BitLocker is an effective way to protect your storage media from unauthorized access. Whether you move a drive to another computer or dispose of an old one, BitLocker encryption keeps your data away from prying eyes.
But the protection comes with a catch. When BitLocker enters recovery mode (for example, after a firmware or TPM change, or when an encrypted drive is attached to another computer) and you don't have the recovery key, you are locked out of your own drive. So it's essential to know how to back up and recover your BitLocker recovery keys.
If you’re looking to store and recover BitLocker recovery keys in Active Directory, check out the Store BitLocker Recovery Keys Using Active Directory post. Aside from that, this article will cover all other methods to back up and recover BitLocker keys.
How to Access the BitLocker Management Control Panel?
The control panel item called BitLocker Drive Encryption is the main console where you can manage BitLocker on your computer.
You can access BitLocker by opening the Control Panel and clicking on BitLocker Drive Encryption.
You can also run this command in PowerShell, Command Prompt, or the Run dialog box.
control /name Microsoft.BitLockerDriveEncryption
And you should see the list of fixed and removable drives and their BitLocker encryption status. As you can see below, there are two encrypted drives in this machine, C: (fixed) and E: (removable), and both are encrypted with BitLocker and BitLocker To Go, respectively.
Depending on which drive's recovery key you want to back up, click the Back up your recovery key link next to that drive.
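The Control Panel shows each drive and its encryption status, but not which key protectors a drive has or the identifiers of its recovery keys. The following is an added example, not code from the original article: it builds the same list in PowerShell and adds the protector types and recovery key IDs you will later need to match a drive to a backup. It requires the BitLocker PowerShell module (Windows 8 / Server 2012 and later) and an elevated session; the function name is this example's own.

```powershell
# Added example (not from the original article): a PowerShell view of what the
# BitLocker Drive Encryption control panel shows, plus the protector details it
# hides. Requires the BitLocker module and an elevated session.
# The function name Get-BitLockerInventory is this example's own.
function Get-BitLockerInventory {
    foreach ($vol in Get-BitLockerVolume) {
        # Get-BitLockerVolume reports 'Data' for both fixed and removable data
        # volumes; ask the Storage module which kind this is when it has a letter.
        $kind = $vol.VolumeType
        if ($vol.VolumeType -eq 'Data' -and $vol.MountPoint -match '^[A-Za-z]:$') {
            $disk = Get-Volume -DriveLetter $vol.MountPoint[0] -ErrorAction SilentlyContinue
            if ($disk) { $kind = "Data ($($disk.DriveType))" }   # e.g. "Data (Removable)"
        }

        # Only RecoveryPassword protectors are what the article calls "recovery keys";
        # TPM, Password and ExternalKey protectors unlock the drive but cannot be backed up this way.
        $recovery = $vol.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            Kind             = $kind
            VolumeStatus     = $vol.VolumeStatus      # FullyEncrypted, FullyDecrypted, EncryptionInProgress, ...
            ProtectionStatus = $vol.ProtectionStatus  # On means the protectors are currently enforced
            Protectors       = ($vol.KeyProtector.KeyProtectorType -join ', ')  # e.g. "Tpm, RecoveryPassword"
            RecoveryKeyIds   = ($recovery.KeyProtectorId -join ', ')            # match these against your backups
        }
    }
}

Get-BitLockerInventory | Format-Table -AutoSize
```

A drive that shows FullyEncrypted but has an empty RecoveryKeyIds column has nothing to back up with any of the methods below; add a recovery password protector first (Add-BitLockerKeyProtector -RecoveryPasswordProtector) and then back that up.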
Backup to File
One quick way to back up your BitLocker recovery key is to a text file. Be mindful that you can't save the backup to another BitLocker-encrypted drive. Remember, too, that the file holds the recovery password in plain text: anyone who gets the file can unlock the drive, so keep it separate from the drive it protects.
After you click the Back up your recovery key link, you'll see the window below. Click the Save to a file button.
Next, choose the destination for the recovery key file. Ensure that the destination is not on an encrypted drive; otherwise, the file will not be saved.
Notice that the filename already includes the BitLocker recovery key identifier. Leave the filename as it is for easy identification, especially if you have many recovery keys to back up. Click OK to save the file.
Lastly, click Finish.
And the BitLocker recovery key is now saved to a file in your non-BitLocker USB drive.
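The same file backup can be scripted. The following added example, which is not part of the original article, writes each recovery password on a volume to a file named the way the Control Panel names it ("BitLocker Recovery Key <identifier>.TXT") and refuses a destination that is itself BitLocker-encrypted, the restriction described above. The function name, its parameters and the simplified file body are this example's own; run it in an elevated session.

```powershell
# Added example (not from the original article). Exports the recovery
# password(s) of one BitLocker volume to text files named like the Control
# Panel does, and refuses destinations on a BitLocker-encrypted volume.
# Function name, parameters and the file body are this example's own.
function Export-BitLockerRecoveryKeyFile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $MountPoint,      # drive to export keys for, e.g. 'C:'
        [Parameter(Mandatory)] [string] $DestinationDir   # where to write the files, e.g. 'F:\BitLockerKeys'
    )

    $volume = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # Create the destination if needed and work out which volume it lives on.
    New-Item -ItemType Directory -Path $DestinationDir -Force | Out-Null
    $fullDir  = (Resolve-Path -LiteralPath $DestinationDir).ProviderPath
    $destRoot = [System.IO.Path]::GetPathRoot($fullDir).TrimEnd('\')   # 'F:\BitLockerKeys' -> 'F:'

    # Mirror the Control Panel rule: never write the key onto an encrypted BitLocker volume.
    # For a UNC path or a volume BitLocker does not manage this lookup returns nothing, which is fine.
    $destVolume = Get-BitLockerVolume -MountPoint $destRoot -ErrorAction SilentlyContinue
    if ($destVolume -and $destVolume.VolumeStatus -ne 'FullyDecrypted') {
        throw "Destination '$destRoot' is BitLocker-encrypted; choose an unencrypted location."
    }

    $protectors = $volume.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $protectors) {
        throw "$MountPoint has no recovery password protector; nothing to export."
    }

    foreach ($p in $protectors) {
        # KeyProtectorId looks like '{GUID}'; the Control Panel file name uses the GUID without braces.
        $id   = $p.KeyProtectorId.Trim('{', '}')
        $path = Join-Path $fullDir "BitLocker Recovery Key $id.TXT"
        @(
            'BitLocker Drive Encryption recovery key'
            ''
            "Identifier: $id"
            "Recovery Key: $($p.RecoveryPassword)"   # 48 digits in eight groups of six
        ) | Set-Content -LiteralPath $path -Encoding Unicode
        Write-Output $path   # return the path of each file written
    }
}

# Usage: export the OS drive's recovery key to an unencrypted USB stick mounted as F:
Export-BitLockerRecoveryKeyFile -MountPoint 'C:' -DestinationDir 'F:\BitLockerKeys'
```

The identifier in the file name and in the "Identifier:" line is what the BitLocker recovery screen displays when a drive locks, so keeping one file per key ID lets you find the right key without opening every file.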
Backup by Printing
Another option is to print your BitLocker recovery key. Printing does not only mean paper: Windows has a built-in Microsoft Print to PDF printer that lets you print to a PDF file instead of a physical printer. A PDF holds the recovery password in plain text just like the text file, so store it with the same care.
Click the Back up your recovery key link.
Next, choose Print the recovery key.
When the print dialog shows up, select the printer you wish to use and click Print. In this example, I’m printing to a PDF file.
Choose the location, specify the destination filename, and click Save.
Finally, click Finish.
You now have a printout or a document that looks like this:
Backup to Microsoft Account
If you're signed in to Windows with your Microsoft account, you can save your BitLocker recovery key to that account. You can then retrieve it online from any device.
Click the Back up your recovery key link next to the drive. On the window that pops up, click Save to your Microsoft account.
Wait for the backup to complete.
Click Finish after the backup is completed.
Repeat the same steps for your other BitLocker encrypted drives.
Recover Microsoft Account BitLocker Recovery Key
To retrieve a recovery key backed up to your Microsoft account, sign in at https://account.microsoft.com/devices/recoverykey.
After login, you’ll be directed straight to your list of BitLocker recovery keys.
OSV means the key is for an operating system drive, FDV for a fixed data drive, and RDV for a removable drive such as a BitLocker To Go USB drive.
Backup to Azure Active Directory
If your Windows computer is joined to Azure Active Directory (now called Microsoft Entra ID), backing up your BitLocker recovery keys is just a few clicks away.
Backup Fixed or OS Drive Azure AD BitLocker Recovery Key
Note. This procedure applies only to operating system disks and fixed disks.
Like the previous methods, you can access BitLocker from the Control Panel and click the Back up your recovery key link next to an OS drive or fixed drive.
Click the Save to your Azure AD account button.
Wait while Windows saves your recovery key to your Azure AD account.
Once the backup is finished, click Finish to close the window.
Backup Removable Drive Azure AD BitLocker Recovery Key
Storing the recovery key of a removable drive in Azure AD is not as straightforward as for OS or fixed drives: the Control Panel offers no Azure AD option for removable drives, so you use PowerShell instead.
Open PowerShell on your Windows computer and run the below commands. Make sure to change the $BitLockerDriveLetter value to the drive letter of your encrypted removable drive.
# Specify the removable drive letter encrypted with BitLocker To Go.
$BitLockerDriveLetter = 'E:'

# Get the BitLocker volume object.
$BitLockerVolume = Get-BitLockerVolume -MountPoint $BitLockerDriveLetter

# Select only the recovery password protector. BackupToAAD-BitLockerKeyProtector
# takes a single RecoveryPassword protector ID; passing every KeyProtectorId
# (the drive's Password or ExternalKey protector, for example) fails.
$RecoveryProtector = $BitLockerVolume.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

# Back up the recovery key to Azure AD.
BackupToAAD-BitLockerKeyProtector -MountPoint $BitLockerDriveLetter -KeyProtectorId $RecoveryProtector.KeyProtectorId
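Going beyond the single drive above, the following added example (not part of the original article) backs up the recovery password of every encrypted volume on the machine, fixed or removable, to Azure AD, and handles the case the single-drive commands do not: a volume that has no recovery password protector yet (a removable drive unlocked by a password alone, for instance), for which it adds one first. The function name is this example's own; the computer must be joined to Azure AD and the session elevated, and removable drives must be unlocked when it runs.

```powershell
# Added example (not from the original article): back up the recovery password
# of every BitLocker volume, fixed or removable, to Azure AD / Entra ID.
# BackupToAAD-BitLockerKeyProtector only accepts a RecoveryPassword protector ID,
# so volumes without one get a recovery password protector added first.
# The function name Backup-AllBitLockerKeysToAAD is this example's own.
function Backup-AllBitLockerKeysToAAD {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        if ($vol.VolumeStatus -eq 'FullyDecrypted') {
            Write-Verbose "$($vol.MountPoint): not encrypted, skipping"
            continue
        }

        $recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        if (-not $recovery) {
            # Adding a protector adds another way to unlock the volume; the data is not re-encrypted.
            Write-Verbose "$($vol.MountPoint): no recovery password protector, adding one"
            $vol      = Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector
            $recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        }

        foreach ($p in $recovery) {
            try {
                BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                    -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop
                $result = 'BackedUp'
            } catch {
                # Typical causes: device not Azure AD joined, no network, or the volume is locked.
                $result = "Failed: $($_.Exception.Message)"
            }
            [pscustomobject]@{
                MountPoint     = $vol.MountPoint
                KeyProtectorId = $p.KeyProtectorId   # the Key ID you will see in the Azure AD portal
                Result         = $result
            }
        }
    }
}

Backup-AllBitLockerKeysToAAD -Verbose | Format-Table -AutoSize
```

Each row's KeyProtectorId is the Key ID that the Azure AD portal lists, so the output doubles as a record of which drives have been escrowed and which still need attention.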
Recover Azure AD BitLocker Recovery Key
Now, sign in to your Azure AD profile page at https://account.activedirectory.windowsazure.com/r/#/profile. (This is the legacy Access Panel profile; on current tenants the same keys are listed at https://myaccount.microsoft.com/device-list, under each device's View BitLocker Keys link.)
Once on the Profile page, click the Get BitLocker keys link.
And you should now see your stored BitLocker recovery keys.
Locking your drives to protect their contents from unauthorized access is one of the best security decisions you can make. It is equally important to make sure you don't lock yourself out.
That's why you should make it standard practice to back up your BitLocker recovery keys wherever and whenever applicable.