BitLocker is a built-in full-disk encryption solution by Windows for securing your data in case your PC or laptop is stolen or otherwise ends up in the hands of a third party. Recent news that Microsoft routinely hands over BitLocker backup keys(nové okno) to law enforcement agencies (such as the FBI) has put a spotlight on whether its safe to use BitLocker (and its cut-down version, Device Encryption).
- What is BitLocker?
- BitLocker vs. Device Encryption
- How does BitLocker work?
- What is a BtitLocker recovery key?
- Where is the recovery key stored?
- Is BitLocker safe?
- Can the FBI get my data?
- Alternative encryption solutions
- Final thoughts
What is BitLocker?
BitLocker is a full-disk encryption feature built into Microsoft Windows. It encrypts your entire system drive so that your critical data is protected if your device is lost, stolen, or accessed without authorization.
Full-disk encryption means that all files on the disk are encrypted. It doesn’t encrypt individual files, but you can (optionally) use it to encrypt your other (non-system) drives.
Strictly speaking, BitLocker is only available on Windows Pro, Enterprise, and Education editions. However, Windows Home includes Device Encryption (enabled by default on supported hardware and when signed in with a Microsoft account). This uses the same technology as BitLocker, but is much less configurable.
BitLocker vs. Device Encryption
Device Encryption is a simplified, automatic BitLocker configuration with fewer options. With BitLocker:
- You get full BitLocker controls
- You can choose how keys are protected (PIN, USB key, etc.)
With Device Encryption:
- You cannot manage encryption settings in detail
- You cannot require a startup PIN
- The recovery key is automatically backed up to your Microsoft account
- Requires a Trusted Platform Module (TPM) (see below)
- Encryption may turn on automatically when you sign in with a Microsoft account
How does BitLocker work?
When your Windows PC is powered off, or the disk is otherwise offline, the entire drive remains encrypted. On most modern Windows systems, the encryption key is protected by a small security chip on the motherboard called a Trusted Platform Module (TPM), which only releases the key if the system hasn’t been tampered with. This hardware-based protection is one of the main reasons Microsoft requires TPM 2.0 support for Windows 11.
When you start your PC, the TPM performs integrity checks before Windows loads. These checks look for signs of tampering and can also be triggered by significant changes to your device’s hardware, firmware, or boot configuration.
If everything looks normal, the TPM automatically releases the encryption key and BitLocker unlocks the drive, allowing Windows to start normally. This process happens in the background, so you usually don’t notice it.
An important difference between BitLocker and Device Encryption is flexibility. Device Encryption is a simplified version of BitLocker that requires a TPM and works automatically, while BitLocker can also be used without a TPM by relying on alternatives such as a password, PIN, or USB security key.
If the TPM detects an issue (or if your alternative security measures aren’t met), BitLocker will ask for your recovery key. Without the recovery key, Windows won’t load and your data remains securely encrypted, preventing unauthorized access.
What is a BitLocker recovery key?
A BitLocker recovery key is a 48-digit numerical backup that lets you unlock your BitLocker-encrypted drive if you can’t access it through your normal method (password, PIN, TPM, etc.).
Where is the recovery key stored?
That depends on your Windows edition and setup:
Windows Home (using Device Encryption):
The key is automatically saved to your Microsoft account.
- To find it (on a different device if your PC won’t boot), go to account.microsoft.com/devices/recoverykey(nové okno) and sign in using your Microsoft username and password.
Windows Pro and Enterprise (using the full BitLocker)
You choose where to store it:
- Microsoft account (as above)
- USB drive
- File on another drive
- Printed copy
- Active Directory (for enterprise environments, allowing organizations to centrally manage recovery keys and encryption policies)
Is BitLocker safe?
What BitLocker protects against
| Threat scenario | Does BitLocker protect you? | Notes |
|---|---|---|
| Lost or stolen laptop (powered off) | Yes (strong protection) | Disk remains encrypted; attacker needs the recovery key or PIN. |
| Device seized by authorities (powered off) | Partially | Strong cryptography, but if the recovery key is stored in a Microsoft account, it may be obtainable via legal process. |
| Laptop stolen while sleeping or hibernating | Mostly | Protected, but some advanced attacks (e.g., cold boot(nové okno) or DMA(nové okno)) could extract keys. |
| Laptop stolen while logged in / unlocked | No | Disk is decrypted, so an attacker has full access. |
| Malware or remote hacker while Windows is running | No | Full-disk encryption does not protect against software compromise. |
| Evil maid attack | Partially | TPM detects many changes, but sophisticated attacks may bypass or mimic measurements. |
| Microsoft account hacked | No (if Microsoft has your key) | Attacker could retrieve the recovery key and decrypt the disk offline. |
| Forgetting your password or PIN | Depends | Recovery key required. Without it, your data is permanently lost. |
Technical security
BitLocker secures your data using the AES encryption algorithm. By default on modern systems, this is AES-256 in XTS mode(nové okno) for greater protection of data at rest. This is very secure.
