Examples of cloud-based removable drive encryption policy enforcement and recovery key management are described. In some examples, a removable drive encryption policy is received from a cloud-based management service. A removable drive is recognized by an operating system of a client device. An encryption command causes the operating system to request user password creation and encrypt the removable drive. A recovery key is identified from a write-output of the operating system. The recovery key is transmitted to the cloud-based management service for storage in a cloud-based removable drive recovery key escrow.