BitLocker is the full-volume encryption feature built into Windows. It has shipped since Windows Vista in the Ultimate/Pro, Enterprise and Education editions (Home editions only get the more limited "Device encryption", which is built on the same technology). Its primary function is to protect your files and data from unauthorized access by encrypting the entire drive. Access to an encrypted drive is granted only through the key protectors configured when BitLocker was turned on for that drive: for an operating system drive that is normally the TPM, optionally combined with a PIN or a USB startup key; for a data drive it is a password, a smart card, or automatic unlock from the OS drive. Without the correct authentication, access is denied.
If you forget your password/PIN or lose your smart card or startup key, the BitLocker recovery key comes into play. The same recovery screen also appears when the TPM detects a change to the boot environment, for example after a firmware update, a change to the boot order, or a motherboard replacement. The recovery key is a unique 48-digit numeric recovery password, generated automatically when BitLocker Drive Encryption is enabled, that unlocks the drive regardless of the other protectors. Anyone who has it can decrypt the drive, so it must be stored as carefully as the data itself.
For detailed instructions on enabling or disabling BitLocker, as well as backing up your BitLocker recovery key on Windows 11, refer to our comprehensive guide on BitLocker. During the BitLocker setup process, the recovery key can be saved to your Microsoft account (or to your organization's directory on a domain-joined or Microsoft Entra-joined PC), saved to a USB flash drive, saved to a file, or printed.
Options to Retrieve your BitLocker Recovery Key
There are several places you can check for the saved BitLocker Recovery keys depending on where and how you backed up the recovery key:
- In your Microsoft account
- On a printout document
- On a USB flash drive
- In a Text File
- In Active Directory Domain Services (domain-joined PCs)
- In Microsoft Entra ID, formerly Azure Active Directory (work or school accounts)
- Using Command prompt
- Using PowerShell
The file name of a saved recovery key usually looks something like this:
BitLocker Recovery Key E41062B6-9330-459D-BCF0-16A975AE27E2.TXT
That is, the words 'BitLocker Recovery Key' followed by a GUID. The GUID is not random padding: it is the Key ID (key protector identifier) of that recovery password, and it is what you will match against the ID shown on the unlock screen.
When encrypting a drive, the BitLocker Drive Encryption wizard offers four ways to back up your recovery key: save to your Microsoft account, save to a USB flash drive, save to a file, and print.
Besides those, you can also use Active Directory, the Command Prompt, and PowerShell to retrieve recovery keys, as long as you still have administrative access to a Windows session in which the drive is unlocked.
How to Find the Correct Recovery Key?
If you only saved one or two recovery keys in a location you know, retrieving them is easy. However, if you saved multiple recovery keys for multiple encrypted drives, it can be hard to tell which one belongs to which drive. That is why Windows shows you the Key ID when it asks for a recovery key: you can search for the recovery key file whose name contains that Key ID. A '.TXT' file holds the 48-digit recovery password you type in; a '.BEK' file (usually hidden) holds a binary external key, which manage-bde also calls a "recovery key", and is used by inserting the USB drive it lives on or with 'manage-bde -unlock <drive>: -RecoveryKey <path to .bek>'. Both kinds of file are named after their Key ID.
For instance, let's say you tried to unlock a drive with its password, forgot the password, and now want to unlock the drive using the recovery key. To unlock a drive using the recovery key, click 'More options'.
Then click the 'Enter recovery key' option.
Now BitLocker will ask you to enter your recovery key, and it will also show you the first part of the Key ID to help you find the right recovery password.
Each recovery key has an identifier (the Key ID) and a recovery password with which you can unlock the drive. The Key ID is a GUID made of letters and numbers, while the recovery password is a 48-digit number written as eight groups of six digits.
The Key ID is also part of the name of the recovery key file.
1. Retrieve Bitlocker Recovery Key from Microsoft Account
If you chose to store/backup your recovery key in your Microsoft account during the BitLocker setup process, you can easily retrieve it from your Microsoft account.
To get a recovery key that was stored in your Microsoft account, sign in at https://account.microsoft.com/devices/recoverykey with the Microsoft account that was used on the PC when BitLocker was turned on. Enter your username and password and click 'Sign in'.
Alternatively, from the 'Devices' page of your Microsoft account, where you can track and manage the devices connected to the account, click the 'Info & support' option under the device name.
On the next page, click the 'Manage recovery keys' setting under the BitLocker data protection section.
Microsoft may ask you to verify your identity with a security code sent to your phone or authenticator app. You will see the 'Text' option with the last two digits of your phone number. Click on that to verify.
Then enter the last 4 digits of your phone number and click 'Send code'.
When you click Send code, Microsoft sends a text message with a one-time security code to your phone. Type the code in the code field and click 'Verify'.
Once your identity is verified, you land on the BitLocker recovery keys page, which lists each stored key with its device name, Key ID, recovery key (the 48-digit password), drive, and key upload date. Match the Key ID shown on the unlock screen, together with the device name and date, to find the right recovery key for the specific drive.
You can then use that recovery key to unlock the encrypted drive. Remember that whoever can sign in to this Microsoft account can also read these keys, so protect the account with a strong password and two-step verification.
2. Find the BitLocker Recovery key on a File Saved on the Same Computer
When backing up your recovery key, if you chose the 'Save to a file' option, the recovery password was written to a text file (.TXT). The wizard will not let you save it on the drive being encrypted, so it is probably on another drive of the same computer, on a network share, or on removable media; look for that file.
The file is usually named something like 'BitLocker Recovery Key 4310CF96-5A23-4FC0-8AD5-77D6400D6A08.TXT' (unless you renamed it). You can look for all recovery key files in File Explorer by searching for "BitLocker Recovery Key" in the search bar.
You can also look for the file that matches the Key ID shown in the BitLocker unlock dialog: search for 'BitLocker Recovery Key' followed by the first 8 characters of that Key ID, since the file name contains the full ID.
Once you locate the recovery key file, open it. It contains an 'Identifier:' line with the full Key ID (compare its start with the ID shown on your PC) and a 'Recovery Key:' line with the 48-digit password.
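The Key ID matching described above (and in the "How to Find the Correct Recovery Key?" section) can be automated. The following PowerShell is an added example, not code from the original article: it searches a set of folders for recovery key files whose name starts with the Key ID prefix shown by the unlock dialog, pulls the Identifier and the 48-digit password out of each file, and checks the password against BitLocker's built-in checksum (each six-digit group is a multiple of 11 and below 720896), which catches most typos before you burn an unlock attempt. The search roots and the 'E41062B6' prefix are placeholders.

```powershell
# Added example (not from the original article): find saved BitLocker
# recovery password files by Key ID prefix and validate their contents.
# The search roots and the Key ID prefix passed at the bottom are assumptions.

function Test-BitLockerRecoveryPassword {
    param([Parameter(Mandatory)][string]$Password)
    # A valid recovery password is 8 groups of 6 digits. Each group is a
    # multiple of 11 below 720896 (65536 * 11); this is BitLocker's own
    # checksum, so a mistyped or mis-OCR'd digit usually fails here.
    if ($Password -notmatch '^(\d{6}-){7}\d{6}$') { return $false }
    foreach ($group in ($Password -split '-')) {
        $n = [int]$group
        if (($n % 11) -ne 0 -or $n -ge 720896) { return $false }
    }
    return $true
}

function Find-BitLockerRecoveryKeyFile {
    param(
        [Parameter(Mandatory)][string]$KeyIdPrefix,          # first 8 chars shown by the dialog
        [string[]]$SearchRoot = @("$env:USERPROFILE", 'D:\', 'E:\')   # assumed locations
    )
    Get-ChildItem -Path $SearchRoot -Filter 'BitLocker Recovery Key*.TXT' -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -match ('^BitLocker Recovery Key\s+' + [regex]::Escape($KeyIdPrefix)) } |
        ForEach-Object {
            $text = Get-Content -Path $_.FullName -Raw
            # The saved file has an "Identifier:" block (full Key ID) and a
            # "Recovery Key:" block (the 48 digits); extract both.
            $id  = [regex]::Match($text, 'Identifier:\s*([0-9A-Fa-f-]{36})').Groups[1].Value
            $pwd = [regex]::Match($text, '(\d{6}(?:-\d{6}){7})').Groups[1].Value
            [pscustomobject]@{
                File       = $_.FullName
                Identifier = $id
                Password   = $pwd
                PasswordOk = Test-BitLockerRecoveryPassword -Password $pwd
            }
        }
}

# Usage: pass the prefix the unlock dialog shows.
Find-BitLockerRecoveryKeyFile -KeyIdPrefix 'E41062B6' | Format-List
```

If PasswordOk is False for a file you are sure is the right one, the file was probably edited or copied by hand; re-check the digits against the printout or the Microsoft account copy rather than retyping variations at the unlock prompt.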
3. Find BitLocker Recovery Key on a USB flash drive
If you backed up your recovery key to a USB flash drive, insert that USB flash drive into your computer and open it. The key is saved as a text file just like in the previous section (the drive may also hold a hidden .BEK file named after the same Key ID). A removable drive is the preferred place to keep the recovery key for the operating system drive, because you can read the text file on a different computer when the PC itself will not boot. Keep that USB drive somewhere locked away; it unlocks the disk without any other credential.
4. Find the BitLocker Recovery Key in a Printed Document
If you printed the recovery key instead of saving it digitally on the computer, a USB drive, or your Microsoft account, find the paper document with the BitLocker recovery key and use that to unlock your drive. The printout shows the Key ID as well, so you can match it against the ID on the unlock screen.
You can also save the recovery key as a PDF file by choosing 'Microsoft Print to PDF' in the Print options. If you saved your key as a PDF, look for it wherever you saved it; as with the .TXT file, it should not live on the encrypted drive itself.
5. Find the BitLocker Recovery Key in your Azure Active Directory (Microsoft Entra ID) account
If you sign in to the PC with a work or school account, the device is joined to your organization's Microsoft Entra ID tenant (the service formerly called Azure Active Directory) and the BitLocker recovery key may have been backed up there automatically. If your organization allows self-service, you can see it by signing in to https://myaccount.microsoft.com, opening 'Devices', and looking for the 'View BitLocker Keys' option on the device. Otherwise contact your administrator: admins can read the key from the device's page in the Microsoft Entra admin center under 'BitLocker keys'.
6. Find the BitLocker recovery key in Active Directory
If your PC is joined to a domain, such as a school or work network, the BitLocker recovery key may be stored in Active Directory Domain Services (AD DS). This only happens if Group Policy ('Store BitLocker recovery information in Active Directory Domain Services') was enabled before the drive was encrypted, or if the key was backed up later with 'manage-bde -protectors -adbackup' or 'Backup-BitLockerKeyProtector'.
Viewing the keys requires the BitLocker Recovery Password Viewer, an optional feature of the Remote Server Administration Tools for AD DS, plus domain administrator rights or delegated read access to the msFVE-RecoveryInformation objects. Ordinary domain users cannot read other computers' keys, which is the point of escrowing them in the directory.
Open Active Directory Users and Computers on a domain-joined computer, browse to the 'Computers' container (or the OU the computer object lives in), right-click the computer object, and select 'Properties'.
When the Computer Properties dialog opens, switch to the 'BitLocker Recovery' tab to view the recovery passwords stored for that computer, each listed with its Key ID. If you only have the Key ID from the unlock screen and do not know which computer it belongs to, right-click the domain node instead and choose 'Find BitLocker recovery password...', then enter the first 8 characters of the ID.
7. Get the BitLocker Recovery Key from the Command Prompt
You can also use the Command Prompt to find the BitLocker recovery key on your computer. This works only for a volume that is currently unlocked (the running OS drive, or a data drive you have already unlocked), so it is a way to back up the key proactively, not a way to get into a locked drive. Here's how to do it:
First, open the Command Prompt as an administrator. To do this, search for 'Command Prompt' or 'CMD' in Windows search and select 'Run as administrator' for the top result.
In the Command Prompt, type the following command and press Enter to see your recovery key:
manage-bde -protectors -get H:
In the above command, replace the drive letter 'H' with the drive you want the recovery key for. The output lists every key protector on the volume; the recovery key is the 'Numerical Password' protector, shown with its 'ID:' (the Key ID) and its 'Password:' line, a 48-digit number as shown below.
Write down or otherwise record the recovery key and keep it safe so you can use it when necessary.
If you want to save the recovery key to a text file on a different drive, run the following command:
manage-bde -protectors -get H: > K:\RCkey.txt
Replace 'K:\RCkey.txt' with the location where you want the file and its name. Do not save it on the same volume it unlocks, and treat the file like a password: anyone who reads it can decrypt the drive.
8. Get BitLocker Recovery Key using the PowerShell
First, launch PowerShell as an administrator. Search for 'PowerShell' in the search bar and select 'Run as administrator' to open an elevated PowerShell. As with manage-bde, the recovery password is only readable from a volume that is currently unlocked.
To list the key protectors of a specific drive, including its recovery password, run the command below:
(Get-BitLockerVolume -MountPoint "C:").KeyProtector
Replace the drive letter 'C' with your BitLocker-encrypted drive to find its recovery key. The 'RecoveryPassword' protector carries the 48-digit password, and its 'KeyProtectorId' is the Key ID shown on the unlock screen.
To save the BitLocker recovery key you found to a text file in a specific location, use the following command:
(Get-BitLockerVolume -MountPoint "D:").KeyProtector > G:\Others\Bitlocker_recovery_key_D.txt
Replace 'G:\Others\' with the location where you want the file and 'Bitlocker_recovery_key_D.txt' with the file name you want to use. Do not save the file on the drive it unlocks.
To find the BitLocker recovery key for all encrypted drives on your computer, run the command below:
Get-BitLockerVolume | Where-Object { $_.KeyProtector.KeyProtectorType -eq "RecoveryPassword" } | Select-Object MountPoint, @{Label = 'Key'; Expression = { "$($_.KeyProtector.RecoveryPassword)" }}
If the above command doesn't work, use the next one to print the recovery password of every encrypted drive on your computer:
$BitLockerVolumes = Get-BitLockerVolume
$BitLockerVolumes |
ForEach-Object {
    $MountPoint = $_.MountPoint
    # Join the RecoveryPassword values of all protectors; volumes without a
    # recovery password protector (or that are locked) yield an empty string.
    $RecoveryKey = [string]($_.KeyProtector).RecoveryPassword
    if ($RecoveryKey.Length -gt 5) {
        Write-Output "The BitLocker recovery key for the drive $MountPoint is $RecoveryKey."
    }
}
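Listing the password on screen is the bare minimum; what a practitioner usually wants is to make sure every volume has a recovery password protector at all and that it is escrowed somewhere the directory sections above (Active Directory Domain Services or Microsoft Entra ID) can later serve it from. The PowerShell below is an added example, not code from the original article. It reports the recovery password protector of each BitLocker volume, adds one where it is missing, and backs each up with Backup-BitLockerKeyProtector (AD DS) or BackupToAAD-BitLockerKeyProtector (Entra ID). Which of the two applies depends on how your PC is joined, so the -Target value is an assumption; run it elevated.

```powershell
# Added example (not from the original article): inventory and escrow
# BitLocker recovery passwords. Assumes an elevated session and a PC
# joined to either an AD DS domain or a Microsoft Entra ID tenant.

function Get-BitLockerRecoveryPasswordReport {
    param([switch]$AddIfMissing)
    Get-BitLockerVolume | ForEach-Object {
        $vol = $_
        $rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        if ($rp.Count -eq 0 -and $AddIfMissing -and $vol.VolumeStatus -ne 'FullyDecrypted') {
            # Volume is protected but has no numeric recovery password; add one
            # so there is something to escrow and to type at the recovery screen.
            Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector | Out-Null
            $rp = @((Get-BitLockerVolume -MountPoint $vol.MountPoint).KeyProtector |
                    Where-Object KeyProtectorType -eq 'RecoveryPassword')
        }
        foreach ($p in $rp) {
            [pscustomobject]@{
                MountPoint       = $vol.MountPoint
                LockStatus       = $vol.LockStatus
                KeyProtectorId   = $p.KeyProtectorId     # the {GUID} the unlock screen refers to
                RecoveryPassword = $p.RecoveryPassword   # may be empty while the volume is locked
            }
        }
    }
}

function Backup-BitLockerRecoveryPasswords {
    param([ValidateSet('ADDS', 'EntraID')][string]$Target = 'ADDS')   # assumed join type
    foreach ($row in (Get-BitLockerRecoveryPasswordReport -AddIfMissing)) {
        if (-not $row.RecoveryPassword) { continue }    # nothing readable to escrow
        switch ($Target) {
            'ADDS'    { Backup-BitLockerKeyProtector      -MountPoint $row.MountPoint -KeyProtectorId $row.KeyProtectorId }
            'EntraID' { BackupToAAD-BitLockerKeyProtector -MountPoint $row.MountPoint -KeyProtectorId $row.KeyProtectorId }
        }
        Write-Output "Escrowed recovery password $($row.KeyProtectorId) for $($row.MountPoint) to $Target."
    }
}

# Usage: review first, then escrow.
Get-BitLockerRecoveryPasswordReport | Format-Table -AutoSize
# Backup-BitLockerRecoveryPasswords -Target ADDS
```

Backing up into the directory does not remove the password from the volume, so the screen-and-file methods earlier in this article keep working; it just means an administrator can retrieve the key from the 'BitLocker Recovery' tab or the Entra admin center when the user cannot.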
That’s it.