Microsoft adds new encryption support to OneDrive and Outlook.com

By John Callaham
last updated

Microsoft has announced it is adding new encryption support for its OneDrive cloud storage service and its Outlook.com email website, along with the opening of its first Transparency Center.

For OneDrive, Microsoft says it is adding Perfect Forward Secrecy (PFS) encryption support. The company stated that this system will be available via the OneDrive.com website, along with its mobile apps and sync clients. Microsoft said this added level of security for files will make it "more difficult for attackers to decrypt connections between their systems and OneDrive."

Outlook.com users will also get PFS support from now on, along with Transport Layer Security (TLS) encryption. Microsoft says, "This means that when you send an email to someone, your email is encrypted and thus better protected as it travels between Microsoft and other email providers."

Finally, the company announced that it has opened its first government Transparency Center in its Redmond, Washington campus. The center has been created to give government agencies a way to review the source code for many of Microsoft's software products in order to show them there are no security issues or "back doors" that might compromise their use. Microsoft plans to open other such Transparency Centers in other locations worldwide.

What do you think about this new move by Microsoft to add new encryption support for OneDrive and Outlook.com?

Source: Microsoft (opens in new tab)

John Callaham
John Callaham
71 Comments
  • Good news. Co-owner shared folders next please :D
  • And then drop the arbitrary 2 GB file limit.
  • Right!
  • What the heck are you sending that's 2GB?  Sheesh!
  • Uploading encrypted full mobile device backup files.
  • And after the co-ownership is implemented and the 2GB file limit is lifted, OneDrive will be quite perfect for my personal and professional needs. Glad to hear of more encryption and the transparency center. I hope Microsoft keeps on this path to really differentiate themselves in the online services market.
  • Oh yes! I'd really like to see that as well!
  • Good step forward towards building trust among customers ..
  • Just if you believe in their will to please the customer rather than the government that pays millions and millions of dollars
  • I do seeing that they are better than Google and Facebook are not just handing out information when it is requested.
  • +820
  • And you do see that? Why? Do you work for Microsoft or do you read about the nice news that they said .. no no no to the NSA? THey even look themselves in Mailboxes without a legal warrant to find MS Leakers. but hey.. they are much better.. sure
  • Prove any of what you just said. Especially that last one.
  • here we go :) http://www.neowin.net/news/microsoft-snooped-through-blogger039s-email-to-find-source-of-windows-8-leaks
  • I think that's much different. he's using a service. You have no rights to that info. The simple fact Google can legally scan your email attests to that. However, Microsoft wasn't actively looking at peoples email, they did it reactively when someone was obviously privy to something they shouldn't have, breaking copyright laws.
  • You think Google actively looks through users' emails? Please. They don't have a guy sitting at a desk scanning your inbox, thinking of what ads would be best to throw at you. This is an algorithm looking for simple trigger words to decide if they'll show you that ad for window replacement or a car dealership.
  • That means they are data mining your personal info and then using that info to sell targeted ads. It might be ok with you. It's not ok with me.
  • This. People here act like MS is there nice friendly buddy rather than a massive corporation. Don't get me wrong, I love their products, but anyone who things for a second that they're any better than Facebook or Google with regards to privacy is simply ignorant.
  • They've already sent an email to their nail users a few weeks ago saying they will never use your email information and searches for targeting you with ads or selling to third parties. Better than Google already.
  • Show me a source with an example of Google actually handing user data over to a third party. And I don't see what the big deal is regarding an algorithm scanning emails for the purpose of ad targeting. Personally I think MS going through the emails of bloggers purely on a hunch is even worse.
  • Pretty sure this want a hunch. The guy clearly had something he wasn't supposed to because he literally wrote Microsoft concerning it. He probably had enough detail to make them wonder how he knew what he knew.
  • But the fact that either company doesn't treat their services as true "mail" and can just rummage through your inbox for reasons like this is terrible. I'm not saying Google is the good guy here, but Microsoft is equally as bad.
    And I'm still waiting on that source.
  • They didn't go through the email of a blogger. They went through the email of an employee they suspected of providing info. There is a difference since they do have a contract with that employee.
  • That MS Leaker was a MS employee. If you read an employee contract, most employers put a clause that they can look at any emails stored on their servers. Outlook.com is an MS server. They checked with their lawyers and hte lawyers said they have a right to look at his emails, probably based on his emloyee contract, without a warrant. You can start complaining if they start looking at regular customers account. Google will scan your email for data mining purposes to target ads to you and be able to charge more money for those ads. As of now, Microsoft scans emails just for malware and for notifications, if you opt in. I personally will trust Microsoft more than Google as long as Microsoft makes its money from selling software and Google makes almost all its money from selling ads. 
  • That's nice of Microsoft, I feel safer already.
    Maybe they will make one of those transparency centers in China to show to the Chinese government of how misinformed their previous decisions were.
  • Or maybe not, that's like giving them the knowledge to make suspicious software for future use.
  • NSA incidents has proved that no government including USA is beyond suspicion or scrutiny. Given the chance they would snoop at its own citizens. Which USA continues to do to this date. So I do not understand why you assumed that USA govt is any better than Chinese govt. It's not. As a Software maker its Microsoft's responsibility to assure its users that their code is not vulnerable or provides any back door to USA etc. It's a good move from Microsoft.
