windows 11 users and had subsequently turned over those keys for some users pursuant to law enforcement requests. The implication is that hard drives people thought were secured by BitLocker are not actually safe from anyone who can obtain that key from Microsoft, and their data was accessible to others.

I’m not advocating that Microsoft shouldn’t comply with a valid legal process signed off by a judge. Still, the fact that Microsoft is ABLE to provide these keys and decrypt BitLocker goes against the whole purpose of encryption and is enough reason not to use these products.

To quote from the article:

It’s frankly shocking that the encryption keys that do get uploaded to Microsoft aren’t encrypted on the cloud side, too. That would prevent Microsoft from seeing the keys, but it seems that, as things currently stand, those keys are available in an unencrypted state, and it is a privacy nightmare for customers.

If you are using Microsoft’s BitLocker for encryption protection, you must ensure that your recovery keys ARE NOT STORED in the cloud. For me, this story calls into question all of Microsoft’s claims about encryption, and I would avoid Windows products if you are concerned about the security of your data.

What to do if you are a Windows 11 user?

If you are using Windows 11 Home, you only get "Device encryption", which requires signing in with a Microsoft account and automatically uploads the recovery key to that account; Home has no BitLocker console for choosing where the key goes. In practice, your encryption is then only as strong as Microsoft's custody of that key: Microsoft, or whoever takes, steals, or is handed the key by Microsoft, can unlock your hard drive.

If you upgrade to Windows 11 Pro, you can keep your recovery key out of Microsoft's hands by saving it to a file or USB drive instead of your Microsoft account. Note that simply deleting the key from your Microsoft account is not enough: the copy Microsoft already received still unlocks the drive until the recovery key itself is changed. So you have to deactivate BitLocker, delete the old key online, then re-enable it and save the new key locally. Here's an article with step-by-step instructions for how to do this: https://pureinfotech.com/windows-11-delete-bitlocker-recovery-key-microsoft-account/
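For readers who would rather script the rotation than click through it, here is an added example (mine, not from the original post or from Microsoft). It rotates the recovery password on C: so that any copy already uploaded to a Microsoft account stops working, and saves the new one to a file you control. It assumes Windows 11 Pro (the BitLocker PowerShell module), an elevated prompt, and that E:\ is a removable drive you own; that path is an assumption, change it.

```powershell
# Added example, not Microsoft's code. Rotate the BitLocker recovery password
# on C: and save the new one offline. Assumes Windows 11 Pro, elevated prompt.
# Why rotate instead of only deleting online: deleting the key at
# account.microsoft.com removes Microsoft's copy of the OLD password, but that
# password still unlocks the drive until it is replaced here.

$Mount  = 'C:'
$OutDir = 'E:\'                                   # assumption: your own USB stick
$vol = Get-BitLockerVolume -MountPoint $Mount
if ($vol.ProtectionStatus -ne 'On') { throw "BitLocker protection is not On for $Mount" }

# 1. The recovery-password protector(s) currently on the volume; Microsoft may hold any of these.
$old = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
"Existing recovery protectors: $($old.Count)"

# 2. Add a fresh recovery password BEFORE removing the old ones, so the volume
#    is never left with only the TPM protector.
Add-BitLockerKeyProtector -MountPoint $Mount -RecoveryPasswordProtector | Out-Null
$new = (Get-BitLockerVolume -MountPoint $Mount).KeyProtector |
       Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' -and
                      $old.KeyProtectorId -notcontains $_.KeyProtectorId }

# 3. Save the new password offline. Do NOT use BackupToAAD-BitLockerKeyProtector
#    or the "Save to your Microsoft account" option, or you are back where you started.
$file = Join-Path $OutDir "BitLocker-$env:COMPUTERNAME-$($Mount.TrimEnd(':')).txt"
@(
  "Computer:     $env:COMPUTERNAME"
  "Volume:       $Mount"
  "Protector ID: $($new.KeyProtectorId)"
  "Recovery key: $($new.RecoveryPassword)"
) | Set-Content -Path $file -Encoding ASCII
"Saved new recovery key to $file"

# 4. Only now remove the old protectors; this is what invalidates the uploaded copy.
foreach ($p in $old) {
    Remove-BitLockerKeyProtector -MountPoint $Mount -KeyProtectorId $p.KeyProtectorId | Out-Null
    "Removed old protector $($p.KeyProtectorId)"
}

# 5. Verify: exactly one recovery password remains, and its ID matches the file you saved.
$check = @((Get-BitLockerVolume -MountPoint $Mount).KeyProtector |
           Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($check.Count -ne 1 -or $check[0].KeyProtectorId -ne $new.KeyProtectorId) {
    throw "Rotation did not end in the expected state; inspect with: manage-bde -protectors -get $Mount"
}
"Rotation complete. Now delete the old entry at https://account.microsoft.com/devices/recoverykey"
```

Two points worth checking afterwards: the ID printed by `manage-bde -protectors -get C:` should match the one in your saved file, and the entry you delete at account.microsoft.com should carry the old ID, not the new one. If you later sign in to a Microsoft account on that machine and Windows prompts you to back up the key, decline, or you will have re-uploaded the new password.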

Generally, though, I would think twice about relying on Microsoft’s BitLocker for encryption.

A deeper dive into encryption

Encryption is important for personal security and privacy because it prevents others from seeing the contents of your data. That way, if information is intercepted in transit or sits on a hard drive, it can't be read without decrypting it. Decrypting and encrypting data requires "keys". Usually, your key is unlocked by something only you know or have (e.g., a password or a biometric). For example, you decrypt your iPhone when you unlock it with your face or passcode. But keys can also be files stored elsewhere. Microsoft was storing recovery keys in the cloud, which means it has access to them. They did this to make it easier for users to recover their hard drives if they forget the password, but it introduces a critical weakness into the encryption process: a second key that someone other than you controls.

When encryption keys are available, anyone with access to the keys can decrypt the information. In this case, Microsoft gave them to a 3rd party and allowed for the decryption of information.

The fact that these recovery keys are available to Microsoft also means that a rogue Microsoft employee could decrypt your drive, Microsoft could do it for business reasons, or a hacker who gets access to your Microsoft account (the same one used for OneDrive, whether by phishing you or by breaching Microsoft) could do it. If a company holds your decryption keys, it can hand them over, lose them, or have them stolen.
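To make the point concrete, here is an added toy model (mine, not BitLocker's actual implementation) of why a recovery key is a second door to the same data, and why rotating it, not merely deleting the cloud copy, is what closes that door. It uses .NET AES-256-CBC from PowerShell as a stand-in for BitLocker's real key wrapping; the function names, salt, and secrets are all constructed for the demo.

```powershell
# Added model, not BitLocker's real code. One volume master key (VMK) encrypts
# the disk; each "protector" is the SAME VMK wrapped under a different secret.
# AES-256-CBC via .NET stands in for the real wrapping; secrets are made up.

function New-RandomBytes([int]$Count) {
    $b = New-Object byte[] $Count
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($b)
    return ,$b
}
# Turn a protector secret (TPM-sealed value, PIN, 48-digit recovery password) into an AES key.
function ConvertTo-WrapKey([string]$Secret) {
    $salt = [Text.Encoding]::UTF8.GetBytes('demo-salt')     # fixed salt: demo only
    $kdf  = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($Secret, $salt, 100000)
    return ,$kdf.GetBytes(32)
}
function Protect-Bytes([byte[]]$Key, [byte[]]$Plain) {
    $aes = [System.Security.Cryptography.Aes]::Create(); $aes.Key = $Key; $aes.GenerateIV()
    $ct  = $aes.CreateEncryptor().TransformFinalBlock($Plain, 0, $Plain.Length)
    return ,[byte[]]($aes.IV + $ct)                         # IV || ciphertext
}
function Unprotect-Bytes([byte[]]$Key, [byte[]]$Blob) {
    $aes = [System.Security.Cryptography.Aes]::Create(); $aes.Key = $Key; $aes.IV = [byte[]]$Blob[0..15]
    return ,$aes.CreateDecryptor().TransformFinalBlock($Blob, 16, $Blob.Length - 16)
}

# The VMK never leaves the machine; the disk contents are encrypted under it.
$vmk  = New-RandomBytes 32
$disk = Protect-Bytes $vmk ([Text.Encoding]::UTF8.GetBytes('contents of tax-return.pdf'))   # constructed

# Two protectors wrap the same VMK: the TPM's secret and the recovery password Microsoft stored.
$tpmSecret    = 'value-the-TPM-releases-only-on-a-trusted-boot'
$recoveryPass = '111111-222222-333333-444444-555555-666666-777777-888888'
$protectors = @{
    TPM      = Protect-Bytes (ConvertTo-WrapKey $tpmSecret)    $vmk
    Recovery = Protect-Bytes (ConvertTo-WrapKey $recoveryPass) $vmk
}

# Whoever holds the recovery password needs neither your PC nor its TPM to read the disk.
$vmkFromRecovery = Unprotect-Bytes (ConvertTo-WrapKey $recoveryPass) $protectors.Recovery
"Read with recovery password: " + [Text.Encoding]::UTF8.GetString((Unprotect-Bytes $vmkFromRecovery $disk))

# Deleting the cloud copy changes nothing here: $protectors.Recovery still opens with $recoveryPass.
# Rotation replaces the wrapped blob with one under a NEW password; data and VMK are untouched.
$newPass = '999999-888888-777777-666666-555555-444444-333333-222222'
$protectors.Recovery = Protect-Bytes (ConvertTo-WrapKey $newPass) $vmk

# The old password now either fails AES padding or yields garbage that is not the VMK.
try {
    $stale = Unprotect-Bytes (ConvertTo-WrapKey $recoveryPass) $protectors.Recovery
    "Old password still yields the VMK: " + ([BitConverter]::ToString($stale) -eq [BitConverter]::ToString($vmk))
} catch { "Old password rejected: $($_.Exception.Message)" }
```

The design point to take away: the protector layer is what makes "delete it online, then re-enable and save locally" meaningful. Re-enabling BitLocker in the Windows procedure above is what swaps the wrapped blob, exactly as the last step of this model does; the disk data itself is never re-encrypted.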

This is why "backdoors" break encryption: once there is a way to defeat the encryption, it's very difficult to control who gets access to that way in. This is why the cybersecurity community is so opposed to governments attempting to compel platforms like Apple, Signal, or others to build in backdoors. (UK example).

What’s end-to-end encryption?

When we talk about end-to-end encryption (E2EE), we mean that only the sender and the receiver can decrypt the data, because only they hold the keys. With E2EE, nobody else has the keys. Not the platform, not the service, not the company. This means only you and the party you are communicating with can see the content.

Things that are E2EE

Things that aren't E2EE

- Any Google-related service (except Android and Chromebook devices): Gmail, Drive, Photos. Yes, encryption is in place, but Google has the keys to decrypt your data.
- SMS.
- Phone calls on your carrier phone number.
- Almost everything else that isn't on the list above.

What should you do?

- Don't store encryption keys in the cloud, unless the cloud is E2EE.
- Think about not using Windows if you value encryption. Instead, use Apple products and enable FileVault, or Chromebooks, which have encryption enabled by default (and can only be decrypted by you logging in to your Google account).
- Don't use insecure services for private or sensitive communication (like SMS or email).
- Use E2EE services like the following for any sensitive or private communication: Signal, iMessage, WhatsApp.

E2EE is only as secure as the person you are corresponding with. So make sure you send the message to the right person. Remember that the person you are talking to can always take a screenshot of your communication.

Stay safe!

Tate