Are files at rest on OneDrive really not encrypted?

If I have a spreadsheet with personal information stored in it on OneDrive, is it safe, i.e., is it encrypted? I was considering using OneDrive for backup, but without encryption, it is a deal breaker. Storing my business documents there seems risky too, without encryption.

-Thanks

 

Question Info

Last updated November 28, 2018 · Views 9,391


Hi Bernie,

As of the end of 2014, OneDrive content is encrypted at rest and in transit – details were announced in 2013 here.

Should you need more help, do let us know.

13 people were helped by this reply


That is horrendous, Microsoft. Because it's REALLY going to hurt you to encrypt your clients' data at rest??? Telling people to use third-party encryption lol.... I'm an IT engineer so I know 100% for sure that there is NO "GOOD" reason or cost-determining factor as to why Microsoft couldn't/shouldn't encrypt personal OneDrive data other than to try to force savvy customers into using the Business plans. Man, I could write an entire dissertation on how stupid it is that Microsoft isn't encrypting personal OneDrive storage, from a business standpoint (losing tons of would-be customers who realize their data isn't secure with Microsoft) to the obvious security standpoint (and major lack thereof). Microsoft must be working for the NSA now, leaving everyone's files wide open for a look-see whenever someone feels like it... This is literally like Microsoft saying, "Hey everyone! We don't care about your data, and to prove it, we won't encrypt it on our servers either!" haha. Typical Micro$oft.

44 people were helped by this reply


Microsoft has extensive documentation on their data center security:

Microsoft Trust Center - Security - Encryption

In that documentation they mention Office 365 and OneDrive for Business/SharePoint multiple times. The part in question though is whether or not their free product (OneDrive, not OneDrive for Business or SharePoint) is subject to the same security as their paid products.

3 people were helped by this reply


Unfortunately, as Jess Can from Microsoft support already replied, "Data are synced to a personal OneDrive storage as is." Worded another way, Microsoft is telling Personal OneDrive users, "If you don't encrypt it yourself before copying it into OneDrive, then don't expect us to encrypt it for you once it lands on our storage array." I discovered that this info can be found elsewhere online as well, because I wanted to quadruple-check this response and lack of file security before I decided against signing up for 5TB of personal OneDrive storage. This means that all paid-for Personal OneDrive accounts, and more than likely the free accounts as well, have zero encryption on the files once they get copied to Microsoft's own OneDrive storage. The file copying between your home/work PC and Microsoft is encrypted over SSL in terms of a file transfer over the web; however, the file itself is not encrypted once it hits the Micro$oft servers and lives there.

This also means that despite all of Microsoft's other security measures, IF some unscrupulous Microsoft employee(s), or a hacker, or any other malicious enterprise were to breach Microsoft's perimeter and gain access to the OneDrive personal account storage, then those malicious parties can see ALL of your files plain as day because they're simply not encrypted. Not encrypting the files for ANY paid storage service these days is basically a massive slap in the face to all customers using that service and paying for it, even if a Personal OneDrive account costs less than a Business OneDrive account (are we living in 1997 again?)...This especially coming from a "best practices" company such as Microsoft who clearly knows better that ALL file data should be encrypted...although Microsoft clearly chooses to only encrypt "business OneDrive accounts". 

That's a pretty risky gimmick by Microsoft. Just because someone is using a Personal OneDrive account doesn't mean that all of the data people want to back up to the cloud is just music files and school work... people quite often store their tax returns as PDFs and back them up, and they store their banking information, possibly social security info, personal photos, etc. on their PC and they like to back it up. These same people are paying for a service where they likely ASSUME there are some good extra layers of privacy, when in fact this doesn't really exist for their data if they're using a Personal OneDrive account. Tax returns, pay stubs, personal contracts, all of this is still personal information and doesn't make it "Business account level" information per se. Microsoft is basically telling their customers "if you store personal stuff with us using a Personal OneDrive account, we sure hope it isn't tax returns or anything, because that data isn't safe with us... UNLESS you spend more money and upgrade to a Business OneDrive account!"

In the end, this is Micro$oft finding another way to move the customer up to a higher-cost tier. Mind you, Microsoft has curiously chosen to do this in a very competitive cloud-storage industry where 95%+ of all cloud-storage companies are offering file encryption for "at-rest" data for ALL paying accounts, whether it's a personal OR business account. I am just baffled as to where this logic comes from at Microsoft. Someone should be fired or written up for this lack of oversight or customer care. Not only does it make Microsoft look bad (especially if there ever IS a breach in the future and lots of personal data gets stolen), but this oversight will certainly keep me from using a Personal OneDrive product, and I'll be sure to advise ALL of my hundreds of clients (that totals thousands of users) that I consult for to avoid Personal OneDrive storage as well (at least until Microsoft learns that protecting Personal OneDrive cloud storage is important).

If Microsoft would just fix this one issue instead of forcing the customer to encrypt the files on their PC BEFORE uploading them to Personal OneDrive, then they would have the best-priced 5TB of cloud storage on the market, which also includes free Microsoft Office, and I'm pretty sure that would put them ahead of all of the other cloud storage services at this point. UNTIL Microsoft fixes this big security risk to their Personal OneDrive customers, I will stay faaaaar away from it.

Sorry for my rant... but considering I'm an MCSE and I work with Microsoft products every day, I would LOVE to actually use a Personal OneDrive account for myself at the price they're asking. Unfortunately, seeing as how I'd never be able to copy any personally identifiable data onto a Personal OneDrive account in good conscience now that I know the data isn't encrypted (unless I manually encrypt the data first)... I can't justify it. I'm just both dumbfounded and kind of offended that Microsoft would do this with Personal OneDrive accounts considering users are still PAYING for the service. Encrypting data on the fly at Microsoft's end costs them nothing but maybe 0.1 ms more of processing per file that gets copied onto their SANs.

Anyways, thanks for taking the time to post that link regarding Microsoft's security and encryption info. Have a great day!

45 people were helped by this reply


The best advice a Microsoft employee could give is to say use 3rd-party encryption. That's a good answer.

Google Docs glitch that locked out users underscores privacy concerns:
https://www.nytimes.com/2017/10/31/technology/google-docs-glitch-bug.html?smid=pl-share
An erroneous "code push" caused a small percentage of Google Docs to be incorrectly flagged as abusive on Tuesday, according to Google.

2 people were helped by this reply


Encryption of files at rest where the keys are handled by the user is more risky for a free file service. I actually think it's a poor assumption to make that every OneDrive user would successfully implement encryption at rest and would know how to securely manage their encryption keys. If Microsoft has to handle the keys then there's no point since the scenario you described of a rogue employee reading your info is just as viable and likely as without encryption. Customers would have to know the importance of encryption keys in order for their information to be successfully encrypted at rest on Microsoft servers. Imagine millions of people turning on encryption, given their encryption keys, and then losing them. Oops, data gone! You can try to mitigate that risk by making an obvious popup screen that says, "OMG DO NOT LOSE THIS KEY!" but that won't help; people will lose that stuff in droves. Imagine the PR nightmare...pretty soon the service or feature would go away. Think the Files on Demand feature was awesome in Windows 8.1? Yeah, people were confused about that feature too and that went away until recently with the Windows 10 FCU. All that took was a simple misunderstanding of a OneDrive feature, imagine what would happen with billions of encrypted files and lost keys.

Second, offering free cloud storage and sharing capabilities is a huge liability because it can easily be used to distribute illegal content. If that information is encrypted for free (and the user managed the encryption keys) then Microsoft would never be able to monitor that content. It's a legitimate reason to not encrypt data at rest for personal, free OneDrive accounts. That obviously changes when you have a paid OneDrive for Business subscription and are paying to have that feature turned on, but the "free" OneDrive personal accounts are an incredible risk, so monitoring your content is absolutely necessary for the service to continue.

I think the authentication tools Microsoft has available are capable of protecting data from others outside of the company (passwords, two-factor authentication, etc.); however, the risk of an internal Microsoft employee going rogue and stealing my information is low enough for me to deal with. Also, a Microsoft data center is far more secure than anything I can possibly attempt to implement in my own home. In fact, you can argue that it's almost safer, even without encryption, to store files purely in OneDrive.

13 people were helped by this reply


No offense, but I think you missed my point and therefore most of what you wrote is a moot point. I never once suggested that end users manage their own keys; in fact Microsoft expects users to do so with Personal OneDrive accounts, which is certainly risky to unsavvy users (although it would be a nice option to enable at-rest encryption on the Microsoft server side or even client side if the customer desired... of course if a user really wanted to they could enable Microsoft Windows encryption, VeraCrypt, etc).

Most importantly though, I don't know where you got that I'm talking about a service.

I am referring to the OneDrive Personal service that you pay for each month (versus the OneDrive Business service, which does offer at-rest file encryption and protection). Based on what you wrote, it sounds like you are possibly not aware of the OneDrive Personal storage service as being a paid offering by Microsoft. If I was merely talking about a freebie service this would all be a moot point, as I don't care about free stuff, and certainly Microsoft would justifiably want to mitigate their risk on free stuff.

Almost every other home-grade commercial cloud storage provider now offers encryption at rest, which can be handled in a multitude of ways without the customer breaking it on themselves, nor do they lose their key, and most SANs even offer hardware encryption, or file-based encryption that is simply tied to the users' own password. You can poke holes around how a Microsoft-based encryption key can still be compromised... but it still doesn't change the fact that Microsoft should be offering encryption at rest for all of their paid storage accounts, including the Personal accounts. Even Dropbox offers at-rest file encryption... you don't hear about their customers losing their encryption keys, right?

Thanks again for your time.

8 people were helped by this reply
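As an added example (not code from this thread, from Microsoft or from any product named in it), here is the "encrypt it yourself before it lands on OneDrive" approach the replies describe, in Go with only the standard library. It assumes a password-derived key (PBKDF2-HMAC-SHA256, written out because it is not in older Go standard libraries) and AES-256-GCM; the blob layout is constructed for the example. It also shows the failure mode raised in the thread: a forgotten password, or a blob modified in storage, simply fails to decrypt, with no recovery path.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Constructed blob layout: salt(16) || nonce(12) || AES-256-GCM ciphertext || tag(16).
const saltLen, nonceLen, tagLen, iters = 16, 12, 16, 200000

// aeadFor turns the password into AES-256-GCM via PBKDF2-HMAC-SHA256 (RFC 8018, one 32-byte block).
func aeadFor(password string, salt []byte) cipher.AEAD {
	mac := hmac.New(sha256.New, []byte(password))
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // PBKDF2 block index INT(1)
	u := mac.Sum(nil)
	key := append([]byte(nil), u...) // T = U1 xor U2 xor ... xor Uc
	for i := 1; i < iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range key {
			key[j] ^= u[j]
		}
	}
	block, _ := aes.NewCipher(key) // cannot fail: key is always 32 bytes
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// SealFile encrypts a file's bytes under the password before the file is dropped into the synced folder.
// Only the sealed blob ever reaches the provider's storage; the plaintext stays on the user's machine.
func SealFile(password string, plaintext []byte) ([]byte, error) {
	hdr := make([]byte, saltLen+nonceLen) // fresh random salt and nonce for every file
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	salt, nonce := hdr[:saltLen], hdr[saltLen:]
	return aeadFor(password, salt).Seal(append([]byte(nil), hdr...), nonce, plaintext, nil), nil
}

// OpenFile decrypts after download. A wrong (or lost) password and any tampering both fail closed:
// GCM's tag check rejects the blob outright, so there is never a "half decrypted" file.
func OpenFile(password string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen+tagLen {
		return nil, errors.New("blob too short to be a sealed file")
	}
	gcm := aeadFor(password, blob[:saltLen])
	return gcm.Open(nil, blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:], nil)
}
```

Sharing a sealed blob with another account works exactly as the thread's last replies ask: the recipient needs the password, and the provider never holds anything it can read.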


By suggesting that there be encryption at rest without access by Microsoft, you imply that encryption keys are handled by users. All of my points are relevant and valid. Even though Dropbox offers encryption at rest, do they still have access to their users' data? If yes, then their encryption is worthless according to the scenario you provided.

I did review the upgrade plans on OneDrive.com and they're really confusing on this point. They sell Office 365 plans in two of the three tiers without any indication of encryption at rest on their "Improved Security" bullet points, however there are dedicated security pages in other Microsoft sites that just say "Office 365" and they do specify encryption at rest. There's no explicit documentation that states there's no encryption at rest for OneDrive.com files, yet there are multiple sources stating that Office 365 uses it, and Office 365 uses OneDrive. More confusion...

3 people were helped by this reply



Thank you for your response. I am encrypting files with a password which Microsoft says is secure, so, from what you say, I have nothing to worry about. I do appreciate you responding. I didn't understand the terminology. My questions get me routed to an IT Professionals site, but I admit I am anything but. I do appreciate your time and wisdom. Thanks again!


So when you download this password-protected file, does it ask for a password in order to open it? It may or may not, depending on your installed encryption software.

If you share the file to another account that is not yours, does it ask for the password in order to open the file?

Normal files at rest on OneDrive are encrypted from outsiders getting in but not to the Microsoft insiders who can see your data.

I don't think Microsoft offers encryption for files that they themselves cannot open but I may be mistaken.

I don't have a business account.
