Surface, BitLocker, and the future of encryption

Summary: Is encryption ready for mainstream use? It's always going to add complexity, but that doesn't mean it can't be usable.


If you use Windows RT 8.1 on a Surface or other RT device, your files are automatically encrypted using BitLocker whole disk encryption.

You never have to set it up or create a special password, you don't have to wait for the disk to get encrypted; the system is preset to use encryption and as soon as you sign in with a Microsoft account the encryption is turned on and the recovery key is saved to your SkyDrive account.

So far, so safe; if your device is lost or stolen, no-one can get at your files, even if they break it open and connect the SSD to another computer. If RT takes off, this could be the biggest adoption of encryption for consumers.

This isn't new; encryption has been in RT since it first came out with Windows 8. But since 8.1 came out, a number of RT users have run into an irritating problem. For some reason, for some people, when you power cycle your RT device - by restarting to apply a Windows Update patch or just by running out of power completely - when it turns back on, it won't start until you type in the BitLocker recovery key.

This is confusing, because most people don't know they have a BitLocker recovery key (because they didn't have to do anything). And while the instructions tell you exactly what to do, you have to be able to use another computer or a phone to go online and get the recovery key - and that has to be what Microsoft calls a trusted device.

If you haven't already signed in to your Microsoft account on that device, you'll have to sign in and then get a code sent to a phone or email address you trust to confirm you want to trust the device as well. It's a good idea to set that up anyway, so you'll get a warning if someone is trying to take over your account.

If all that is done already, you just have to go to and type in the number on your Surface (as it's over 20 digits long, you might want to get a friend to read it out to you) and in a few moments your device should turn itself back on normally.

It's not too complicated once you know what to do, but it's a bit of a palaver when you just wanted to turn on your Surface to play a game of Solitaire - and if you don't have another device or connectivity, you're stuck until you can get to them. And the fact that it happens at all is a bad experience.

When it first hit my Surface 2 a couple of months back, I was somewhere between upset and furious, because I had no idea if the recovery key would work. Now I've bookmarked the recovery key site on my phone (remember if you succumb to the temptation to screengrab, print out or write down the key, you need to keep it safe) and it's three minutes of irritation after an update restart or if I manage to run down the battery completely, which is rare.

I haven't had an official response from Microsoft on the problem, but one of the users discussing the problem on the Microsoft community support site was told by Microsoft Sweden that a fix is in development.

Until then, you can try refreshing your device; for some users, that fixes the problem but others have seen it recur a few weeks later. Some users have found the problem fixes itself; after a couple of times, they can restart normally and don't get asked for the key any more.

Clearly this is a problem Microsoft needs to get a fix out for. It would help if the moderators in the support forums were better trained in the differences between Windows 8 and Windows RT and didn't post suggestions that only apply to Windows 8.

In Windows RT you can't turn BitLocker off and you shouldn't try to, and you don't have to ask an administrator for your recovery key because it's on SkyDrive; telling RT users to do either of those things will only add to their confusion and frustration. If Surface is going to take off, Microsoft needs to up its game on support it used to fob off on the OEMs.

But the BitLocker bug is also about as painless as a cryptography failure could be (you don't lose any files, just time and patience), because the recovery key is automatically stored in SkyDrive for you.

It proves it is possible to have encryption for ordinary users who know nothing about public-private key pairs if you design for failure like this. That's no comfort if you're looking at an error screen when you have better things to do, of course. But it shouldn't discourage other providers from using encryption on devices by default as long as they get the recovery right.

We don't leave our houses unlocked or send important paperwork on the back of a postcard in the physical world, but when it comes to computers the default is to leave everything unlocked, open and insecure.

If encryption becomes the norm for file storage, we can start making it normal for other things like email as well.

The same hardware that secures the key for encrypted files can tell a shopping web site that this is your computer and the operating system hasn't been tampered with, so it doesn't have a virus. Security doesn't have to make things so complicated that ordinary people can't be protected. So I'll take a deep breath, type in my recovery key again and keep chasing Microsoft to get a proper fix out.


Mary Branscombe

About Mary Branscombe

Mary Branscombe is a freelance tech journalist. Mary has been a technology writer for nearly two decades, covering everything from early versions of Windows and Office to the first smartphones, the arrival of the web and most things in between.

  • NSA

    Hard to even consider taking an article about "the future of encryption" seriously when it has no reference to the NSA/Five-Eyes. One would now assume that there are backdoors in every single closed-source encryption technology. Open source is the only way to be totally secure.

    Who knows when the next leaker is going to come out of the NSA and tell the world exactly where these backdoors are.
    • Think of the ramifications...

      If the verbosity of the current situation is anything to go by then a backdoor would certainly give to interesting times. Every Tom, Dick and Harry will be looking and monitoring encryption so as to be the first to expose the practice. As for a leaker, nah, they would not be game enough. Anyway don't you think that would have been exposed this time around?
    • whole disk encryption secures against in-the-hand access

      The NSA issues are primarily about remote access; if the NSA has physical access to your device, you're already past the point of OS security being an issue ;)
    • The NSA is part of the open source community

      Who are all these thousands of people, companies, groups that make up the "open source" community? Not only have the Snowden leaks noted big companies like MS and Google being complacent, they have also revealed how the NSA joined open source communities and standards boards and contributed code that was deliberately weak. A lot of this stuff is so complex that, yes, you can go over the code but that just does not help.

