Windows enables device encryption on many Windows 10 and 8.1 PCs out-of-the-box. It also uploads your recovery key to Microsoft’s servers, allowing you to regain access to your encrypted drives even if you forget their passwords.
If you’re not comfortable with this, though, it’s possible to delete the recovery key from Microsoft’s servers or even create a new key. This process even works on Home editions of Windows, even though they don’t have access to the full BitLocker encryption provided by the Professional versions.
You Probably Shouldn’t Do This
Realistically, you probably shouldn’t do this. It’s unusual that Microsoft is silently uploading recovery keys to its own servers, but it isn’t actually worse than the previous status quo. Previous versions of Windows — and the many current Windows PCs that still don’t ship with device encryption enabled — are just unencrypted. That means anyone could access their files if they can get their hands on the computer. Enabling encryption and giving Microsoft a recovery key is a big help against laptop thieves and other people who might want to snoop on your files.
The recovery key allows you to regain access to your computer’s files even if you forget your password, or upgrade the hardware on your system (which can sometimes lock you out of the encrypted drive). You just log into your Microsoft account online, find the recovery key, and type it into your computer to access the locked hard drive. This is a huge boon for home users who wouldn’t necessarily back up their recovery keys in a safe place, and might forget their passwords. Home users wouldn’t be happy if they lost all the files on their computers over something so silly.
Of course, the other side of the coin here is that Microsoft could be forced to give your recovery key to the government. Or, alternately, that someone could gain physical access to your computer and somehow get into your Microsoft account to access the recovery key and bypass the encryption. The tips below will take that recovery key away from Microsoft. But if you do this, you have to keep a copy of it yourself and store it somewhere safe. If you lose it, and you forget your password or update your hardware without disabling encryption first, you’ll be locked out of your computer for good.
Delete the Recovery Key From Microsoft’s Servers
To check if Microsoft is storing a recovery key for one or more of your PCs, open the https://onedrive.live.com/recoverykey page in your web browser. Sign in with the same Microsoft account you first signed in with on that Windows PC.
If you don’t have any keys stored on Microsoft’s servers, you’ll see a “You don’t have any BitLocker recovery keys in your Microsoft account” message.
If you do have recovery keys stored on Microsoft’s servers, you’ll see one or more recovery keys here. Click the name of your computer and then click the “Delete” link that appears to delete your recovery key from Microsoft’s servers.
Warning: Write down this recovery key or print it out and keep it somewhere safe before deleting it! You’ll need the recovery key in case you ever need to regain access to your encrypted files.
Generate a New Recovery Key
Microsoft promises they’ll quickly delete any recovery keys you remove from their servers. However, if you’re a bit paranoid, this probably won’t be good enough for you. You can instead have Windows generate a new recovery key that will never be uploaded to Microsoft’s servers.
This doesn’t require re-encrypting your entire drive. Basically, BitLocker encryption uses two keys. The first key is stored only on your computer and is used for encrypting and decrypting your files. The second key is used to decrypt the key stored on your computer. This process just changes the second key, which is the only one that ever leaves your computer anyway.
To do this, right-click the Start button and select “Command Prompt (Admin)” to open a Command Prompt window as administrator.
Type the following command and press Enter to temporarily “suspend” BitLocker protection:
manage-bde -protectors -disable %systemdrive%
Run the following command to delete the current recovery key:
manage-bde -protectors -delete %systemdrive% -type RecoveryPassword
Then run this command to generate a new recovery key:
manage-bde -protectors -add %systemdrive% -RecoveryPassword
Important: Write down or print out the recovery key displayed after you run this command and keep it in a safe place! This is your new recovery key, and you’re responsible for safeguarding it.
Lastly, re-enable the BitLocker protection:
manage-bde -protectors -enable %systemdrive%
You’ll see a message saying no drives in the computer support device encryption. The drives are still encrypted, however. If you want to undo all of your changes, you’ll need to disable encryption from a Command Prompt window.
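The same rotation, written as an added PowerShell example rather than anything from the original article, using the BitLocker cmdlets and verifying the result afterwards. It assumes an elevated session, that the BitLocker PowerShell module is present (if it is not, the manage-bde commands above are the fallback), and a made-up output path in $KeyFile; it also adds the new protector before deleting the old one so the volume never lacks a recovery protector midway.

```powershell
# Added example, not from the article: rotate the recovery password on the
# system drive and confirm the old protector is gone and protection is back on.
# Assumptions: elevated PowerShell, BitLocker module available, $KeyFile points
# at removable media you control (placeholder path below).
$KeyFile = 'D:\bitlocker-recovery-key.txt'

$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($vol.VolumeStatus -notin 'FullyEncrypted', 'EncryptionInProgress') {
    throw "$($vol.MountPoint) is not encrypted (status: $($vol.VolumeStatus)); nothing to rotate."
}

# Remember the existing recovery-password protector IDs so we can verify removal later.
$old = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
Write-Host "Found $($old.Count) existing recovery password protector(s)."

# Step 1: suspend protection (equivalent to: manage-bde -protectors -disable %systemdrive%).
# -RebootCount 0 keeps it suspended until Resume-BitLocker is called.
Suspend-BitLocker -MountPoint $vol.MountPoint -RebootCount 0 | Out-Null

# Step 2: add the NEW recovery password first. Nothing here calls
# BackupToAAD-BitLockerKeyProtector, so the key stays on this machine only.
$updated = Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector
$new = @($updated.KeyProtector | Where-Object {
    $_.KeyProtectorType -eq 'RecoveryPassword' -and $old.KeyProtectorId -notcontains $_.KeyProtectorId
})[0]

# Step 3: save the key locally. This copy is the only way back in after the old one is deleted.
@(
    "Recovery key for $($vol.MountPoint) generated $(Get-Date -Format o)"
    "Protector ID: $($new.KeyProtectorId)"
    "Recovery key: $($new.RecoveryPassword)"
) | Set-Content -Path $KeyFile

# Step 4: delete the old recovery password protector(s) (manage-bde -protectors -delete ... -type RecoveryPassword).
foreach ($p in $old) {
    Remove-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
}

# Step 5: re-enable protection (manage-bde -protectors -enable %systemdrive%).
Resume-BitLocker -MountPoint $vol.MountPoint | Out-Null

# Step 6: verify. Exactly one recovery password should remain, and it must be the new one.
$after = Get-BitLockerVolume -MountPoint $vol.MountPoint
$remaining = @($after.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($after.ProtectionStatus -ne 'On') { Write-Warning 'Protection is still suspended; run Resume-BitLocker.' }
if ($remaining.Count -ne 1 -or $remaining[0].KeyProtectorId -ne $new.KeyProtectorId) {
    Write-Warning "Unexpected protector set: $($remaining.KeyProtectorId -join ', ')"
}
Write-Host "Rotated. New key saved to $KeyFile; removed IDs: $($old.KeyProtectorId -join ', ')"
```

Move the saved file off the PC once you have it; a recovery key stored on the encrypted drive itself is useless when that drive is locked.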
Or Just Use BitLocker Instead
If you have the Professional edition of Windows — or if you’re willing to pay another $99 to upgrade to the Professional edition of Windows — you can skip all this and just set up normal BitLocker encryption. When you set up BitLocker, you’ll be asked how you want to back up your recovery key. Just don’t select the “Save to your Microsoft account” option and you’ll be fine. Be sure to write down the recovery key or print it out and keep it somewhere safe!
This is also the only official way to encrypt your Windows system drive if your computer didn’t ship with device encryption enabled. You can’t just enable device encryption later — on Home Windows PCs without device encryption, you need to pay for Windows Professional so you can use BitLocker. You could try using TrueCrypt or a similar open-source tool, but a cloud of uncertainty still hangs over those.
Again, most Windows users won’t want to do this. With device encryption, Microsoft moved from all Windows PCs being unencrypted by default to many Windows PCs being encrypted by default. Even though Microsoft has the recovery key, that’s a big win for data security and a big improvement. But, if you want to go farther, the tricks above will let you take control over your recovery key without paying for a Professional edition of Windows.
Image Credit: Moyan Brenn on Flickr