Older systems may use a minimum of AES-128 in CBC mode(nové okno). This is still strong enough to protect your data from most attackers, though highly sophisticated adversaries (such as state-level actors) could potentially try advanced attacks.
BitLocker uses a layered key management system. At the top level is the Volume Master Key (VMK), which encrypts the actual data encryption key (the Full Volume Encryption Key, or FVEK).
The VMK itself is then protected by one or more authentication methods: a TPM chip (and/or password, PIN, USB key, or a combination of these if you’re using the full version of BitLocker). This design means you can change your password without needing to re-encrypt the entire drive.
BitLocker’s safety is all about the recovery key
So as long as the recovery key is secure, your data is very secure when your Windows device is turned-off (we’ll come back to this).
Imagine BitLocker as a door protecting your valuable data, and your recovery key is a key to that door. Knocking down the door to get your data is an all but impossible task, but with the key, you can simply unlock it. The recovery key is therefore the weak point.
This is especially true when you upload your recovery key to your Microsoft account. As recent events show, Microsoft can and does hand over users’ recovery keys to third parties, who can use it to access your data.
Offline only
Another important consideration is that BitLocker only protects your data when your Windows PC is turned off. Once Windows is running, your disk(s) are decrypted and anyone with access to your computer can access your data. This could mean physical access or digital access (or example, if you’ve been hacked).
This is true for all full-disk encryption solutions (not just BitLocker), but may be worth bearing in mind depending on your threat model.
Evil maid attacks
An evil maid attack(nové okno) is when someone gets temporary physical access to your device (for example in a hotel or at a border) and secretly modifies it so they can steal your encryption key or PIN later. Instead of cracking the encryption, they trick the system into revealing it.
By default, most PCs use BitLocker with automatic unlock via the TPM, which is strong against theft but weaker against tampering. To defend against evil maid attacks, you should enable BitLocker with a pre-boot PIN or USB key, so the disk cannot be unlocked automatically. Unfortunately, this isn’t possible on Windows Home using basic Device Encryption.
Can the FBI get my data?
In short, yes. Microsoft is a US company, and must therefore comply with legally-binding court orders and other legal instruments, such as national security letters(nové okno) (NSLs) that compel companies to turn over vast amounts of personal data and metadata to government organizations without any judicial oversight. These are usually accompanied by a gag order that prevents the company from alerting their users that they’ve served with an NSL.
In 2016, Apple put up a spirited fight against court-backed FBI demands to unlock an iPhone(nové okno) belonging to a terrorism suspect, which was only resolved when the FBI employed a third party to successfully crack Apple’s encryption. To avoid a repeat of this incident, Apple has since pivoted towards implementing end-to-end encryption on its products. After all, it can’t hand over encryption keys it simply doesn’t have.
Microsoft, however, has shown no such inclination. When you upload your BitLocker recovery key to your Microsoft account, it is Microsoft that encrypts it and (should the need arise) Microsoft can decrypt it. So Microsoft can always access your recovery key.
In 2025 the FBI asked Microsoft to the provide the BitLocker recovery keys(nové okno) needed to unlock encrypted data stored on three laptops tied to an investigation into alleged fraud in Guam. Microsoft complied, and a spokesperson told Forbes that the company receives around 20 requests for BitLocker keys per year. In most such cases, Microsoft can’t comply because these keys aren’t stored in Microsoft accounts. But the implication is clear: if it can help, it will.
Alternative encryption solutions
If you’d rather not trust Microsoft with your full-disk encryption recovery key, you have a number of options.
1. Use Windows Pro
If you already use Windows Pro (or Enterprise), this is the simplest solution. If you’re running Windows Home, you’ll need to purchase a new license and upgrade.