      And even if you do find an encryption that the NSA does not have a key/backdoor to, part of the storage of mass amounts of data is that they know that quantum computing is coming (since DARPA is helping it along themselves) and in time they will be able to break any encryption used today. In fact if you do encrypt and pass those files on the cloud, you are sending up a flashing red light for the NSA to grab it and store it.

      The only recourse in the US is to push the government into more warrant requirements and better oversight and transparency. We also need to ensure we are not becoming a "police state" and that any data collected is not a Hoover file to be used against the citizenship. Privacy on the web is over. Mourn its loss but get over it, this is simply the maturing of the tech.
      Rann Xeroxx
  • Microsoft needs to add remote wipe

    Which the other major platforms all have. Encryption is useless if the thief social engineered the device password out of you, or is someone you know.

    We had our car stolen once... The thief did not jimmy the locks; he stole our keys!
    • Remote Wipe for RT?

      I believe remote wipe for RT is available if you subscribe to InTune
      The Colin Smith
      • yes, Intune and Exchange do remote wipe

        And using a Microsoft account on RT means you have to use a password
        • InTune is fee based

          In iOS remote wipe is free.
          • Agreed

            Microsoft should provide part of InTune as a free service. Once people get used to it and there is a broad adaptation, it would help sell the expanded version to enterprises as well.
            Rann Xeroxx
  • Try taking your encrypted device out of the country.

    I sure hope you can decrypt it again when the Nice Customs Person asks you to, on your return:
    • turn it on

      Whole disk encryption decrypts your files as soon as you turn the device on.
      • That doesn't sound very secure, then.

        There must be more to it than "turn it on", or else what's the point? Someone could then unplug the device and/or remove the battery, and your unencrypted disk would be at their mercy.
  • iOS also encrypts . . .

    "If RT takes off, this could be the biggest adoption of encryption for consumers."

    Eh, iOS also encrypts the file system (since version 4, I believe?).
    • Yep

      Yes, and beefed up further in iOS 5.

      DOESN'T MATTER, IF iOS 4 had it. It has no corporate use, it's all toy apps
      • Why all the screaming?

        Why do you always scream out your subject lines? We can hear you.

        And personally I like RT/Full Win tablets in the enterprise but there are far far more iOS tablets represented in the enterprise than any other mobile OS. Baytrail Win tabs might change that but that is still to be seen.
        Rann Xeroxx
  • MS Support Forums

    "It would help if the moderators in the support forums were better trained ..."

    Not sure if you are aware but most of the moderators on the TechNet forums are volunteers not MS employees. Good or Bad?
    The Colin Smith
    • that may be so...

      but bad advice is bottom of the trough troll feed----
      At least Microsoft's lack of reply or help does not lead anyone astray, just upset enough to go elsewhere.
      • That's not a problem.

        On TechNet, answers are handled by the OP and up-votes.

        If a troll decides to pop up, don't expect them to be listened to.
  • Clouds by definition are unsecure and open to all

    People using clouds (voluntarily or without their consent) are opening their data up to anyone who can "see" the cloud. Just as one can look up from the ground or down from an airplane or things that fly higher and see clouds, so can people with the ability to look at the server containing the cloud software and its data.

    Who might this be?

    Any law enforcement agent who can get a court order. Thus your local police officer who golfs with the town judge can get a warrant for your data. Yeah, the company might object, but then again they might simply not care about you and not want the PR or lawyer fees.

    What about the NSA? Yeah, enough said. Then again there is the entire range of alphabet soup both inside the US and outside. Obviously companies, such as Apple and Microsoft, want to do business with countries around the world (especially the UN Security Council members), so their local representatives are more than likely to honor requests. Who knows, maybe even give up data from individuals who live outside the jurisdiction (for future business consideration, especially if no one knows about the request outside those at the meeting).

    Then there are people who organize for various reasons whether that be for legal or criminal reasons. They can work together to gain access on an unrecognized basis.

    Individuals who are simply there to learn or to do more than learn.

    The company, itself, vendors, sub-contractors, employees, etc., need to be on the list (as not all entities with access to your cloud are equal in their responsibilities, morals, etc).

    Right now the only truly good encryption, is well, not there. Can there be good encryption? YES, especially when using computers! What people need to look at is updating (for the 21st century) the good old book cypher and evolving it into an Internet (using all file/data transfer protocols (e.g. ftp, http, etc)) cypher. One can view the entire Internet as a book and each webpage, Flickr photo, downloadable driver, PDF file, NNTP result, etc., could be a page, paragraph, sentence, line, or (gasp) word, or even part of the key. Yeah, it wouldn't really work for embedded hardware, but, of course, layered encryption is valid and useful, when not obvious or reciprocal to other encryption methods.

    Anyway, the choice is yours where your data resides and in what form.