In any case, perhaps it is useful to remember what it is: Windows 10, if the hardware allows it, automatically activates full encryption of a new device. When you log in with your Microsoft account, the key is automatically copied to the company's servers. After that you can go to a specific page and delete it. Those who have Windows 10 Pro or Enterprise, then, can also create a new key that will never be copied to Microsoft servers. The operation is active by default on new devices, not when upgrading from a previous version (unless encryption is active).
Microsoft keeps a copy of the key online to facilitate recovery operations in the event of an accident; from this point of view it is a valuable tool, but many people may not like having such sensitive information online.
"Your computer," says Matthew Green (professor of cryptography at Johns Hopkins University), "is as secure as the key database in Microsoft's hands, which could be vulnerable to hackers, foreign governments, and people capable of blackmailing Microsoft employees."
Is there a privacy issue? It depends on your point of view: it is certainly very sensitive information and not everyone will be happy to know how it is handled, but for most of us there is probably nothing to worry about. If The Intercept is talking about it, it is probably because this newspaper (among the most important investigative newspapers in the world) speaks to a public very sensitive to these topics, to people for whom this type of information is really very relevant.
How to delete the recovery key from your Microsoft account
- Sign in to your Microsoft account at onedrive.live.com/recoverykey. A list of all stored cryptographic keys (one per device) will be visible.
- Click on the key you want to delete to view its information.
- Copy the data to a text file or write it down by hand on a sheet of paper.
- Click on the "Delete" button on the right.
At this point, the encrypted device can no longer be restored simply with the owner's Microsoft account; the encryption key must be entered separately. Those who have particularly sensitive information on their computer and want maximum confidentiality may prefer to create a new key and not upload it to Microsoft servers. This is only possible with Windows 10 Pro or Enterprise. Windows 10 Home users can use an encryption tool other than the default.
Create a new key with BitLocker
Prerequisite: Windows 10 Pro or Windows 10 Enterprise
- Open the Start menu and type "bitlocker"
- Click on "BitLocker Management"
- Click on "Disable BitLocker" to remove encryption from the disk, if it is already enabled
- When finished (this may take a long time), click "Activate BitLocker"
- On the next screen, choose to save the encryption key locally or print it
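
To check the result of the two procedures above, the following PowerShell script (an added example, not part of the original article) lists the recovery-password protectors on each encrypted volume so their IDs can be compared with the keys shown on the Microsoft account page. It assumes an elevated prompt on Windows 10 Pro or Enterprise, and that the account page identifies each key by the leading characters of the protector ID; the function name and the fallback sample data are constructed for illustration.

```powershell
# Added example: list BitLocker recovery-password protectors per volume.
# The recovery password itself is deliberately never printed.
function Get-RecoveryProtectorSummary {
    param(
        [Parameter(Mandatory)]
        [object[]]$Volume   # objects shaped like Get-BitLockerVolume output
    )
    foreach ($v in $Volume) {
        $recovery = @($v.KeyProtector |
            Where-Object { "$($_.KeyProtectorType)" -eq 'RecoveryPassword' })
        # Unencrypted volume, or one protected only by TPM/password protectors:
        # emit a single row with empty IDs so it still shows up in the report.
        if ($recovery.Count -eq 0) { $recovery = @($null) }
        foreach ($p in $recovery) {
            $id = if ($p) { "$($p.KeyProtectorId)".Trim('{}') } else { $null }
            [pscustomobject]@{
                MountPoint  = $v.MountPoint
                Status      = "$($v.VolumeStatus)"
                Protection  = "$($v.ProtectionStatus)"
                # Assumption: the short key ID is the first 8 characters of the GUID
                KeyId       = if ($id) { $id.Substring(0, 8).ToUpper() } else { $null }
                ProtectorId = $id
            }
        }
    }
}

if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    # Real data: requires an elevated PowerShell session
    $volumes = Get-BitLockerVolume
} else {
    # Constructed sample so the script also runs where BitLocker is unavailable
    $volumes = [pscustomobject]@{
        MountPoint       = 'C:'
        VolumeStatus     = 'FullyEncrypted'
        ProtectionStatus = 'On'
        KeyProtector     = @(
            [pscustomobject]@{ KeyProtectorType = 'Tpm'
                               KeyProtectorId   = '{00000000-1111-2222-3333-444444444444}' },
            [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword'
                               KeyProtectorId   = '{A1B2C3D4-5555-6666-7777-888888888888}' }
        )
    }
}

Get-RecoveryProtectorSummary -Volume $volumes | Format-Table -AutoSize
```

After turning BitLocker off and on again, the KeyId reported for the drive should differ from the one that was listed on the account page before deletion, and should not reappear there.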