If you’ve worked in tech for at least a couple of years, you’ve likely gone through some iterations of backup strategies and protocols, all created and implemented with the goal of preventing losses that could cost companies and individuals significant amounts of money and time. Since Windows Vista (IT pros, keep the laughter to a minimum, please), Microsoft was nice enough to provide users with their version: BitLocker.
BitLocker uses the Trusted Platform Module (TPM), a dedicated security chip, to encrypt everything on the drive where Windows is installed, protecting that data from theft or unauthorized access. When BitLocker detects what looks like an unauthorized access attempt, it locks the drive, which can then only be unlocked with the aptly named BitLocker Recovery Key. It is very important to keep this key safe and secure. The problem is that we, as humans, don’t keep good track of reference items like this, especially over time. If you’ve lost your BitLocker Recovery Key, you may feel that you will never unlock your drive again, at least not without expensive IT help. Don’t worry, there are other options.
Yes, data security, data loss protection, and other IT device best practices are important, but your employees may not always see that value and protect their information, especially retrieval codes, as securely as they should. Read on to learn how to find a BitLocker Recovery Key in any situation, without paying a hefty price, should you ever need to employ it.
What is a BitLocker recovery key?
According to the official Microsoft definition, your BitLocker recovery key is a unique 48-digit numerical password that can be used to unlock your system if BitLocker is otherwise unable to confirm for certain that the attempt to access the system drive is authorized.
In other words, it is a password: a long and somewhat complicated one that you are not going to want to commit to memory. This recovery key is generated when BitLocker is turned on, so that a user who forgets or misplaces their password, or otherwise loses access to their hard drive, still has a way in.
Here’s an example of how a BitLocker Recovery Key works:
- You are traveling for business or pleasure and you lose your laptop
- Your laptop is password protected and BitLocker was enabled by the original hardware manufacturer, so the person who found your laptop cannot access your data, because BitLocker flags their failed password attempts on your device
- BitLocker can also be configured so that Windows will not start until the user enters a PIN or inserts a removable device, such as a flash drive, that holds a startup key, in addition to the TPM check
- If this does not happen, BitLocker locks the data and will only unlock it with your BitLocker Recovery Key
- Airport security recovers your laptop and returns it. You enter your BitLocker Recovery Key, which you have kept in a safe and secure location for just this type of situation and your data is returned, safe and sound
Common places to find your BitLocker recovery key
If you have not figured it out already, it’s important to keep your recovery key somewhere you can locate it in case you have to use it after an attempted data security breach.
If you do not currently have it in a safe place, or cannot find it, now is a good time to go through the recovery options below while your laptop, PC, or server is not locked and there is no current emergency.
Here are a few places where you can find your BitLocker Recovery Key.
Active Directory Domain Services
If you are an end user at a company large enough to have an IT department, this is probably the easiest way to find your BitLocker Recovery Key.
- Your BitLocker recovery key may be saved to Active Directory (AD), so you can contact your administrator or IT department, who most likely has the recovery information for all end-user encrypted devices on file
- If you would like to give them a push in the right direction, or you are a smaller shop, BitLocker Recovery Password Viewer can locate and view the BitLocker Recovery Key that is stored in Active Directory (AD)
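The lookup an administrator performs in this situation, written as a script rather than through the Recovery Password Viewer GUI. This is an added example, not code from the original post or from Prey; it assumes the ActiveDirectory RSAT module, read rights on msFVE-RecoveryInformation objects, and a `$ComputerName` parameter supplied by the caller.

```powershell
# Added example (not from the original post): pull the BitLocker recovery
# password(s) for one computer out of Active Directory Domain Services.
# Assumes the ActiveDirectory module (RSAT) and read rights on the
# msFVE-RecoveryInformation objects under the computer account.
param([Parameter(Mandatory)][string]$ComputerName)   # assumed parameter

Import-Module ActiveDirectory

# Fails loudly if the computer account does not exist
$computer = Get-ADComputer -Identity $ComputerName -ErrorAction Stop

# Recovery passwords are stored as child objects of the computer account
$keys = Get-ADObject -SearchBase $computer.DistinguishedName `
                     -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
                     -Properties msFVE-RecoveryPassword, whenCreated

if (-not $keys) {
    Write-Warning "No recovery information for $ComputerName; its key was never backed up to AD DS"
    return
}

# Newest first: a re-encrypted or re-keyed drive leaves older entries behind
$keys | Sort-Object whenCreated -Descending | ForEach-Object {
    [pscustomobject]@{
        Computer         = $ComputerName
        BackedUp         = $_.whenCreated
        # The object name is "<timestamp>{<password id>}"; the id in braces is
        # what the blue recovery screen shows, so it tells you which key to use
        KeyId            = ($_.Name -split '[{}]')[1]
        RecoveryPassword = $_.'msFVE-RecoveryPassword'
    }
}
```

If the script prints the warning, the device was never escrowed to AD and the other locations on this page are the remaining options.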
Azure Active Directory
If your company uses Azure Active Directory, you can simply look up the device info for your Microsoft Azure account and get the recovery key.
If you registered all of your information with Microsoft when you purchased your device, or signed up for services like Office 365, there is a fairly simple process for you, too.
- You can retrieve your recovery key that was stored online with a Microsoft account by visiting: https://account.microsoft.com/devices/recoverykey
Once you have your BitLocker Recovery Key in hand, here are some good storage ideas for all types of encryption keys you may need to access in the future.
Print it out and file it
- Record the key in a document and print it out
- Store it in an old-fashioned filing cabinet
Store it on a separate device
- Print your BitLocker Recovery Key as a PDF
- Store that PDF file on a separate computer
Put it on a USB flash drive
- Create a file with your BitLocker Recovery Key or print it as a PDF
- Store the USB drive in a safe or other secure location with other sensitive items and documents
Old-school effective fixes
One thing to remember — besides trying to store your encryption keys in a logical place that you’ll recall in an emergency — is that even when things look quite bleak, all may not be lost. In fact, there are a couple of simple, old-school remedies to give it one last shot if you are currently looking at the blue BitLocker recovery screen with no recovery key in sight.
Reboot Your Computer
Yes, if you have heard this once, you have heard it a thousand times from IT professionals, but in this specific case it really does work (sometimes).
- Simply turn your computer off and back on again
- In many instances, your laptop or PC has reacted to what you could call a false positive: it thought there was a security issue that really was not there
- Rebooting will give the startup process and protocols another run-through and you may be able to just enter your regular password or PIN and go on with your day
If you are an IT pro, or just someone who knows enough to be reckless, something you have done to your drive or device may have triggered BitLocker's tamper protection and dropped you into recovery.
- If you changed something in your BIOS or moved some hardware about, just go ahead and change it back
- You may have to restart your computer for BitLocker to re-run its startup checks and clear the false positive
How to backup your recovery key
It’s not a good idea to have too many places where you have stored your encryption keys. If you do not currently have your BitLocker Recovery Key backed up, follow these instructions on how to save it in one secure, memorable location. Pick one protocol that works for you regarding storage and safekeeping (i.e., on a flash drive or in a printed or saved document).
- Press Windows Key + Q to open search
- Select the “Manage BitLocker” entry from the search results or tap the “Windows Start” button and type “BitLocker”
- Locate the drive for which you now need the recovery key in the BitLocker Drive Encryption window
- Select “Backup your Recovery Key” from the menu
At this point, you have three choices for backing up your recovery key. You can save it to a text file, save it to your Microsoft account, or print a hard copy. The simplest option is to save it to a text file.
- Save the text file in a place that will be easy for you to remember, such as My Documents
- You can also save a copy onto another secure computer, as a backup to the backup
- Open the text file after saving it, then scroll down to look for the recovery key
- The computer's recovery key is now safely stored
Each computer and each drive that has BitLocker set up requires this process to be carried out, because every device and drive gets its own unique recovery key. Save them all in the same way and label them clearly so you know which recovery key works for each drive.
If you would also like to know a way to perform this same action from a command prompt, check out this video for more information.
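The same backup, done from the command line instead of the GUI, with the per-drive labelling the previous paragraph asks for. This is an added example, not code from the original post or from Prey; it assumes the built-in BitLocker PowerShell module, an elevated prompt, and the `$OutDir`, `-UseAzureAd` and `-FileOnly` parameters defined here.

```powershell
# Added example (not from the original post): scripted version of the
# "Backup your Recovery Key" steps. Enumerates every BitLocker volume, writes
# each 48-digit recovery password to a clearly labelled text file (one per
# computer, drive and protector) and, unless -FileOnly is given, also escrows
# the protector to on-premises AD DS or to Azure AD.
# Assumes the built-in BitLocker module and an elevated PowerShell prompt.
param(
    [string]$OutDir = (Join-Path $env:USERPROFILE 'Documents\BitLockerKeys'),  # assumed
    [switch]$UseAzureAd,   # escrow to Azure AD instead of on-premises AD DS
    [switch]$FileOnly      # only write the text file, skip directory escrow
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

foreach ($vol in Get-BitLockerVolume) {
    # Only a RecoveryPassword protector carries the 48-digit key
    $protectors = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $protectors) {
        Write-Warning "$($vol.MountPoint): no recovery password protector (status: $($vol.VolumeStatus))"
        continue
    }
    foreach ($kp in $protectors) {
        $drive = $vol.MountPoint -replace '[:\\]', ''      # "C:" -> "C"
        $keyId = $kp.KeyProtectorId -replace '[{}]', ''    # strip the braces
        $file  = Join-Path $OutDir ('{0}_{1}_{2}.txt' -f $env:COMPUTERNAME, $drive, $keyId)
        @(
            'BitLocker Recovery Key'
            "Computer:     $env:COMPUTERNAME"
            "Drive:        $($vol.MountPoint)"
            "Identifier:   $($kp.KeyProtectorId)"   # matches the id on the recovery screen
            "Recovery Key: $($kp.RecoveryPassword)"
        ) | Set-Content -Path $file -Encoding ASCII
        Write-Host "Saved $file"

        if ($FileOnly) { continue }
        if ($UseAzureAd) {
            BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId
        } else {
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId
        }
    }
}
```

Move the resulting files off the encrypted machine (flash drive, printout, or another secure computer) straight away; a recovery key that only lives on the drive it unlocks is no backup at all.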
Data security on endpoint devices, which are almost always going to be most vulnerable in any environment, is extremely important to any organization. Deploying easy-to-use security and encryption protocols and functions like BitLocker can adequately and effectively protect data and devices. Part of their efficacy involves quality business practices that train employees to store BitLocker Recovery Keys in safe places where they can access them when needed.
There are tools that can help companies, large and small, optimize their BitLocker encryption for the most security possible. If you want to secure data on your Windows fleet remotely by harnessing the power of Windows BitLocker and AES encryption, Prey’s Disk Encryption can easily activate (or deactivate) the service on any device from one dashboard.
Full device encryption is one of the easiest and most encompassing prevention actions you can take to avoid data theft, and enabling BitLocker has never been easier at Prey. With it, your IT team can reap the following benefits:
- Mitigate the risk of lost corporate data, user data, source code, and more by encrypting all disks and detachable drives
- Optimize your work and deter theft by creating automatic reactions upon movement in or out of Control Zones
- Schedule recurring or timed actions, like daily curfew device locks
- Meet security certification or governmental regulations that require disk encryption, such as ISO/IEC, HIPAA or GDPR
Find out more about how you can easily maximize your data security and enhance your BitLocker encryption with Prey.