Bitlocker Recovery Key Question


newmann

Well-known member
VIP
Local time
8:25 AM
Posts
352
OS
Windows 11 Pro
I use BitLocker on an old Windows 10 Pro laptop. I will not be using this laptop.

I now use BitLocker on a Windows 11 Pro laptop, and this is going to be my main laptop.

I have the BitLocker recovery key for both laptops on a USB flash drive. Is it safe to save these recovery keys to Dropbox/Gmail? Because if someone has access to my BitLocker recovery key, they still need the physical Windows laptop in order to access it, right?

Now I read that people store their BitLocker recovery key in their Microsoft account. Do most do that? Do people here do it with a USB flash drive? The issue here is, if you put it on a USB flash drive, don't you need to encrypt it? Because if your laptop is there and also the flash drive, well, someone can just enter the BitLocker recovery key and bypass the password?

So what is the best location to put the BitLocker recovery key? Should it be in 2 places? Should it be encrypted? If so, what encryption?
 

My Computer

System One

  • OS
    Windows 11 Pro
I use Apricorn Aegis Secure Keys to store my BitLocker recovery files. These are USB thumb drives hardened against physical tampering that implement AES-256 with up to a 10-digit PIN entered via a physical keypad. I also back the keys up as part of my overall backup scheme to BitLockered bare drives, one set rotated off-site monthly. Finally, I have a subset of my data, including these keys, that I do back up to the cloud, but I use BitLockered .vhdx files for that. I don't store anything important unencrypted in the cloud.

Using the Apricorn drives, my boot procedure is to unlock one by entering my PIN, then plug it into the PC and boot.
 

My Computer

System One

  • OS
    Windows 11
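One way to build the kind of BitLockered .vhdx container described in the post above, as an added example in PowerShell (this is not the poster's own script, and the container path, drive letter, size and source-file pattern are assumptions made here):

```powershell
# Added example, not the poster's script. Creates a small BitLocker-encrypted .vhdx,
# copies recovery-key text files into it, and detaches it so the file can be synced
# to any cloud folder. Run again with -Open to mount and unlock it later.
# Assumptions: elevated PowerShell on Windows 11 Pro; paths and letter below are made up.
#Requires -RunAsAdministrator
param([switch]$Open)

$Vhd    = 'C:\Users\Public\recovery-keys.vhdx'   # assumption: the file you then sync to the cloud
$Source = 'E:\BitLocker-Recovery-*.txt'          # assumption: key files on the USB stick
$Letter = 'K'                                    # assumption: a free drive letter

function Get-ContainerMountPoint {
    # Drive letter of the attached VHD's partition (may differ from $Letter on later mounts)
    $img = Get-DiskImage -ImagePath $Vhd
    $p   = Get-Partition -DiskNumber $img.Number | Where-Object { [int]$_.DriveLetter -ne 0 }
    if (-not $p) { throw "Container is attached but has no drive letter" }
    return "$($p.DriveLetter):"
}

if (-not $Open) {
    if (Test-Path $Vhd) { throw "$Vhd already exists; use -Open to add files to it" }

    # 1. Create and attach a 256 MB dynamically expanding VHDX with diskpart (no Hyper-V needed)
@"
create vdisk file="$Vhd" maximum=256 type=expandable
attach vdisk
create partition primary
format fs=ntfs label="KEYS" quick
assign letter=$Letter
"@ | diskpart | Out-Null

    # 2. Encrypt it as a data drive. The passphrase is deliberately the ONLY protector:
    #    a recovery password for the container would just move the problem one level up,
    #    so the USB copies of the keys are the fallback if the passphrase is forgotten.
    $pw = Read-Host -Prompt 'Container passphrase (long)' -AsSecureString
    Enable-BitLocker -MountPoint "${Letter}:" -PasswordProtector -Password $pw `
                     -EncryptionMethod XtsAes256 -UsedSpaceOnly | Out-Null
    while ((Get-BitLockerVolume -MountPoint "${Letter}:").VolumeStatus -ne 'FullyEncrypted') {
        Start-Sleep -Seconds 1
    }

    # 3. Copy the key files in, then detach. The .vhdx is now an opaque encrypted blob.
    Copy-Item -Path $Source -Destination "${Letter}:\" -ErrorAction Stop
    Dismount-DiskImage -ImagePath $Vhd | Out-Null
    Write-Host "Container created: $Vhd"
}
else {
    # Later use: attach, unlock with the passphrase, list contents, detach.
    Mount-DiskImage -ImagePath $Vhd | Out-Null
    $mp = Get-ContainerMountPoint
    if ((Get-BitLockerVolume -MountPoint $mp).LockStatus -eq 'Locked') {
        $pw = Read-Host -Prompt 'Container passphrase' -AsSecureString
        Unlock-BitLocker -MountPoint $mp -Password $pw | Out-Null
    }
    Get-ChildItem -Path $mp
    Read-Host -Prompt 'Press Enter to lock and detach the container' | Out-Null
    Dismount-DiskImage -ImagePath $Vhd | Out-Null
}
```

Sync the dismounted .vhdx file, not the mounted drive, to the cloud folder; once detached it is just a file. Because the container has no recovery password by design, the copies on the USB stick remain the fallback if the container passphrase is lost.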

Thanks for that information. Well, that seems a bit complicated for me.

But is it fine to keep the BitLocker keys in the cloud unencrypted, though? Because someone who has your BitLocker recovery key still needs physical possession of those exact laptops, right? Thus, their having a BitLocker recovery key is useless without the device?

So what is the best option for me now? I have a regular 32 GB USB flash drive on which I put both my Windows 10 and Windows 11 BitLocker recovery key documents. But keep it there encrypted? Would using AxCrypt be good for it? But of course you need your AxCrypt password. I used to keep the USB flash drive that contained the BitLocker recovery key next to my laptop. But this is obviously useless then, right, since someone with access to the laptop can just enter the BitLocker recovery key if they have access to the USB flash drive? Also, keeping the BitLocker recovery key on your laptop makes no sense, right? Because if you can't get into your laptop and need to enter your BitLocker recovery key,
 

My Computer

System One

  • OS
    Windows 11 Pro
> Thanks for that information. Well, that seems a bit complicated for me.
>
> But is it fine to keep the BitLocker keys in the cloud unencrypted, though? Because someone who has your BitLocker recovery key still needs physical possession of those exact laptops, right? Thus, their having a BitLocker recovery key is useless without the device?

Yes. Those keys have no meaning outside of the device they secure.

> So what is the best option for me now? I have a regular 32 GB USB flash drive on which I put both my Windows 10 and Windows 11 BitLocker recovery key documents. But keep it there encrypted? Would using AxCrypt be good for it? But of course you need your AxCrypt password. I used to keep the USB flash drive that contained the BitLocker recovery key next to my laptop. But this is obviously useless then, right, since someone with access to the laptop can just enter the BitLocker recovery key if they have access to the USB flash drive? Also, keeping the BitLocker recovery key on your laptop makes no sense, right? Because if you can't get into your laptop and need to enter your BitLocker recovery key,

That's why I talked about the Aegis Secure Keys. These drives have integrated physical numeric keypads. If you don't know my 10-digit PIN, you're not able to view anything on the drive, and you're not able to use the drive to boot my computer. You seem to be talking about using an ordinary thumb drive, and for booting my PC, which uses TPM plus thumb drive for authentication, that would (a) not be secure if unencrypted and (b) not be useful if encrypted with AxCrypt, because there's no way to unlock it before booting.
 

My Computer

System One

  • OS
    Windows 11
As you say, even if someone has your key, it won't do them any good without having the physical drive/device. IMO, if you choose to use the USB method, store the USB drive safely someplace else. I can see, from both a safety and a convenience standpoint, why it would make sense to put your keys into a file, password-protect the file, then store the file in a cloud account protected by 2-step verification. I don't think you could get much safer than that. But Gmail, no, I would not suggest that. Email accounts get hacked all the time.

I don't even use BitLocker because, for me, I have nothing to gain by using it and nothing to lose by not using it. There's nothing on my drive of any great importance. The most someone might get would be pictures of my dogs. My important stuff is stored in a safe deposit box in case my house burns down. My passwords are handled by a password manager that uses AES-256-bit encryption and is protected with a 15-digit master password rather than being saved on my computer.

Really, it all comes down to choice, personal needs, and how far one wants to go with it.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 23H2 22631.3296
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Optiplex 7080
    CPU
    i9-10900 10 core 20 threads
    Motherboard
    DELL 0J37VM
    Memory
    32 gb
    Graphics Card(s)
    none-Intel UHD Graphics 630
    Sound Card
    Integrated Realtek
    Monitor(s) Displays
    Benq 27
    Screen Resolution
    2560x1440
    Hard Drives
    1tb Solidigm m.2 +256gb ssd+512 gb usb m.2 sata
    PSU
    500w
    Case
    MT
    Cooling
    Dell Premium
    Keyboard
    Logitech wired
    Mouse
    Logitech wireless
    Internet Speed
    so slow I'm too embarrassed to tell
    Browser
    Firefox
    Antivirus
    Defender+MWB Premium
  • Operating System
    Windows 10 Pro 22H2 19045.3930
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Optiplex 9020
    CPU
    i7-4770
    Memory
    24 gb
    Monitor(s) Displays
    Benq 27
    Screen Resolution
    2560x1440
    Hard Drives
    256 gb Toshiba BG4 M.2 NVE SSB and 1 tb hdd
    PSU
    500w
    Case
    MT
    Cooling
    Dell factory
    Mouse
    Logitech wireless
    Keyboard
    Logitech wired
    Internet Speed
    still not telling
    Browser
    Firefox
    Antivirus
    Defender+MWB Premium
The problem is that when you ask this question, you get a range of answers, and people often go OTT with overcomplicated methods.

You do not need to be overcomplicated.

1) Store the BitLocker key on a USB drive. Store the USB drive somewhere a thief is unlikely to look, e.g. a sock drawer. Remember that USB drives can fail.

2) Optional: store it in the cloud or your MS account (in case the USB drive gets lost or fails). Ignore the paranoia of the anti-cloud brigade. Even if a hacker got the key, it is no use without the PC.

3) Put a PIN on the PC (preferably 6+ digits, letters and numbers) and also create a BitLocker PIN. This is the crucial step. You cannot even get to the options to enter the recovery code without the BitLocker PIN.

4) Optional: also put in a BIOS password, so a guy who has access to the PC could not boot from a USB drive, for example (this also stops your children bypassing a standard account if they share the PC). Always a good plan on a multi-user PC regardless of BitLocker.

Now hackers would have to have got your BitLocker key, know both your PINs, and have access to the PC.

The chances of this are vanishingly small.

Obviously, do not disclose passwords/PINs to anybody else, even family.
 

My Computer

System One

  • OS
    Windows 10 Pro + others in VHDs
    Computer type
    Laptop
    Manufacturer/Model
    ASUS Vivobook 14
    CPU
    I7
    Motherboard
    Yep, Laptop has one.
    Memory
    16 GB
    Graphics Card(s)
    Integrated Intel Iris XE
    Sound Card
    Realtek built in
    Monitor(s) Displays
    N/A
    Screen Resolution
    1920x1080
    Hard Drives
    1 TB Optane NVME SSD, 1 TB NVME SSD
    PSU
    Yep, got one
    Case
    Yep, got one
    Cooling
    Stella Artois
    Keyboard
    Built in
    Mouse
    Bluetooth , wired
    Internet Speed
    72 Mb/s :-(
    Browser
    Edge mostly
    Antivirus
    Defender
    Other Info
    TPM 2.0
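Steps 1 and 3 of the plan above, as an added PowerShell example (not the poster's own script). Step 2 is done from the Windows Settings UI and step 4 in firmware setup, so neither is scripted here. The OS drive letter, the USB drive letter and the file name are assumptions made for the example:

```powershell
# Added example, not from the thread: steps 1 and 3 of the plan above in PowerShell.
# Assumptions: elevated PowerShell on Windows 11 Pro, OS volume C: already BitLockered,
# TPM 2.0 present, USB stick mounted as E:.
#Requires -RunAsAdministrator
$OsDrive  = 'C:'
$UsbDrive = 'E:'    # assumption: the stick that lives in the sock drawer

# --- Step 1: recovery password and its ID to the USB stick ----------------------------
# The recovery screen shows the first characters of the key ID, so keep ID and key together.
$rp = (Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) {
    # Some setups have only a TPM protector; create a recovery password so there is something to save
    $rp = (Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
}
$keyFile = Join-Path $UsbDrive "BitLocker-Recovery-$($env:COMPUTERNAME).txt"
foreach ($p in $rp) {
@"
BitLocker recovery key, $env:COMPUTERNAME volume $OsDrive, saved $(Get-Date -Format 'yyyy-MM-dd')
Key ID : $($p.KeyProtectorId)
Key    : $($p.RecoveryPassword)

"@ | Add-Content -Path $keyFile -Encoding ASCII
}
Write-Host "Saved $($rp.Count) recovery password(s) to $keyFile"

# --- Step 2 (optional, not scripted): Control Panel > BitLocker Drive Encryption >
#     "Back up your recovery key" > "Save to your Microsoft account".

# --- Step 3: pre-boot PIN (TPM + PIN) ---------------------------------------------------
# Local policy values under HKLM\SOFTWARE\Policies\Microsoft\FVE:
#   UseAdvancedStartup = 1  "Require additional authentication at startup" enabled
#   UseTPMPIN          = 2  TPM + PIN allowed (1 would make it required); other TPM modes also allowed
#   UseEnhancedPin     = 1  PIN may contain letters and symbols, not just digits
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
$policy = @{ UseAdvancedStartup = 1; UseTPM = 2; UseTPMPIN = 2; UseTPMKey = 2; UseTPMKeyPIN = 2; UseEnhancedPin = 1 }
foreach ($kv in $policy.GetEnumerator()) {
    New-ItemProperty -Path $fve -Name $kv.Key -Value $kv.Value -PropertyType DWord -Force | Out-Null
}
$pin = Read-Host -Prompt 'New pre-boot PIN (6+ characters, letters and digits)' -AsSecureString
try {
    Add-BitLockerKeyProtector -MountPoint $OsDrive -TpmAndPinProtector -Pin $pin -ErrorAction Stop | Out-Null
}
catch {
    # If Windows refuses because a TPM-only protector already exists, drop it and retry.
    # This is safe to do here because the recovery key was written to the USB stick in step 1.
    $tpm = (Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector | Where-Object KeyProtectorType -eq 'Tpm'
    if ($tpm) { Remove-BitLockerKeyProtector -MountPoint $OsDrive -KeyProtectorId $tpm.KeyProtectorId | Out-Null }
    Add-BitLockerKeyProtector -MountPoint $OsDrive -TpmAndPinProtector -Pin $pin -ErrorAction Stop | Out-Null
}

# --- Check: the volume should now list TpmPin and RecoveryPassword, and no plain Tpm. ---
(Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId | Format-Table -AutoSize
```

Reboot once after running it to confirm the PIN prompt appears before Windows loads, then unplug the USB stick and put it away; the key file on it is only useful to someone who also has the laptop, which is the reason for storing it somewhere else.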
I store my BitLocker keys in two places:
1. My Microsoft account
2. A LastPass encrypted note
 

My Computers

System One System Two

  • OS
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    Dell XPS 15 9510 OLED
    CPU
    11th Gen i9 -11900H
    Memory
    32 GB 3200 MHz DDR4
    Graphics Card(s)
    NVIDIA® GeForce® RTX 3050Ti
    Monitor(s) Displays
    15.6" OLED Infinity Edge Touch
    Screen Resolution
    16:10 Aspect Ratio (3456 x 2160)
    Hard Drives
    1 Terabyte M.2 PCIe NVMe SSD
    2 Thunderbolt™ 4 (USB Type-C™)
    1 USB 3.2 Gen 2 (USB Type-C™)
    SD Card Reader (SD, SDHC, SDXC)
    Internet Speed
    900 Mbps Netgear Orbi + 2 Satellites
    Browser
    Microsoft Edge (Chromium) + Bing
    Antivirus
    Microsoft Windows Security (Defender)
    Other Info
    Microsoft 365 subscription
    Microsoft OneDrive 1TB Cloud
    Microsoft Outlook
    Microsoft OneNote
    Microsoft PowerToys
    Microsoft Visual Studio
    Microsoft Visual Studio Code
    Macrium Reflect
    Dell Support Assist
    Dell Command | Update
    LastPass Password Manager
    Amazon Kindle
    Interactive Brokers Trader Workstation
    Lightroom/Photoshop subscription
  • Operating System
    Windows 11 Pro
    Computer type
    Tablet
    Manufacturer/Model
    Microsoft Surface Pro 7
    CPU
    i5
    Memory
    8 GB
    Hard Drives
    256GB SSD
    Internet Speed
    900 Mbps Netgear Orbi + 2 Satellites
    Browser
    Microsoft Edge (Chromium) + Bing
    Antivirus
    Microsoft Windows Security (Defender)
    Other Info
    Microsoft 365 subscription (Office)
    Microsoft OneDrive 1TB Cloud
    Microsoft Outlook
    Microsoft OneNote
    Microsoft Visual Studio
    Amazon Kindle
    Interactive Brokers Trader Workstation
    Lightroom/Photoshop subscription
