BitLocker Recovery Key Question


newmann:
I use BitLocker on an old Windows 10 Pro laptop. I will not be using this laptop.

I now use BitLocker on a Windows 11 Pro laptop, and this is going to be my main laptop.

I have the BitLocker recovery key for both laptops on a USB flash drive. Is it safe to save these recovery keys to Dropbox/Gmail? Because if someone has access to my BitLocker recovery key, they still need the physical Windows laptop in order to access it, right?

Now I read that people store their BitLocker recovery key in their Microsoft account. Do most do that? Do people here do it with a USB flash drive? The issue here is, if you put it on a USB flash drive, don't you need to encrypt it? Because if your laptop is there and also the flash drive, well, someone can just enter the BitLocker recovery key and bypass the password?

So what is the best location to put the BitLocker recovery key? Should it be in 2 places? Should it be encrypted? If so, what encryption?
 

----------
I use Apricorn Aegis Secure Keys to store my BitLocker recovery files. These are USB thumb drives hardened against physical tampering that implement AES-256 with up to a 10-digit PIN entered via a physical keypad. I also back the keys up as part of my overall backup scheme to BitLockered bare drives, one set rotated off-site monthly. Finally, I have a subset of my data, including these keys, that I do back up to the cloud, but I use BitLockered .vhdx files for that. I don't store anything important unencrypted in the cloud.

Using the Apricorn drives, my boot procedure is to unlock one by entering my PIN, then plug it into the PC and boot.
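The "BitLockered .vhdx for the cloud" idea from the post above, written out as an added PowerShell example (it is not the poster's own script). It creates a small virtual disk with diskpart, turns on BitLocker with a password protector so the container opens on any Windows PC, copies the recovery-key text files in, and dismounts it so only the encrypted .vhdx is synced. The paths C:\Backup\bitlocker-keys.vhdx and C:\Backup\keys, the drive letter K: and the 64 MB size are assumptions; it must run in an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example, not the poster's script. Assumptions: Windows 10/11 Pro, diskpart
# available, drive letter K: free, key files in $KeyFolder (all hypothetical paths).

$Vhdx      = 'C:\Backup\bitlocker-keys.vhdx'
$Letter    = 'K'
$KeyFolder = 'C:\Backup\keys'     # holds "BitLocker Recovery Key *.TXT" files
$SizeMB    = 64

New-Item -ItemType Directory -Path (Split-Path $Vhdx) -Force | Out-Null

# diskpart creates, attaches and formats the virtual disk (no Hyper-V module needed).
$dp = @"
create vdisk file="$Vhdx" maximum=$SizeMB type=expandable
select vdisk file="$Vhdx"
attach vdisk
create partition primary
format fs=ntfs quick label=KEYS
assign letter=$Letter
"@
$dpFile = Join-Path $env:TEMP 'mkvhdx.txt'
Set-Content -Path $dpFile -Value $dp -Encoding ASCII
diskpart /s $dpFile | Out-Null
Remove-Item $dpFile

# Password protector rather than TPM: the container has to open on a different PC
# after the original laptop is lost, which is the whole point of the backup.
$pw = Read-Host -Prompt 'Container password' -AsSecureString
Enable-BitLocker -MountPoint "${Letter}:" -PasswordProtector -Password $pw `
    -EncryptionMethod XtsAes256 -UsedSpaceOnly | Out-Null

# Do not write secrets until the (tiny) volume reports fully encrypted.
do {
    Start-Sleep -Seconds 2
    $status = (Get-BitLockerVolume -MountPoint "${Letter}:").VolumeStatus
} while ($status -ne 'FullyEncrypted')

Copy-Item -Path (Join-Path $KeyFolder 'BitLocker Recovery Key *.TXT') -Destination "${Letter}:\"
Get-ChildItem "${Letter}:\"

# Dismount: the .vhdx is now an opaque encrypted blob that can go to Dropbox/OneDrive.
Dismount-DiskImage -ImagePath $Vhdx | Out-Null

# To read it back later on any Windows PC:
#   Mount-DiskImage -ImagePath $Vhdx
#   Unlock-BitLocker -MountPoint "K:" -Password (Read-Host -AsSecureString)
```

The container password becomes the single thing that protects every key inside, so it belongs in a password manager or on paper in a safe place, not next to the .vhdx; losing it loses the contents. If that worries you, add a second protector to the container with `Add-BitLockerKeyProtector -MountPoint "K:" -RecoveryPasswordProtector` and keep that 48-digit string somewhere separate from the cloud copy.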
 

----------
Thanks for that information. Well, that seems a bit complicated for me.

But is it fine to keep the BitLocker keys in the cloud unencrypted, though? Because someone who has your BitLocker recovery key still needs physical possession of those exact laptops, right? Thus, them having a BitLocker recovery key is useless without the device?

So what is the best option for me now? I have a regular 32 GB USB flash drive on which I put both my Windows 10 and Windows 11 BitLocker recovery key documents. But should I keep it there encrypted? Would using AxCrypt be good with it? But of course you need your AxCrypt password. I used to keep the USB flash drive that contained the BitLocker recovery key next to my laptop. But this is obviously useless then, right, since someone having access to the laptop can just enter the BitLocker recovery key if they have access to the USB flash drive? Also, keeping the BitLocker recovery key on your laptop makes no sense, right? Because if you can't get into your laptop and need to enter your BitLocker recovery key,
 

----------
newmann said:
But is it fine to keep the BitLocker keys in the cloud unencrypted, though? Because someone who has your BitLocker recovery key still needs physical possession of those exact laptops, right? Thus, them having a BitLocker recovery key is useless without the device?

Yes. Those keys have no meaning outside of the device they secure.

newmann said:
So what is the best option for me now? I have a regular 32 GB USB flash drive on which I put both my Windows 10 and Windows 11 BitLocker recovery key documents. But should I keep it there encrypted? Would using AxCrypt be good with it? But of course you need your AxCrypt password. I used to keep the USB flash drive that contained the BitLocker recovery key next to my laptop. But this is obviously useless then, right, since someone having access to the laptop can just enter the BitLocker recovery key if they have access to the USB flash drive? Also, keeping the BitLocker recovery key on your laptop makes no sense, right? Because if you can't get into your laptop and need to enter your BitLocker recovery key,

That's why I talked about the Aegis Secure Keys. These drives have integrated physical numeric keypads. If you don't know my 10-digit PIN, you're not able to view anything on the drive, and you're not able to use the drive to boot my computer. You seem to be talking about using an ordinary thumb drive, and for booting my PC, which uses TPM plus thumb drive for authentication, that would (a) not be secure if unencrypted and (b) not be useful if encrypted with AxCrypt, because there's no way to unlock it before booting.
 

----------
As you say, even if one has your key, it won't do them any good without having the physical drive/device. IMO, if you choose to use the USB method, store the USB drive safely somewhere else. From both a safety and a convenience standpoint, I can't see why it would not make sense to put your keys into a file, password-protect the file, and then store the file in a cloud account protected by 2-step verification. I don't think you could get much safer than that. But in Gmail, no, I would not suggest that. Email accounts get hacked all the time.

I don't even use BitLocker because, for me, I have nothing to gain by using it and nothing to lose by not using it. There's nothing on my drive of any great importance. The most someone might get would be pictures of my dogs. My important stuff is stored in a safe deposit box in case my house burns down. My passwords are handled by a password manager that uses AES-256-bit encryption and is protected with a 15-digit master password, rather than being saved in my computer.

Really, it all comes down to choice, personal needs, and how far one wants to go with it.
 

----------
The problem when you ask this question is that you get a range of answers, and often people go OTT with overcomplicated methods.

You do not need to be overcomplicated.

1) Store the BitLocker key on a USB drive. Store the USB drive somewhere a thief is unlikely to look, e.g. a sock drawer. Remember that USB drives can fail.

2) Optional: store it in the cloud or your MS account (in case the USB drive gets lost or fails). Ignore the paranoia of the anti-cloud brigade. Even if a hacker got the key, it is no use without the PC.

3) Put a PIN on the PC (preferably 6+ digits, letters and numbers) and also create a BitLocker PIN. This is the crucial step. You cannot even get to the option to enter the recovery code without the BitLocker PIN.

4) Optional: also set a BIOS password, so a guy who has access to the PC could not boot from a USB drive, for example (this also stops your children bypassing a standard account if they share the PC). Always a good plan on a multi-user PC regardless of BitLocker.

Now hackers would have to have got your BitLocker key, know both your PINs, and have access to the PC.

The chances of this are vanishingly small.

Obviously, do not disclose passwords/PINs to anybody else, even family.
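Steps 1 to 3 above, carried out from an elevated PowerShell session, as an added example that is not the poster's own script. It sets the local policy that permits a TPM+PIN startup protector with an alphanumeric PIN, adds that protector and drops any plain TPM protector, makes sure a 48-digit recovery password exists and writes it to a removable drive in the layout Windows itself uses, escrows the same protector to Entra ID / the Microsoft account where the device is joined, and ends with a check that shows why a stored key is tied to one volume: the file's Identifier has to match a live protector ID on the machine. The OS volume C:, flash drive E:, 6-character minimum PIN and file wording are assumptions; the BIOS password (step 4) is set in firmware setup and cannot be scripted from Windows.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Assumptions: Windows 10/11 Pro with a TPM,
# OS volume C:, a removable flash drive at E: (hypothetical letter), and, for the
# cloud step, a device joined to or registered with Entra ID / a Microsoft account.

$OsDrive  = 'C:'
$UsbDrive = 'E:'

# Step 3: local-policy equivalent of "Require additional authentication at startup"
# plus "Allow enhanced PINs for startup", so a TPM+PIN protector with a 6+ character
# alphanumeric PIN can be created. (These are the FVE policy registry value names.)
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
$policy = @{
    UseAdvancedStartup = 1   # turn the policy on
    EnableBDEWithNoTPM = 0   # never allow BitLocker without a TPM
    UseTPM             = 2   # 2 = allow TPM-only
    UseTPMPIN          = 2   # 2 = allow TPM + PIN
    UseTPMKey          = 2   # 2 = allow TPM + startup key
    UseTPMKeyPIN       = 2   # 2 = allow TPM + PIN + startup key
    UseEnhancedPin     = 1   # letters and symbols permitted in the PIN
    MinimumPIN         = 6
}
foreach ($name in $policy.Keys) {
    Set-ItemProperty -Path $fve -Name $name -Value $policy[$name] -Type DWord
}

# Add the TPM+PIN protector; the PIN is typed at the prompt, never stored in the script.
$pin = Read-Host -Prompt 'New BitLocker startup PIN' -AsSecureString
Add-BitLockerKeyProtector -MountPoint $OsDrive -TpmAndPinProtector -Pin $pin | Out-Null

# Windows keeps a single TPM-based protector, but make sure no plain TPM protector
# survives, otherwise the disk would still unlock at boot without the PIN.
(Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector |
    Where-Object KeyProtectorType -eq 'Tpm' |
    ForEach-Object {
        Remove-BitLockerKeyProtector -MountPoint $OsDrive -KeyProtectorId $_.KeyProtectorId | Out-Null
    }

# Step 1: ensure a 48-digit recovery password exists and write it to the flash drive
# in the same layout Windows uses for "BitLocker Recovery Key <id>.TXT".
$rp = (Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
if (-not $rp) {
    Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
}

$usb = Get-Volume -DriveLetter $UsbDrive.TrimEnd(':') -ErrorAction Stop
if ($usb.DriveType -ne 'Removable') {
    throw "$UsbDrive is not a removable drive; refusing to write the recovery key there."
}
$id   = $rp.KeyProtectorId.Trim('{}')
$file = Join-Path $UsbDrive "BitLocker Recovery Key $id.TXT"
@"
BitLocker Drive Encryption recovery key

Identifier:
    $id
Recovery Key:
    $($rp.RecoveryPassword)

Volume $OsDrive on $env:COMPUTERNAME
"@ | Set-Content -Path $file -Encoding Unicode

# Step 2 (optional): escrow the same protector to Entra ID / the Microsoft account.
# On a PC that is not joined or registered this cmdlet fails; use Settings instead.
try {
    BackupToAAD-BitLockerKeyProtector -MountPoint $OsDrive -KeyProtectorId $rp.KeyProtectorId | Out-Null
    Write-Host "Recovery password $id escrowed to the cloud."
} catch {
    Write-Warning "Cloud backup skipped: $($_.Exception.Message)"
}

# A recovery password is generated for one protector identifier, so a key file only
# matches the volume whose protector carries that identifier. This check reads a stored
# key file and reports whether it belongs to a volume on this PC.
function Test-RecoveryKeyFile {
    param([Parameter(Mandatory)][string]$Path, [string]$MountPoint = 'C:')
    $text = Get-Content -Path $Path -Raw
    if ($text -match 'Identifier:\s*([0-9A-Fa-f-]{36})') { $fileId = $Matches[1].ToUpperInvariant() }
    else { return $false }
    $liveIds = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
               Where-Object KeyProtectorType -eq 'RecoveryPassword' |
               ForEach-Object { $_.KeyProtectorId.Trim('{}').ToUpperInvariant() }
    return [bool]($liveIds -contains $fileId)
}

Test-RecoveryKeyFile -Path $file -MountPoint $OsDrive
Get-BitLockerVolume -MountPoint $OsDrive |
    Select-Object MountPoint, ProtectionStatus, @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } }
```

Run `Test-RecoveryKeyFile` against the file on the old Windows 10 laptop's key and it returns False on the Windows 11 machine, which is the concrete form of "the key is no use without the PC". The registry block is the local equivalent of the Group Policy setting; on a domain or Intune-managed PC the policy may be overwritten, and if it is not allowed at all `Add-BitLockerKeyProtector -TpmAndPinProtector` fails with a policy error rather than silently adding nothing.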
 

----------
I store my BitLocker keys in two places.
1. My Microsoft account
2. A LastPass encrypted note
 
