
Remove Windows Disk Encryption Key - Microsoft Account

January 14, 2016

Device Encryption and Recovery Keys in Windows

Many Windows 10 and 8.1 computers have device encryption enabled by default. This feature secures your data and protects it from unauthorized access.

Alongside encryption, Windows automatically transmits your recovery key to Microsoft’s servers. This allows users to restore access to their encrypted drives, even in the event of a forgotten password.

Managing Your Recovery Key

Users who prefer greater control over their data can remove the recovery key from Microsoft's servers, or generate a new recovery key that is never uploaded.

This functionality is available across all Windows editions, including the Home versions. It’s important to note that even Home editions benefit from encryption, despite lacking the complete BitLocker functionality found in Professional versions.

Key Considerations

  • Deleting the recovery key means you'll need another method to regain access if you forget your password.
  • Creating a new key replaces the existing one stored on Microsoft’s servers.
  • Ensure you securely store any newly generated recovery key.

Understanding these options allows Windows users to balance security with personal privacy preferences. Managing your recovery key is a crucial step in maintaining control over your encrypted data.

Why You Might Want to Avoid This Practice

Related: An Examination of Concerns Surrounding Encryption in Windows 8.1 and FBI Access

In practice, this procedure is not recommended for most people. Microsoft's silent upload of recovery keys to its servers is a notable change, but it is not obviously worse than the situation it replaces: older Windows versions, and many PCs in use today that lack device encryption, are not encrypted at all, so anyone with physical possession of such a machine can read its files directly.

Activating encryption and providing Microsoft with a recovery key represents a substantial improvement in security against laptop theft and unauthorized file access. The key facilitates regaining access to your data should you forget your login credentials or perform hardware upgrades that might otherwise render the encrypted drive inaccessible.

Accessing your files is straightforward: simply log in to your Microsoft account online, locate the recovery key, and enter it into your computer to unlock the drive. This feature is particularly beneficial for home users who may not diligently back up their recovery keys or reliably remember complex passwords. Data loss due to a forgotten password or oversight would be a frustrating experience for many.

However, a potential drawback is the possibility of Microsoft being compelled by legal authorities to disclose your recovery key. Alternatively, unauthorized physical access to your computer, coupled with compromised Microsoft account credentials, could allow an attacker to retrieve the key and circumvent the encryption. The following guidance details how to remove the key from Microsoft’s control. However, doing so necessitates maintaining a secure, personal copy of the key; its loss, alongside a forgotten password or unmanaged hardware change, will result in permanent data inaccessibility.

Removing BitLocker Recovery Keys from Microsoft Servers

You can verify whether Microsoft has stored a recovery key for your computers by visiting the page located at https://onedrive.live.com/recoverykey within your web browser.

Ensure you log in using the identical Microsoft account that was initially used when setting up Windows on the specific PC.

Should no recovery keys be present on Microsoft’s servers, a message stating "You don't have any BitLocker recovery keys in your Microsoft account" will be displayed.

Conversely, if recovery keys are stored, they will be listed on this page.

To remove a key, select the computer name associated with it, and then click the "Delete" link that becomes visible.

Important Caution:

Before deleting any recovery key, it is crucial to record it or create a printed copy for safekeeping.

This key will be essential should you ever require access to your encrypted data.


Creating a Fresh Recovery Key for BitLocker

While Microsoft asserts that recovery keys removed from their servers are promptly deleted, some users may prefer an extra layer of security. It’s possible to instruct Windows to create a new recovery key that remains exclusively on your system, never being uploaded to Microsoft’s infrastructure.

This process doesn't require re-encrypting the drive, because BitLocker uses two layers of keys. One key never leaves your computer and performs the actual encryption and decryption of your data. The recovery key only unlocks that first key, and it is this second key that may leave your device; replacing it leaves the encrypted data untouched.

To begin, access the Command Prompt with administrative privileges. This can be achieved by right-clicking the Start button and selecting "Command Prompt (Admin)".


Enter the following command and press Enter to temporarily suspend BitLocker’s protective measures:

manage-bde -protectors -disable %systemdrive%


Next, execute this command to remove the existing recovery key:

manage-bde -protectors -delete %systemdrive% -type RecoveryPassword


Subsequently, run this command to generate a brand new recovery key:

manage-bde -protectors -add %systemdrive% -RecoveryPassword

Crucially, immediately record or print the recovery key displayed after executing this command. Store it securely, as this is your new key and your responsibility to protect.


Finally, reactivate BitLocker protection with this command:

manage-bde -protectors -enable %systemdrive%


After these commands, Windows may report that no drives support device encryption; the drive is nonetheless still encrypted. If you later want to turn encryption off entirely, that too must be done from the command prompt.
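The four manage-bde steps above, carried out as one script with the checks a cautious administrator would want around them. This is an added example, not code from the original article; it uses the BitLocker PowerShell module (Get-BitLockerVolume, Suspend-BitLocker, Remove-BitLockerKeyProtector, Add-BitLockerKeyProtector, Resume-BitLocker) as the cmdlet equivalents of the manage-bde commands, and assumes an elevated PowerShell session on Windows 8.1 or 10 with an already-encrypted system drive. The $OutFile parameter name and the default file path are choices made for this example.

```powershell
# Added example: rotate the BitLocker recovery password on the system drive so that
# the key Microsoft may already hold no longer unlocks it. Cmdlet equivalents of the
# manage-bde commands in the article; assumes an elevated session and the BitLocker module.
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [string]$MountPoint = $env:SystemDrive,
    # Assumed location for the new key; move the file off this machine afterwards.
    [string]$OutFile = (Join-Path $env:USERPROFILE 'BitLocker-RecoveryKey.txt')
)

$ErrorActionPreference = 'Stop'

# Pre-check: refuse to run on a drive that is not encrypted at all.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    throw "$MountPoint is not encrypted; there is no recovery key to rotate."
}

# Record the existing recovery-password protectors (the ones that may have been uploaded).
$old = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
Write-Host "Found $($old.Count) RecoveryPassword protector(s) on $MountPoint"

try {
    # Step 1: suspend protection (manage-bde -protectors -disable). RebootCount 0 means
    # "until resumed"; the finally block below always resumes, even on error.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 0 | Out-Null

    # Step 2: delete every existing recovery password
    # (manage-bde -protectors -delete ... -type RecoveryPassword).
    foreach ($p in $old) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }

    # Step 3: add a fresh recovery password (manage-bde -protectors -add ... -RecoveryPassword).
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null

    # Identify the protector that was just created: a RecoveryPassword whose id is new.
    $oldIds = $old | ForEach-Object { $_.KeyProtectorId }
    $new = Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object -ExpandProperty KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' -and $oldIds -notcontains $_.KeyProtectorId }

    if (@($new).Count -ne 1) {
        throw "Expected exactly one new RecoveryPassword protector, found $(@($new).Count)."
    }
    # A BitLocker recovery password is 48 digits in eight groups of six.
    if ($new.RecoveryPassword -notmatch '^(\d{6}-){7}\d{6}$') {
        throw "New recovery password has an unexpected format."
    }

    # Write the key out immediately; losing it means losing the data if the password is forgotten.
    @(
        "BitLocker recovery key for $env:COMPUTERNAME $MountPoint",
        "Generated: $(Get-Date -Format o)",
        "Key protector ID: $($new.KeyProtectorId)",
        "Recovery password: $($new.RecoveryPassword)"
    ) | Set-Content -Path $OutFile -Encoding ASCII
    Write-Host "New recovery password written to $OutFile"
}
finally {
    # Step 4: re-enable protection (manage-bde -protectors -enable), whatever happened above.
    Resume-BitLocker -MountPoint $MountPoint | Out-Null
    $after = Get-BitLockerVolume -MountPoint $MountPoint
    Write-Host "Protection status on ${MountPoint}: $($after.ProtectionStatus)"
    if ($after.ProtectionStatus -ne 'On') {
        Write-Warning "Protection is not back on; resume it manually before rebooting."
    }
}
```

Two points worth noting. The script deliberately calls no backup cmdlet (for example Backup-BitLockerKeyProtector, which escrows a protector to Active Directory), so the new password exists only on the drive and in $OutFile; on a domain-joined machine, Group Policy can still require recovery information to be backed up, so confirm the resulting protector is not escrowed by policy before relying on it. And because the key file is written to the user profile on the very drive it unlocks, it must be moved to offline storage (paper or a removable device) and deleted locally once that is done.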

Employ BitLocker as an Alternative Solution

Related: A guide on configuring BitLocker Encryption on Windows systems.

For users possessing the Professional version of Windows, or those prepared to invest $99 for an upgrade, a simpler approach exists. You can bypass the preceding steps by directly implementing standard BitLocker encryption. During BitLocker setup, you will be prompted to choose a method for recovery key backup.

Avoid selecting the option to "Save to your Microsoft account" to maintain complete control. It is crucial to record the recovery key, either by writing it down or printing it for secure storage.
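For those on Windows Professional who would rather not click through the wizard at all, the same outcome (standard BitLocker with a recovery key that is never offered to a Microsoft account) can be scripted. This is an added example, not from the original article; it uses the Enable-BitLocker, Get-BitLockerVolume and Add-BitLockerKeyProtector cmdlets, assumes an elevated session, a TPM-equipped machine and a currently unencrypted system drive, and the $OutFile name and path are choices made for this example.

```powershell
# Added example: turn on BitLocker for the system drive with a TPM protector and a
# recovery password that is saved only to a local file, never to a Microsoft account.
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [string]$MountPoint = $env:SystemDrive,
    # Assumed location for the key; move it off this machine once encryption starts.
    [string]$OutFile = (Join-Path $env:USERPROFILE 'BitLocker-RecoveryKey.txt')
)

$ErrorActionPreference = 'Stop'

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    throw "$MountPoint is already encrypted (status $($vol.VolumeStatus)); nothing to do."
}

# Start encryption with a recovery-password protector. -SkipHardwareTest avoids the
# reboot-and-test cycle the wizard performs; -UsedSpaceOnly encrypts only used space,
# which is appropriate for a freshly installed drive.
Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes256 -UsedSpaceOnly `
    -RecoveryPasswordProtector -SkipHardwareTest | Out-Null

# Read the generated password back and record it before doing anything else.
$rp = Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object -ExpandProperty KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
    Select-Object -First 1
if (-not $rp -or $rp.RecoveryPassword -notmatch '^(\d{6}-){7}\d{6}$') {
    throw "No valid recovery password protector was created."
}
@(
    "BitLocker recovery key for $env:COMPUTERNAME $MountPoint",
    "Generated: $(Get-Date -Format o)",
    "Key protector ID: $($rp.KeyProtectorId)",
    "Recovery password: $($rp.RecoveryPassword)"
) | Set-Content -Path $OutFile -Encoding ASCII
Write-Host "Recovery password written to $OutFile"

# Add the TPM protector so the drive unlocks automatically at boot; the recovery
# password remains as the fallback for forgotten credentials or hardware changes.
Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null

$after = Get-BitLockerVolume -MountPoint $MountPoint
Write-Host "Volume status: $($after.VolumeStatus); protectors: $(($after.KeyProtector.KeyProtectorType) -join ', ')"
```

Nothing in this script uploads the recovery password anywhere: the "Save to your Microsoft account" step exists only in the wizard, and the script calls no backup cmdlet. As with the wizard, the key file is the only copy, so print it or copy it to removable media and then delete it from the encrypted drive.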

BitLocker: The Official Encryption Method

This method also represents the sole officially supported way to encrypt the Windows system drive on computers that were not originally equipped with device encryption. Retroactively enabling device encryption isn't possible on Home edition Windows PCs lacking this feature.

Users in this situation must purchase Windows Professional to utilize BitLocker. While alternative open-source tools like TrueCrypt exist, their security remains a subject of debate.

The majority of Windows users will likely find the default settings sufficient. Microsoft's shift to encrypting many Windows PCs by default, through device encryption, represents a significant advancement in data security.

Even with Microsoft retaining the recovery key, this constitutes a substantial improvement in overall data protection. However, for those seeking greater control, the previously described techniques allow for independent management of the recovery key without requiring a Professional Windows license.

Image Source: Moyan Brenn on Flickr
