Windows 10 disk encryption is lacking compared to OS X FileVault
December 29th 2015
Micha Lee for The Intercept:
One of the excellent features of new Windows devices is that disk encryption is built-in and turned on by default, protecting your data in case your device is lost or stolen. But what is less well-known is that, if you are like most users and login to Windows 10 using your Microsoft account, your computer automatically uploaded a copy of your recovery key - which can be used to unlock your encrypted disk - to Microsoft's servers, probably without your knowledge and without an option to opt-out.
Compared to OS X:
This policy is in stark contrast to Microsoft's major competitor, Apple. New Macs also ship with built-in and default disk encryption: a technology known as FileVault. Like Microsoft, Apple lets you store a backup of your recovery key in your iCloud account. But in Apple's case, it's an option. When you set up a Mac for the first time, you can uncheck a box if you don't want to send your key to Apple's servers.
First of all, by nature, disk encryption protects the physical computer, so this is only a concern if someone managed to both access your key and have your computer.
Also, it's a really good idea to utilize FileVault. It transparently protects your data in case the computer is lost or stolen. While you may have an account password on the computer, without encrypting the data on the drive, someone could access for data by simply booting from another drive or removing your drive and plugging it into different computer. (Note setting a firmware password on your Mac can prohibit someone from booting your Mac from another startup disk or just erasing your drive)
The issue outlined above is if your encryption key is stored with a vendor like Microsoft, anyone with access to that account could use it to gain access your computer storage. Someone could, for example, gain access to your Microsoft account, whether hacking your login credentials, compromising Microsoft's security, or simply improper access from within Microsoft. Microsoft would also be obligated to pass your key on to law enforcement, if that's important to you.
The same is true with Apple if you choose to store your key with iCloud. The difference from Windows 10 is when encrypting your disk using FileVault, you have the option to either store the key on your iCloud account or use a recovery key code. Storing the key on iCloud would be convenient to unlock your encrypted drive if you forgot your login, but it also poses the same security concerns as outlined above. Instead, you should save your recovery code in a safe place so you may unlock your disk if you happen to get locked out of your drive. (I store my recovery key in my 1Password vault.) Without your password or the recovery key it, would be impossible for anyone to access your data without first breaking the encryption.
