Written by Wilsey Young
Summary: This post primarily discusses what BitLocker key protectors are and how important they are for enhancing the security of BitLocker Drive Encryption. This post also shows how to check all BitLocker key protectors via Command Prompt.
BitLocker is a full-disk encryption feature built into certain versions of Windows. It protects your data by encrypting the entire drive with the Advanced Encryption Standard (AES). BitLocker key protectors ensure that only authorized users can access the data on the encrypted drive, protecting it against unauthorized access, tampering, or theft.
Many Windows users wonder what exactly BitLocker key protectors are and how important they are to the BitLocker Drive Encryption feature and its users. Let's dive into BitLocker key protectors and their significance.
What are BitLocker key protectors?
A BitLocker key protector is a method or mechanism used to unlock a BitLocker-encrypted drive, ensuring that only authorized users holding a legitimate key protector can access the encrypted data. Without properly configured key protectors, your BitLocker-encrypted drive is more vulnerable to unauthorized access.
Key protectors can be configured when BitLocker is enabled or at any time afterwards, and multiple types can be applied to one drive for flexibility in different situations, so that another protector is available if the primary one fails to unlock the drive.
Most common BitLocker key protectors
BitLocker uses key protectors to manage access to the encryption key. Below are the most common types of key protectors:
TPM (Trusted Platform Module) chip
A TPM chip is a hardware security component built into most modern computers. It is a nearly ubiquitous BitLocker key protector that plays a crucial role in storing the encryption key and verifying system integrity.
If the TPM detects unauthorized access or changes to the hardware, operating system, or BIOS/UEFI firmware, it will not release the key needed to unlock the drive. Instead, the BitLocker recovery (blue) screen appears during Windows startup, and the user must enter the recovery key to unlock the drive before the system can boot.
BitLocker recovery key
The BitLocker recovery key is a 48-digit numerical password, divided into 8 groups of 6 digits. This key protector is important because it can unlock the BitLocker-encrypted drive when no other protector is available, particularly when the BitLocker recovery screen appears after a hardware change, a suspected unauthorized access attempt, or a similar event.
Unlike a user-defined password or PIN, the BitLocker recovery key is generated automatically during BitLocker setup, and it can be backed up in several ways, including to your Microsoft account.
TPM with PIN
The TPM can be combined with a PIN (Personal Identification Number) set by the user. This key protector requires the user to enter the PIN during system startup before the drive is unlocked and the system can boot. It is suitable for individuals or enterprises that require a higher level of security.
Password
A password is the key protector commonly used for removable storage devices (e.g. USB flash drives) encrypted with BitLocker To Go. The password must be entered manually each time you access the drive.
Startup key
This key protector is a key file stored on a USB drive. The USB drive containing the startup key must be inserted into the computer during boot to unlock the BitLocker-encrypted drive and let the system start.
As a side note, BitLocker can also be enabled on a computer without a compatible TPM chip, and a startup key is a practical protector in that case.
Smart card
This key protector is a physical smart card holding a cryptographic certificate. When a smart card protector is applied, you must insert the smart card and enter its PIN to unlock the drive.
Note that a smart card cannot be used to protect the system drive: the drivers needed to read a matching smart card cannot be loaded until the BitLocker-encrypted system drive has already been unlocked.
Automatic unlock (auto-unlock)
BitLocker auto-unlock is a key protector that lets a configured BitLocker-encrypted drive unlock automatically when your PC boots. In other words, when it is enabled you do not have to enter a password or recovery key every time you access the encrypted drive.
BitLocker network unlock
BitLocker Network Unlock allows BitLocker-encrypted drives to unlock automatically when the computer is connected to a trusted network. This key protector is better suited to enterprises or organizations that require high security and flexibility at the same time.
Bonus tip: How to check all BitLocker key protectors on Windows
You can check all BitLocker key protectors configured on Windows via Command Prompt. Here's how:
- Type cmd in the Start menu search bar and choose “Run as administrator.”
- Type the following command and press Enter. Note: replace the letter “C” with another drive letter as needed.
manage-bde -protectors -get c:
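To go beyond listing protectors for one drive, the following PowerShell script (an added example, not part of the original post) audits every volume and flags the weaker configurations discussed above: protection turned off, no recovery password to fall back on, an OS drive protected by the TPM alone rather than TPM with PIN, and data drives relying on auto-unlock. It assumes the BitLocker PowerShell module (Get-BitLockerVolume) is present for the live check; the sample volume objects are constructed so the logic can be tried without it.

```powershell
# Added example: audit BitLocker key protectors on every volume.
# Assumes objects shaped like Get-BitLockerVolume output:
#   MountPoint, VolumeType, ProtectionStatus, KeyProtector[].KeyProtectorType
function Test-BitLockerProtectors {
    param([Parameter(Mandatory)] [object[]] $Volumes)

    foreach ($vol in $Volumes) {
        $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        $findings = @()

        if ("$($vol.ProtectionStatus)" -ne 'On') {
            $findings += 'protection is OFF: the drive unlocks without any protector'
        }
        if ($types -notcontains 'RecoveryPassword') {
            $findings += 'no recovery password: nothing to fall back on if the primary protector fails'
        }
        if ("$($vol.VolumeType)" -eq 'OperatingSystem' -and $types -contains 'Tpm' -and
            -not ($types -contains 'TpmPin' -or $types -contains 'TpmPinStartupKey')) {
            $findings += 'TPM only: consider TPM with PIN for a higher level of security'
        }
        if ("$($vol.VolumeType)" -ne 'OperatingSystem' -and $types -contains 'ExternalKey') {
            $findings += 'auto-unlock: the drive opens without a credential once Windows boots'
        }

        $summary = if ($findings.Count -gt 0) { $findings -join '; ' } else { 'OK' }
        [pscustomobject]@{
            MountPoint = $vol.MountPoint
            Protectors = ($types -join ', ')
            Findings   = $summary
        }
    }
}

# Constructed sample (not real output): an OS drive with TPM only plus a
# recovery password, and a data drive that is auto-unlocked with no recovery password.
$sample = @(
    [pscustomobject]@{ MountPoint = 'C:'; VolumeType = 'OperatingSystem'; ProtectionStatus = 'On'
        KeyProtector = @([pscustomobject]@{ KeyProtectorType = 'Tpm' },
                         [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }) },
    [pscustomobject]@{ MountPoint = 'D:'; VolumeType = 'Data'; ProtectionStatus = 'On'
        KeyProtector = @([pscustomobject]@{ KeyProtectorType = 'ExternalKey' }) }
)
Test-BitLockerProtectors -Volumes $sample | Format-Table -AutoSize

# On a real machine, run from an elevated prompt with the BitLocker module present.
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    Test-BitLockerProtectors -Volumes (Get-BitLockerVolume) | Format-Table -AutoSize
}
```

The sample run reports C: as "TPM only" and D: as both "no recovery password" and "auto-unlock", which is the same information manage-bde -protectors -get shows per drive, summarized for all drives at once.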