Bitlocker Drive Encryption Recovery Key Generator
- BitLocker Self-Service Key Recovery. Occasionally, something happens on a BitLocker-protected device that makes it necessary to use a BitLocker Recovery Key to access the encrypted volume on the device. Systems that have been configured with UVM's Microsoft BitLocker Administration and Monitoring (MBAM) agent will have stored a copy of the recovery key in our central database.
- The BitLocker Active Directory Recovery Password Viewer helps to locate BitLocker Drive Encryption recovery passwords for Windows Vista or Windows Server 2008 based computers in Active Directory Domain Services (AD DS).
- How to Back Up the BitLocker Recovery Key for a Drive in Windows 10: a BitLocker recovery key is a special key that you can create when you turn on BitLocker Drive Encryption for the first time on each drive that you encrypt.
Investigators start seeing BitLocker encrypted volumes more and more often, yet computer users themselves may be genuinely unaware of the fact they’ve been encrypting their disk all along. How can you break into BitLocker encryption? Do you have to brute-force the password, or is there a quick hack to exploit?
We did our research, and are ready to share our findings. Due to the sheer amount of information, we had to break this publication into two parts. In today’s Part I, we’ll discuss the possibility of using a backdoor to hack our way into BitLocker. This publication will be followed by Part II, in which we’ll discuss brute-force possibilities if access to encrypted information through the backdoor is not available.
Exploiting the Backdoor
We love tools. We have lots of them. Some tools we have will seemingly do the same job, while achieving the result via different paths. One question we’re asked a lot is why ElcomSoft has two different tools for breaking BitLocker encryption. Really, why?
We offer Elcomsoft Forensic Disk Decryptor to decrypt BitLocker volumes, and we offer Elcomsoft Distributed Password Recovery (EDPR for short) to break BitLocker passwords. We also have a small tool called Elcomsoft Disk Encryption Info (part of Distributed Password Recovery) to display information about encrypted containers. What are these tools? What do they do, exactly, and which one do YOU need in YOUR investigation? It is time to unveil the secrets and shed light on these questions.
The Tools
Elcomsoft Forensic Disk Decryptor and Elcomsoft Distributed Password Recovery. Which one should you choose for your investigation?
To put it briefly, Elcomsoft Forensic Disk Decryptor and Elcomsoft Distributed Password Recovery use different approaches when gaining access to encrypted volumes. The choice primarily depends on whether or not you have certain bits of information extracted from the computer’s volatile memory (RAM). If you do, your job can become much easier.
Elcomsoft Forensic Disk Decryptor is designed to instantly decrypt disks and volumes using the decryption key extracted from the computer’s volatile memory (RAM). In addition, you can decrypt for offline analysis or instantly mount BitLocker volumes by utilizing the escrow key (BitLocker Recovery Key) extracted from the user’s Microsoft Account or retrieved from Active Directory. Elcomsoft Forensic Disk Decryptor works with physical disks as well as RAW (DD) images.
Elcomsoft Distributed Password Recovery, on the other hand, attempts to break (recover) passwords to disks and volumes by running an attack.
Did you get the impression that the two tools complement each other? We’ll be happy if you buy both, but in fact you’ll probably be using just one. The two tools attack different links in the security chain of BitLocker, PGP and TrueCrypt. We’ll discuss the two methods separately.
Let’s start with Elcomsoft Forensic Disk Decryptor. When we launched this product in 2012, we posted this article: ElcomSoft Decrypts BitLocker, PGP and TrueCrypt Containers. The publication describes the tool’s functionality and unique features. Since then, the world has witnessed the end of TrueCrypt, whereas PGP and BitLocker continue to exist with several updates (including a big security update for BitLocker in Windows 10 build 1511, the “November Update”). Today, Elcomsoft Forensic Disk Decryptor is in even greater demand than three years ago.
Elcomsoft Forensic Disk Decryptor has the ability to extract the original decryption key stored in the computer’s volatile memory (RAM). By extracting this key from a memory dump, the tool can use it to either mount the encrypted volume for on-the-fly access to files and folders (which is instant), or for decrypting the whole disk or volume at once in order to work with decrypted content (slower but bearable).
IMPORTANT: Use Elcomsoft Forensic Disk Decryptor to acquire volumes encrypted with BitLocker Device Protection. BitLocker Device Protection is a whole-disk encryption scheme that automatically protects certain Windows devices (such as tablets and ultrabooks equipped with TPM 2.0 modules) when the user logs in with their Microsoft Account. BitLocker Device Protection does NOT employ user-selectable passwords, and CANNOT be broken into by brute forcing anything. In certain cases, BitLocker escrow keys (BitLocker Recovery Keys) can be extracted by logging in to the user’s Microsoft Account via https://onedrive.live.com/recoverykey. The latest version of Elcomsoft Forensic Disk Decryptor (the one we’ve just released) has the ability to use these keys in order to decrypt or mount BitLocker volumes.
The moment the encrypted disk is mounted into the system (which is when you enter the password to access it, or provide the smart card, or use any other type of authentication), the system stores the encryption key in order to simplify accessing encrypted data. And since these keys are kept in system memory (regardless of the authentication method used), one can attempt to extract them.
There are several ways to get the original keys out of the system:
- Sometimes, the decryption key can be extracted from the hibernation file, which is created when the system is hibernated. The system dumps an image of the computer’s RAM into a file when entering hibernation; Windows uses the hiberfil.sys file to store this copy of system memory. However, some systems (e.g. slates with Connected Standby or Modern Standby, which are very likely to employ BitLocker Device Protection) may not use hibernation at all (Connected Standby is used instead until the system reaches a very low power state, after which it can either hibernate or shut down). More information on how to enable or disable hibernation is available at http://support.microsoft.com/kb/920730.
- You can also attempt to image a ‘live’ system using one of the many memory dumping tools (administrative privileges required). A complete description of this technique and a comprehensive list of tools (free and commercial) is available at http://www.forensicswiki.org/wiki/Tools:Memory_Imaging. We recommend MoonSols Windows Memory Toolkit (paid tool, no demo version, pricing on request with no contact form available) or Belkasoft Live RAM Capturer (free, immediately downloadable, minimal footprint and kernel-mode operation on 32-bit and 64-bit systems).
- The last option is available on certain systems equipped with a FireWire port. It is possible to directly access the memory of a computer (even if it is locked) via a FireWire port. There are several tools that can acquire memory using this technology, e.g. Inception (yes, it’s “that Python tool”).
If you are able to image the computer’s volatile memory while the encrypted disk is mounted, or if you have access to the system’s hibernation file, you can use Elcomsoft Forensic Disk Decryptor to analyze the memory image or hibernation file and detect and extract the decryption keys. You can then use these keys to have Elcomsoft Forensic Disk Decryptor decrypt the volume or mount it.
We can break the whole job down into just three steps:
- Obtain a memory dump or grab the hibernation file
- Analyze the dump and find encryption keys
- Decrypt or mount the disk
It’s worth mentioning that looking for a key can be time-consuming. Specifying the types of encryption keys (if you know what algorithm has been used) can save you a lot of time. If you don’t know what type of encryption was used, just select all of them.
Once the keys are discovered, the tool displays them and allows you to save them into a file. You can save multiple keys of different types into a single file.
Having the decryption keys, you can proceed to decrypting the disk. Specify the type of the crypto container, select the file with decryption keys, and click Next.
If the proper encryption keys are there, the tool will prompt you to either do a full decryption (creating a raw image that can be mounted or analyzed with a third-party tool) or mount the volume into the current system. Mounting is implemented via the ImDisk virtual disk driver (installed with Elcomsoft Forensic Disk Decryptor). Normally, you won’t need to change any settings and can simply press the Mount button.
As you can see, this method is convenient and efficient. Whether or not you can use it depends entirely on the possibility of acquiring the decryption key from the computer’s RAM image. Please have a look at the Elcomsoft Forensic Disk Decryptor product page to learn more about acquiring the decryption keys.
You are also welcome to check a quick EFDD video tutorial made by Sethioz.
What if you don’t have access to the decryption key? Elcomsoft Distributed Password Recovery uses a completely different approach. We’ll dwell on this in the second part of this article. Stay tuned and visit us in a day or two for the second part of this reading!
What is Bitlocker?
BitLocker is a full disk encryption feature included with selected editions of Windows Vista and later. It is designed to protect data by providing encryption for the entire volume. By default it uses the AES encryption algorithm in cipher block chaining (CBC) mode with a 128-bit or 256-bit key.
What is Bitlocker recovery key?
A BitLocker recovery key is also called a Microsoft recovery key or Windows recovery key by some users. It is a special key that was automatically generated when the specific drive was encrypted with Bitlocker drive encryption.
The Bitlocker recovery key is stored in a .BEK file with a name like BitLocker Recovery Key 444C8E16-45E7-4F23-96CE-3B3FA04D2189.BEK, as shown below:
Bitlocker recovery key format: 419595-387156-44334-315590-197472-399399-320562-361383
Bitlocker recovery key is used to unlock your Bitlocker drive when you forget the password or the password is not working.
What is Bitlocker recovery key ID?
The Bitlocker recovery key ID is the identifier of a Bitlocker recovery key. If a key's recovery key ID matches the one displayed for your drive, that key can unlock the drive. If the recovery key ID doesn't match the one displayed for your drive, you need to find the recovery key with the matching ID; otherwise, you cannot unlock that drive.
Where is Bitlocker recovery key stored?
Recovery key may be saved in a number of locations depending on the version of Windows OS you installed:
For Windows 7, where is Bitlocker recovery key stored?
- Recovery key may be stored as a txt file
- Recovery key may be stored to a USB flash drive
- Recovery key may be physically printed
For Windows 8, where is Bitlocker recovery key stored?
- Recovery key may be stored as a txt file
- Recovery key may be stored to a USB flash drive
- Recovery key may be physically printed
- Recovery key may be stored to your Microsoft account
For Windows 10, where is Bitlocker recovery key stored?
- Recovery key may be stored as a txt file
- Recovery key may be stored to a USB flash drive
- Recovery key may be physically printed
- Recovery key may be stored to your Microsoft account
- Recovery key may be stored to your Azure Active Directory account
So if you are a non-domain user, recovery key may be stored in your Microsoft account, USB flash drive, a txt file or printed paper.
If you are a domain user, the Bitlocker recovery key may be stored in Active Directory (AD); contact your administrator to get it.
How/Where to find Bitlocker recovery key?
There are 6 locations where a Bitlocker recovery key may be found, plus a last-resort option:
Option 1: In your Microsoft account
To retrieve a recovery key that was stored to OneDrive, visit https://account.microsoft.com/devices/recoverykey (the previous address, http://windows.microsoft.com/recoverykey, no longer works), sign in with your Microsoft account, and you will see the recovery key.
Option 2: Find Bitlocker recovery key on a USB flash drive
To find the recovery key, insert that USB flash drive into your computer and view it.
Option 3: Find the Bitlocker recovery key in a txt file
The recovery key may have been saved as a txt file on your computer. If you have not deleted it, search your computer for Bitlocker Recovery Key.txt.
Option 4: Find the Bitlocker recovery key in a document
If you printed the Bitlocker recovery key using 'Microsoft Print to PDF', search your computer for the resulting PDF file.
Option 5: In Active Directory
If you are a domain user, the recovery key may be saved in Active Directory (AD); contact your administrator to get it.
The Bitlocker Recovery Password Viewer can locate and view BitLocker recovery keys that are stored in Active Directory (AD).
In Active Directory Users and Computers, locate and then click the container in which the computer is located. For example, click the Computers container.
Right-click the computer object, and then click Properties.
In the ComputerName Properties dialog box, click the BitLocker Recovery tab to view the BitLocker recovery keys that are associated with the particular computer.
Option 6: In your Azure Active Directory account
For work PCs where you sign in with an Azure Active Directory account, open the device info in your Azure Active Directory account and get the recovery key from there.
Option 7: Using a Bitlocker password brute-force cracking tool
Refer to: How to unlock Bitlocker drive without password and recovery key?
How to verify if the Bitlocker recovery key is correct?
To verify that a Bitlocker recovery key is the correct one, compare the start of the full Bitlocker recovery key identifier with the recovery key ID value displayed for the drive.
How to find Bitlocker recovery key ID value?
For the Bitlocker encrypted operating system volume, Bitlocker recovery key ID is displayed on the BitLocker recovery screen.
For Bitlocker encrypted data drive, BitLocker recovery key ID is displayed when users click on 'More options' and then on Enter recovery key in the wizard to unlock a Bitlocker drive.
How to get Bitlocker recovery key with key ID?
If you can find the Bitlocker recovery key txt file, or you saved the Bitlocker recovery key in your Microsoft account, AD or Azure AD, you can pick out the correct Bitlocker recovery key by its key ID. Otherwise, there is no way to get the Bitlocker recovery key. More details on finding the Bitlocker recovery key...
To verify that it is the correct Bitlocker recovery key, compare the start of the full Bitlocker recovery key identifier with the recovery key ID value that is displayed for your Bitlocker drive.
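Added example (not code from this page or from any vendor tool): it applies the documented format rules for the 48-digit recovery password (8 groups of 6 digits, each group a multiple of 11 and below 720896) and the key ID comparison described above, so a recovery password copied from a txt file, printout or AD can be sanity-checked before you rely on it. The .BEK file name and the sample password quoted from this page are reused as input; the other identifiers and passwords are constructed.

```python
"""Sanity checks for a transcribed BitLocker recovery password and its key ID."""
import re
from typing import List, Optional, Sequence, Tuple

GROUP_COUNT = 8
GROUP_DIGITS = 6
GROUP_LIMIT = 720896  # documented bound: each 6-digit group is a multiple of 11 below this value
GUID_RE = re.compile(r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}")

def check_recovery_password(password: str) -> List[str]:
    """Return the format problems found (an empty list means a well-formed 48-digit recovery password)."""
    problems = []
    groups = password.strip().split("-")
    if len(groups) != GROUP_COUNT:
        problems.append(f"expected {GROUP_COUNT} groups, got {len(groups)}")
    for idx, group in enumerate(groups, start=1):
        if not (group.isascii() and group.isdigit() and len(group) == GROUP_DIGITS):
            problems.append(f"group {idx} ({group!r}) is not {GROUP_DIGITS} digits")
            continue
        value = int(group)
        if value >= GROUP_LIMIT:
            problems.append(f"group {idx} ({group}) is too large")
        if value % 11:  # the last digit of each group is a check digit, enforced via divisibility by 11
            problems.append(f"group {idx} ({group}) fails the check digit")
    return problems

def identifier_from_bek_name(filename: str) -> str:
    """Extract the full protector GUID from a 'BitLocker Recovery Key <GUID>.BEK' file name."""
    match = GUID_RE.search(filename)
    if match is None:
        raise ValueError(f"no key identifier found in {filename!r}")
    return match.group(0).upper()

def key_id_matches(full_identifier: str, displayed_id: str) -> bool:
    """The recovery screen shows only the leading part of the GUID; compare case-insensitively."""
    full = full_identifier.strip().strip("{}").upper()
    shown = displayed_id.strip().strip("{}").upper()
    return bool(shown) and full.startswith(shown)

def select_recovery_password(saved_keys: Sequence[Tuple[str, str]], displayed_id: str) -> Optional[str]:
    """Pick the saved (identifier, password) entry that matches the displayed ID and is well-formed."""
    for identifier, password in saved_keys:
        if key_id_matches(identifier, displayed_id) and not check_recovery_password(password):
            return password
    return None

# Constructed sample data; only BEK_NAME and PAGE_SAMPLE are quoted from the page.
BEK_NAME = "BitLocker Recovery Key 444C8E16-45E7-4F23-96CE-3B3FA04D2189.BEK"
PAGE_SAMPLE = "419595-387156-44334-315590-197472-399399-320562-361383"
VALID_SAMPLE = "111111-222222-336633-123420-654324-700007-098010-050094"
OTHER_SAMPLE = "222222-111111-050094-098010-700007-654324-123420-336633"
TOO_LARGE_SAMPLE = "720896-222222-336633-123420-654324-700007-098010-050094"
SAVED_KEYS = [
    ("0A1B2C3D-0000-4000-8000-000000000001", OTHER_SAMPLE),  # hypothetical identifier
    (identifier_from_bek_name(BEK_NAME), VALID_SAMPLE),
]

if __name__ == "__main__":
    print("page sample:", check_recovery_password(PAGE_SAMPLE))  # third group has only 5 digits
    print("key for 444C8E16:", select_recovery_password(SAVED_KEYS, "444C8E16"))
```

Run against the page's own printed sample, the check reports that the third group has only five digits, which is exactly the kind of transcription slip the check digit and length rules are there to catch before you type the key at the recovery screen.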
Can't find Bitlocker recovery key, what to do?
If you cannot get Bitlocker recovery key with key ID, there are two Bitlocker brute-force cracking tools you can try.
1. Recover the lost Bitlocker recovery key with Passware Kit
Passware Kit scans the physical memory image file and the system hibernation file (hiberfil.sys), extracts all the encryption keys, and decrypts the Bitlocker encrypted volume. Refer to How to decrypt Bitlocker volume with Passware Kit?
2. Recover the lost Bitlocker recovery key with Elcomsoft Forensic Disk Decryptor
Elcomsoft Forensic Disk Decryptor can extract data from a Bitlocker encrypted volume by utilizing the binary encryption key held in the computer's RAM. It finds and extracts that key by analyzing a memory dump or the hibernation file.
What is Bitlocker recovery?
BitLocker recovery is the process by which you can restore access to a Bitlocker drive in the event that you cannot unlock Bitlocker drive normally.
If it is a Bitlocker encrypted operating system drive, connect it to another computer or find a Bitlocker recovery boot disk to rescue your data.
How to do Bitlocker recovery?
Unlike common data recovery, Bitlocker recovery requires intact Bitlocker metadata and password or Bitlocker recovery key to decrypt data.
Bitlocker recovery scenarios
1. If your Bitlocker drive is in good condition, just enter the password or recovery key to unlock Bitlocker drive.
2. If you forget the password or recovery key, unlocking drive is still possible. Refer to: How to unlock Bitlocker drive without password and recovery?
3. If your Bitlocker encrypted computer is experiencing Bitlocker recovery screen issue, enter recovery key to pass Bitlocker recovery screen.
4. If your Bitlocker drive keeps asking for recovery key, enter the recovery key or use M3 Data Recovery to rescue your data.
5. If your Bitlocker drive doesn't accept the correct password or recovery key, use M3 Data Recovery to recover your data.
6. If your Bitlocker drive failed, the only way is to recover data with M3 Data Recovery.
7. If your Bitlocker drive is corrupted or damaged, M3 Data Recovery can rescue your data.
8. If your Bitlocker partition is deleted or lost, M3 Data Recovery can find the previous Bitlocker partition and recover data.
9. If Bitlocker drive is formatted by Windows 7/8/10 built-in format tool, formatting has damaged Bitlocker metadata so that lost data cannot be recovered. If you formatted Bitlocker drive by other tool or other operating system, recovering data from formatted Bitlocker drive is possible.
10. If your Bitlocker drive is not recognized by Disk Management or Device Manager, send it to a local data recovery professional for help.
Bitlocker recovery software: M3 Data Recovery
Sometimes, the password and recovery key won't unlock the Bitlocker drive. In this situation, professional Bitlocker recovery software is needed.
M3 Data Recovery is a professional Bitlocker data recovery software. It can recover lost data from failed, corrupted, lost or deleted Bitlocker partition, etc. after supplying the password or recovery key.
Tutorial to recover lost data from Bitlocker drive:
Step 1: Download, install and launch M3 Data Recovery on your Windows computer.
Step 2: Choose Bitlocker Recovery module, select Bitlocker drive and click Next to continue.
Step 3: Enter the password or 48-digit Bitlocker recovery key to decrypt data from Bitlocker drive.
Step 4: M3 Data Recovery scans and decrypts the data from the selected Bitlocker drive.
Step 5: After all your files are found, preview the documents and photos and play the videos and audio files to see if your lost files are recoverable.
Step 6: Select the needed files and click 'Recover' to start the recovery.
If you find some recovered files cannot be opened, please check 'Enable brute-force decryption' option and recover them again.
Recovery key FAQ
Q: I cannot find recovery key, how to unlock Bitlocker drive?
A: If you don't have the password either, a Bitlocker password brute-force cracking tool is the only way.
Q: How to get the Bitlocker recovery key with the recovery key ID?
A: If you are a domain user, contact your administrator to get Bitlocker recovery key according to the recovery key ID.
Q: Bitlocker drive doesn't accept the password and recovery key, how to unlock it?
A: In this situation, Bitlocker drive has been corrupted, try M3 Data Recovery to recover lost data.
Q: Why does Bitlocker recovery screen prompt for recovery key every boot Windows 10/8/7?
A: You may encounter an issue that makes BitLocker ask for a recovery key on every boot. For example, if BitLocker sees a new device in the boot list or an attached external storage device, it will prompt for the recovery key for security reasons.
Q: What causes Bitlocker to ask for recovery key?
A: Boot order is changed. The hardware has been changed. The password information has been completely erased from the Bitlocker metadata due to accidental unplugging, virus attack, etc.
Q: Is there a Bitlocker recovery key generator?
A: No, every Bitlocker drive has its own unique Bitlocker recovery key.