BitLocker is a preinstalled Windows feature that comes with Windows 11 and Windows 10 (only Pro and Enterprise editions) and is used to keep the data on a drive from falling into the wrong hands. Since BitLocker locks up your data by encrypting it, the data can only be accessed by someone who holds the security key, which is usually a Personal Identification Number (PIN) or a password. It also automatically generates a digital Recovery Key in case you forget your PIN or password, or in case your system detects something suspicious.
If you have set up BitLocker on your Windows device yourself, then you would know that the setup wizard makes it mandatory to save the Recovery Key in a secure location and it simply would not allow drive encryption without it. The purpose of the Recovery Key is to ensure that only authorized personnel can unlock the data since only they would know where the Recovery Key is kept.
Your system may ask for the key if there have been too many incorrect attempts to unlock it, or if the hard drive has been moved to another computer. When that happens, you will be required to provide the associated Recovery Key, without which you will be unable to access the data on that storage drive. Since users are not asked for the Recovery Key every day, it is very easily misplaced.
Before we begin discussing how you can locate the Recovery Key, let us see what it exactly is.
What is BitLocker Recovery Key
The BitLocker Recovery Key is a 48-digit combination of numbers that is generated automatically when BitLocker encryption is configured. It is used to unlock the drive’s content that has been encrypted using BitLocker.
The key is associated with a 32-character alphanumeric identifier, also known as BitLocker ID, which is unique for each drive that is encrypted. Therefore, the Recovery Key will only work on that particular drive with a unique ID.
If the drive is moved from one device to another, BitLocker immediately picks it up and asks the user for the Recovery Key instead of the regular PIN/password, as an added security measure. The computer may also need the Recovery Key if there have been too many incorrect attempts at unlocking the drive, or if it detects unauthorized access in any way.
Let us now go through the process of setting up BitLocker on a Windows device. This will assist you in determining where you may have possibly saved the Recovery Key if it was lost.
How to Turn On BitLocker in Windows
Before we begin, there are a few things you need to ensure before configuring BitLocker on your device.
First, you must ensure that you have either the Professional, Enterprise, or Education editions of Windows 10 or 11, as these editions come with BitLocker pre-installed. You can check which version you have by typing in winver in Run.
If you have a different edition of Windows, you will need an alternative to BitLocker.
Next, you must ensure that your device has at least a TPM 1.2 chip in its hardware; check that a TPM module is present before you continue.
Once checked and the prerequisites are met, you can now proceed to the steps below to enable BitLocker on your system.
- Open the File Explorer and right-click on the volume that you want to encrypt. Click Turn on BitLocker from the context menu.
- BitLocker Drive Encryption Wizard will now open. You will be asked where you wish to save the Recovery Key.
If you want to Save to your Microsoft account, you must be signed in using a Microsoft account. You can also Save to a file. However, it will need to be on a partition other than the one being encrypted, such as another volume, a USB flash drive, or a drive mapped over the network. You can also choose to Print the recovery key, either to a physical printer, or via Print to PDF to save the Recovery Key in a PDF file. When saved, click Next.
- On the next screen, select “Encrypt used disk space only” and then click Next.
- Next, choose “New encryption mode” if you are enabling BitLocker on a partition on the hard drive, or “Compatible mode” if enabling it on a removable drive. Click Next when done.
- On the next screen, click Start encrypting.
- The encryption process will now begin. This step may take some time depending on the amount of data present on the drive. Once it is finished, click Close in the pop-up dialog box.
The data inside the drive will now be encrypted. However, you will not be asked to configure a PIN or a password just yet. Configuring a PIN or a password for BitLocker requires a few additional steps which are discussed further down this post.
That said, through step 2 above, it becomes clear where you may have possibly stored the Recovery Key while setting up BitLocker. Let us now discuss where you may want to look for it.
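The same setup, done from an elevated PowerShell prompt instead of the wizard, as an added example that is not part of the original article. It assumes C: is the OS drive with a TPM available and that F: is a separate, unencrypted volume (another partition or a USB stick) where the key file can be saved.

```powershell
# Added example (not from the original article): the wizard steps above, run
# from an elevated PowerShell prompt with the built-in BitLocker module.
# Assumptions: C: is the OS drive with a TPM available, and F: is a separate,
# unencrypted volume (another partition or a USB stick) for the key file.
Import-Module BitLocker

# Step 2: create the 48-digit Recovery Key (a "recovery password" protector)
# before encryption starts, just as the wizard forces you to save it first.
Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null

# "Save to a file": write the key and its identifier to the other volume, with
# the Key ID in the file name so a later File Explorer search for the ID finds it.
$rp = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
$keyId = $rp.KeyProtectorId.Trim('{}')
@"
BitLocker Drive Encryption recovery key
Identifier: $keyId
Recovery Key: $($rp.RecoveryPassword)
"@ | Set-Content -Path "F:\BitLocker Recovery Key $keyId.TXT"

# Steps 3 and 4: "Encrypt used disk space only" = -UsedSpaceOnly;
# "New encryption mode" = XTS-AES (fixed drives). A removable drive would use
# "Compatible mode" = -EncryptionMethod Aes256 instead.
# Step 5: -TpmProtector lets the TPM unlock the OS drive, so no PIN is asked yet
# (see "How to Enable BitLocker Pre-Boot PIN Authentication" below).
Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 -UsedSpaceOnly `
    -TpmProtector -SkipHardwareTest

# Step 6: check progress until VolumeStatus reports FullyEncrypted.
Get-BitLockerVolume -MountPoint 'C:' |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus
```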
How to Find BitLocker Recovery Key
If you are ever required to enter your BitLocker Recovery Key, remember that BitLocker made you back it up to a secure place at the time of configuration. Try the following methods to look for your missing Recovery Key, keeping in mind that the BitLocker Identifier in the Recovery Key file needs to match the one displayed on the BitLocker recovery screen.
In Microsoft Account
One of the three options for saving the Recovery Key while setting up BitLocker is your Microsoft account. In that case it will have been saved to OneDrive.
OneDrive has a default location set aside for the BitLocker Recovery Keys of your devices, which you can reach through the link below. Sign in to your Microsoft account there and check whether a Recovery Key is listed. If so, match your BitLocker ID before entering the 48-digit Recovery Key.
Access Microsoft OneDrive Recovery Key for devices: https://account.microsoft.com/devices/recoverykey
In a PDF or Text File
It may be possible that you saved the Recovery Key in a file. It may be a text file or a PDF. Moreover, the location of the file can be very uncertain as there are a lot of options to save it to. It may have been saved as a text file on a different volume on the same device, or on a USB flash drive. If you have any drives mapped across the network, we suggest that you also look for the Recovery Key there.
By default, the name of the file includes your BitLocker Recovery ID. If it was not changed manually at the time of saving it, you can search for it through File Explorer and it may just show up.
We must also warn you that the Recovery Key may have been saved as a PDF (through Print to PDF) on the very volume being encrypted. If that is the case, you are very unlikely to be able to reach the Recovery Key PDF file without first getting past the BitLocker recovery screen.
On a Printout
Since one of the options to save your Recovery Key was by printing it, it may be possible that you have the Recovery Key on a printout in your drawer or your box files. Check your prints for the Recovery Key which should include both the key as well as the identifier.
In Active Directory (AD)
If your device is connected to an organization’s domain, it is very much likely that your system administrator has backed up your Recovery Key on the Active Directory (AD). You can ask them to look for it through the following steps:
- From the Active Directory Users and Computers console, click on the Organizational Unit (OU) containing your computer.
- Now right-click on your computer and click Properties from the context menu.
- From the Properties window, switch to the BitLocker Recovery tab to look for the BitLocker Recovery Key.
In Azure Active Directory (AAD)
If you log into your computer account using a work or school email account, your Recovery Key may likely be stored in your organization’s Azure Active Directory (AAD). If so, ask your system administrator to look it up.
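Both of the administrator-side lookups above only work if the key was escrowed in the first place. As an added example that is not from the original article, the following PowerShell, run elevated on the device itself, lists every recovery password with its Key ID so it can be matched against the recovery screen, and then escrows the OS drive's key to AD or Azure AD. It assumes the device is already joined to the directory you pick, and the helper names Get-RecoveryKeyInfo and Backup-RecoveryKey are this example's own, not BitLocker cmdlets.

```powershell
# Added example (not from the original article). Run from an elevated PowerShell
# prompt on the device. Assumption: the machine is already domain-joined (for
# 'AD') or Azure AD-joined (for 'AAD'); Get-RecoveryKeyInfo and Backup-RecoveryKey
# are helper names chosen here, not BitLocker cmdlets.
Import-Module BitLocker

function Get-RecoveryKeyInfo {
    # One row per recovery password on every BitLocker volume. The output contains
    # the key itself, so do not redirect it to a file on the encrypted drive.
    foreach ($vol in Get-BitLockerVolume) {
        foreach ($rp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
            $id = $rp.KeyProtectorId.Trim('{}')
            [pscustomobject]@{
                Drive       = $vol.MountPoint
                Protection  = $vol.ProtectionStatus
                KeyIdPrefix = $id.Substring(0, 8)   # the short form the recovery screen shows
                KeyId       = $id                   # full identifier, as in the key file name
                RecoveryKey = $rp.RecoveryPassword  # 48 digits in 8 groups of 6
            }
        }
    }
}

function Backup-RecoveryKey {
    param(
        [Parameter(Mandatory)][ValidateSet('AD', 'AAD')][string]$Target,
        [string]$MountPoint = $env:SystemDrive
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    foreach ($rp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        if ($Target -eq 'AD') {
            # Stored on the computer object, where the "BitLocker Recovery" tab reads it.
            Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId
        } else {
            # Stored on the Azure AD device record that administrators look up in the portal.
            BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId
        }
    }
}

# Show the table, then escrow the OS drive's key to the directory you are joined to.
Get-RecoveryKeyInfo | Format-Table -AutoSize
Backup-RecoveryKey -Target 'AD'
```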
If you are unable to find your Recovery Key anywhere, there is a high risk that it no longer exists and has been accidentally deleted. In that case there is no simple way to recover your data. The standard option is to reset (reformat) the drive, which destroys all data on it. However, if the data is crucial to you, you can try to recover the encrypted data using tools that are readily available online.
If you did find your Recovery Key, we suggest that you unlock your system with it and then set up a PIN or password that is entered at boot, so that the system is far less likely to ask for the Recovery Key again.
How to Enable BitLocker Pre-Boot PIN Authentication
If you have enabled BitLocker on the boot drive (the one that contains the operating system) on your Windows device, you can then perform these additional steps to enable PIN authentication which needs to be entered each time your system boots up. This way, the operating system will not unlock your encrypted data until the correct PIN, password, or Recovery key is provided.
- Open the Group Policy Editor by typing in gpedit.msc in Run.
- Navigate to the following using the left pane:
Computer Configuration >> Administrative Templates >> Windows Components >> BitLocker Drive Encryption >> Operating System Drives
- On the right, double-click “Require additional authentication at startup.”
- In the pop-up window, select the Enabled radio button. Then, in the Options box, set the following configurations from the drop-down menu (for PIN configuration):
- Configure TPM Startup: Do not allow TPM
- Configure TPM Startup PIN: Require startup PIN with TPM
- Configure TPM Startup key: Do not allow startup key with TPM
- Configure TPM Startup key and PIN: Do not allow startup key and PIN with TPM
Click Apply and OK when done.
- Now run the following in a Command Prompt with administrative privileges for the changes to take effect:
gpupdate /force
- Now open File Explorer and right-click on the boot drive. Click Manage BitLocker from the context menu.
- On the next screen, click Change how drive is unlocked at startup in front of the encrypted boot drive.
- BitLocker Wizard will now launch. Click Enter a PIN.
- On the next screen, enter the PIN that you want to set (6 to 20 digits) and then click Set PIN.
Now each time your device boots up (or reboots), you will be asked to enter your PIN to unlock the data.
If you want to make your credentials more complex, you can enable the Group Policy that allows passwords 8 to 20 characters long, which can include letters and special characters. To do so, navigate to the following within the Group Policy Editor:
Computer Configuration >> Administrative Templates >> Windows Components >> BitLocker Drive Encryption >> Operating System Drives
Double-click Configure use of passwords for operating system drives and set it to Enabled. Leave the Options section at its default values and click Apply and OK.
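The Group Policy settings above only take effect once they reach the machine, and the wizard's Change how drive is unlocked at startup option depends on them. As an added example that is not from the original article, this PowerShell verifies the policy values landed in the registry with the exact settings listed above, then adds a TPM+PIN protector to the OS drive if it still has only a TPM-only protector. It assumes an elevated prompt after gpupdate /force; the value encoding (0 = Do not allow, 1 = Require, 2 = Allow) is taken from the BitLocker ADMX template.

```powershell
# Added example (not from the original article): check that the Group Policy
# settings above reached the machine (they land under
# HKLM\SOFTWARE\Policies\Microsoft\FVE), then add a TPM+PIN protector to the OS
# drive if it only has a TPM-only protector. Assumptions: elevated prompt, run
# after gpupdate /force; value encoding 0 = Do not allow, 1 = Require, 2 = Allow
# comes from the BitLocker ADMX template.
Import-Module BitLocker

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$expected = @{
    UseAdvancedStartup = 1   # "Require additional authentication at startup" = Enabled
    UseTPM             = 0   # Configure TPM startup: Do not allow TPM
    UseTPMPIN          = 1   # Configure TPM startup PIN: Require startup PIN with TPM
    UseTPMKey          = 0   # Configure TPM startup key: Do not allow startup key with TPM
    UseTPMKeyPIN       = 0   # Configure TPM startup key and PIN: Do not allow
}

$actual = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
$mismatch = $expected.Keys | Where-Object { $actual.$_ -ne $expected[$_] }
if ($mismatch) {
    throw "Policy not applied for: $($mismatch -join ', '). Re-check gpedit.msc and run gpupdate /force."
}

$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($os.KeyProtector.KeyProtectorType -contains 'TpmPin') {
    "OS drive $($os.MountPoint) already has a TPM+PIN protector."
} else {
    # Read the PIN without echoing it; 6 to 20 digits, as the wizard requires.
    $pin = Read-Host -Prompt 'New startup PIN' -AsSecureString
    # BitLocker keeps one TPM-based protector per volume, so this replaces the
    # TPM-only protector; the recovery password protector is left untouched.
    Add-BitLockerKeyProtector -MountPoint $os.MountPoint -TpmAndPinProtector -Pin $pin
}
```

Reboot afterwards to confirm the pre-boot PIN prompt appears, and keep the Recovery Key to hand in case the PIN is mistyped too many times.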
How to Disable BitLocker in Windows
If you find that you no longer need your data encrypted, you can turn off BitLocker in a few simple steps.
- Open File Explorer and right-click on the drive that you wish to turn off BitLocker for. Click Manage BitLocker from the context menu.
- On the next screen, click Turn off BitLocker in front of the drive.
- In the pop-up confirmation box, click Turn off BitLocker again.
- The decryption process will now start. This step can take a few minutes.
Once the decryption is completed, you can reboot your computer to check that it no longer requires you to enter a PIN or a password.
Final Thoughts
Although BitLocker is a great security feature in Windows, it comes with its drawbacks. Users may keep their data secure from unauthorized access, but accessing that very same data becomes nearly impossible if the hard drive fails, or develops bad sectors.
If such a scenario occurs, you can try to recover your encrypted data using the BitLocker Repair Tool.