What is BitLocker and how does it work?

Keeping sensitive files on digital storage media always entails a risk that, at some point, they might fall into the wrong hands. In view of the constant threats to devices, especially portable ones like laptops or USB sticks, developers seek to give their users peace of mind by introducing diverse security measures. The Windows OS, for its part, offers BitLocker, which has become a common choice for individuals and businesses looking for strong protection of their data "at rest". Here you can find an overall explanation of this feature.

Last update: June 02, 2023


What is BitLocker?

BitLocker is Microsoft's encryption technology built into the Windows operating system and supplied automatically as part of its installation. It secures the content of entire logical volumes by encrypting it with strong cryptographic algorithms. The encrypted information cannot be decoded, and thus accessed, unless the user provides the proper credentials that unlock the storage, so it remains safeguarded against theft or access by unauthorized third parties. Once the correct credentials are entered, the storage can be browsed as normal.

BitLocker serves to protect both the PC's internal hard drive or SSD and various external storage devices – USB sticks, memory cards and other media formatted with Microsoft's NTFS, FAT32 or exFAT file systems. The version intended for removable storage is also known as BitLocker To Go.

The technology itself is based on the Advanced Encryption Standard (AES), with a configurable key size of either 128 or 256 bits. Starting with Windows 10, the supported modes include AES-CBC (cipher block chaining) and AES-XTS (XEX-based tweaked-codebook mode with ciphertext stealing).

BitLocker can be implemented as a hardware-backed or purely software-based solution. In the first case, it relies on a TPM (Trusted Platform Module), a dedicated microchip built into or added to the PC's motherboard and designed to perform cryptographic operations. The TPM is responsible for generating, storing and managing the BitLocker encryption keys. It can be configured to unlock the drive on its own at boot time or to work in tandem with other security options, such as a personal identification number (PIN) or a removable device containing a startup key.

The second implementation is intended for computers that lack a TPM. In this case, the user is prompted to set up a protection mechanism when BitLocker is initialized for the given drive:

  • User password – a string of characters specified by the user that will be requested each time they boot into Windows or access a removable device encrypted by BitLocker.
  • BitLocker recovery key – a unique 48-digit numerical sequence that is created automatically by the system once BitLocker is activated. This key will be required to unlock the storage after certain updates, in the event of security issues, or when the user password is lost or unavailable. Depending on the OS version, Windows may offer different ways to save it for future use.
  • Startup key file – a hidden *.bek file stored on an external USB device as an equivalent to the BitLocker recovery key. This device must be present during OS startup for the drive to be decrypted automatically without a password.

After BitLocker is enabled, the data on the protected volume is scrambled into incomprehensible "gibberish". For this purpose, BitLocker employs a special key that is never exposed to the user, the Full Volume Encryption Key (FVEK). The FVEK is itself encrypted with another secret key, the Volume Master Key (VMK), which is stored in encrypted form within the volume's metadata, often as several encrypted copies, one for each protector. When the user supplies the correct password, BitLocker recovery key or startup key, that credential is used to decrypt the corresponding copy of the VMK; the VMK in turn decrypts the FVEK, which brings the volume's content back to its original form. Such a multi-step transformation cannot be completed unless those critical BitLocker metadata entries remain intact: if they are seriously damaged as a result of storage failure or corruption, it is no longer possible to read the data, even with valid credentials.
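The FVEK/VMK chain just described, as an added Python model (not Microsoft's code and not part of the original article): several protectors each hold a wrapped copy of the VMK, any one of them unlocks the FVEK, and a damaged metadata entry fails verification even with the right credential. Real BitLocker wraps these entries with AES-CCM; here an HMAC-SHA256 stream cipher with an HMAC tag is swapped in so only the standard library is needed, and the recovery-key format check goes beyond the page by using the documented rule that each 6-digit group is divisible by 11 and at most 720896.

```python
"""Model of BitLocker's key hierarchy (added illustration, not Microsoft's
code): the FVEK encrypts the volume, the VMK encrypts the FVEK, and each
protector keeps its own wrapped VMK copy in the volume metadata.
AES-CCM is replaced by an HMAC-SHA256 stream plus HMAC tag (stand-in)."""
import hashlib, hmac, os

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode as the stand-in keystream.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def wrap(kek: bytes, secret: bytes) -> bytes:
    # Encrypt-then-MAC: nonce || ciphertext || tag (the tag also covers the nonce).
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(secret, _stream(kek, nonce, len(secret))))
    return nonce + ct + hmac.new(kek, nonce + ct, hashlib.sha256).digest()

def unwrap(kek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong credential or damaged metadata entry")
    return bytes(a ^ b for a, b in zip(ct, _stream(kek, nonce, len(ct))))

def valid_recovery_key(rk: str) -> bool:
    # Format rule of a 48-digit recovery key: 8 groups of 6 digits, each
    # divisible by 11 and at most 720896 (so group // 11 fits in 16 bits).
    groups = rk.split("-")
    return len(groups) == 8 and all(
        g.isdigit() and len(g) == 6 and int(g) % 11 == 0 and int(g) <= 720896
        for g in groups)

def protector_kek(credential: str, salt: bytes) -> bytes:
    # Stretch a password or recovery key into a key-encryption key
    # (stand-in for BitLocker's own SHA-256 stretching loop).
    return hashlib.pbkdf2_hmac("sha256", credential.encode(), salt, 50_000)

def encrypt_volume(protectors: dict) -> dict:
    # Fresh FVEK and VMK; one wrapped VMK copy per protector forms the metadata.
    fvek, vmk, salt = os.urandom(32), os.urandom(32), os.urandom(16)
    copies = {n: wrap(protector_kek(c, salt), vmk) for n, c in protectors.items()}
    return {"salt": salt, "vmk_copies": copies, "wrapped_fvek": wrap(vmk, fvek)}

def unlock(volume: dict, protector: str, credential: str) -> bytes:
    # Any single valid protector recovers the VMK and, through it, the FVEK.
    vmk = unwrap(protector_kek(credential, volume["salt"]), volume["vmk_copies"][protector])
    return unwrap(vmk, volume["wrapped_fvek"])
```

Flipping one byte of any wrapped entry makes the corresponding `unwrap` raise, which is the failure the paragraph above describes for damaged metadata.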

How does it get activated on a device?

BitLocker is a native function of Windows, which makes its activation seamless, with little or even no user intervention required. There are several ways to trigger the encryption process:

  • Modern devices running Windows that meet certain prerequisites (support for Modern Standby, HSTI compliance, etc.) are often encrypted by default out of the box. Protection comes into effect once the user signs in with their Microsoft account or Azure Active Directory account. In this case, there is no need to set up a user password, and the BitLocker recovery key is automatically saved to the respective online account.
  • The user may voluntarily switch on BitLocker through the Control Panel or Settings app. In this case, they are usually free to choose how to save the BitLocker recovery key.

Locating BitLocker recovery key

As stated above, the BitLocker recovery key is created automatically at the moment BitLocker is activated. It is absolutely necessary to have a backup copy of this 48-digit key and to be able to retrieve it. Such a copy may be saved in several ways, depending on the user's preferences and the deployed version of Windows. If there is trouble locating it, the following storage options should be explored:

  • Microsoft account

The most probable place to find the BitLocker recovery key is within the Microsoft account of the user who turned on the encryption feature. One needs to log into this account online, go to the Devices section and click "View details" below the corresponding computer. Under the "BitLocker data protection" section, there will be a "Manage recovery keys" setting. After successful identity verification, it will show a list of the recovery keys available for this particular PC, along with their IDs, dates and device names.

  • Text file

The BitLocker recovery key can be stored as a *.txt file on another, non-encrypted drive or in a shared network location. It is usually saved under the name "BitLocker Recovery key" followed by a sequence of alphanumeric characters. This name can be entered into the search bar to look for any matches. The file will also contain the ID that identifies this particular key.

  • USB stick

The startup key is analogous to the recovery key, but it is saved to a USB flash drive as a file with a *.bek extension. Its name usually looks like a random alphanumeric sequence. However, such a file is hidden, and to make it visible, the "Show hidden files, folders, and drives" option should be enabled in File Explorer.

  • Printout

The BitLocker recovery key can be printed out and stored as a physical document. If no printer is available, it can be saved as a *.pdf file and kept in a OneDrive or Google Drive account.

  • Azure Active Directory account

In the case of a corporate computer, the BitLocker recovery key may be stored in the Azure Active Directory account. One has to sign into the Microsoft Azure portal and access "Azure Active Directory" -> "Devices" -> "All devices". After that, the search box can be used to look for the proper device by its name or serial number. When the found device is selected, the "BitLocker keys (Preview)" and "Show Recovery Key" options can be used to obtain the key.

Whether a particular BitLocker recovery key belongs to the drive can be checked by comparing the beginning of that key's identifier with the "Key ID" value displayed for the drive.

The described technology is supported for data recovery and access by the following software products:

* Hardware-managed BitLocker encryption relies on physical security mechanisms that cannot be handled programmatically and is therefore not supported by the software.