About BitLocker key recovery

What is a recovery key?

A recovery key is a 48-bit string that can be used to access the contents of a computer's encrypted hard disk if the password is forgotten by the user. Also in the case of a hardware malfunction that has severely damaged the hard disk, the contents of the drive can still possibly be accessed by inserting the drive in another computer and entering the recovery key.

After a BitLocker encryption policy is deployed, the BitLocker configuration process is initiated during PC boot. Once this process completes, the recovery key is generated automatically. The admin can create or modify BitLocker policies so that the recovery key information is also updated in the domain controller.

To easily retrieve the recovery key, it is recommended that it is backed up in the domain controller. Follow these steps to back up the recovery key data:

  1. Ensure that for all managed computers, the group policy (GPO) allows the recovery key data to be updated in the domain controller.
  2. Navigate to the product console > BitLocker > Policy creation > Create policy. Enable the option 'Update recovery key to domain controller.'

Note: By enabling this option, every time a new key is generated, it will automatically be updated in the Active Directory.

How to retrieve the BitLocker recovery key?

The recovery key is generated automatically during the BitLocker configuration process and, for domain users, can be backed up in AD. The recovery key is used when, for example, a user forgets their password or a hardware failure renders a drive inaccessible. In such cases, the contents of the drive can be accessed using the recovery key, which is located by means of its recovery key identifier.

Note: The admin can specify a timeframe after which new recovery keys are generated and automatically replace the existing recovery keys.

Finding recovery key identifier: The recovery key identifier can be utilized to find the recovery key of a particular computer. The recovery key identifier is present within the console in the Managed systems section under the summary for the particular computer.

Retrieving recovery key: The recovery key of the computers removed from the Scope of Management (SoM) can be retrieved from the domain controller/Active Directory using the recovery key identifier. The period to retrieve the recovery keys is up to one year from when the computer is removed from the SoM. Once that recovery key is used, it should be replaced with a new recovery key.
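The backup step and the identifier-based lookup described above, as an added PowerShell example that is not ManageEngine's code: it assumes a domain-joined client whose GPO permits storing BitLocker recovery information in AD DS, an admin host with the RSAT ActiveDirectory module, and the function names are my own.

```powershell
# Added example, not from the ManageEngine documentation.
# Client side: push every recovery-password protector of a volume into AD DS.
function Backup-BitLockerRecoveryKeyToAD {
    param([string]$MountPoint = 'C:')
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    # Only numerical-password (RecoveryPassword) protectors are stored in AD DS.
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) { throw "No recovery password protector found on $MountPoint" }
    foreach ($p in $rp) {
        # Creates an msFVE-RecoveryInformation object under the computer account.
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
        # Log the identifier only; the 48-digit password itself never goes to a log.
        Write-Output ("Backed up protector {0} for {1}" -f $p.KeyProtectorId, $MountPoint)
    }
}

# Admin side: find the recovery password for a computer by its key identifier.
# $KeyIdentifier may be the full GUID or just the prefix shown in the console.
function Get-BitLockerRecoveryPasswordFromAD {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$KeyIdentifier
    )
    $dn = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    # Recovery objects sit one level below the computer object; the GUID is stored
    # as bytes in msFVE-RecoveryGuid and the password in msFVE-RecoveryPassword.
    $objs = Get-ADObject -SearchBase $dn -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid', 'whenCreated'
    $prefix = $KeyIdentifier.Trim('{}').ToLower()
    foreach ($o in $objs) {
        $guid = [guid]::new([byte[]]$o.'msFVE-RecoveryGuid')
        if ($guid.ToString().StartsWith($prefix)) {
            [pscustomobject]@{
                Computer         = $ComputerName
                KeyId            = $guid
                Created          = $o.whenCreated
                RecoveryPassword = $o.'msFVE-RecoveryPassword'
            }
        }
    }
}

# Usage (constructed names):
#   Backup-BitLockerRecoveryKeyToAD -MountPoint 'C:'
#   Get-BitLockerRecoveryPasswordFromAD -ComputerName 'WS-EXAMPLE' -KeyIdentifier 'A1B2C3D4'
```

After a retrieved password has been used, rotate it (remove the protector and add a new RecoveryPassword protector, then back it up again) so the value handed out does not remain valid, as the text above recommends.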

Recovery key retention can be enabled or disabled based on the organization's needs. Once disabled, the recovery key cannot be retrieved for any managed computer, and the recovery keys stored on the server are erased. These recovery keys cannot be recovered by enabling recovery key retention again, as they are erased from the server permanently.

Disabling recovery key retention must be approached with caution, as the existing recovery keys of unmanaged computers stored on the server can also be deleted.


List of ManageEngine BitLocker Management documentation

  1. BitLocker Management
  2. BitLocker overview
  3. BitLocker Encryption Pre-requisites
  4. Complete feature list
  5. How to create a BitLocker management policy
  6. How to retrieve BitLocker recovery key
  7. How to automate BitLocker deployment for encryption
  8. Frequently asked questions
