Encryption illusion: Microsoft shared keys with FBI, leaving user data vulnerable


Last year, Microsoft handed over encryption keys for its hard drive encryption software BitLocker to the FBI. The company says it simply complied with a search warrant related to a fraud investigation in Guam, but the news has raised alarm among the cybersecurity community.

Early in 2025, the FBI wanted to find proof that individuals handling Guam’s COVID unemployment assistance program were part of a plot to steal funds.

For that, they needed Microsoft to unlock encrypted data stored on three laptops, and they served the tech giant with a search warrant. The company complied and handed the recovery keys for those drives to the FBI.


The FBI asked, Microsoft complied

BitLocker is Microsoft's full-disk encryption, and it is switched on automatically on many modern Windows laptops to protect everything on the computer's drive. BitLocker scrambles the data so that only someone holding a key can read it. Alongside the TPM or PIN that unlocks the drive day to day, every protected volume also has a recovery key: a 48-digit recovery password that unlocks the drive on its own, without the user's login or PIN.

Users can keep that recovery key offline, printed out or on a USB drive they control, but Windows prompts users to back it up to their Microsoft account for convenience, and on devices using Windows' automatic device encryption it is uploaded to the user's Microsoft or work account as part of setup.


That helps someone access their data if they forget their password or if the device is locked, but it also makes them vulnerable to law enforcement subpoenas and warrants. That’s what happened in this particular case, according to Forbes.

A Microsoft spokesperson told the outlet: “While key recovery offers convenience, it also carries a risk of unwanted access, so Microsoft believes customers are in the best position to decide how to manage their keys.”

While this doesn’t sound like a clear confirmation that the encryption keys were handed over to the feds, the records indeed show that Microsoft complied with the request.

The spokesperson also said that Microsoft receives around 20 requests for BitLocker recovery keys every year, but is unable to comply in cases where the keys aren’t backed up in the cloud.
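The practical question this raises for anyone running Windows is whether their own recovery key has been escrowed, and how to make an escrowed copy useless. The script below is an added example, not code from the article, Forbes, or Microsoft: it lists the key protectors on a BitLocker volume and, with `-Rotate`, replaces the recovery password so that any copy previously backed up to a Microsoft account, Entra ID or on-premises AD can no longer unlock the drive. It assumes Windows 10 or 11 with the built-in BitLocker PowerShell module, an elevated session, and a volume whose mount point is passed in `-MountPoint`; the parameter names and the `Show-Protectors` helper are this example's own.

```powershell
<#
  Added example (not from the article or from Microsoft).
  Lists BitLocker key protectors on a volume and, with -Rotate, replaces the
  recovery password so an escrowed copy of the old one stops working.
  Assumes: Windows 10/11, built-in BitLocker module, elevated PowerShell.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$MountPoint = 'C:',
    [switch]$Rotate
)

Import-Module BitLocker -ErrorAction Stop

function Show-Protectors([string]$Mount) {
    $vol = Get-BitLockerVolume -MountPoint $Mount
    'Volume {0}: {1}, protection {2}, method {3}' -f `
        $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus, $vol.EncryptionMethod
    foreach ($p in $vol.KeyProtector) {
        # Only RecoveryPassword protectors (the 48-digit key) are what key escrow
        # uploads; TPM, TPM+PIN and external-key protectors never leave the machine.
        $hint = ''
        if ($p.KeyProtectorType -eq 'RecoveryPassword') {
            # Show only the last group so the full key never lands in a transcript.
            $hint = '******-' + $p.RecoveryPassword.Substring($p.RecoveryPassword.Length - 6)
        }
        '  {0,-18} {1} {2}' -f $p.KeyProtectorType, $p.KeyProtectorId, $hint
    }
}

Show-Protectors $MountPoint

if ($Rotate) {
    $old = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
           Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $old) {
        Write-Warning "No recovery password protector on $MountPoint; nothing to rotate."
        return
    }

    if ($PSCmdlet.ShouldProcess($MountPoint, 'Replace BitLocker recovery password')) {
        # Add the new protector before removing the old one, so the volume is never
        # left with only a TPM protector (a firmware or TPM change would lock you out).
        $null = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
        $oldIds = $old.KeyProtectorId
        $new = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
               Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' -and
                              $_.KeyProtectorId -notin $oldIds }

        Write-Host 'New recovery password (record it offline before continuing):'
        Write-Host "  $($new.RecoveryPassword)"
        Write-Host "  protector id $($new.KeyProtectorId)"
        $null = Read-Host 'Press Enter once the new key is saved somewhere you control'

        # Now the escrowed copy of the old key no longer unlocks this volume.
        foreach ($p in $old) {
            $null = Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
        }
        Show-Protectors $MountPoint
    }
}
```

Run it once without `-Rotate` to see what protectors exist, then with `-Rotate -WhatIf` and finally `-Rotate`. Two caveats: removing the protector locally does not delete the copy Microsoft holds, it only makes it useless, so also delete the old key from the Microsoft account's device recovery key page; and on Entra ID-joined or Intune-managed devices, policy may re-escrow the new key automatically, so check the BitLocker backup policy before assuming the new key stays offline.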


This is reportedly the first known instance of Microsoft providing keys for its BitLocker hard drive encryption software to law enforcement. It worries many cybersecurity and digital privacy experts, and even politicians.

Senator Ron Wyden told Forbes that it was “simply irresponsible for tech companies to ship products in a way that allows them to secretly turn over users’ encryption keys.”

A fundamental weakness?

Others say that foreign governments with questionable human rights records could also demand data from tech giants like Microsoft, especially since it’s already complied with a request at least once.

Matthew Green, a cryptography expert at Johns Hopkins, said on Bluesky that he was concerned about how easy it seemed to be for authorities to obtain the keys.

"Microsoft is handing over Bitlocker keys to law enforcement." (www.forbes.com/sites/thomas...)

Matthew Green (@matthewdgreen.bsky.social) on Bluesky, January 23, 2026 at 3:59 PM

According to Green, the problem is that these BitLocker recovery keys aren’t encrypted end-to-end in a way that prevents Microsoft from accessing them.

“So if law enforcement wants to access your encrypted drive (even without knowing your password), they can just ask Microsoft for the key. And Microsoft will hand it over,” said Green.

For comparison, Apple's FileVault disk encryption and Passwords app, and Meta's WhatsApp messaging app, also let users back up their data and store a key in the cloud.


However, both also offer end-to-end encrypted backups, in which the key stored in the cloud is itself encrypted with a secret the provider never holds, so a law enforcement request to the company yields nothing usable. Neither Apple nor Meta is reported to have turned over encryption keys of any kind in the past.


“If Apple can do it, if Google can do it, then Microsoft can do it. Microsoft is the only company that’s not doing this,” Green told Forbes.

“It’s a little weird. The lesson here is that if you have access to keys, eventually law enforcement is going to come.”

“More broadly, this highlights a fundamental weakness of Microsoft’s design. If MS can easily produce this to law enforcement, then anyone who compromises their cloud infrastructure can potentially access that data,” he added.
