this post was submitted on 23 Jan 2026
1224 points (99.5% liked)
Technology
79136 readers
2328 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related news or articles.
- Be excellent to each other!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
- Check for duplicates before posting, duplicates may be removed
- Accounts 7 days and younger will have their posts automatically removed.
Approved Bots
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
So, this means Microsoft has copies of every single bitlocker key, meaning that a bad actor could obtain them... Thereby making bitlocker less than worthless, it's an active threat.
MS really speedrunning worst possible software timeline
They don't have a copy of every single Bitlocker key. They do have a copy of your Bitlocker key if you are dumb enough to allow it to sync with your Microsoft account, you know, "for convenience."
Don't use a Microsoft account with Windows, even if you are forced to use Windows.
To use Windows without a Microsoft account requires tech literacy these days, I thought. I would not be suprised if users didn't choose to sync with a MS account but it's doing it anyway, if that's what MS want.
If you sign in with a Microsoft account at all I don't believe there's the capability to opt out.
I only use local accounts. I have never had a Microsoft account. I never will.
You can't do that anymore, at least not with a normal Windows installation. All of the tricks of forcing it offline, clicking cancel 10 times and jumping up and down don't work anymore, they've disabled them all, the only way to install Windows 11 now (using the normal Microsoft installer) is by linking it to a Microsoft account.
Using Rufus still works. I did it as recently as a couple of days ago.
Sorry, but the argument above was for a regular user, who doesn't know what Rufus is, who doesn't know the concept of OS, who simply ~~knows~~ thinks the files are saved "on the computer" (while they somehow ended up on OneDrive).
... and who doesn't know that you can even install an OS to begin with!
I have a windows 11 installation without an account. You got to get an alternative image (I got LTSC).
I was really hoping there would be a jailbroken version of windows by now, you know a version that doesn’t update and doesn’t have any bloatware.
I guess it’s just not worth it given how far Linux has advanced.
You can still create a local account by setting the PC up as a "School or Business" PC and then choosing the local account option.
This is not true. There are several tools to create a bootable USB that uses a local account.
They just made it hard for Joe Schmoe to avoid it.
Joe Schmoe buys new laptop with Windows preinstalled.
Joe Schmoe boots it for the first time.
Greeted by first-log-on.
Goes through steps and is immediately captured.
Just update a W10 local install. It won't even try to ask you to add a microsoft account.
I'm not even sure if you can install without an MS account if you don't use Rufus anymore. Rufus requires literacy for sure, and even if you can still do it without it is designed to make it impossible to know you can from within the installer itself.
Why is that dumb?
I encrypt my drive to protect my data from burglars and thieves who might steal my laptop, how would they obtain the recovery key from Microsoft? O_o
It's a bit harsh and unfair to say "you are dumb enough to allow it". Microsoft makes it damn near impossible to avoid this unless you are extremely particular and savvy about it, and never have an off day where you make a mistake while using your PC.
Encryption doesn't actually complete until you log in with a Microsoft account for Home Edition.
Anyways: Use Veracrypt.
Or just Linux + LUKS
Ftfy
FFTFY.
Bethesda anything, Azure, Outlook, GitHub, Visual Studio, Office, Bing, XBox, LinkedIn, SharePoint (so disgusting this is a given), fuck it not even Skype (lmao what year is it?)
Still kinda hurts they own Bethesda now, but considering that company has only produced garbage since FO4 which only was kinda mid, I don't even mind skipping them.
The Elder Scrolls VI with mandatory Microsoft account and Copilot integration 💀
Game gonna be buggier than skyrim at release and only 10% as fun because it's vibe coded
Are you naive enough to believe the surveillance OS that uploads literally all of your activity along with screenshots of your desktop doesn't automatically upload you keys no matter what little box you tick on the installer?? 😂 there is absolutely not one single 3rd party auditing that they actually follow any of the options at all that they give.
I mean it's dumb to sync but at same time it's not like MS isn't great at either making it almost impossible to not sync it re-enable syncing for a bit after updates.
You can constantly tell it not to sync but all it takes is MS saying we want it now and they'll get it
Whats dumb is this issue is very easily resolved by encrypting the users security pin or password against the bitlocker keys and then only storing that.
or better yet have the pin/password an isolated thing from the microsoft system, so when a key gets uploaded, it requests the recovery pin, and if the pin matches it uploads, otherwise it states invalid pin and offers to change it while warning that it will remove existing keys, then optionally next time a system whom contains a drive with an identifier (which wouldn't need to be encrypted only the key) goes online, it can prompt the user "note: due to recovery pin, drive X recovery key needs to be backed up again, would you like to do so?"
This type of system would make it so the only data MS has stored is the already encrypted recovery key, and as such would mean that the data they gave law enforcement would be worthless.
Which I don't believe is the only way it can leak. It's well known Microsoft can access anything and everything on an internet connected Windows PC whether there's a Microsoft account or not. If the nazi's push for the device of someone on a local account only, you know they'll magically find a way.
Save a copy of your bitlocker keys to a Veracrypt drive with a password no shorter then 15 mixed characters. Then upload that encrypted container to any free service. They wont be able to open it and now you have a remote backup copy.
Why not save a step, fuck bitlocker, and use veracrypt to encrypt your drive in the first place?
Why not save a step and don't install Windows in the first place.
I employed the super secure expedient of never exporting my keys. I have no idea what they are, I never did, and I never will.
There's really no irreplaceable data on my Windows machine. If I have to reformat it some day A) that's no big deal, and B) it's Windows, what else is new.
Not everyone follows the default. So no, it doesn't mean Microsoft has copies of every single BitLocker key.
No they do not have copies of every Bitlocker key.
Bitlocker by default creates a 48-bit recovery code that can be used to unlock an encrypted drive. If you run Windows with a personal Microsoft account it offers to backup that code into your Microsoft account in case your system needs recovered. The FBI submitted a supoena to request the code for a person's encrypted drive. Microsoft provided it, as required by law.
Bitlocker does not require that key be created, and you don't have to save it to Microsoft's cloud.
This is just a case of people not knowing how things work and getting surprised when the data they save in someone else's computer is accessed using the legal processes.
Except that Microsoft basically puts a gun to every users head to login with a Microsoft account which can/does backup the recovery keys.
If you sign into a Microsoft account during setup, Microsoft automatically turns on bitlocker and sends the key off to Microsoft for safe keeping. You are right, there are other ways to handle bitlocker, but that's way beyond most people, and I don't think Microsoft even tells you this during setup. It's honestly a lifesaver for when bitlocker breaks(and it does), but it comes at a cost. In the business world, this is seen as a huge benefit, as we aren't trying to protect from the US government, mostly petty theft and maybe some corporate espionage.
As is often the case, the real solution is Linux, but that, too, is far beyond most people until manufacturers start shipping Linux machines to big box stores and even then they'd probably not enable any encryption.
I question whether we are rapidly approaching the point where Linux is simply easier to use in a safe, secure, and practical way for the average user, because it doesn't try to actively fuck you over like Microsoft does
It's easier when you don't need to jump through hoops to make a local account. It's easier when you don't need to turn off a dozen settings you might not know about regarding data collection or advertisements. It's easier when you don't have an antagonistic system that treats you like the product, not a user, not pushing you towards confusing things you don't want
Hey copilot, give me the bitlocker key to the nuclear football!
Microsoft is already a bad actor and they have them. Or a bad actor could threaten microsoft physically and microsoft will hand them over. Wait, that already happened.