Windows 10 and disk encryption

Hard disk encryption prevents access to your confidential files if your PC or laptop is stolen. Without disk encryption, retrieving your files from a stolen machine is trivial - your Windows password is of no value whatsoever in preventing data from being copied. Hard disk encryption renders this impossible - there is nothing that can be done to retrieve the data.

By default, both Windows 8.1 and Windows 10 support disk encryption - known as device encryption - provided certain conditions are met.

Firstly, the computer's hardware must include a TPM chip (Trusted Platform Module). This chip generates and securely stores cryptographic keys, including the key that protects the encrypted disk. Most modern PCs have a TPM chip.

Secondly, the user must log in with a Microsoft account (e.g. a Hotmail, Outlook or Live email address) with administrator privileges, or join the PC to a domain.

If these conditions are met, Windows will encrypt your hard drive on first login - but there is an important caveat.

If you log in via a Microsoft account to enable disk encryption, a copy of your encryption key is sent to Microsoft and stored in OneDrive. This means Microsoft possesses the means to decrypt your hard drive, and there is a risk that Microsoft could provide keys to law enforcement authorities, or itself be compromised and the keys stolen.

For domain users, the encryption key is backed up on the domain server - not sent to Microsoft. If a local user is chosen, the disk is not encrypted at all.

For the average user, Microsoft holding a copy of their encryption key is an acceptable risk, and may be quite useful for backup purposes, which is no doubt what it is intended for. After all, the alternative is an unencrypted hard drive accessible to anyone with physical possession of the disk.

There are some solutions. You can log in to your Microsoft account, view the encryption key, and even delete it. This isn't a guarantee that Microsoft has actually deleted the key, though.

The best approach for users of Pro and Enterprise editions of Windows 10 (not the Home Edition) is to generate a new key by decrypting and re-encrypting the drive.

This is done via BitLocker, which isn't part of the Home Edition. BitLocker gives better control than the default device encryption.

First, you'll need to decrypt your drive by turning off BitLocker. Once the drive has been decrypted, turn BitLocker back on, and you'll be prompted to save your encryption key to a file or to print it out. Make sure the file is stored on an external USB drive - it won't be much use stored on the encrypted drive when it is required to unlock that very drive! And it won't be stored in your Microsoft account, so you'll be unable to retrieve it from there.
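The same decrypt and re-encrypt procedure as a script, added here as an example and not part of the original post. It assumes an elevated PowerShell prompt on Windows 10 Pro or Enterprise, the system drive at C: and the external USB drive at E: (both paths are assumptions; adjust them), and it writes the recovery password to the USB drive only, never to the encrypted drive or a Microsoft account.

```powershell
# Added example: re-key a BitLocker system drive so that a freshly generated key
# is protected by the TPM and the recovery password is saved to removable media.
$OsDrive = "C:"
$UsbRoot = "E:\"   # assumption: the external USB drive is mounted here

# 1. Preconditions: a present, ready TPM, and a USB drive that is not the OS drive.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) { throw "TPM not present or not ready" }
if (-not (Test-Path $UsbRoot)) { throw "USB drive $UsbRoot not found" }
if ((Split-Path $UsbRoot -Qualifier) -eq $OsDrive) {
    throw "The recovery key must not be saved to the drive it unlocks"
}

# 2. Turn BitLocker off and wait until the volume is fully decrypted. The old
#    key (the one device encryption escrowed to OneDrive) is discarded here.
$vol = Get-BitLockerVolume -MountPoint $OsDrive
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    Disable-BitLocker -MountPoint $OsDrive | Out-Null
    while ((Get-BitLockerVolume -MountPoint $OsDrive).VolumeStatus -ne 'FullyDecrypted') {
        Start-Sleep -Seconds 30
    }
}

# 3. Turn BitLocker back on with a new recovery password, then add the TPM
#    protector so the drive unlocks at boot. No step here uploads the key.
Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 -RecoveryPasswordProtector | Out-Null
Add-BitLockerKeyProtector -MountPoint $OsDrive -TpmProtector | Out-Null

# 4. Write the recovery password to the USB drive and report the protectors in place.
$vol = Get-BitLockerVolume -MountPoint $OsDrive
$rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
$outFile = Join-Path $UsbRoot "BitLocker-Recovery-$env:COMPUTERNAME.txt"
"Identifier: $($rp.KeyProtectorId)`r`nRecovery Password: $($rp.RecoveryPassword)" | Set-Content -Path $outFile
$types = ($vol.KeyProtector.KeyProtectorType | Sort-Object -Unique) -join ', '
Write-Host "Protectors on ${OsDrive}: $types (recovery password saved to $outFile)"
```

Encryption continues in the background after the script finishes; `Get-BitLockerVolume` shows the percentage complete, and the USB drive should be kept somewhere other than with the laptop.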

There actually is a way Home Edition users can get around this issue despite not having BitLocker. The instructions are shown here, and step 4 should be skipped. Use at your own risk!

Posted by John Faulds in