It could mean the difference between recovering your data or losing it forever.
In some pre-configured Windows Pro or Home editions, BitLocker may encrypt the system drive without your knowledge.
Unfortunately, when encryption is on by default, you’re not prompted to save the recovery key. You need to find it and save it before you need it.
Finding your BitLocker recovery key
You can find your BitLocker Recovery key:
- When you enable BitLocker yourself.
- In your Microsoft account online.
- By copying it from the “Manage BitLocker” interface.
- Via the “manage-bde” command-line tool.
Regardless of how you get it, save it somewhere safe.
Traditional BitLocker setup
If you explicitly turn on BitLocker full-disk encryption, at some point in the process, you’ll be encouraged to save the recovery key.
It’s important to take one or more of these options. The recovery key is your way back in should you lose the ability to sign in to Windows or should you ever need to move the drive to a different machine.
It’s important to keep the recovery key somewhere safe to avoid losing access to everything on that drive should something go wrong.
Great. But what if you didn’t take this path?
Help make it permanent by becoming a Patron.
Related
How Do I Know If My Hard Disk Is BitLocker-Encrypted?
Your hard drive might be BitLocker-encrypted without you realizing it. If you don’t have the recovery key, you could lose everything. Learn how to check, why it matters, and the simple steps to protect yourself before it’s too late.#179885
BitLocker on by default
There are a few ways that BitLocker could be enabled by default. Who knew?
That has several implications.
- You may be using BitLocker right now and not even realize it.
- Your hard drive is more protected than you thought, whether or not you think you need that extra protection.
- You probably didn’t walk through the process of turning on BitLocker, and thus weren’t prompted to save your recovery key.
The last point is the most concerning. Without a recovery key, you could lose everything on the drive. Let’s explore three ways to find and save it.
The quick way: using your Microsoft account
Visit this URL and sign in, if needed, to your account.
https://account.microsoft.com/devices/recoverykey
This page lists all the BitLocker keys associated with the Microsoft account used to set up your computer(s), or the account that was in use when BitLocker was turned on.
Above is the list shown in my personal Microsoft account. There are a couple of interesting things to note.
- One machine is listed multiple times. Each likely represents a reinstall of Windows and a re-creation of the BitLocker encryption. Technically, I probably don’t need the older ones, but there’s no reason not to leave them there.
- One machine’s name is incorrect. This implies that the key was saved before I changed the name of the machine from its auto-generated default to my NOTEN-based naming scheme.
If you see keys listed here, back up this information to an additional location for safety. Take a screenshot of the page and save the image in a safe place, for example.
This is great, particularly if you suddenly need a recovery key for a drive you didn’t realize BitLocker has encrypted.
My question, though, is how do I know if these recovery keys are up to date? Like my machine listed twice above, how do I know of if the keys listed are current, or that I haven’t somehow created a new key?
I don’t.
Windows File Explorer: back up your recovery key
Windows File Explorer is sure to have the current recovery key. Right-click on the drive and look at the options in the resulting pop-up.
If the menu includes “Turn on BitLocker”, then BitLocker is not enabled for this drive. There’s nothing you need to do. (If the menu has no BitLocker option at all, then you probably have the Home version of Windows without explicit BitLocker support. See below.)
If, however, there’s an option to “Manage BitLocker”, click on that.
Click on Back up your recovery key, and you’ll have options to do exactly that. My suggestion is that you back up the key to both your Microsoft account (to be listed online, as shown above) and in some other form. Once you have that other form, store it somewhere safe where you can find it if needed.
The Command Prompt: Windows Home or Pro
Third option: if the drive is currently accessible, you can see the recovery key via the Windows Command Prompt. This is useful if you don’t use a Microsoft account, you’re running Home Edition, or if your machine isn’t shown in your account online.
In an administrative Command Prompt or PowerShell, run:
manage-bde -protectors -get C:
Replace “C:” with the drive letter of interest. If the drive is encrypted, it’ll display something like this:
The “Password” shown under “Numerical Password” is your BitLocker recovery key. Save that somewhere. Again, you can take a screenshot and save the image, or you can select the text on the screen and copy/paste it into a simple Notepad document to be saved somewhere.
You may get the message, “No key protectors found.”
This means the drive is not BitLocker encrypted, so there’s no recovery key to save.
Do this
Whole-disk encryption is a valuable approach to securing data, particularly on laptops and other mobile devices. BitLocker is a fine solution for Windows, but it’s important to make sure you have those recovery keys available should you ever need them. Particularly since BitLocker might be turned on without your knowledge, it’s doubly important to check.
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
I’m just a bit horrified by the intricacies around Bitlocker. My status is Bitlocker is not turned on. I believe my PC is fully able to meet the hardware requirements of TPM >1.2 (2.0), UEFI, Secure Boot, PCR7, Device Encrption Support, etc. I admit that a check of SYSINFO shows that elevation must occur before the status of PCR7 and Device Encryption can be viewed but I’m not going down that road just to find out.
What is horrifying is that OEMs would cavalierly set Bitlocker on and, I suspect given the suspect state of the art of typical system set up instructions, perhaps not fully cover the ins/outs of Bitlocker Recovery Key. I just read elsewhere that a windows update can change the Bitlocker status and Recovery Key. How’s that for a kick in the pants!?
I’m not anti-encryption and use it for password systems and selected files/folders but who is minding the store for the unsuspecting user? I think computers are getting more and more “weasely” every day. My apologies to actual weasels.
Hi there!
I am looking for any informations that could help me recovered the Bitlocker key when the computer is already locked by bitlocker. None of our microsoft accounts has a recovery key and, of curse, as we didn’t know that we have this on the computer we never trying to save a recovery key.
What could be done?
Nothing that I’m aware of. That’s kind of the point of Bitlocker: to prevent unauthorized access. Hopefully you have an image backup of the computer. Failing that I know of no way in.