How to Copy an OS Drive Startup Key Encrypted by BitLocker in Windows


As the built-in encryption feature of Windows, BitLocker safeguards your data if a drive is lost or decommissioned: the volume is encrypted, so anyone who takes the drive out of the machine and reads it offline gets nothing usable. When a drive is protected with a startup key, that key has to be present at boot before the OS volume unlocks. In this guide, we'll detail how to copy an OS drive startup key encrypted by BitLocker in Windows 10/11, why this matters for data security, and the best practices for storing and handling your BitLocker startup key.

Methods to copy the OS drive startup key

The first practical question is where the BitLocker startup key is stored in Windows. The step-by-step guides below walk through the different ways to locate and copy it.

Using the BitLocker management interface to copy the startup key

  1. Open the Control Panel. You can do this by either searching for it in the Start menu or pressing the Windows key + R, typing “control,” and pressing Enter.
  2. Click on the BitLocker Drive Encryption icon and find the OS drive whose startup key you want to copy. The drive must already be encrypted and protected with a startup key; the option in the next step only appears for such drives.
  3. Next to your chosen OS drive, click Copy startup key.
  4. Insert a USB flash drive into your computer. Select the flash drive displayed in the window and click Save. The .BEK file BitLocker writes is marked hidden and system, so it won't show up in a default File Explorer view (see the troubleshooting section below).

The Back up your recovery key link in the same window offers further locations, but note that these hold the 48-digit recovery password, not the startup key:

  • File: The recovery password can be saved as a text file on any drive other than the one being protected; keep that location offline and access-controlled.
  • Microsoft account: It can be stored in your Microsoft account if you're signed in with one on the device.
  • Active Directory: On a domain-joined device, Group Policy can escrow the recovery password to Active Directory Domain Services (AD DS).

The startup key itself exists only as a .BEK file. BitLocker does not password-protect that file, so anyone holding the file plus the drive (plus the computer, when the TPM is part of the protector) can unlock the volume; protect every copy physically and by access control rather than relying on where it is saved.

Using the command prompt to retrieve the BitLocker startup key

  1. Open an elevated command prompt. Press the Windows key + X and select Command Prompt (Admin); on newer builds the menu offers Windows Terminal (Admin) or Windows PowerShell (Admin) instead, and manage-bde works from any of them.
  2. Type manage-bde -protectors -get C: and replace C: with the letter of the OS drive whose startup key you intend to copy (the colon is required).
  3. Each startup key protector is listed with its ID and, under External Key File Name, the name of the .BEK file that holds it. The listing itself doesn't write anything: to copy the key, either locate that file (it's hidden; see the troubleshooting section below), use Copy startup key in the Control Panel as in the previous section, or add a new startup key protector as in the next section.
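As an added example (not code from the original article), the following PowerShell script wraps the listing step above and then exports a fresh copy of each startup key file with the -SaveExternalKey option of manage-bde -protectors -get (see manage-bde -protectors -get -? for that switch). The drive letters C: (encrypted OS drive) and E: (USB flash drive) are assumptions; replace them with your own.

```powershell
# Added example, not code from the original article. Lists the startup key
# protectors on a BitLocker volume with manage-bde and exports a fresh copy of
# each key file to a folder using the -SaveExternalKey switch of
# "manage-bde -protectors -get". Run in an elevated PowerShell session.
#Requires -RunAsAdministrator

# Assumed drive letters: C: is the encrypted OS drive, E: is the USB flash drive.
$OsDrive     = 'C:'
$Destination = 'E:\'

function Get-StartupKeyFileNames {
    param([Parameter(Mandatory)][string]$Drive)
    # manage-bde prints every protector; startup key protectors carry an
    # "External Key File Name:" entry whose value is the .BEK file name.
    $lines = @(& manage-bde.exe -protectors -get $Drive 2>&1 | ForEach-Object { "$_" })
    if ($LASTEXITCODE -ne 0) { throw "manage-bde failed for ${Drive}: $($lines -join ' ')" }

    $names = @()
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -notmatch 'External Key File Name') { continue }
        # The name follows the label; on most builds it sits on the next line.
        $name = ($lines[$i] -replace '.*External Key File Name:\s*', '').Trim()
        if (-not $name -and ($i + 1) -lt $lines.Count) { $name = $lines[$i + 1].Trim() }
        if ($name -like '*.BEK') { $names += $name }
    }
    return $names
}

function Copy-StartupKey {
    param(
        [Parameter(Mandatory)][string]$Drive,
        [Parameter(Mandatory)][string]$Folder
    )
    if (-not (Test-Path -Path $Folder)) { throw "Destination $Folder is not available" }

    $expected = Get-StartupKeyFileNames -Drive $Drive
    if ($expected.Count -eq 0) {
        throw "$Drive has no startup key protector, so there is no startup key to copy"
    }

    # -SaveExternalKey writes the .BEK for each external key protector into $Folder.
    $null = & manage-bde.exe -protectors -get $Drive -SaveExternalKey $Folder 2>&1
    if ($LASTEXITCODE -ne 0) { throw "manage-bde could not save the startup key to $Folder" }

    # BitLocker marks .BEK files hidden + system, so -Force is needed to see them.
    $saved = @(Get-ChildItem -Path $Folder -Filter '*.BEK' -Force -File |
               Where-Object { $expected -contains $_.Name })
    if ($saved.Count -eq 0) {
        throw "No .BEK named as in the protector list of $Drive was written to $Folder"
    }
    return $saved
}

Copy-StartupKey -Drive $OsDrive -Folder $Destination |
    Format-Table Name, Length, LastWriteTime, Attributes -AutoSize
```

The script deliberately reads the protector list first and only accepts a written file whose name appears in it, so a stray .BEK already on the USB drive is not mistaken for the copy you just made. Running it twice is harmless: the same key file is written again, no new protector is created, and the existing startup key keeps working.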

Using PowerShell to back up the BitLocker startup key

  1. Open an elevated PowerShell by pressing the Windows key + S, typing “powershell,” and clicking on Run as administrator.
  2. Check the BitLocker status of the drive whose startup key you wish to back up: type manage-bde -status C: and replace C: with the letter of your BitLocker-encrypted drive (here and in the next steps). Protection should read On.
  3. Next, type manage-bde -protectors -get C: to list all the BitLocker protectors for this drive, including any startup key protector and the recovery password protector.
  4. Insert a USB flash drive into your computer. Then type manage-bde -protectors -add C: -StartupKey E:\ and replace E: with the letter of the USB flash drive. This adds a new startup key protector and writes a new .BEK file to the USB drive; it does not duplicate the existing startup key, which keeps working until its protector is removed. Reboot with the new USB drive inserted and confirm it unlocks the drive before you retire the old key.
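The steps above run manage-bde inside PowerShell; the BitLocker PowerShell module can do the same job natively. As an added example (not code from the original article), this script checks the drive with Get-BitLockerVolume, refuses to proceed if no recovery password protector exists, adds a startup key protector with Add-BitLockerKeyProtector, and reports exactly which protector and which .BEK file were created. The drive letters and the optional -WithTpm switch name are assumptions for illustration.

```powershell
# Added example, not code from the original article. Does the same job as the
# manage-bde steps above with the BitLocker PowerShell module: confirm the
# drive is protected, add a startup key protector that writes a new .BEK to a
# USB drive, and report what changed. Drive letters are assumptions.
#Requires -RunAsAdministrator
Import-Module BitLocker

function Add-StartupKeyToUsb {
    param(
        [Parameter(Mandatory)][string]$MountPoint,   # encrypted OS drive, e.g. 'C:'
        [Parameter(Mandatory)][string]$UsbRoot,      # USB drive root, e.g. 'E:\'
        [switch]$WithTpm                              # create a TPM+startup key protector instead
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        throw "$MountPoint is not protected by BitLocker (ProtectionStatus = $($vol.ProtectionStatus))"
    }
    if (-not (Test-Path -Path $UsbRoot)) { throw "USB drive $UsbRoot is not mounted" }

    # Sanity check before touching protectors: without a recovery password, a
    # mistake here can lock you out of the volume for good.
    $hasRecovery = [bool]($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if (-not $hasRecovery) {
        throw "$MountPoint has no RecoveryPassword protector; add and back one up before changing startup keys"
    }

    $beforeIds = @($vol.KeyProtector.KeyProtectorId)
    $beforeBek = @(Get-ChildItem -Path $UsbRoot -Filter '*.BEK' -Force -File | ForEach-Object Name)

    # Adds a protector; it does not duplicate an existing startup key. The old
    # key file keeps working until its protector is removed.
    if ($WithTpm) {
        $null = Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndStartupKeyProtector -StartupKeyPath $UsbRoot
    } else {
        $null = Add-BitLockerKeyProtector -MountPoint $MountPoint -StartupKeyProtector -StartupKeyPath $UsbRoot
    }

    $after  = Get-BitLockerVolume -MountPoint $MountPoint
    $newKp  = @($after.KeyProtector | Where-Object { $beforeIds -notcontains $_.KeyProtectorId })
    # The new .BEK is hidden + system; -Force makes Get-ChildItem list it.
    $newBek = @(Get-ChildItem -Path $UsbRoot -Filter '*.BEK' -Force -File |
                Where-Object { $beforeBek -notcontains $_.Name })

    [pscustomobject]@{
        MountPoint      = $MountPoint
        NewProtector    = ($newKp.KeyProtectorType -join ', ')
        ProtectorId     = ($newKp.KeyProtectorId -join ', ')
        KeyFile         = ($newBek.FullName -join ', ')
        TotalProtectors = $after.KeyProtector.Count
    }
}

Add-StartupKeyToUsb -MountPoint 'C:' -UsbRoot 'E:\' | Format-List
```

A volume can hold only one TPM-based protector (TPM, TPM+PIN, or TPM+startup key), so -WithTpm fails on a drive that already has one; test the new protector with a reboot, then remove the old one with Remove-BitLockerKeyProtector -KeyProtectorId. Without -WithTpm, the plain startup key protector unlocks the drive with the USB alone, independent of the TPM, which is convenient for recovery but weaker than the TPM-bound form.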

Where many devices hold sensitive information, such as a clinic's patient records or a company's customer contact details, automating BitLocker key backup (for example, escrowing recovery passwords to AD DS or an endpoint management platform before devices leave the office) makes sure the organization can always regain access to its encrypted volumes while those volumes stay protected from unauthorized access.

Understanding the BitLocker startup key

Now let's define what this key is and how it plays into the various authentication methods for Windows encryption.

What is the BitLocker startup key?

The BitLocker startup key is a .BEK file, usually stored on a removable USB flash drive, that must be present when the computer boots, much like a key for a padlock. The file holds key material that, combined with what the computer's trusted platform module (TPM) releases after a clean boot measurement (or on its own, where Group Policy allows BitLocker without a TPM), unlocks the OS volume. Together, the TPM and the startup key give your data a significant level of protection.

Authentication methods: TPM only, TPM+PIN, and BitLocker startup key

The TPM is a hardware security chip built into most modern devices; BitLocker can use it alone or together with a personal identification number (PIN). With a TPM and a startup key, pre-boot authentication needs two things: an untampered boot chain as measured by the TPM, and the USB drive holding the key file. Unlocking is automatic in the sense that nothing is typed, but the drive still has to be plugged in.

Here are some key differences among the TPM-only, TPM+PIN, and BitLocker startup key authentication methods for encrypted drives.

  • TPM only: The TPM alone authorizes access to the drive as long as the measured boot chain is unchanged; the user does nothing. This stops the drive from being read in another machine, but it does not stop someone who can boot the intact machine.
  • TPM+PIN: In addition to the TPM, the drive prompts the user for a PIN (by default 6 to 20 digits; policy can lower the minimum to 4, and enhanced PINs allow letters) before the data becomes accessible.
  • TPM+startup key: The user connects the USB flash drive holding the .BEK startup key; the TPM supplies its part and the drive unlocks without anything being typed. Where policy permits BitLocker without a TPM, the startup key alone can be the protector.

“Can I use the TPM, a PIN, and the BitLocker startup key together for pre-boot authentication?” Yes: TPM+PIN+startup key is a supported combination, and it is the strongest pre-boot configuration BitLocker offers, as long as you properly store and handle the PIN and the key file (more on that later).

Best practices for handling BitLocker startup keys

Apart from knowing how to export your BitLocker startup key with the proper steps, observing the best practices for handling it is crucial for any drive backup operation. Treat a startup key copy the way you would a physical key to the building: whoever holds it holds access. We've listed the main practices below.

Secure storage recommendations for your BitLocker startup key

First, make sure that you store your Windows BitLocker startup key in a well-protected location, including but not limited to the following:

  • External USB: If you save your startup key to external USB storage, such as a portable flash drive, keep it on your person (e.g., on a lanyard with your company ID) or in a locked drawer or safe, and never leave it plugged into the computer it unlocks: a laptop stolen together with its startup key is no better protected than an unencrypted one.
  • Password manager: Many password managers accept file attachments, which suits the .BEK file (a binary key file, not a password). That gives you an encrypted, access-logged copy, but it is only as strong as the vault's master password and MFA.
  • Cloud storage: You can also upload the .BEK to a trustworthy cloud storage service. Use an account with MFA, and remember that anyone who can download the file and get hold of the drive (and the computer, for TPM+startup key) can boot it.

Keep multiple copies of your BitLocker startup key in separate locations

Just as we recommend multi-factor authentication on every account where a copy of the BitLocker startup key is stored, we also advise keeping multiple copies of the key in case of loss or theft. When storing these copies in separate locations, apply the 3-2-1 backup rule: three copies of your startup key, on two different types of media (e.g., a USB flash drive and an encrypted file share), with one copy offsite (e.g., cloud storage). Every extra copy is also one more thing to secure, so keep a record of where each copy is.

Common mistakes to avoid when copying and storing your startup key

Being proactive in optimal BitLocker key backup means avoiding the following errors:

  • Not securing your startup key location: Avoid leaving your OS drive startup key where others can easily take it. If you use cloud storage, put MFA on the account. Keep the USB flash drive containing your startup key in a lock box or locked drawer, never in the bag next to the machine it unlocks.
  • Not using the right key for the right drive: Make sure the BitLocker startup key you use matches the drive you wish to boot. Drive letters can change, so label the flash drive with the computer name (or the protector ID that manage-bde -protectors -get shows) rather than with a drive letter.
  • Not making multiple copies of your startup key: Losing your only startup key could mean losing access to that drive's data entirely if you have no recovery password either. Avert this by storing multiple copies in separate locations and by backing up the recovery password as well.

Troubleshooting and common issues when copying the BitLocker key

What to do if you can’t access the startup key

Before creating a startup key for an OS drive, make sure BitLocker is turned on for that drive and that encryption has completed. The key file is generated when you add the startup key protector (via Copy startup key, manage-bde, or PowerShell), not merely by inserting a USB flash drive. Use a flash drive formatted with NTFS, FAT, or FAT32 so the pre-boot environment can read it.

If you can’t access the startup key on your flash drive, try manually doing so via File Explorer using the following steps:

  1. Open File Explorer on your computer, and then open Folder Options.
  2. Select Show hidden files, folders, and drives and uncheck Hide protected operating system files (Recommended). Click OK.
  3. Insert your USB flash drive and open it on File Explorer.
  4. The startup key file should now be visible on your screen. You may back up this file on any other location and restore your default folder options if you prefer.
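As an added example (not code from the original article), this PowerShell script does the same thing from the command line: it lists the hidden .BEK files on a USB drive with -Force and then tells you which BitLocker volume on this computer each one belongs to, which also covers the "right key for the right drive" mistake described earlier. It assumes, as is the usual layout, that a .BEK file is named after its protector's ID without the braces; confirm that against the External Key File Name that manage-bde -protectors -get prints. The drive letter E: is an assumption.

```powershell
# Added example, not code from the original article. Finds the hidden .BEK
# startup key files on a USB drive and reports which BitLocker volume on this
# computer each one belongs to, so you do not carry the wrong key. Assumes
# (the usual layout) that a .BEK is named after its protector's ID.
# The drive letter E: is an assumption.
Import-Module BitLocker

function Find-StartupKeyFiles {
    param([Parameter(Mandatory)][string]$UsbRoot)
    # BitLocker writes .BEK files with the Hidden and System attributes, so a
    # plain directory listing skips them; -Force lists them regardless.
    @(Get-ChildItem -Path $UsbRoot -Filter '*.BEK' -Force -File)
}

function Resolve-StartupKeyOwner {
    param([Parameter(Mandatory)][System.IO.FileInfo]$KeyFile)
    $id = $KeyFile.BaseName
    foreach ($vol in Get-BitLockerVolume) {
        foreach ($kp in $vol.KeyProtector) {
            # KeyProtectorId looks like {GUID}; the file name is the GUID without braces.
            if ($kp.KeyProtectorId.Trim('{', '}') -ieq $id) {
                return [pscustomobject]@{
                    KeyFile    = $KeyFile.Name
                    Attributes = $KeyFile.Attributes
                    MountPoint = $vol.MountPoint
                    Protector  = $kp.KeyProtectorType
                }
            }
        }
    }
    # No volume on this machine references the file: it belongs to another
    # computer or to a protector that has since been removed.
    [pscustomobject]@{
        KeyFile    = $KeyFile.Name
        Attributes = $KeyFile.Attributes
        MountPoint = $null
        Protector  = 'unknown (not used by any volume here)'
    }
}

$keys = Find-StartupKeyFiles -UsbRoot 'E:\'
if ($keys.Count -eq 0) {
    Write-Warning 'No .BEK files found on E:\, not even hidden ones; this drive holds no startup key.'
} else {
    $keys | ForEach-Object { Resolve-StartupKeyOwner -KeyFile $_ } | Format-Table -AutoSize
}
```

A key file that resolves to no volume is the one to be careful with: it may be the only copy for another machine, or a leftover from a protector you already removed, and you cannot tell which from the file alone. Keep it until you have checked the other machine's protector list.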

Recovering a lost BitLocker startup key

First, check all your storage options—both online and offline—to confirm whether your BitLocker encryption key is indeed missing: from your personal belongings and physical storage (e.g., drawers and lock boxes) to your password managers, Microsoft account, organization account, and cloud service account.

If your startup key isn't in any of these locations, you'll have to use BitLocker recovery mode to access the files on your encrypted drive. This means locating the 48-digit recovery password (or recovery key file) for the volume and entering it at the recovery screen; once the drive is unlocked, add a new startup key protector and remove the one whose file you lost.

Resolving BitLocker startup errors after key changes

After any change to a BitLocker-encrypted drive's authentication methods, reboot the computer and confirm it unlocks with the new protector before you remove the old one, and keep the recovery password somewhere you can reach without the affected machine. For PINs and passwords, use your password manager; for external storage devices, follow the storage recommendations listed above.

FAQs

Can I copy the startup key to multiple locations?

Yes, and this is highly encouraged. Try using the aforementioned 3-2-1 backup rule. Wherever you store your BitLocker key backups, ensure that these locations are password- or PIN-protected.

What happens if I lose my BitLocker startup key?

BitLocker falls back to recovery mode, where you can unlock the drive with its 48-digit recovery password (from your Microsoft account, AD DS, or wherever you backed it up). Follow the instructions on the BitLocker recovery screen, then add a new startup key protector and remove the old one.

Is it safe to store the startup key in a cloud service?

Yes, but as with any storage volume or service, adding layers of protection to your cloud account to keep your keys safe (e.g., passwords, biometric authentication) is recommended.

On proper BitLocker key backup

Backing up your OS drive startup key, via the BitLocker management interface, the command prompt, PowerShell, or File Explorer, goes a long way toward booting your encrypted drive reliably and securely. Keep multiple copies of your key in distinct and well-protected locations, and you'll rarely have to worry about losing access to the key and to your sensitive data.

Next Steps

Building an efficient and effective IT team requires a centralized solution that acts as your core service delivery tool. NinjaOne enables IT teams to monitor, manage, secure, and support all their devices, wherever they are, without the need for complex on-premises infrastructure.

Learn more about Ninja Endpoint Management, check out a live tour, or start your free trial of the NinjaOne platform.
