Microsoft BitLocker Is Not A Great Solution

Microsoft has confirmed that it receives around 20 requests for BitLocker keys a year and will provide them to governments in response to valid court orders. My issue is not only that Microsoft is able to access the key because of the way it is stored, but also that anyone who gets access to your Microsoft account can get the key.

Microsoft BitLocker is supposed to protect your data by encrypting it automatically. On most modern Windows 11 computers this feature is enabled by default to safeguard all the data on the computer’s hard drive. BitLocker encrypts the data so that only those with the key can decode and read it.

You can store BitLocker keys digitally or on paper, which you should do as a backup in case your computer crashes and you want the data off it. Here is where the issue comes in: during BitLocker setup, Microsoft recommends that users store their keys in their Microsoft account for convenience and ease of use. The problem is that anyone who logs in to your Microsoft account can get those keys and access the data, since they are stored in clear text.
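The practical defence against the escrow problem described above is to treat any recovery password that was ever uploaded to the Microsoft account as exposed and rotate it locally, then keep the new one offline. The following script is an added example written for this post; it is not Microsoft’s code and not part of the original article. It assumes an elevated PowerShell session on Windows 10/11 Pro or better with the built-in BitLocker module, the system volume mounted at C:, and an output path for the offline copy (both are placeholders you can change).

```powershell
# Added example (not from the original post): audit a BitLocker volume's key
# protectors, then rotate the 48-digit recovery password so that any copy that
# was previously uploaded to a Microsoft account no longer unlocks the drive.
# Assumptions: elevated session, BitLocker module present, volume C:, and a
# local file path for the offline backup (print it, then delete the file).
#Requires -RunAsAdministrator
param(
    [string]$MountPoint = "C:",
    [string]$BackupPath = "$env:USERPROFILE\Desktop\bitlocker-recovery-$(Get-Date -Format yyyyMMdd).txt"
)

Import-Module BitLocker

$vol = Get-BitLockerVolume -MountPoint $MountPoint
"Volume {0}: status={1}, protection={2}, method={3}" -f `
    $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus, $vol.EncryptionMethod

if ($vol.VolumeStatus -ne 'FullyEncrypted') {
    Write-Warning "Volume is not fully encrypted yet; finish encryption before rotating keys."
}

# List every key protector on the volume. The RecoveryPassword protector is the
# 48-digit key that the setup wizard offers to save to the Microsoft account.
# Nothing on the local machine records whether a copy was uploaded, so the
# safe assumption is that every existing recovery password may be escrowed.
"Current key protectors:"
$vol.KeyProtector | ForEach-Object {
    "  {0,-20} {1}" -f $_.KeyProtectorType, $_.KeyProtectorId
}

$old = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

# Step 1: add a fresh recovery password FIRST, so the volume is never left
# without a recovery protector if something fails part-way through.
$after = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$newProt = $after.KeyProtector | Where-Object {
    $_.KeyProtectorType -eq 'RecoveryPassword' -and
    ($old.KeyProtectorId -notcontains $_.KeyProtectorId)
} | Select-Object -First 1

if (-not $newProt) { throw "Failed to create a new recovery password protector." }

# Step 2: write the new key to a local file for an offline (paper) backup.
# The file is plain text; print it, store it somewhere safe, then delete it.
@(
    "BitLocker recovery key for $MountPoint (rotated $(Get-Date -Format s))"
    "Key protector ID : $($newProt.KeyProtectorId)"
    "Recovery password: $($newProt.RecoveryPassword)"
) | Set-Content -Path $BackupPath
"New recovery password written to $BackupPath"

# Step 3: remove every old recovery password protector. After this, the copy
# sitting in the Microsoft account (if one was uploaded) can no longer unlock
# the volume, regardless of who can read that account.
foreach ($p in $old) {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    "Removed old recovery password protector $($p.KeyProtectorId)"
}

# Step 4: verify that exactly one recovery password remains and that it is the new one.
$final = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
if ($final.Count -eq 1 -and $final[0].KeyProtectorId -eq $newProt.KeyProtectorId) {
    "Rotation complete: only the new recovery password remains."
} else {
    Write-Warning "Unexpected recovery protector set; review the volume manually."
}
```

Rotating locally is what actually invalidates the uploaded copy; deleting the key from the account website alone leaves the original still valid on the drive. After the script has run, you can also remove the stale entry from the Microsoft account’s recovery-key page (aka.ms/myrecoverykey) so that the old value is not sitting there uselessly, and when the BitLocker wizard or Windows next offers to back the key up to the account, decline and keep only the printed copy.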

While Apple does give you the ability to get the key and write it down, if you store your password in iCloud, Apple can’t see it and neither can you when you log in. In iCloud, the recovery key isn’t in plain text anywhere. Instead, the key is tied into behind-the-scenes account information that Apple maintains. It’s fully encrypted so that even Apple doesn’t have access to the unencrypted recovery key. Apple can instead deliver the encrypted recovery key to your Mac if you need to reset your password. The user never sees the recovery key nor has to enter it in this configuration.

Google uses eCryptfs disk encryption on ChromeOS. Keys are stored on disk in an encrypted format within the user’s home directory and are decrypted at login using the user’s login passphrase. The actual working keys are held in the Linux kernel’s memory (keyring) only while the filesystem is mounted. Google does not store these keys on its servers; you must provide the key every time you need to access the data. Losing this key means Google cannot recover your data.

The Linux operating system uses a system very similar to a Chromebook’s, with Linux Unified Key Setup (LUKS) as the standard for Linux hard disk encryption, providing a secure, user-friendly way to protect data at rest on partitions, disks, or removable media. It operates at the block level using dm-crypt, creating an encrypted container that requires a password to unlock and access the data. If the key is lost, the data is as well.

There have even been reports of Microsoft engineers claiming that the U.S. government approached them in 2013 to install a backdoor in the BitLocker encryption system. On any operating system, if you have data you want secured so that no one else can access it, I would recommend using VeraCrypt or Cryptomator to secure the files so that only you can access them, on your device or online. I can’t stress enough: true encryption means only you can access the data.