So your computer broke. Then, you got yourself a new one and needed to get your files off the old hard drive. Then it hit you: the drive is encrypted with BitLocker! What makes it worse is when you don’t know the recovery key to get past the BitLocker protection. What now?
Before you throw away that hard drive or pay to recover your files, know that you may still be able to find your BitLocker recovery keys. You just have to know where to look. In this article, you will learn the different ways to back up, manage, and find BitLocker recovery keys to save yourself from losing access to your data.
Before You Begin
This article covers working with BitLocker that is included in the business editions of the Windows 10 operating system. The examples in this article do not apply to Windows 10 consumer editions.
Some examples are applicable only when using a domain user account, a Microsoft account, an Azure Active Directory user account, or a local user account. So, please don’t get confused if one or more of the examples does not apply to your case.
Also, if you are not familiar with BitLocker, or if you just want a refresher, you may want to read about the BitLocker Overview first.
Saving BitLocker Recovery Keys
There are several ways that BitLocker keys may be stored or backed up. In some situations, these recovery keys are backed up automatically; in others, they must be backed up manually.
In this section, you’ll learn about each of the possible ways that the BitLocker recovery keys are backed up. In turn, these backup methods should help you find your BitLocker recovery keys when you need them.
Accessing the BitLocker Management
Before you can manage your BitLocker drive encryption, you must first access the BitLocker management on your Windows 10 computer.
To access BitLocker management, go to Control Panel —> System and Security —> BitLocker Drive Encryption.
Another way to get to the BitLocker management is by locating the encrypted drive from the File Explorer —> Right-Click on the Drive —> Click Manage BitLocker.
Saving the Recovery Key to a USB Storage Device
One of the options for storing your BitLocker recovery key is by exporting it to a USB storage device. Consider using this option if you have a USB storage device that you always have with you.
To export your BitLocker recovery key, you must access the BitLocker page first. Once in the BitLocker page, locate the encrypted drive from the list. Then, click on Backup your recovery key.
When asked, “How do you want to back up your recovery key?”, select Save to a USB flash drive.
You will be prompted to insert a USB flash drive and then select the drive from the list. Then, click Save.
Then, click on Finish. The BitLocker recovery key is now backed up to your USB drive. The contents of the recovery key backup will be similar to the one shown in the screenshot below.
Note: You cannot use a USB drive that is also BitLocker encrypted. Any attempt to use an encrypted drive to save the recovery key will result in the error shown below.
Saving the Recovery Key to a TXT File
This next method of saving the BitLocker recovery key is somewhat similar to saving the recovery key to a USB drive. The difference is that, in this method, you can choose where the file containing the recovery key will be saved.
This method is excellent if you want to save your recovery key to a location other than your local machine, such as a network drive.
Go to the BitLocker page and click on the Backup your recovery key link. From the list of options, click on Save to a file.
You will be prompted with the dialog where you can specify where to save the file. In this example, the file containing the BitLocker recovery key will be saved to a USB drive. Click on Save.
Note: If you chose to save the file to an encrypted drive, you would get a warning that the file cannot be saved. You must save the file to a drive that is not encrypted.
Printing the Recovery Key to Paper or File
One more option for saving the BitLocker recovery key is by printing it to paper or to a file like a PDF. The process is similar to the first two methods already discussed. But, in this method, you will click on Print the recovery key option.
Then, select the printer you wish to use when you get the Print page. In this example, the Microsoft Print to PDF printer driver is used.
Then, select the location where you want to save the PDF file containing the BitLocker recovery key. In this example, the PDF file is saved to the USB drive.
Note: You will not be warned about this, but do not keep the BitLocker key backup in the same drive that is also encrypted with BitLocker.
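The three manual methods above all come down to the same thing: writing the recovery password and its identifier somewhere that is not itself BitLocker-protected. The PowerShell function below, an added example that is not part of the original article, does exactly that from an elevated session using the built-in BitLocker module: it lists every recovery password on the PC and writes one text file per key, in the same layout as the backup file BitLocker produces, and it refuses destinations that are themselves encrypted (the caveat the three notes above describe). The destination folder path is whatever you choose; the cmdlets used (Get-BitLockerVolume, Set-Content) are standard Windows 10 cmdlets.

```powershell
function Export-BitLockerRecoveryKeys {
    # Added example, not from the article. Writes one TXT file per recovery
    # password to $DestinationFolder (e.g. 'F:\' for a USB stick). Requires an
    # elevated PowerShell session on a Windows 10 business edition.
    param(
        [Parameter(Mandatory)] [string] $DestinationFolder
    )

    # Refuse a destination that is itself BitLocker-protected: BitLocker's own
    # dialog rejects these, and a key stored on the drive it unlocks is useless.
    $root = [System.IO.Path]::GetPathRoot((Resolve-Path $DestinationFolder).Path)   # e.g. 'F:\'
    $destVolume = Get-BitLockerVolume -MountPoint $root.TrimEnd('\') -ErrorAction SilentlyContinue
    if ($destVolume -and $destVolume.VolumeStatus -ne 'FullyDecrypted') {
        throw "Destination $root is BitLocker-protected; save the recovery key somewhere else."
    }

    $written = @()
    foreach ($vol in Get-BitLockerVolume) {
        $recoveryProtectors = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        foreach ($kp in $recoveryProtectors) {
            $id = $kp.KeyProtectorId.Trim('{}')     # full identifier; the first 8 characters are what admins ask for

            # Same layout as the file BitLocker's 'Save to a file' option creates
            $content = @"
BitLocker Drive Encryption recovery key

To verify that this is the correct recovery key, compare the start of the following identifier with the identifier value displayed on your PC.

Identifier:

	$id

If the above identifier matches the one displayed by your PC, then use the following key to unlock your drive.

Recovery Key:

	$($kp.RecoveryPassword)

Drive: $($vol.MountPoint)
"@
            $file = Join-Path $DestinationFolder ("BitLocker Recovery Key {0}.TXT" -f $id)
            Set-Content -Path $file -Value $content -Encoding Unicode
            $written += $file
        }
    }
    return $written   # paths of the files created, one per recovery password
}

# Usage: Export-BitLockerRecoveryKeys -DestinationFolder 'F:\'
```

The function returns the list of files it wrote, so you can check that every encrypted volume actually produced one; a volume with no RecoveryPassword protector (only a TPM or password protector, for instance) yields no file, which is itself worth knowing before you need the key.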
Saving the Recovery Key to Your Microsoft Account
If you are logged in to your Windows 10 PC using your Microsoft Account, BitLocker gives you the option to save your recovery key to your account in the cloud.
The advantage of using this option is that you do not need to manually keep an inventory of your BitLocker keys. As long as you have access to your Microsoft account, you should be able to find the recovery keys online while logged in to your Microsoft account.
To use this option, go to the BitLocker management in Control Panel. Then, you will be presented with options, as shown below. Click on the option to Save to your Microsoft account.
After clicking on the Save to your Microsoft account option, the recovery key will be saved to your Microsoft account quickly without any more messages. Click Finish when done.
Saving the Recovery Key to Active Directory
BitLocker keys can also be automatically saved in Active Directory. This is done by deploying a group policy to select users or the entire domain.
In situations where this group policy is applied, there’s no action required from you to back up your drive’s BitLocker recovery key when BitLocker is turned on for a drive.
If you need to learn more about saving BitLocker recovery keys in Active Directory, you can visit – Store BitLocker Recovery Keys using Active Directory.
Saving the Recovery Key to Azure Active Directory
If your computer is joined to an Azure Active Directory domain, saving your BitLocker recovery key to your Azure AD domain account is possible.
To take advantage of this option, go to the BitLocker management in Control Panel. Then, you will be presented with options, as shown below. Click on the option to Save to your cloud domain account.
You will see a progress indicator shown briefly on your screen similar to the screenshot below.
Once the save operation is complete, you can click Finish to exit the BitLocker management.
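The Active Directory and Azure Active Directory sections above describe the same operation reached through two different cmdlets. The function below is an added example, not code from the original article: it takes a drive letter, makes sure the drive has a recovery password protector (adding one if it only has, say, a TPM protector), and then escrows every recovery password to either on-premises Active Directory (Backup-BitLockerKeyProtector, the cmdlet behind manage-bde -protectors -adbackup) or Azure AD (BackupToAAD-BitLockerKeyProtector). Both cmdlets are part of the Windows 10 BitLocker module; it is assumed that the machine is joined to the directory you are escrowing to and that the session is elevated.

```powershell
function Backup-RecoveryPasswordToDirectory {
    # Added example, not from the article. Escrows the recovery password(s) of
    # one volume to AD DS or Azure AD. Assumes an elevated session on a machine
    # joined to the chosen directory.
    param(
        [Parameter(Mandatory)] [string] $MountPoint,                          # e.g. 'C:'
        [ValidateSet('ActiveDirectory', 'AzureAD')] [string] $Target = 'ActiveDirectory'
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $protectors = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'

    if (-not $protectors) {
        # Nothing to escrow yet: add a numerical recovery password protector first.
        $null = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
        $protectors = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
            Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }

    foreach ($kp in $protectors) {
        if ($Target -eq 'ActiveDirectory') {
            # Writes an msFVE-RecoveryInformation object under the computer account
            $null = Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId
        } else {
            # Stores the key against the device object in Azure AD
            $null = BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId
        }
        [pscustomobject]@{
            MountPoint     = $MountPoint
            KeyProtectorId = $kp.KeyProtectorId    # the ID an admin later searches for
            EscrowedTo     = $Target
        }
    }
}

# Usage:
#   Backup-RecoveryPasswordToDirectory -MountPoint 'C:'                   # on-premises AD
#   Backup-RecoveryPasswordToDirectory -MountPoint 'C:' -Target AzureAD   # Azure AD joined PC
```

Each cmdlet throws if the escrow fails (for example, the machine is not joined to that directory), so a run that completes without error and prints the protector IDs is the confirmation that the key is now held centrally. Note that escrow uploads only the recovery password protector, never the TPM or password protectors.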
Finding BitLocker Recovery Keys
You’ve seen in the previous sections how to save a backup of your BitLocker recovery keys. If you chose to save to a file, USB, or to a printed document, then you’d obviously know where to find those recovery keys whenever you need them.
In the next sections, you will learn how to find the BitLocker recovery keys from Azure Active Directory, Active Directory, and your Microsoft account.
Finding the Recovery Key from Active Directory
Unfortunately, users cannot look up their own BitLocker recovery keys in Active Directory. Unless your organization’s admins provide a way for users to find recovery keys on their own, the default choice is for you to call them and ask.
Typically, when you get to the point where you need to enter the recovery key, the BitLocker recovery key ID is already displayed on your screen. You must provide your admin with the first 8 characters of the BitLocker recovery key ID of your encrypted drive.
Suppose that you’re unlocking the drive with recovery key ID: D79286AF. If you provide that ID to your admin, they can search for the recovery key in Active Directory using that ID.
The admin will go to Active Directory Users and Computers, click on Action and select Find BitLocker recovery password.
Then, the admin will enter the recovery key ID that you provided and start a search for it. Refer to the screenshot below. The image shows the example of searching for BitLocker recovery passwords in Active Directory.
The admin will then provide you with the recovery password, which you can then use to unlock the BitLocker drive encryption.
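What the admin does in Active Directory Users and Computers can also be done from PowerShell. The function below is an added example, not code from the original article: given the first 8 characters of the recovery key ID (D79286AF in the scenario above), it searches the domain for the matching msFVE-RecoveryInformation object, whose name embeds the full recovery GUID, and reports which computer it belongs to along with the recovery password. It assumes the ActiveDirectory RSAT module is installed and that the account running it has been granted the right to read the recovery password attribute (by default, domain administrators). The input is validated before it is placed in the filter so that a mistyped or malicious value cannot alter the query.

```powershell
function Find-BitLockerRecoveryPassword {
    # Added example, not from the article. Mirrors ADUC's
    # 'Find BitLocker recovery password' search. Requires the ActiveDirectory
    # module (RSAT) and read rights on msFVE-RecoveryPassword.
    param(
        [Parameter(Mandatory)] [string] $RecoveryKeyIdPrefix    # e.g. 'D79286AF', as shown on the locked PC
    )

    # Validate before building a filter: exactly 8 hex characters, nothing else
    if ($RecoveryKeyIdPrefix -notmatch '^[0-9A-Fa-f]{8}$') {
        throw "Expected the first 8 hexadecimal characters of the recovery key ID."
    }

    Import-Module ActiveDirectory

    # Recovery objects live under the computer account; their CN looks like
    # '<timestamp>{<recovery GUID>}', so matching on '{<prefix>-' finds the key.
    $filter = "objectClass -eq 'msFVE-RecoveryInformation' -and name -like '*{${RecoveryKeyIdPrefix}-*'"
    $searchBase = (Get-ADDomain).DistinguishedName

    $objects = Get-ADObject -Filter $filter -SearchBase $searchBase -Properties 'msFVE-RecoveryPassword'

    foreach ($o in $objects) {
        # Everything after the first RDN is the DN of the owning computer object
        $computerDn = ($o.DistinguishedName -split ',', 2)[1]
        [pscustomobject]@{
            Computer         = (Get-ADObject -Identity $computerDn).Name
            RecoveryObject   = $o.Name                     # timestamp + full recovery GUID
            RecoveryPassword = $o.'msFVE-RecoveryPassword' # the 48-digit key to read to the user
        }
    }
}

# Usage: Find-BitLockerRecoveryPassword -RecoveryKeyIdPrefix 'D79286AF'
```

A search that returns more than one object means several keys share the same 8-character prefix (rare, but possible); the Computer column tells the admin which one belongs to the user who called. Returning nothing usually means the key was never escrowed, for example because the drive was encrypted before the group policy applied.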
Finding the Recovery Key From Your Microsoft Account
Once you’ve saved your BitLocker key to your Microsoft account, it is only natural that you would want to confirm that the key was indeed saved. Lucky for you, the way to do that is simple.
First, go to the BitLocker recovery keys site and log in using your Microsoft account. Once logged in, you should see a list of the BitLocker keys that are associated with your account.
As you can see from the screenshot above, the keys are itemized based on which device the keys were generated from. You can also see that in the example above, there are two keys associated with the Microsoft account: one for the Operating System Volume and one for the Removable Drive Volume.
Finding the Recovery Key From Azure Active Directory
Some Azure Active Directory setups allow users to see their BitLocker keys on their own. In the example below, the screenshot shows that the user’s Azure Active Directory profile page lists the user’s devices, each with a link to get the BitLocker keys.
After clicking on the Get BitLocker keys link, the recovery keys associated with the computer will be displayed in a pop-up similar to the one below.
If the BitLocker recovery keys are not available in your Azure AD user profile, you need to contact your admin and request those recovery keys. You must provide the first 8 characters of the recovery key ID. The admin can use it to search for your BitLocker recovery key in the Azure Active Directory Admin Center.
As you can see from the example screenshot below, the admin can find the BitLocker recovery key associated with the user’s account and device.
Unlocking BitLocker Encrypted Drives
At this point, you already know how to back up and find your recovery keys. In the next sections, you will learn how to use those recovery keys to unlock BitLocker encrypted drives.
Unlocking an Encrypted Operating System Drive
Operating system drives can become locked and require entering the BitLocker recovery key. When this happens, you are essentially dealing with a locked PC. The reasons why a drive might get locked include the following:
- Hardware or firmware upgrade.
- Hardware drivers installation.
- Corrupted TPM module.
- Drive was transferred to another computer.
When an operating system drive gets locked, you will get a prompt during boot time that is similar to the screenshot below.
As you can see from the screenshot above, the BitLocker recovery key needs to be entered to unlock the drive.
Unlocking an Encrypted Fixed or Removable Drive
There are times when you need to attach an encrypted fixed or removable drive to another computer. Before you can access the data on those encrypted drives, the drives must be unlocked first.
The image below shows what the icon of the drive looks like when it is locked.
When you try to unlock a removable or fixed drive in Windows, you will be prompted to enter the recovery key, as shown below.
After unlocking the drive, you should be able to gain access to its contents. The icon of the drive also changes to the one shown below.
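The unlock prompt for a fixed or removable drive has a PowerShell equivalent, Unlock-BitLocker, which is useful when you have the recovery key in a file or want to script the unlock on the new computer. The function below is an added example, not code from the original article: it checks that the key has the expected 48-digit, eight-group shape, optionally confirms that the drive really carries a recovery password protector whose ID starts with the 8 characters the prompt showed (so you do not feed the key for one drive to another), unlocks the drive, and returns the volume object so the caller can verify LockStatus. It assumes an elevated session and a drive letter that Windows has already assigned to the locked volume.

```powershell
function Unlock-BitLockerDriveWithRecoveryKey {
    # Added example, not from the article. Unlocks a fixed or removable
    # BitLocker volume with its 48-digit recovery password. Elevated session.
    param(
        [Parameter(Mandatory)] [string] $MountPoint,         # e.g. 'E:'
        [Parameter(Mandatory)] [string] $RecoveryPassword,   # e.g. '123456-123456-...' (eight groups)
        [string] $ExpectedIdPrefix                           # optional: the 8 characters the unlock prompt displayed
    )

    # Reject anything that is not eight groups of six digits before calling BitLocker
    if ($RecoveryPassword -notmatch '^(\d{6}-){7}\d{6}$') {
        throw "A recovery password is eight groups of six digits separated by dashes."
    }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.LockStatus -eq 'Unlocked') {
        return $vol    # already accessible; nothing to do
    }

    # Protector metadata is readable even while the volume is locked, so we can
    # confirm the key ID on the prompt belongs to this drive before trying it.
    if ($ExpectedIdPrefix -and $vol.KeyProtector) {
        $match = $vol.KeyProtector | Where-Object {
            $_.KeyProtectorType -eq 'RecoveryPassword' -and
            $_.KeyProtectorId -like "{${ExpectedIdPrefix}-*"
        }
        if (-not $match) {
            throw "No recovery password protector on $MountPoint starts with $ExpectedIdPrefix; this key may belong to a different drive."
        }
    }

    $null = Unlock-BitLocker -MountPoint $MountPoint -RecoveryPassword $RecoveryPassword

    # Re-read the volume: LockStatus should now be 'Unlocked'
    $after = Get-BitLockerVolume -MountPoint $MountPoint
    if ($after.LockStatus -ne 'Unlocked') {
        throw "Unlock of $MountPoint did not succeed."
    }
    return $after
}

# Usage:
#   Unlock-BitLockerDriveWithRecoveryKey -MountPoint 'E:' -RecoveryPassword '123456-123456-123456-123456-123456-123456-123456-123456' -ExpectedIdPrefix 'D79286AF'
```

Unlocking with the recovery password is a one-time operation: the drive locks again on the next removal or reboot, so once the data is reachable you can either add a key protector you control with Add-BitLockerKeyProtector or copy the files off and decrypt the drive.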
In this article, you’ve learned the different ways that you can back up, manage, and find your BitLocker recovery keys. You’ve learned which way of saving the recovery key is most appropriate for each situation.
You can never go wrong with saving the BitLocker recovery keys to a USB drive, a file, or to a printed document. These three options of storing recovery keys allow for quick retrieval should you need to unlock an encrypted drive.
Saving your recovery keys to your Microsoft account gives you the flexibility of retrieving your BitLocker recovery passwords from anywhere.
Automatically saving the recovery keys in Active Directory ensures that those keys can be retrieved from a central source, even if users neglect to back up the recovery keys themselves.
Lastly, manually saving recovery keys to Azure Active Directory is another excellent way to ensure that recovery passwords are always recoverable.
Back up your recovery keys and never lose access to your data again because of a BitLocker recovery prompt you cannot answer.