Written by Wilsey Young
Summary: This post revolves around the BitLocker startup key and introduces the steps to enable it. The difference between the BitLocker startup key and the recovery key is also discussed in the post.
BitLocker is a drive encryption feature built into the Windows operating system. It protects your data by encrypting an entire drive or a specific partition, ensuring that only authorized users can access the encrypted content.
BitLocker supports multifactor authentication, providing an extra protection layer on the encrypted drives. This post mainly discusses what the BitLocker startup key is and how to set it up on Windows. You will also understand the difference between the BitLocker startup key and the recovery key.
Reddit discussions on BitLocker startup key
Quite a lot of people know little about the BitLocker startup key: they are curious about what happens once the startup key is enabled, and they are confused about the difference between the BitLocker startup key and other authentication methods.
The discussion in the following Reddit post epitomizes these situations. The questioner asked whether enabling the BitLocker startup key means users will need to type the 48-digit recovery key whenever an intrusion is detected.
Bitlocker TPM startup key vs. no startup key
by u/ReverenceForLife in sysadmin
What is the BitLocker startup key?
The BitLocker startup key is a key stored on a USB flash drive. The USB flash drive must be inserted every time your PC starts, which means the system will only boot successfully if the USB flash drive containing the startup key is inserted.
The BitLocker startup key provides another factor of authentication and a higher level of security: the BitLocker-encrypted drive cannot be accessed unless the required physical USB drive is provided, even if the computer or drive is stolen or tampered with.
Note: You must have a BitLocker startup key to use BitLocker on a non-TPM computer.
BitLocker startup key vs recovery key
We list some differences between the BitLocker startup key and the recovery key for your reference:
Where are they from?
- If you enable the BitLocker startup key, a BEK file (namely the startup key) is generated and stored on the inserted USB flash drive.
- BitLocker recovery key is automatically generated during the setup of BitLocker, and you'll be prompted to save the recovery key.
What do they look like?
- Essentially, the BitLocker startup key is a BEK file stored on the USB flash drive, and it's only visible when the "Show hidden files" option is enabled.
- BitLocker recovery key contains 48 digits divided into 8 groups, and you'll be prompted to print it out, save it to a file, save it to a USB flash drive, or save it to your Microsoft account.
Where are they used?
- A USB flash drive containing the BitLocker startup key must be inserted every time the computer starts so that the operating system can boot as usual.
- BitLocker recovery key serves as a fallback mechanism used to unlock the encrypted drive when BitLocker detects significant hardware changes, Windows updates, or possible unauthorized access. When a normal authentication method, such as a password, fails, a recovery key is a last-resort way to regain access to the encrypted drive.
How to enable the BitLocker startup key?
You can follow the steps below to set the BitLocker startup key:
- Enable BitLocker.
- Press the "Win+R" keys to open the "Run" dialog box, type "gpedit.msc" in the box, and hit the "Enter" key on your keyboard.
- Go to: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
- Double-click "Require additional authentication at startup" on the right.
- Click "Enabled."
- Expand the "Configure TPM Startup Key" options and select "Require Startup Key With TPM".
- Click "Apply" and "OK."
- Connect a USB flash drive to your PC.
- Type "cmd" in the Windows search box and select "Run as administrator."
- Copy and paste the following command and hit the "Enter" key, replacing the letter x with the actual USB drive letter (shown in File Explorer): manage-bde -protectors -add c: -TPMAndStartupKey x:
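The same setup can be done with the BitLocker PowerShell cmdlets, with the checks an administrator would want before adding a factor that blocks boot when the USB drive is missing. This is an added example, not code from the original post; the drive letters, the TrustedPlatformModule and BitLocker modules, and the Get-Tpm cmdlet are assumptions about the machine it runs on.

```powershell
# Added example: add a TPM + startup key protector with PowerShell instead of manage-bde.
# Assumes Windows 10/11 with BitLocker, the BitLocker and TrustedPlatformModule modules,
# and an elevated prompt. Drive letters are placeholders: replace $UsbDrive with the
# letter of the USB flash drive shown in File Explorer.
param(
    [string]$OsDrive  = "C:",
    [string]$UsbDrive = "X:"
)

# 1. "Require Startup Key With TPM" needs a present and ready TPM.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "No ready TPM found; a TPMAndStartupKey protector cannot be used on this machine."
}

# 2. BitLocker must already be enabled on the OS drive (step 1 of the post).
$vol = Get-BitLockerVolume -MountPoint $OsDrive
if ($vol.VolumeStatus -eq "FullyDecrypted") {
    throw "BitLocker is not enabled on $OsDrive; enable it before adding a startup key."
}

# 3. Confirm a recovery password exists: it is the fallback if the USB drive is lost.
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword"
if (-not $recovery) {
    throw "No recovery password protector on $OsDrive; add and back one up first."
}

# 4. Add the protector; the .bek file is written to the root of the USB drive.
if (-not (Test-Path "$UsbDrive\")) { throw "USB drive $UsbDrive is not present." }
Add-BitLockerKeyProtector -MountPoint $OsDrive -TpmAndStartupKeyProtector `
    -StartupKeyPath "$UsbDrive\" | Out-Null

# 5. Verify: the volume lists a TpmAndStartupKey protector and the hidden .bek file exists.
$vol = Get-BitLockerVolume -MountPoint $OsDrive
$tsk = $vol.KeyProtector | Where-Object KeyProtectorType -eq "TpmAndStartupKey"
$bek = Get-ChildItem -Path "$UsbDrive\" -Filter "*.bek" -Force -ErrorAction SilentlyContinue
if ($tsk -and $bek) {
    "TpmAndStartupKey protector $($tsk.KeyProtectorId) added; key file: $($bek.Name)"
} else {
    throw "Protector or .bek file not found; inspect Get-BitLockerVolume $OsDrive."
}
```

Keep the USB drive and the recovery key in separate places: the recovery password is the only way back in if the startup key drive is lost or damaged.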