BitLocker - how to create recovery key?

Bitlocker can unlock your drive with various types of Protectors such as TPM, Password, and Recovery Key.

To see the available types, run:

    manage-bde -protectors d: -get
    

You’ll see the 48-digit password that is the BitLocker recovery key under “Numerical Password”:

A “Recovery Key” or “Startup Key” has a corresponding “External Key”, which is saved in a .BEK file. These two Protectors are not mandatory, so your drive may not have one assigned.

To save the .BEK key file you need an “External Key” protector listed when you run the above command.

If missing, you can add a Recovery Key to the drive with the command below, which will also back it up to a .BEK file in, for example f:\folder:

    
    manage-bde -protectors -add d: -RecoveryKey f:\folder
    

Then, when you run the command below it will save a .BEK file to the directory f:\folder:

    manage-bde -protectors -get d: -sek f:\folder
    

Finally the problem was that the Numerical Password protector, also known as RecoveryPassword was missing, as it was probably not specified when the volume was locked.

An example of a command to enable BitLocker on the C drive, store the recovery key on the Y drive, and generate a random recovery password, is:

    manage-bde -on C: -RecoveryKey Y: -RecoveryPassword
    

If the paramater RecoveryPassword was not specified when enabling BitLocker, this protector can later be added by using the command:

   manage-bde –protectors –add C: -RecoveryPassword