A BitLocker recovery key is a 48-digit number, created when a drive was encrypted and saved in one of a handful of places — your Microsoft account, a printed or saved file, a USB stick, or your work account. Here is every place to look, how to match the right key, and what is (and isn’t) possible if it is genuinely gone.
BitLocker never encrypts a drive without first escrowing the key. On a normally set-up PC it exists — almost always in your Microsoft account. The task is knowing where to look.
A 48-digit number, tied to one drive, that is not your password or PIN.
A BitLocker recovery key is a 48-digit numerical password — eight groups of six digits — created automatically the moment a drive was encrypted. It is separate from the PIN or password you type day to day: those unlock the drive normally, and the recovery key is what Windows falls back to when something changes. You only meet it on the blue ‘enter the recovery key’ screen, which appears when BitLocker senses a new motherboard, a firmware or TPM update, a change to Secure Boot, or a drive that has started to fail.
Because the key belongs to the drive rather than to you, the question is never really ‘what is my key’ — it is where did Windows put it when the drive was encrypted. The reassuring part: BitLocker will not switch on without saving the key somewhere first. So on a drive that was encrypted normally, the key exists — it is a matter of knowing the handful of places to look.
There are really only five. Your Microsoft account, where Windows silently escrows keys on personal PCs. A printout or a saved text file from the day BitLocker was turned on, named BitLocker Recovery Key followed by a long ID. A USB flash drive the setup wizard offered to save it to. A work or school account — Microsoft Entra, formerly Azure AD — on a managed laptop. And Active Directory, where an organisation’s IT team holds keys for domain-joined machines. On a drive encrypted normally, the key is in at least one of these — more often the first than people expect.
This resolves most home lock-outs. From any phone or computer, go to aka.ms/myrecoverykey (or account.microsoft.com → Devices → the locked PC → ‘manage recovery keys’) and sign in with the Microsoft account that was used to set up or sign in to that PC. That is the catch worth underlining: it has to be the account that was on the machine when BitLocker turned on, which is not always the one you use now — try an older personal address, or a family member’s, if the obvious one comes up empty. The page lists every key Windows has escrowed, each tagged with a Key ID.
If the machine belongs to an employer, college or school, the key lives with them, not with you — and that is by design. For an Entra-joined (Azure AD) laptop you can often find it yourself at myaccount.microsoft.com → Devices, but the reliable route is to ask IT support, who can pull the key from Entra or on-premises Active Directory in seconds. Don’t spend an afternoon fighting a managed device alone; a two-line email to the service desk is usually the whole job.
If more than one key comes up, the blue recovery screen tells you which to use. Near the prompt it shows a Key ID — the first eight characters of a longer identifier — and every stored key is listed beside its own ID. Match the two and enter that key; a key from a different drive or a different encryption simply will not take. The key itself is the full 48 digits, in eight blocks of six, typed exactly as shown.
Two very different situations hide behind the same lock screen.
Be wary of anyone who promises to ‘crack’ a BitLocker drive. If the key is in none of those places and the machine had no organisational Data Recovery Agent set up in advance, the encryption itself cannot be undone — AES-256 has no back door and brute-forcing a 48-digit key is not feasible in any human timescale. That is the whole point of the encryption, and we will tell you so plainly rather than take a job we can’t finish.
But separate two things that feel identical. If the drive is healthy and only the key is lost, no lab on earth can decrypt it — ourselves included. If instead the drive has failed — it won’t mount, it clicks, it isn’t detected — but you still have the key or password, that is squarely recoverable: we image the failing drive first, then apply your key to decrypt the recovered image. Found your key but the drive still won’t open? That is a hardware fault, not a key problem — exactly the kind of job for the bench.
No. The recovery key is a separate 48-digit number generated when the drive was encrypted. Your PIN or password unlocks the drive day to day; the recovery key is the fallback Windows asks for when it detects a hardware or firmware change, or a failing drive.
On a personal PC signed in with a Microsoft account it is escrowed to that account at aka.ms/myrecoverykey. On a work or school laptop it is held in Microsoft Entra (Azure AD) or on-premises Active Directory. BitLocker will not switch on without saving the key somewhere first.
If the drive is physically healthy, no — and neither can anyone else; AES-256 has no back door, and we will say so upfront rather than take payment. If the drive has failed but you still have the key or password, yes: we image the drive and decrypt the recovered image.
48 digits, shown as eight groups of six. The blue recovery screen also shows a shorter Key ID — the first eight characters of a longer identifier — which tells you which stored key to use if you have more than one.
Free 48-hour diagnostic on the Belfast bench — encrypted drives imaged first, decrypted second, and a written quote before any work begins.