1. On Windows 11 Pro, open the Settings app and go to Privacy & security → BitLocker drive encryption. If you’ve just upgraded from Windows Home or use Pro but have already uploaded your recovery key to Microsoft (the default behavior if you sign into Windows using your Microsoft account), you’ll need to turn BitLocker off and wait for your drive to decrypt).
2. Go to account.microsoft.com/devices/recoverykey(nové okno) and delete all keys you see there. Do please ensure your drive is decrypted before doing this!
3. You can then turn BitLocker back on again and select your preferred recovery key backup method.
2. Use VeraCrypt instead
You may quite understandably prefer to avoid Microsoft’s solution altogether (after all, who knows what it’s closed-source code is really doing?).
VeraCrypt(nové okno) is open source full-disk encryption software that has undergone several security audits (notably by QuarksLab in 2016(nové okno) and the Fraunhofer Institute in 2020(nové okno)). Issues were found, but VeraCrypt is under active development, and have therefore been fixed. It also has the considerable benefit of being 100% free (although we encourage you to donate if you can). In addition to full disk encryption, VeraCrypt can:
- Create a virtual encrypted disk (volume) which you can mount and use just like a real disk (and which can be made into a Hidden Volume)
- Create a partition or storage drive containing an entire operating system (which can be hidden). This provides plausible deniability(nové okno), as it should be impossible to prove they exist (as long as all the correct precautions(nové okno) are taken).
Data is encrypted by default using XTS-AES-256 ( the same settings used by BitLocker), but you can select from multiple alternate encryption algorithms (such as Twofish) if you prefer. Access is secured using as passphrase and/or a keyfile (which you should store somewhere very safe).
Before installing VeraCrypt, you’ll need turn BitLocker or Device Encryption off and decrypt your drive (as described above, but on Windows 11 Home open the Settings app and go to Privacy security → BitLocker drive encryption).
3. Ditch Windows
If you can’t trust Microsoft with your full-disk encryption recovery keys, why even use its operating system? To move away from Windows, you have two real options:
macOS
Macs are expensive, highly proprietary, and provide a very controlled user experience. However, they can do pretty much everything a PC can, and unlike Microsoft, Apple has a history of resisting government demands to help it access encrypted devices.
The macOS built-in full-disk encryption solution is called FileVault, which you can opt to enable when you setup your Mac. When you do this, FileVault will offer to upload your recovery key to your iClould account, where it can potentially be accessed by Apple and handed over to third parties. However, you can choose local recovery key only, generating a numeric key that you write down and store safely or add to your password manager.
Another option is to enable the optional Advanced Data Protection for iCloud(nové okno) setting, which protects your iCloud data using end-to-end encryption. This means Apple can’t access your FileVault recovery key (or any other data uploaded to iCloud). Do note, however, that Advanced Data Protection is not available for users in all regions (notably the UK(nové okno)).
Linux
Linux is a completely free open source operating system that can be installed on your existing hardware (and will almost certainly run better on it than resource-heavy Windows). With the exception of a few proprietary apps that simply aren’t available on the platform (notably anything from Adobe, although good free open source alternatives exist for most of these), Linux can do everything that Windows and macOS can.
Linux comes in many different “flavors” (called distributions, or just distros), but almost all of these use the LUKS full disk encryption system, which can selected when you install the OS.
LUKS doesn’t have a single “recovery key” like BitLocker or FileVault. Instead, it uses a random master key that stays on your device and which can be unlocked using a backup method of your choice. These include:
- A second passphrase
- A printed recovery passphrase
- A key file stored offline
- A TPM-sealed key (with fallback passphrase)
Final thoughts on BitLocker and full disk encryption
BitLocker is, from a purely technical perspective, a strong and well-designed full-disk encryption system. Its use of modern cryptography, hardware-backed key storage, and layered key management makes it highly effective at protecting your data against common threats, such as a lost or stolen device. For most Windows users, BitLocker provides meaningful and reliable protection with minimal effort. If your threat model is a stolen laptop, BitLocker is usually sufficient.
However, as recent revelations about Microsoft’s cooperation with law enforcement demonstrate, the security of any encryption system ultimately hinges on who holds the keys. Depending on your threat model, the fact that the BitLocker recovery key is stored in your Microsoft account may be deeply concerning.
Fortunately, you have alternatives. Windows Pro allows you to manage recovery keys yourself, while open-source tools like VeraCrypt provide a good free alternative. Switching platforms away from Microsoft entirely, such as to macOS with locally stored FileVault keys or to Linux with LUKS, is also a strong option.
