Posted by bookofjoe 1/23/2026

Microsoft gave FBI set of BitLocker encryption keys to unlock suspects' laptops(techcrunch.com)
1040 points | 662 comments | page 2
MoltenMan 1/24/2026|
I think most people don't understand that 99% of people don't know what data encryption is and definitely don't care about it. If it weren't for Bitlocker, their laptops wouldn't be encrypted at all! And of course if your software (Windows) encrypts by default but you don't want to bother the average user with the details (because they don't know anything about this or care about it) you will need to store the key in case they need it.

To everyone saying 'time to use Linux!': recognize that if these people were using Linux, their laptops wouldn't be encrypted at all!

bigyabai 1/24/2026|
> If it weren't for Bitlocker, their laptops wouldn't be encrypted at all!

And because of Bitlocker, their encryption is worth nothing in the end.

> if these people were using Linux, their laptops wouldn't be encrypted

Maybe, maybe not. Ubuntu and Fedora both have FDE options in the installer. That's objectively more honest and secure than forcing a flawed default in my opinion.

MoltenMan 1/24/2026||
> And because of Bitlocker, their encryption is worth nothing in the end.

No, it's worth exactly what it's meant for: in case your laptop gets stolen!

> flawed default

Look, in terms of flaws I would argue 'the government can for legal reasons request the key to decrypt my laptop' is pretty low down there. Again, we're dealing with the general populace here; if it's a choice between them getting locked out of their computer completely vs the government being able to decrypt their laptop this is clearly the better option. Those who actually care about privacy will setup FDE themselves, and everyone else gets safety in case their laptop gets stolen.

bigyabai 1/24/2026||
> No, it's worth exactly what it's meant for: in case your laptop gets stolen!

If my laptop gets stolen and it's worth something, the thief will wait until they can crack the management keys. We see this with corporate-locked laptops and MacBooks, iPhones and Androids, and other encrypted curiosities that get cracked at a lab in Tel Aviv for pennies on the dollar.

> Those who actually care about privacy will setup FDE themselves

This line is equivalent to forfeiting your position, so I don't even know what to argue over anymore. I do care about privacy and I have no idea who you're arguing in favor of.

tomgag 1/24/2026||
I see a lot of comments recommending TrueCrypt/VeraCrypt here, which is fine, but did you know there is something even more interesting? ;)

Shufflecake ( https://shufflecake.net/ ) is a "spiritual successor" to TrueCrypt/VeraCrypt but vastly improved: works at the block device level, supports any filesystem of choice, can manage many nested layers of secrecy concurrently in read/write, comes with a formal proof of security, and is blazing fast (so much so, in fact, that it exceeds the performance of LUKS/dm-crypt/VeraCrypt in many scenarios, including SSD use).

Disclaimer: it is still a proof of concept, only runs on Linux, and has no security audit yet. But there is a prototype for the "Holy Grail" of plausible deniability on the near-future roadmap: a fully hidden Linux OS (boots a different Linux distro or Qubes container set depending on the password entered at boot). Stay tuned!

kmoser 1/23/2026||
> The hackers would still need physical access to the hard drives to use the stolen recovery keys.

Or remote access to the computer. Or access to an encrypted backup drive. Or remote access to a cloud backup of the drive. So no, physical access to the original hard drive is not necessarily a requirement to use the stolen recovery keys.

mawise 1/23/2026||
I consider myself pretty pro-privacy, but there is so much dragnet surveillance and legitimate breaches of the fourth amendment that I have a hard time getting up in arms over a company complying with a valid search warrant that is scoped to three hard drives (and which required law enforcement to have physical possession of the drives to begin with).

This is so much more reasonable than (for example) all the EU chat control efforts that would let law enforcement ctrl+f on any so-called private message in the EU.

EasyMark 1/24/2026|
A lot of them are not really legitimate though. There's a reason the 4th Amendment needs a modern version to require a warrant for tapping of any sort for things people generally assume are private. Flock, Palantir, etc. need to all go bankrupt, starved of data to spy on. In an ideal world, of course. Maybe someday we'll wake up from the nightmare.
aeternum 1/23/2026||
Not your keys, not your {thing}
cmurf 1/23/2026||
I'm certain I should encrypt my data, backup all LUKS headers, and backup all data.

But what about unsophisticated users? In aggregate it might be true data exfiltration is worse than data loss? I don't know if that's true.

But what is true is enabling encryption by default without automated backup and escrow will lead to some data loss.

It's difficult for me to separate the aggregate scenarios from individual scenarios. The individual penalty of data loss can be severe. Permanent.
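
Added example, not code from this thread, from Microsoft, or from BitLocker: one escrow design that speaks to both sides of the exchange above (default escrow prevents the permanent data loss cmurf describes, but a single escrow holder can hand the key over on its own). It splits a placeholder recovery key with Shamir secret sharing, 2-of-3, so that the user, the vendor and an offline printout each hold one share: the vendor's share alone reveals nothing about the key, yet a user who loses their own share can still recover with the vendor's share plus the printout. The 48-byte key string, the 2^521-1 field and the three-party split are all assumptions made for the example; the key is a constructed placeholder, not a real BitLocker recovery password.

```python
import secrets

# Field for the Shamir arithmetic: the Mersenne prime 2**521 - 1, so any
# secret of up to 64 bytes fits in a single field element (an assumption
# made for this example; any prime larger than the secret would do).
PRIME = (1 << 521) - 1
MAX_SECRET_BYTES = 64

# Constructed placeholder standing in for a recovery key. It is NOT a real
# BitLocker recovery password; it was chosen only to be 48 bytes long.
SAMPLE_RECOVERY_KEY = b"CONSTRUCTED-PLACEHOLDER-RECOVERY-KEY-NOT-REAL-01"


def _eval_poly(coeffs, x):
    """Evaluate the polynomial with the given coefficients at x (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, threshold, share_count):
    """Split `secret` into `share_count` shares; any `threshold` of them rebuild it."""
    if not 1 <= len(secret) <= MAX_SECRET_BYTES:
        raise ValueError("secret must be 1..64 bytes")
    if not 2 <= threshold <= share_count:
        raise ValueError("need 2 <= threshold <= share_count")
    # The constant term is the secret; the remaining coefficients are uniformly
    # random, so fewer than `threshold` points carry no information about it.
    coeffs = [int.from_bytes(secret, "big")]
    coeffs += [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, share_count + 1)]


def recover_secret(shares, threshold, secret_len):
    """Lagrange-interpolate the polynomial at x = 0 from `threshold` shares."""
    if len(shares) < threshold:
        raise ValueError("not enough shares to reach the threshold")
    pts = shares[:threshold]
    total = 0
    for i, (xi, yi) in enumerate(pts):
        num = den = 1
        for j, (xj, _) in enumerate(pts):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # Multiply by the modular inverse of den (Fermat's little theorem).
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total.to_bytes(secret_len, "big")


def escrow_roundtrip(key=SAMPLE_RECOVERY_KEY):
    """2-of-3 escrow: user, vendor and an offline printout each hold one share.

    Returns (any_two_shares_rebuild_key, single_share_refused). The second
    flag only exercises the threshold guard; the real secrecy of a lone share
    comes from the random coefficients, not from the guard.
    """
    user_share, vendor_share, printed_share = split_secret(key, 2, 3)
    pairs = [[user_share, vendor_share], [user_share, printed_share],
             [vendor_share, printed_share]]
    any_two_ok = all(recover_secret(p, 2, len(key)) == key for p in pairs)
    try:
        recover_secret([vendor_share], 2, len(key))
        single_refused = False
    except ValueError:
        single_refused = True
    return any_two_ok, single_refused


if __name__ == "__main__":
    print(escrow_roundtrip())
```

In practice the user's share would live in a password manager or TPM-sealed blob and the printed share in a safe; the vendor then still provides the "I forgot everything" recovery path the thread wants, without being able to act on a request alone.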

WaitWaitWha 1/24/2026||
> ... The hackers would still need physical access to the hard drives to use the stolen recovery keys.

This is incorrect. A full disk image can easily be obtained remotely, then mounted wherever the hacking is located. The host machine will happily ask for the Bitlocker key and make the data available.

This is a standard process for remote forensic image collection and can be accomplished surreptitiously with COTS.

dmitrygr 1/23/2026|
This is why local account setup is so important on Windows, and why Microsoft makes it harder and harder each update.
paulpauper 1/23/2026|
or not use Microsoft products for encryption
direwolf20 1/23/2026||
or not use Microsoft products