  • Well said!
  • Agree. What I said about china is my bad sense of humor. But in a more serious note, I hope what Microsoft does will make the industry follow their steps.
  • The very thought of this just made The Goog shudder with disgust! ;)
  • Seems securerer....
  • Nice. Now can they add file fetch again?
  • All files on onedrive.com should be scrambled with encryption. But its a start. Interesting to know how the receiving mail server decodes it.
  • I think the mail is still sent unencrypted.
  • Here Encryption means your files will be encrypted when stored in onedrive, not when you take them out.
  • Trust is a must.. I feel so safe with Microsoft services whereas Google is my spam
  • Google's makes everyone a fool. And avg ppl becomes fool. Same goes for facebook
  • You're extremely mislead, then. If you don't think MS pulls the same crap as Google with regards to privacy then you've got another thing coming.
  • Anyone know when will nokia fix the Here and Drive? 
    After the last update still does not open and the phone restarts. 
    Is happening to several people.
  • I don't seem to have that issue and HERE Drive+ has been on my L1020 since day one. I'm on WP8.1 DP now.
  • Never
  • I have a question: This seems to be just added encryption between clients and server, but do they also add encryption of the files on the server? If so, who has the keys?
  • Indeed.
  • NSA approved :D
  • where is PFS in this story? Thanks.
  • To paraphrase Steven Wright, "I'm not naked. I work in Microsoft's Transparency Center and this is our uniform."
  • +920. Best Steven Wright line ever: "The sign said Drive-thru Window.... so I did. Geez, were they pi$$ed."
  • It's a start... I think... Is there a file encryption program for WP?
  • Is this all turned on already?  Do I need to do anything to turn it on?  I'm assuming I don't need to do anything since their aren't any directions...
  • https://www.ssllabs.com/ssltest/analyze.html?d=onedrive.com&s=23.6.111.144 No, its not. Not all browsers support it, anyway. For most users this is not newsworthy.
  • PFS makes decoding harder even if someone had access to encoded data while transit and store that .Stored data can only decrypted with the key ,with some huge resource and time it can be decrypted in future using specialazed super graphics hardware and computing machine .PFS make decrypting this type of decoding in future harder.As it was revealed NSA was tapping raw digital data between datacenters and backbone routers even it was encrypted while hoping they can break into data with their huge computing
  • Has anyone received the previous outlook.com update with the in-line reply, undo, and advanced rules? This was announced nearly a month and a half ago and I still don't have it on my account.
  • When Microsoft updates the W8.x email client, I hope they fix the IMAP delete bug I can replicate all day long. It is though Mail forgets to send the delete to my IMAP provider. The deleted mail goes away on screen, then comes back immediately on refresh. Curiously, the WP8.x email client does not have this issue, so my trusty 925 is what I use to manage the mail in that account.
  • Yes now they only have to move servers for non US users outside the US and allow them some privacy instead of peeping into their data and it may even become usable to save something.
  • This is great news as I personally was worry with Microsoft insisting using one password for all its products like Google. It's a scare where e are forced to use one password for logging on pc, phone, outlook, and one drive as if one gas your login details out means they have your life. So this will be welcome move from Microsoft. Looking forward to this update.
  • Enable two-step verification
  • Is the encryption automatic and always on, it's an option users configure?
  • Anyone's OneNote having trouble syncing?
  • Nope, mine is working perfect. I mean, I use OneNote Online version from my browser to make some changes at my notes (I don't use OneNote from the MS Office 2013 Pro Suite), and right after that i open OneNote from my phone and changes are already synced. And vise versa, If i do change from my phone, changes are synced instantly on the OneNote Online version. So you are saying that OneNote doesn't sync even if you press Sync manually?
  • Well step for building transparency.
  • Just last week i was complaining about lack of encryption for Onedrive, im using Boxcrypter, how will this differ and can I use both at same time!
  • Does that mean our OneDrive files will be encrypted in storage?
  • I don't think they are mentioning encryption at REST, which is what you are referring to. I believe they are enhancing the encryption of the transfer of information to and from these services. Will have to tune in to Security Now to see what Steve Gibson has to say about it!
  • Shame really, it would be cool to have free encrypted storage. Wouldn't cost MS too much
  • No. Seems none of the repliers in here understand what PFS is. Its just a slightly more sophisticated protocol on top of TLS/SSL. It has to do with reducing the risk that a bad guy gets in the middle of your "https" connection, basically. It has nothing to do with file encryption, or (frankly) the SSL/TLS other than protecting against a class of vulnerabilities that could let someone (with a LOT of sophistication) access data in-transit.
  • Are these moves to get Microsoft to where other companies already are, or are they the frontrunners in this respect?
  • GGMicrosoft. Moar encryption and better security. No backdoors. (except where the NSA needs em).
  • What about encryption when the data is at rest? While I like the idea of better encryption in transit, I want my data encrypted at rest with me controlling the private key and no I don't want a 3rd party solution for this.
  • +1. But maybe their idea is that data is safe enought when it's stored in theirs datacenters. Who knows why Google or MS does not implemented this obvious thing yet.
  • Harder for others, just as easy for NSA... MS should do some serious imago-boosting while it's still possible. But then again it has a reputation of being highly arrogant company (disclaimer: I like their products whenever they happen to work, but fuck with their attitude).
  • I get unexpected shutdowns...