Abstract: A computing device can perform operations to unlock encrypted volumes of the computing device while the computing device is in a recovery environment. In some examples, the computing device can work in conjunction with a test computing device to unlock the encrypted volumes using an unlock token and a PIN. In other examples, the computing device can perform operations without a test computing device. For example, the computing device can, while in the recovery environment, use credentials associated with a user of the computing device to obtain a recovery password to unlock keys for interpreting the encrypted volumes. In some examples, the computing device can use a shortened recovery password in conjunction with anti-hammering capabilities of a Trusted Platform Module in order to unlock keys for interpreting the encrypted volumes. These and other operations can facilitate secure unlock of volumes of encrypted data on a consumer device.

Abstract: A computing device can perform operations to unlock encrypted volumes of the computing device while the computing device is in a recovery environment. In some examples, the computing device can work in conjunction with a test computing device to unlock the encrypted volumes using an unlock token and a PIN. In other examples, the computing device can perform operations without a test computing device. For example, the computing device can, while in the recovery environment, use credentials associated with a user of the computing device to obtain a recovery password to unlock keys for interpreting the encrypted volumes. In some examples, the computing device can use a shortened recovery password in conjunction with anti-hammering capabilities of a Trusted Platform Module in order to unlock keys for interpreting the encrypted volumes. These and other operations can facilitate secure unlock of volumes of encrypted data on a consumer device.

Abstract: A computing device can perform operations to unlock encrypted volumes of the computing device while the computing device is in a recovery environment. In some examples, the computing device can work in conjunction with a test computing device to unlock the encrypted volumes using an unlock token and a PIN. In other examples, the computing device can perform operations without a test computing device. For example, the computing device can, while in the recovery environment, use credentials associated with a user of the computing device to obtain a recovery password to unlock keys for interpreting the encrypted volumes. In some examples, the computing device can use a shortened recovery password in conjunction with anti-hammering capabilities of a Trusted Platform Module in order to unlock keys for interpreting the encrypted volumes. These and other operations can facilitate secure unlock of volumes of encrypted data on a consumer device.

Abstract: A computing device can perform operations to unlock encrypted volumes of the computing device while the computing device is in a recovery environment. In some examples, the computing device can work in conjunction with a test computing device to unlock the encrypted volumes using an unlock token and a PIN. In other examples, the computing device can perform operations without a test computing device. For example, the computing device can, while in the recovery environment, use credentials associated with a user of the computing device to obtain a recovery password to unlock keys for interpreting the encrypted volumes. In some examples, the computing device can use a shortened recovery password in conjunction with anti-hammering capabilities of a Trusted Platform Module in order to unlock keys for interpreting the encrypted volumes. These and other operations can facilitate secure unlock of volumes of encrypted data on a consumer device.

Abstract: A computing device can perform operations to unlock encrypted volumes of the computing device while the computing device is in a recovery environment. In some examples, the computing device can work in conjunction with a test computing device to unlock the encrypted volumes using an unlock token and a PIN. In other examples, the computing device can perform operations without a test computing device. For example, the computing device can, while in the recovery environment, use credentials associated with a user of the computing device to obtain a recovery password to unlock keys for interpreting the encrypted volumes. In some examples, the computing device can use a shortened recovery password in conjunction with anti-hammering capabilities of a Trusted Platform Module in order to unlock keys for interpreting the encrypted volumes. These and other operations can facilitate secure unlock of volumes of encrypted data on a consumer device.

Abstract: A computing device can perform operations to unlock encrypted volumes of the computing device while the computing device is in a recovery environment. In some examples, the computing device can work in conjunction with a test computing device to unlock the encrypted volumes using an unlock token and a PIN. In other examples, the computing device can perform operations without a test computing device. For example, the computing device can, while in the recovery environment, use credentials associated with a user of the computing device to obtain a recovery password to unlock keys for interpreting the encrypted volumes. In some examples, the computing device can use a shortened recovery password in conjunction with anti-hammering capabilities of a Trusted Platform Module in order to unlock keys for interpreting the encrypted volumes. These and other operations can facilitate secure unlock of volumes of encrypted data on a consumer device.

Abstract: Content on a device is encrypted and protected based on a data protection key. The protected content can then be copied to cloud storage, and from the cloud storage the protected content can be transferred to various other ones of the user's devices. A key used to retrieve plaintext content from the protected content is associated with an identifier of a particular device that provides the key, the device providing the key being the device that generated the key, or another managed device to which the protected content was transferred. A wipe command can similarly be transferred to the various ones of the user's devices, causing any keys associated with a particular device to be deleted from each of the various ones of the user's devices.

Abstract: A data protection policy is implemented on a computing device, the data protection policy indicating how organization data on the computing device is to be protected. Protection of the organization data includes encrypting the organization data, and allowing the organization data to be decrypted only by particular programs and/or under particular circumstances (as indicated by the data protection policy). When implementing a data protection policy, files already stored on the computing device are encrypted using a passive encryption technique. The passive encryption technique can include one or more of an encrypt on close technique, an encrypt on open technique, an encrypt without exclusive access technique, and an encrypt location technique.

Abstract: Content on a device is encrypted and protected based on a data protection key corresponding to a particular identity of the user of the device. The protected content can then be stored to cloud storage, and from the cloud storage the protected content can be transferred to various other ones of the user's devices. A data protection key that is used to retrieve the plaintext content from the protected content is maintained by the user's device. This data protection key can be securely transferred to other of the user's devices, allowing any of the user's devices to access the protected content.

