Surface, BitLocker, and the future of encryption

Is encryption ready for mainstream use? It's always going to add complexity, but that doesn't mean it can't be usable.
Written by Mary Branscombe, Contributor

If you use Windows RT 8.1 on a Surface or other RT device, your files are automatically encrypted using BitLocker whole disk encryption.

You never have to set it up or create a special password, and you don't have to wait for the disk to get encrypted; the system is preset to use encryption, and as soon as you sign in with a Microsoft account the encryption is turned on and the recovery key is saved to your SkyDrive account.

So far, so safe; if your device is lost or stolen, no-one can get at your files, even if they break it open and connect the SSD to another computer. If RT takes off, this could be the biggest adoption of encryption for consumers.

This isn't new; encryption has been in RT since it first came out with Windows 8. But since 8.1 came out, a number of RT users have run into an irritating problem. For some reason, for some people, when you power cycle your RT device - by restarting to apply a Windows Update patch or just by running out of power completely - when it turns back on, it won't start until you type in the BitLocker recovery key.

This is confusing, because most people don't know they have a BitLocker recovery key (because they didn't have to do anything). And while the instructions tell you exactly what to do, you have to be able to use another computer or a phone to go online and get the recovery key - and that has to be what Microsoft calls a trusted device.

If you haven't already signed in to your Microsoft account on that device, you'll have to sign in and then get a code sent to a phone or email address you trust to confirm you want to trust the device as well. It's a good idea to set that up anyway, so you'll get a warning if someone is trying to take over your account.

If all that is done already, you just have to go to http://www.skydrive.com/recoverykey and type in the number on your Surface (as it's over 20 digits long, you might want to get a friend to read it out to you) and in a few moments your device should turn itself back on normally.

It's not too complicated once you know what to do, but it's a bit of a palaver when you just wanted to turn on your Surface to play a game of Solitaire - and if you don't have another device or connectivity, you're stuck until you can get to them. And the fact that it happens at all is a bad experience.

When it first hit my Surface 2 a couple of months back, I was somewhere between upset and furious, because I had no idea if the recovery key would work. Now I've bookmarked the recovery key site on my phone (remember if you succumb to the temptation to screengrab, print out or write down the key, you need to keep it safe) and it's three minutes of irritation after an update restart or if I manage to run down the battery completely, which is rare.

I haven't had an official response from Microsoft on the problem, but one of the users discussing the problem on the Microsoft community support site was told by Microsoft Sweden that a fix is in development.

Until then, you can try refreshing your device; for some users, that fixes the problem but others have seen it recur a few weeks later. Some users have found the problem fixes itself; after a couple of times, they can restart normally and don't get asked for the key any more.

Clearly this is a problem Microsoft needs to get a fix out for. It would help if the moderators in the support forums were better trained in the differences between Windows 8 and Windows RT and didn't post suggestions that only apply to Windows 8.

In Windows RT you can't turn BitLocker off and you shouldn't try to, and you don't have to ask an administrator for your recovery key because it's on SkyDrive; telling RT users to do either of those things will only add to their confusion and frustration. If Surface is going to take off, Microsoft needs to up its game on the support it used to fob off on the OEMs.

But the BitLocker bug is also about as painless as a cryptography failure could be (you don't lose any files, just time and patience), because the recovery key is automatically stored in SkyDrive for you.

It proves it is possible to have encryption for ordinary users who know nothing about public-private key pairs if you design for failure like this. That's no comfort if you're looking at an error screen when you have better things to do, of course. But it shouldn't discourage other providers from using encryption on devices by default as long as they get the recovery right.

We don't leave our houses unlocked or send important paperwork on the back of a postcard in the physical world, but when it comes to computers the default is to leave everything unlocked, open and insecure.

If encryption becomes the norm for file storage, we can start making it normal for other things like email as well.

The same hardware that secures the key for encrypted files can tell a shopping web site that this is your computer and the operating system hasn't been tampered with, so it doesn't have a virus. Security doesn't have to make things so complicated that ordinary people can't be protected. So I'll take a deep breath, type in my recovery key again and keep chasing Microsoft to get a proper fix out.
