What is BitLocker?

BitLocker Drive Encryption, or BitLocker, is a Microsoft Windows security and encryption feature that is included with certain newer versions of Windows. BitLocker enables users to encrypt everything on the drive Windows is installed on, protecting that data from theft or unauthorized access.

Microsoft BitLocker improves file and system protections by mitigating unauthorized data access. It uses the Advanced Encryption Standard algorithm with 128- or 256-bit keys. BitLocker combines the on-disk encryption process and special key management techniques.

Although BitLocker first debuted with Windows Vista in 2007, beginning with Windows 10 version 1511, Microsoft updated BitLocker, introducing new encryption algorithms, new group policy settings, new operating system (OS) drives and removable data drives. This update applies to Windows 11, 10 and Server 2016 and above. BitLocker itself works on Pro, Enterprise and Education editions of Windows.

How does BitLocker work?

BitLocker uses a specialized chip called a Trusted Platform Module (TPM). The TPM stores Rivest-Shamir-Adleman encryption keys specific to the host system for hardware authentication. The TPM is installed by the original computer manufacturer and works with BitLocker to protect user data.

In addition to a TPM, BitLocker can also lock the startup process until the user inputs a PIN or inserts a removable device like a flash drive that has a startup key. BitLocker also creates a recovery key for the user's hard drive -- in case the user forgets or loses their password.

Computers that do not have a TPM installed can still use BitLocker to encrypt Windows OS drives. But this implementation requires a USB startup key to turn on the computer or resume from hibernation. Microsoft, however, states that there is more pre-startup system integrity verification when BitLocker is paired with a TPM.

BitLocker Recovery Password Viewer and BitLocker Drive Encryption Tools are two additional tools used to manage BitLocker. BitLocker Recovery Password Viewer enables users to locate BitLocker recovery passwords that are backed up to Active Directory (AD) Domain Services. This tool is used to recover data stored on an already encrypted drive. BitLocker Drive Encryption Tools are a combination of command-line tools, the BitLocker cmdlets for Windows PowerShell as well as manage-bde and repair-bde. Repair-bde, for example, is used in disaster recovery attempts where BitLocker-protected drives cannot be unlocked normally or using the recovery console. The Manage-bde command-line tool turns BitLocker on or off. Turning off BitLocker will decrypt all of the files on the drive when that data no longer needs to be protected.

How to use BitLocker

BitLocker is enabled by default. But if it is turned off, a user can go to the Windows search bar and search for Manage BitLocker. If BitLocker is on the device, it will show up in the control panel, with one of the options being to turn on BitLocker. Other options include suspend protection, back up your recovery key and turn off BitLocker.

The BitLocker Control Panel
The BitLocker Control Panel is accessible through the Windows search bar on a Windows 11 machine.

After turning BitLocker on, Windows begins checking system settings. The user must create a password, which is needed every time they access their PC or drive. The user then selects Recovery key settings. After clicking on Next, the user can select how much of their drive they wish to encrypt. The two-volume encryption options are to encrypt used disk space only or to encrypt the entire drive. Encrypt used disk space refers to only the disk space that contains data, while encrypt the entire drive means that the entire storage volume, including free space, is encrypted.

After clicking on this, the user can run a BitLocker system check which ensures that BitLocker can access the recovery and encryption keys before anything is encrypted. After the system check, the BitLocker Drive Encryption Wizard restarts the computer to begin the endpoint encryption process. Protection is only enabled after user sign-on and the device is registered to an AD domain.

To decrypt and turn off BitLocker, the user should search for Manage BitLocker in their Windows Search bar, select the option that appears and then turn off BitLocker; the process of decrypting data will begin.

BitLocker system requirements

BitLocker requires the following:

  • TPM 1.2 or later must be installed.
  • If not using a TPM, a startup key stored on a removable device is required.
  • If using a TPM, a Trusted Computing Group-compliant BIOS or unified extensible firmware interface (UEFI) is needed for a chain of trust for the OS startup.
  • BIOS or UEFI must support the USB mass storage device class.
  • Storage drives must have two or more partitions.
  • The OS drive must be formatted with NT File System (NTFS)
  • System drives that use UEFI-based firmware must be formatted with the File Allocation Table 32 file system.
  • System drives that use BIOS firmware must be formatted with NTFS.

What is a BitLocker recovery key?

A BitLocker recovery key is a 48-digit numerical password that is used to unlock a user's system when BitLocker detects a possible unauthorized access attempt. The key serves as an extra security measure to keep a user's data safe. Windows may also ask for the BitLocker recovery key if changes are made in the system's hardware, software or firmware.

How to find a BitLocker recovery key

If the recovery key is lost, the only option is to reinstall Windows. To avoid this, BitLocker recovery keys can be backed up to the following locations:

  • The user's Microsoft account. If the user signs into their Microsoft account on another device, they can view their key from there.
  • A USB flash drive. A USB flash drive can store the key, which can be inserted into the locked PC to unlock it. If the key is stored as a text file, the user can plug it into another PC to read the password.
  • The user's Microsoft Azure Active Directory (AD) account. The key may be stored in a larger Azure AD account associated with the user's device.
  • A system administrator's system. A system admin may have the recovery key if the user's device is connected to a domain.
  • The user's possession. The user may have printed or written the code out on paper.

Learn how BitLocker encryption technology has evolved to secure information, such as local and cloud resources.

This was last updated in March 2022

Continue Reading About BitLocker

Dig Deeper on Windows applications

Virtual Desktop