How Secure is Microsoft’s OneDrive Personal Vault?
Microsoft's OneDrive Personal Vault is a new feature that has been rolled out by default to OneDrive cloud storage since the end of 2019. Files in this area of OneDrive are only accessible after additional authentication (a second factor, 2FA). We explain how secure this new storage location is, how the data is encrypted, and what the Personal Vault can and cannot protect your data from.
The OneDrive Personal Vault in Short
The company behind it: Microsoft
Licenses: Included in OneDrive plans (Vault limited to a small number of files) / Office 365 plans (unlimited Vault space)
Costs: included in the OneDrive / Office365 plan
Supported platforms: Windows, Mac, Web, Windows Mobile, iOS, Android; optimized for use with Windows 10
Functions: Two-factor authentication, BitLocker-encrypted local storage for synchronized Vault files (on Windows), automatic locking after a time-out.
Limitations: Hardware tokens for 2FA are not supported. Encryption in transit and at rest is done by Microsoft, with the keys under Microsoft's control; on Windows, synchronized Vault files are kept in a BitLocker-encrypted area of the disk. The algorithms used are not published. In addition, data and keys are stored on Microsoft servers, either in the USA or in a data center somewhere else in the world.
For What You Can Use Microsoft’s Personal Vault
With Personal Vault, OneDrive users get a new location in OneDrive that they can protect further. But it is important to be aware of what the data in the Vault is and is not protected against – in other words, in which threat scenarios the stored data is safe.
Exclude Curious Family Members on a Shared PC
When you share a device, or even a OneDrive account, with others, the data in the Vault is protected by an additional factor: only someone who has the second factor can open the Personal Vault and access the data.
Slightly More Protection from Hackers
Hackers have a harder time getting at this data: even if they gain access to your OneDrive account, they must also bypass the second factor that protects the Vault. In several known cases, such as the 2014 iCloud hack in which private pictures of celebrities were stolen from accounts the attackers had entered with stolen credentials, such a Vault might have prevented unauthorized access.
Higher Protection in Case of Theft
If your device is stolen, the thief must first overcome your device protection (PIN, fingerprint or face recognition). However, criminals may watch (or film) you entering your PIN on the subway and later pull the device out of your pocket. In such a case, sensitive data is better stored in the Personal Vault than in the regular OneDrive area, because the Vault locks itself again after a time-out and asks for the second factor. This only helps if the second factor is not itself on the stolen device: a code delivered by SMS to the same phone, for example, adds little.
Disadvantage 1: Privacy is Not Really Provided in Microsoft’s Personal Vault
Microsoft advertises the Personal Vault with the claim that, in addition to the two-factor authentication, the data in it is encrypted even more securely. However, as we have often pointed out, there are different types of encryption, and very few of them completely prevent third parties from accessing your data. An example: all common cloud providers encrypt user data in transit (the TLS connection to their servers) and at rest (on their storage). The problem with this type of encryption:
- It is not end-to-end: the data is decrypted on the provider's side, so there are moments when it is in plaintext on Microsoft's systems.
- The provider does the encrypting: the TLS connection ends at Microsoft, Microsoft sees the plaintext and encrypts it for storage with keys that Microsoft holds. In other words: whoever encrypts the data has the encryption keys and can therefore decrypt it again if necessary.
The additional encryption in the Personal Vault consists of storing synchronized Vault data in a BitLocker-encrypted area of your local hard drive. In the cloud, however, the data is not additionally encrypted, but only protected by the second factor.
Who can theoretically still access your data in Personal Vault:
- Microsoft’s employees
- Third parties to whom Microsoft grants access (under the American CLOUD Act, for example, providers are obliged to hand over user data at the request of US authorities).
- Hackers who gain access to your Vault
Another problem is that the Personal Vault typically holds only a small percentage of the data you store in the cloud. We believe that all your data is worth protecting. Especially your private photos, which usually take up a lot of storage, should remain private.
Disadvantage 2: Code-centric Instead of Data-centric Security
When it comes to protecting sensitive data, there are two different approaches, and the choice between them is made in the design of the software. A frequently used (and error-prone) one is code-centric data security: the data itself is stored in a form anyone could read, and it is protected only by access controls in the program code (for example an authorization check before each read). Unauthorized persons can specifically hunt for errors in the access control, or exploit a misconfiguration, to get at the data.
Imagine a bouncer in front of a club that can be overcome with a blink of an eye, a bribe or a well-placed punch.
The other approach is data-centric security. The data itself is protected by procedures such as encryption, and access is only possible with possession of the matching key. An error in the access-control code no longer yields readable data, only ciphertext; the security-critical part moves from the access checks to the handling of the keys. This door is not protected by a bouncer, but by a lock – without a matching key, entry is impossible.
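To make the difference concrete, here is an added example in Go. It is not code from the original page and not Microsoft's or Boxcryptor's implementation; it illustrates both the provider-side encryption discussed under Disadvantage 1 and the code-centric versus data-centric contrast above. A constructed in-memory CloudStore stands in for the provider's storage: its Read method is the code-centric ownership check, and RawRead stands for every route around that check (an operator with database access, a lawful-access request, a bug in the check). The Client seals a file with AES-256-GCM on the device before upload, binds the file path as associated data, and never uploads its key. All type and function names, the sample file name and its content are assumptions made for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// CloudStore is a constructed stand-in for the provider's server-side storage,
// not OneDrive's implementation. It models only who can read which bytes.
type CloudStore struct {
	blobs map[string][]byte // path -> bytes exactly as the server holds them
	owner map[string]string // path -> account that uploaded the file
}

func NewCloudStore() *CloudStore {
	return &CloudStore{blobs: map[string][]byte{}, owner: map[string]string{}}
}

// Put stores whatever the client sends, plaintext or ciphertext alike.
func (s *CloudStore) Put(user, path string, data []byte) {
	s.blobs[path] = data
	s.owner[path] = user
}

// Read is the code-centric control: an ownership check in server code is the
// only thing between a requester and the stored bytes.
func (s *CloudStore) Read(requester, path string) ([]byte, error) {
	if s.owner[path] != requester {
		return nil, errors.New("access denied")
	}
	return s.blobs[path], nil
}

// RawRead models every route around Read: an operator with database access,
// a lawful-access request, or a bug in the access check.
func (s *CloudStore) RawRead(path string) []byte {
	return s.blobs[path]
}

// Client holds the user's key. It is generated on the device and never
// uploaded; that key custody is what makes the approach data-centric.
type Client struct {
	key []byte // 32 bytes for AES-256
}

func NewClient() (*Client, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &Client{key: key}, nil
}

func (c *Client) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(c.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts with AES-256-GCM before the bytes leave the device. The path
// is bound as associated data so the server cannot serve one encrypted file
// under another's name. Output layout: nonce || ciphertext || tag.
func (c *Client) Seal(path string, plaintext []byte) ([]byte, error) {
	gcm, err := c.aead()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random 96-bit nonce per file
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(path)), nil
}

// Open reverses Seal and fails on any tampering, wrong key or path mismatch.
func (c *Client) Open(path string, blob []byte) ([]byte, error) {
	gcm, err := c.aead()
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(path))
}

func main() {
	store := NewCloudStore()
	secret := []byte("constructed sample: passport scan") // constructed input
	store.Put("alice", "vault/plain.pdf", secret)       // code-centric: plaintext at rest
	alice, _ := NewClient()
	blob, _ := alice.Seal("vault/sealed.pdf", secret) // data-centric: sealed on device
	store.Put("alice", "vault/sealed.pdf", blob)
	fmt.Printf("bypassed check, plaintext file: %q\n", store.RawRead("vault/plain.pdf"))
	fmt.Printf("bypassed check, sealed file:    %x...\n", store.RawRead("vault/sealed.pdf")[:16])
	_, err := alice.Open("vault/other.pdf", store.RawRead("vault/sealed.pdf"))
	fmt.Println("sealed file served under another name:", err)
}
```

Run it and the plaintext file is fully readable through RawRead, while the sealed one yields only random-looking bytes; opening the sealed blob under a different path, with a flipped byte, or with another client's key fails at the GCM tag check. What the example deliberately leaves out is the hard part of any data-centric design: where the key lives, how it is backed up, and how it is shared with other devices or people. That key handling is exactly what a client-side encryption product has to solve, and what the access-control bugs of a code-centric design no longer affect.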
For certain threat scenarios, the Personal Vault is certainly a help and an improvement in the protection of your data. But if you are concerned about consistently protecting your privacy, and if you do not want it to be technically possible for government agencies and one of the world's largest corporations to access your data, you should not rely on the Personal Vault alone. Then a data-centric approach, such as client-side end-to-end encryption following the zero-knowledge principle, is the right choice for you.
With Boxcryptor, data is automatically encrypted directly on your device before it is synchronized to the cloud. Microsoft has no access, so they cannot share your data. If your cloud or vault is hacked, attackers will only find encrypted data. At Boxcryptor, our Zero-Knowledge implementation means we cannot access your data either. And best of all, the encryption takes place in the background. Our users can save, edit, share, and move files as usual. Security can be that simple.
Get Boxcryptor to Protect all Your Data in OneDrive
Boxcryptor encrypts your cloud data before it is synchronized to OneDrive. This way, no one but you can access your data. Our free version allows you to encrypt an unlimited amount of data at one cloud provider on two devices.