Drive Encryption is a wonderful feature. You can be confident that your data is safe, even if your device is lost or stolen. But if you lose your encryption key, you’ll never be able to access your data. Here’s how you can back up your encryption key somewhere safe.
What Is Encryption?
Encryption is a means of obfuscating data such that it is unreadable without the proper key to “unlock” it. In practical terms, that means that your encrypted messages can’t be intercepted and read by third parties, your sensitive medical data is safe to be transmitted digitally, and the files you encrypt before you upload them to the cloud are safe from prying eyes.
Encryption is essential for safety in the digital world, whether you’re a single person sending iMessages back and forth or you’re the biggest financial institution on the planet.
Windows has been slow to adopt drive encryption, but that is gradually changing. All Windows 11 devices will be capable of either device encryption or full BitLocker encryption, depending on which version of Windows 11 you’re running. Generally speaking, that is a good thing — that means even if someone steals your computer and rips out the storage drive, they will not be able to access anything on it.
Of course, that also means that if you ever need your data and don’t have your encryption key handy, you won’t be able to access it either.
How to Back Up Your Recovery Key
Most users who are running Windows 11 will have created their PC user account with a Microsoft login. In that case, your recovery key is stored on Microsoft’s servers. It is also saved locally — if you set up a local account, you’ll only have a local copy. We’ll cover both scenarios.
Note: Users that have the Professional version of Windows 11 will have additional options associated with BitLocker. These instructions are designed to be one-size-fits-all and will work regardless of your Windows version.
Find Your Local Recovery Key
The most universal way to get your recovery key is with PowerShell. Launch Terminal as Administrator—the easiest way is by right-clicking your Start button or pressing Windows+X and clicking “Terminal (Admin)”—and make sure you have a PowerShell profile open.
(If you don’t have a PowerShell profile open, click the down arrow in the tab bar and select “Windows PowerShell.”)
Copy and paste the following command into the Terminal, and then hit Enter:
(Get-BitLockerVolume -MountPoint C).KeyProtector
You’ll see your recovery key displayed on the page. You can copy and paste it, screenshot it, or write it down.
Alternatively, you can have PowerShell write the information to a text file named “recoverykey.txt” on the Desktop instead. Move that file off the PC afterwards, since a copy left on the encrypted drive won’t be reachable when you need it. Here’s the command:
(Get-BitLockerVolume -MountPoint C).KeyProtector | Out-File -FilePath $HOME\Desktop\recoverykey.txt
If the commands don’t do anything, nothing is displayed in the console, or nothing is written to the file, that means your drive is not encrypted and does not have a recovery key.
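The script below is an added example, not part of the original article. It goes beyond the single-drive command above by collecting only the recovery passwords for every BitLocker volume and writing them to removable media. The destination path `E:\recoverykey.txt` is an assumption, so point it at your own USB drive.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules BitLocker

param(
    # Assumption: E:\ is a USB drive. Change this to your own off-device location.
    [string]$Destination = 'E:\recoverykey.txt'
)

# A backup stored on the encrypted system drive is unreachable when you need it,
# so refuse to write it there.
$destRoot = [System.IO.Path]::GetPathRoot($Destination).TrimEnd('\')
if ($destRoot -eq $env:SystemDrive) {
    throw "Destination is on $env:SystemDrive. Choose a removable or external drive."
}

# Walk every volume and keep only the RecoveryPassword protectors
# (TPM and other protector types carry no recovery key to back up).
$rows = foreach ($vol in Get-BitLockerVolume) {
    $vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        ForEach-Object {
            [pscustomobject]@{
                MountPoint       = $vol.MountPoint
                VolumeStatus     = $vol.VolumeStatus
                ProtectionStatus = $vol.ProtectionStatus
                KeyProtectorId   = $_.KeyProtectorId   # identifies which key this is
                RecoveryPassword = $_.RecoveryPassword
            }
        }
}

# Same outcome as the empty output described above: nothing to back up.
if (-not $rows) {
    Write-Warning 'No recovery password found on any volume. The drive is not encrypted.'
    return
}

$rows | Format-List | Out-File -FilePath $Destination -Encoding utf8
Write-Host "Saved $(@($rows).Count) recovery key(s) to $Destination"
```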
Warning: If you are using a local account and you try to enable Device Encryption, you’ll get a message that says “Sign in with a Microsoft account to finish encrypting this device.” That message would seem to imply that your device is not encrypted until you log into a Microsoft account. That impression is wrong. Your device will be encrypted, and you must be sure to manually back up your recovery key.
Find The Recovery Key Stored By Microsoft
Microsoft saves the recovery keys of all Microsoft logins online by default. Just head over to Microsoft’s recovery key page, and you’ll see the recovery keys saved to your account.
You can copy and paste that information into a text file, print the page, save it as a screenshot or photo on your phone, or do anything else that works for you.
Where Should I Store My Recovery Key?
The best place to store your key is up to you, as there are any number of good places you could store it, but they all carry some risk. Do not store it as a sticky note attached to your computer — that is probably the worst place to save it. Don’t just save it onto your PC’s hard drive either. It is completely useless there, since you wouldn’t be able to access it when you need it.
On Your Cellphone
Modern cellphones can create encrypted notes that can only be read with another password or the device’s PIN. You could save the recovery key there. That way it is always with you, and it is unlikely that someone could steal your phone and bypass the encryption.
You could also take a photo of it with your cellphone.
In the Cloud
You can always save the recovery key in a text file or screenshot and then upload it to the cloud — that is basically how Microsoft handles the situation automatically, anyway. However, you can upload it to any reputable cloud service you like. If you’re concerned about storing it in the cloud, you can always double up on your security by putting it in a password-protected ZIP file first.
A Physical Copy
You can always make a physical copy of the key, either by printing it out or writing it down on a piece of paper. If you have a safe for important files, documents, or photos, you could put it there. Alternatively, you could just file it away with the rest of your paperwork. Just don’t lose it.
Regardless of which options you choose, you should save your recovery key in a few locations. Things happen — phones go for a swim or a tumble accidentally, cloud logins get forgotten, and papers are easily lost or damaged. Losing access to your files because you lost your recovery key is entirely preventable if you plan in advance.