What is a BitLocker Drive Encryption startup key or PIN?

When you use BitLocker Drive Encryption, you need a BitLocker Drive Encryption startup key or personal identification number (PIN) to start your computer.

BitLocker stores its own encryption and decryption keys in the Trusted Platform Module (TPM), a special security microchip in some newer computers that supports advanced security features. The keys are not stored on the computer's hard disk. The TPM must be accessible to the basic input/output system (BIOS) during startup. When you start your computer, BitLocker gets these keys from the TPM automatically.

Note

  • Some of the following BitLocker features and settings can be enabled by Group Policy settings.

If your computer was not manufactured with TPM version 1.2 or higher, you can create a BitLocker startup key using a USB flash drive to store the encryption keys and decryption keys. You will have to insert the flash drive each time you start the computer.

In addition to the option of creating a startup key, you have the option of creating a startup personal identification number (PIN). You can create either the startup key or the startup PIN, but not both. The startup PIN can be any number that you choose from 4 to 20 digits in length. The PIN is stored on your computer. You will have to type the PIN each time you start the computer.

You can only create a startup key or PIN when you turn on BitLocker for the first time. After you create the startup key or PIN, you can use the BitLocker Manage Keys feature to change the PIN. You can also make additional copies of the startup key to use in case you lose the original.

The following table describes important BitLocker terminology.

Term: TPM ownership password
What it means: This is a password that is set up to associate the TPM chip with your computer. This is done automatically by the BitLocker wizard, unless you have set it up ahead of time. You will only need this password if your TPM chip was set up before you enabled BitLocker.

Term: Recovery password
What it means: This is a user-readable 48-digit number that can be stored on a USB flash drive, in a folder on another drive, or printed out. You will only need the recovery password if you have a problem with your computer (such as a defective power supply), or if you move your hard disk to another machine. When BitLocker saves the recovery password to a USB flash drive, it also saves a machine-readable version, so you can simply plug in the drive rather than typing the long password. If the USB flash drive is not available, you will have to type in the 48-digit password.

Notes

  • If you create a backup for your startup key or PIN, or you create a recovery password, make sure you store them on separate removable media.

  • Assistive technology software that runs on Windows, such as screen reading software, cannot read BitLocker startup screens because they are displayed during BIOS startup and before Windows runs. This includes screens used when you type a PIN or recovery password, and any BitLocker error messages.

To copy your BitLocker keys or change your startup PIN

  1. Open BitLocker Drive Encryption by clicking the Start button, clicking Control Panel, clicking Security, and then clicking BitLocker Drive Encryption. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

  2. Click Manage keys, and then follow the instructions.
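The following script is an added example, not part of this help article: it lists which of the protectors described above (TPM, startup PIN, startup key, recovery password) each BitLocker volume has and warns when a volume has no recovery password to fall back on. It assumes the BitLocker PowerShell module (Windows 8 and later, which this article does not cover) and an elevated prompt; the protector names are the KeyProtectorType values returned by Get-BitLockerVolume.

```powershell
# Added example (not from the original article). Assumes the BitLocker
# PowerShell module; run from an elevated PowerShell prompt.
function Test-BitLockerProtectors {
    param([string[]]$MountPoint = (Get-BitLockerVolume).MountPoint)

    foreach ($mp in $MountPoint) {
        $vol   = Get-BitLockerVolume -MountPoint $mp
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

        # TpmPin = startup PIN, TpmStartupKey = startup key used with a TPM,
        # ExternalKey = startup key on a USB flash drive without a TPM.
        $hasStartup  = ($types -contains 'TpmPin') -or
                       ($types -contains 'TpmStartupKey') -or
                       ($types -contains 'ExternalKey')
        $hasRecovery = ($types -contains 'RecoveryPassword')

        [pscustomobject]@{
            MountPoint       = $mp
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ', ')
            StartupKeyOrPin  = $hasStartup
            RecoveryPassword = $hasRecovery
        }

        # Without a recovery password there is no way back in if the TPM,
        # startup key or PIN becomes unavailable.
        if (-not $hasRecovery) {
            Write-Warning ("{0} has no recovery password protector; add one with " +
                "Add-BitLockerKeyProtector -MountPoint {0} -RecoveryPasswordProtector " +
                "and store the 48-digit password on separate removable media.") -f $mp
        }
    }
}

Test-BitLockerProtectors
```

The Write-Warning line only reports a missing protector; adding one and backing it up remain deliberate administrator actions, as the article's note on separate removable media advises.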