It’s 2026. Do you know where your encryption keys are?
A recent Forbes investigation revealed something that should concern every organization using Microsoft Windows: The company has allegedly been quietly handing over BitLocker encryption recovery keys to law enforcement when served with valid warrants. While the company reportedly receives only about 20 such requests annually, the investigation uncovered the first publicly confirmed case and exposed a fundamental flaw in how Microsoft approaches data security.
This isn't a story about a security breach or a sophisticated hack. It's about data sovereignty, or, rather, the illusion of it. It's about an architectural choice: one that prioritizes Microsoft's convenience over customer control, and one that stands in stark contrast to how competitors like Apple and Google handle encryption keys.
True data sovereignty means more than just encrypting your data. It means separating your encrypted data from the keys that unlock it; and, ideally, hosting your keys in a way that gives you exclusive control over who can access that data, and under what circumstances. Without key control, you don't have data sovereignty.
According to Forbes' reporting, in early 2025, the FBI served Microsoft with a search warrant requesting BitLocker recovery keys for three laptops involved in a COVID unemployment fraud investigation in Guam. Microsoft complied, providing the keys that unlocked the encrypted data.
BitLocker is Microsoft's disk encryption software, automatically enabled on many modern Windows PCs. It's designed to protect all data on a computer's hard drive by scrambling it so only those with the proper key can decode it. It's a solid encryption technology when implemented correctly.
Forbes' review of court documents found that federal investigators have stated they "do not possess the forensic tools to break into devices encrypted with Microsoft BitLocker." So, the encryption itself works.
The problem is Microsoft's key storage recommendations.
While BitLocker users can store their recovery keys locally, Microsoft's default recommendation is for users to back up keys to their Microsoft account in the cloud. The rationale is user convenience: account recovery after lockouts or forgotten passwords.
But this design decision means Microsoft retains the technical ability to decrypt your data. And when Microsoft has that ability, law enforcement can obtain court orders compelling the company to exercise it. Even worse: Microsoft doesn’t have to tell its customers when their data has been requested or turned over.
Microsoft spokesperson Charles Chamberlayne confirmed to Forbes that the company provides BitLocker recovery keys when served with valid legal orders, noting they receive approximately 20 such requests annually. He added that in many instances, users haven't stored keys in the cloud, making it "impossible for Microsoft to assist."
That last phrase reveals the core issue of data sovereignty: When Microsoft doesn't have your keys, they truly cannot assist law enforcement in accessing your encrypted data, even when compelled by a warrant. You, as a Microsoft customer, don’t have to worry about whether or not Microsoft will decide to hand over the keys to your data, because they physically don’t have them. The data remains secure because the keys, and therefore sovereignty over that data, remain under the customer’s control, and encrypted content remains encrypted.
This is the difference between encryption as a security feature and encryption as a sovereignty guarantee.
What makes this story particularly frustrating is that Microsoft has the capability to do better, and chooses not to.
Matt Green, a cryptography expert and associate professor at Johns Hopkins University, told Forbes: "If Apple can do it, if Google can do it, then Microsoft can do it. Microsoft is the only company that's not doing this."
What exactly can Apple and Google do that Microsoft won't?
Both companies allow users to back up recovery keys to the cloud, but in an encrypted format that the companies themselves cannot access. The keys are protected by information only the user possesses, rendering law enforcement requests ineffective.
By retaining access to customer encryption keys, Microsoft has made itself the authority over customer data, not the customer. This fundamentally undermines the concept of data ownership. You may own the information, but Microsoft controls access to it.
Green's assessment, as reported by Forbes: "This is private data on a private computer and they made the architectural choice to hold access to that data. They absolutely should be treating it like something that belongs to the user."
The implications of Microsoft's approach extend far beyond individual cases. Here's why this should concern security leaders:
When law enforcement obtains BitLocker keys, they gain access to entire hard drives, not just files relevant to an investigation. Jennifer Granick, surveillance and cybersecurity counsel at the ACLU, explained to Forbes that "the keys give the government access to information well beyond the time frame of most crimes, everything on the hard drive," adding that we must then "trust that the agents only look for information relevant to the authorized investigation, and do not take advantage of the windfall to rummage around."
This violates a core principle of proportionate response in legal proceedings. A warrant for specific evidence shouldn't provide unfettered access to years of personal or business data.
Now that federal agencies understand Microsoft will comply with warrant requests for encryption keys, the volume of such requests will likely increase. Green predicted to Forbes: "My experience is, once the U.S. government gets used to having a capability, it's very hard to get rid of it."
Twenty requests per year could easily become 200. The capability exists, the legal precedent is established, and the friction for law enforcement is minimal.
This isn't exclusively a U.S. concern. Microsoft operates in over 190 countries and faces legal obligations across multiple jurisdictions. When you store your encryption keys with Microsoft alongside your encrypted data, you're not just subject to U.S. law enforcement requests; you're potentially exposed to legal demands from any country where Microsoft has a legal presence.
Data sovereignty isn't just concerned with where your data is stored; it involves who can access it, under what legal framework, and whether you have any say in the matter.
For organizations using Microsoft 365 and Windows Enterprise, this revelation should trigger serious conversations. If your employees store BitLocker keys in Microsoft's cloud (which is the default, recommended option), your corporate data could be accessible via legal demand to Microsoft, potentially without your knowledge if a non-disclosure order accompanies the warrant.
At Virtru, we've long advocated for a simple principle: You should have complete control over your data, wherever it travels. That includes ownership over your encryption keys. Not the cloud provider, not the software vendor — the organization or individual who owns the data.
This is an architectural decision, not a philosophical one. Our solutions are built on the principle that the best way to ensure data security and sovereignty is to separate the content from the keys that decrypt it.
With Virtru Private Keystore, organizations maintain complete control over their encryption keys. You can host keys on-premises or in a dedicated virtual private cloud that you control. Then, when you encrypt data (whether it's emails in Microsoft 365, files in Google Drive, or data in other platforms) that data is protected with keys that only you possess.
If a cloud provider receives a legal demand for your encrypted data, they can comply with the order and hand over the encrypted content. But without your keys, that data remains unintelligible ciphertext. Even under legal compulsion, the provider literally cannot make the data readable because they don't have the means to decrypt it.
For organizations concerned about maintaining control over their encrypted data, whether stored on Windows devices or in Microsoft 365, here are concrete steps to take.
Understand where your encryption keys are stored. If you're using BitLocker with keys stored in Microsoft's cloud, you may not have true data sovereignty. The same applies to other encryption solutions where the provider holds your keys.
If shielding plaintext data is important to your business, encrypt sensitive data before it reaches cloud providers. With client-side encryption, data is encrypted on your device or within your infrastructure before it's transmitted or stored in the cloud. This ensures the cloud provider only ever sees encrypted content.
Use solutions like Virtru Private Keystore to maintain exclusive control over encryption keys. This separates the location of your encrypted data (which might be in Microsoft 365, Google Workspace, or other platforms) from the location of the keys needed to decrypt it. You can choose to host your keys on-prem, in a virtual private cloud, or in a public cloud.
Be selective about sensitive data access. Not everyone in your organization needs access to all sensitive data. Implement attribute-based access controls that define precisely who can access each encrypted data object, under what circumstances. This principle of least privilege minimizes exposure even if keys are compromised.
When evaluating technology vendors, ask pointed questions about their key management practices:
The answers will reveal whether a vendor prioritizes their convenience or your data sovereignty.
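The two cloud-backup designs contrasted above, as an added example in Go (not Virtru's, Microsoft's, Apple's or Google's code): an escrow backup that hands the provider the raw recovery key, beside a user-wrapped backup sealed under a secret only the user holds, so the provider stores ciphertext it cannot open. CloudStore, the account names, the recovery key and the user secret are constructed stand-ins, and the key derivation is simplified for a stdlib-only example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// CloudStore is a constructed stand-in for a provider's account backend (not any real API): it
// holds whatever bytes the client uploads, and under a warrant it can disclose only those bytes.
type CloudStore map[string][]byte

// BackupEscrowed models the escrow design: the raw recovery key is exactly what the provider holds.
func BackupEscrowed(s CloudStore, account string, recoveryKey []byte) {
	s[account] = append([]byte(nil), recoveryKey...)
}

// aeadFromSecret turns a user-held secret into an AES-256-GCM cipher. A single salted SHA-256 is
// a stdlib-only stand-in; a real client would use a memory-hard KDF such as scrypt or Argon2.
func aeadFromSecret(userSecret, salt []byte) cipher.AEAD {
	k := sha256.Sum256(append(append([]byte{}, salt...), userSecret...))
	block, _ := aes.NewCipher(k[:]) // 32-byte key, so NewCipher cannot fail
	gcm, _ := cipher.NewGCM(block)  // AES has the block size GCM requires
	return gcm
}

// BackupWrapped models the user-controlled design: the recovery key is sealed under a key derived
// from a secret only the user knows; the provider stores salt||nonce||ciphertext and nothing else.
func BackupWrapped(s CloudStore, account string, recoveryKey, userSecret []byte) error {
	hdr := make([]byte, 28) // 16-byte KDF salt followed by 12-byte GCM nonce
	if _, err := rand.Read(hdr); err != nil {
		return err
	}
	gcm := aeadFromSecret(userSecret, hdr[:16])
	s[account] = append(hdr, gcm.Seal(nil, hdr[16:], recoveryKey, []byte(account))...)
	return nil
}

// UserRecover unwraps a BackupWrapped blob; with any other secret the GCM tag check fails.
func UserRecover(s CloudStore, account string, userSecret []byte) ([]byte, error) {
	blob := s[account]
	if len(blob) < 28 {
		return nil, errors.New("no usable backup for account")
	}
	gcm := aeadFromSecret(userSecret, blob[:16])
	return gcm.Open(nil, blob[16:28], blob[28:], []byte(account))
}
func main() {} // kept so the file builds as package main; the functions above are the example
```

Whatever a compelled provider returns from the wrapped store is the salt, nonce and ciphertext; turning that into a working key requires the user's secret, which never left the client.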
According to Forbes' reporting, Microsoft does offer the option to store BitLocker keys locally or on physical devices like thumb drives rather than in the cloud. But it's not the default setting, and most users follow the path of least resistance. For sensitive data, you need to actively opt out of convenience in favor of security.
Microsoft has tremendous influence in the enterprise technology landscape. Hundreds of millions of people use Windows devices and Microsoft 365 every day. The company has the resources, technical capability, and expertise to implement stronger encryption key protections, protections that competitors have already built.
The fact that Microsoft hasn't done so represents a choice, not a limitation.
As Forbes reported Green saying: "The lesson here is that if you have access to keys, eventually law enforcement is going to come." Microsoft's current architecture guarantees that keys are accessible when legal demands arrive. A better architecture would make it impossible for Microsoft to access those keys — even if they wanted to.
For organizations using Microsoft products, the BitLocker revelation should be a wake-up call. Ask yourself:
If the answers to these questions make you uncomfortable, it's time to take control of your encryption keys.
To learn how Virtru can help you maintain control over your encryption keys and protect sensitive data across Microsoft 365, Google Workspace, and other platforms, contact our team today.