The safest place to keep a BitLocker Key

Home  »  Solutions  »  The BitLocker Use Case – The safest place to keep a BitLocker Key

The BitLocker Use Case - The safest place to keep a BitLocker Key

SecureUSB is the Perfect Solution for backing up your Bitlocker Recovery Key.


The safest way to have access to your bitlocker encrypted information is by utilizing a usb flash drive as a backup key. Anyone who has access to this key has access to your information; which means that this key has to remain accessible only to selected individuals. If you use a regular USB flash drive your key and your information is accessible to anyone in possession of it. In order to avoid this situation it is best to use a hardware encrypted flash drive such as SecureUSB. SecureUSB is 256 AES hardware encrypted with brute force protection. This means that only individuals with the correct PIN can access your Bitlocker recovery key, giving you full control of your encrypted data.


BitLocker Key Backup to SecureUSB

What is BitLocker?

BitLocker is a built-in security feature on Windows 8 and 10 (Professional or Enterprise) versions which provides Full Volume AES 128-bit or 256-bit software encryption. By Default, it is not enabled in most computers but can easily be configured using the steps outlined below. Enabling BitLocker protects your files on non-hardware encrypted devices from getting into the wrong hands. The best way to maximize its potential is by storing the backup keys in the safest place possible, a SecureUSB Flash Drive.


BitLocker already uses a Password, why do I need a Backup Key?

A backup key is necessary if the password is not available. BitLocker protected drives can be accessed by inputting a password into the dialog box when prompted, but there is no “challenge and response” method or hint to reset the password. In an organizational setting, users may be unavailable or unwilling to provide the password. Without the Backup Key, there is no way to successfully access the data.


What is a BitLocker Backup Key?

A BitLocker recovery key is used to decrypt or gain access to the data if the Password is not available. There are several ways in which the setup process will generate this key.


  1. Save to USB Flash Drive
  2. Print it out (48 digits)
  3. Save a file
  4. Preconfigure recovery agent certificate on Active Directory
  5. Store in Microsoft Online Account


The SecureUSB hardware encrypted flash drive has secure authentication methods to make it the ideal storage solution for backup keys.


Why take extra steps to protect a Bitlocker Backup Key?

In certain situations it is necessary to protect your Bitlocker Backup Key. An employee may leave a company, a user can forget their password, pass away, or any other scenario will leave the password unavailable. In this case, the backup key can be used to access the data or device.. Alternatively, if the BitLocker Backup Key gets into the wrong hands, then your device can easily be accessible and the BitLocker can be bypassed. That is why it is important that the backup key be stored in a safe place. The best place to store your BitLocker Backup Key is a hardware encrypted storage device, such as the SecureUSB. The device is portable and easy to travel with while still being hacker proof because of its 256-bit AES XTS hardware encryption. Add in the fact that SecureUSB also offers brute force hacking protection and you can rest assured that no unauthorized users will gain access to your backup key or your sensitive information.


Why not save the backup key in the Windows Online account?

A Windows online account does not provide the same amount of protection as it:


  1. Cannot be accessed without Internet
  2. Can be compromised through Internet
  3. Password for online account can be key logged or compromised


Select a FIPS Validated Secure Storage for your BitLocker Backup Key Today

SecureDrive BT
SecureUSB BT
SecureDrive KP
SecureUSB KP

Dailies - The Secure Transport Use Case

How to configure BitLocker Encryption?

Caution: Before processing it is a good idea to create a backup of your “User Data” (pictures, videos, documents, databases, office files, etc.). We recommend backing up to a SecureUSB flash drive.


  1. Enable TPM module. Navigate to “Local Group Policy Editor” >> (under Computer Configuration) Administrative Templates >> Windows Components >> BitLocker Drive Encryption >> Operating System Drives. Double Click on “Require additional authentication at startup” – switch to “Enable”. Click Apply, then OK.
  2. Navigate to “This PC”.
  3. Right click on the “Local Disk (C :)”- this is the default OS drive. Click “Turn On BitLocker”.
  4. Allow a minute for it to configure and click “Next”. Depending on the size of the hard drive it may take some time.
  5. Restart your Computer.
  6. BitLocker window will appear after successful User Login, click “Next” in the dialog box.
  7. Choose how to unlock your drive at Startup, Select “Enter Password”, click “Next”
  8. Backup your recovery Key: This is not a password, it is a 48-digit key, in case the password is forgotten. For total security, we recommend you backup to “Save to a USB Flash Drive”. If you back up to a Windows Account, it can be compromised. The Save to file can become corrupt, deleted, infected with ransomware, or lost. Using the SecureUSB will provide an isolated protected vault with an independent authentication method to access the recovery key.
  9. Unlock and Insert SecureUSB into USB slot. Click “Save” in the Dialog box to save the recovery key to your SecureUSB. Click “Next”.
  10. Lastly, make the selection to encrypt the entire hard drive or just used space. (Use prompt suggestion to choose the best option). Click “Next” and “Continue”. Restart your computer.


Your drive is now encrypted. Once restart is complete it will ask you for the password.


The Method in Step 9 now becomes the only way to recover your data if your password is forgotten/unavailable or if the OS drive becomes corrupt or infected with Virus/Ransomware. It is important that your backup solution for recovering your data is a trusted method. The FIPS validated SecureUSB is the most secure storage solution that comes pre-loaded with USB antivirus.


* Please note that BitLocker on OS drives cannot be enabled on computers currently part of an Active Directory. However, external drives and removable media can still be encrypted using BitLocker following the same steps.