Abstract: A program on a device communicates with services of an organization and obtains data associated with the organization (also referred to as organization data). The organization data is optionally encrypted using one or more encryption keys, in which case the program has access to one or more decryption keys allowing the organization data to be decrypted and used at the device. Situations can arise in which the organization data stored on the device is to no longer be accessible to a user and/or the device, which is also referred to as the data being revoked. In response to organization data being revoked at the device, various techniques are used to intelligently delete the data, which refers to determining, based on the revocation that occurred and the nature of the data on the device, which data on the device is to be deleted from the device.

Abstract: Data files are encrypted based on a key associated with an entity that sets a data protection policy controlling access to the data files. The data protection policy identifies various restrictions on how the plaintext data of the encrypted data in the data files can be used. The data files have corresponding metadata identifying the entity that sets the data protection policy, and processes that are running instances of applications that are allowed to access the plaintext data are also associated with the identifier of the entity. These identifiers of the entity, as well as the data protection policy, are used by an operating system of a computing device to protect the data in accordance with the data protection policy, including having the protection be transferred to other devices with the protected data, or preventing the protected data from being transferred to other devices.

Abstract: A computing device can perform operations to unlock encrypted volumes of the computing device while the computing device is in a recovery environment. In some examples, the computing device can work in conjunction with a test computing device to unlock the encrypted volumes using an unlock token and a PIN. In other examples, the computing device can perform operations without a test computing device. For example, the computing device can, while in the recovery environment, use credentials associated with a user of the computing device to obtain a recovery password to unlock keys for interpreting the encrypted volumes. In some examples, the computing device can use a shortened recovery password in conjunction with anti-hammering capabilities of a Trusted Platform Module in order to unlock keys for interpreting the encrypted volumes. These and other operations can facilitate secure unlock of volumes of encrypted data on a consumer device.

Abstract: A data protection policy is implemented on a computing device, the data protection policy indicating how organization data on the computing device is to be protected. Protection of the organization data includes encrypting the organization data, and allowing the organization data to be decrypted only by particular programs and/or under particular circumstances (as indicated by the data protection policy). When implementing a data protection policy, files already stored on the computing device are encrypted using a passive encryption technique. The passive encryption technique can include one or more of an encrypt on close technique, an encrypt on open technique, an encrypt without exclusive access technique, and an encrypt location technique.

Abstract: A program on a device communicates with services of an organization and obtains data associated with the organization (also referred to as organization data). The organization data is optionally encrypted using one or more encryption keys, in which case the program has access to one or more decryption keys allowing the organization data to be decrypted and used at the device. Situations can arise in which the organization data stored on the device is to no longer be accessible to a user and/or the device, which is also referred to as the data being revoked. In response to organization data being revoked at the device, various techniques are used to intelligently delete the data, which refers to determining, based on the revocation that occurred and the nature of the data on the device, which data on the device is to be deleted from the device.

Abstract: Content on a device is encrypted and protected based on a data protection key. The protected content can then be copied to cloud storage, and from the cloud storage the protected content can be transferred to various other ones of the user's devices. A key used to retrieve plaintext content from the protected content is associated with an identifier of a particular device that provides the key, the device providing the key being the device that generated the key, or another managed device to which the protected content was transferred. A wipe command can similarly be transferred to the various ones of the user's devices, causing any keys associated with a particular device to be deleted from each of the various ones of the user's devices.

Abstract: Content on a device is encrypted and protected based on a data protection key corresponding to a particular identity of the user of the device. The protected content can then be stored to cloud storage, and from the cloud storage the protected content can be transferred to various other ones of the user's devices. A data protection key that is used to retrieve the plaintext content from the protected content is maintained by the user's device. This data protection key can be securely transferred to other of the user's devices, allowing any of the user's devices to access the protected content.

Abstract: Data files are encrypted based on a key associated with an entity that sets a data protection policy controlling access to the data files. The data protection policy identifies various restrictions on how the plaintext data of the encrypted data in the data files can be used. The data files have corresponding metadata identifying the entity that sets the data protection policy, and processes that are running instances of applications that are allowed to access the plaintext data are also associated with the identifier of the entity. These identifiers of the entity, as well as the data protection policy, are used by an operating system of a computing device to protect the data in accordance with the data protection policy, including having the protection be transferred to other devices with the protected data, or preventing the protected data from being transferred to other devices.

Abstract: Techniques for providing revocation information for revocable items are described. In implementations, a revocation service is employed to manage revocation information for various revocable items. For example, the revocation service can maintain a revoked list that includes revoked revocable items, such as revoked digital certificates, revoked files (e.g., files that are considered to the unsafe), unsafe network resources (e.g., a website that is determined to be unsafe), and so on. In implementations, the revocation service can communicate a revoked list to a client device to enable the client device to maintain an updated list of revocation information.

Abstract: A computing device analyzes digital certificates received from various different sites (e.g., accessed via the Internet or other network) in order to automatically detect fraudulent digital certificates. The computing device maintains a record of the digital certificates it receives from these various different sites. A certificate screening service operating remotely from the computing device also accesses these various different sites and maintains a record of the digital certificates that the service receives from these sites. In response to a request to access a target site the computing device receives a current digital certificate from the target site. The computing device determines whether the current digital certificate is genuine or fraudulent based on one or more of previously received digital certificates for the target site, confirmation certificates received from the certificate screening service, and additional characteristics of the digital certificates and/or the target site.

Abstract: A computing device analyzes digital certificates received from various different sites (e.g., accessed via the Internet or other network) in order to automatically detect fraudulent digital certificates. The computing device maintains a record of the digital certificates it receives from these various different sites. A certificate screening service operating remotely from the computing device also accesses these various different sites and maintains a record of the digital certificates that the service receives from these sites. In response to a request to access a target site the computing device receives a current digital certificate from the target site. The computing device determines whether the current digital certificate is genuine or fraudulent based on one or more of previously received digital certificates for the target site, confirmation certificates received from the certificate screening service, and additional characteristics of the digital certificates and/or the target site.