The blue screen appears at boot: "BitLocker Recovery — enter the recovery key for this drive." You type the usual password: rejected. You hunt for the 48-digit key: nowhere to be found. Welcome to one of the most stressful scenarios in modern computing — and one of the least well-documented.
This guide compiles, in 2026, every legal route to recover a locked BitLocker volume, the realistic odds of each method, and a clear warning about the so-called "BitLocker crackers" circulating online. Spoiler: BitLocker is cryptographically rock-solid. If the key is truly lost, so is your data — except in the specific cases we detail below.
Why BitLocker locks you out even when you know your Windows password
The most common misunderstanding among users facing a BitLocker screen is assuming their usual Windows password should work. The confusion comes from the fact that 95% of the time, BitLocker is invisible: your PC boots, you type your Windows password or use Windows Hello, and everything works. The encryption unlocks in the background thanks to the TPM (Trusted Platform Module), which stores the actual encryption key and releases it only after verifying that the boot environment is healthy.
The BitLocker recovery screen appears precisely when this TPM verification fails, which can happen in several common situations: a BIOS/UEFI update that changes the measured boot state, a change to the boot configuration in firmware (drive order, Secure Boot enabled or disabled), an OS reinstall, physical removal and reinsertion of the hard drive, or, more rarely, the TPM detecting suspicious hardware behavior. In all of those cases the TPM refuses to release the key and BitLocker falls into recovery mode, which requires the 48-digit recovery key, not your Windows password.
It's exactly this dissociation that causes panic: you've always used the same Windows password for years, you type it and it's rejected, and you conclude you've lost your data. In reality, in most cases the key exists somewhere — either in your Microsoft account (microsoft.com/recoverykey), or printed in a forgotten folder, or in Active Directory if it's a corporate machine — and the real question is finding it, not recovering it by brute force (which is impossible). Our method describes the six most likely locations to look before considering any other option.
1. BitLocker in 60 seconds: what you're up against
BitLocker is Microsoft's full-disk encryption, introduced with Windows Vista in 2007 and now standard on Windows 10 Pro, Enterprise, Education, Windows 11 Pro, and above. On Windows 11 24H2, Microsoft even activates automatic Device Encryption upon first Microsoft account sign-in on compatible hardware.
Technically, BitLocker encrypts the entire partition sector by sector with AES-XTS 128-bit by default (with an AES-XTS 256-bit strict mode option). Before Windows 10 1511, it used AES-CBC 128 or 256; legacy volumes retain that scheme. XTS-AES, standardized by NIST in 2010 (publication SP 800-38E), has no exploitable cryptographic weakness known as of 2026 (Microsoft Learn — BitLocker overview).
Each volume's master key is protected by one or more Key Protectors:
- TPM-only (Trusted Platform Module 1.2 or 2.0) — boots with no interaction as long as hardware is unchanged.
- TPM + PIN — a 4-20 digit code requested at boot.
- TPM + USB key — physical key to insert.
- Password (without TPM, requires GPO configuration).
- 48-digit recovery key — ALWAYS generated, always valid.
That recovery key is your last line of defense. It's formatted as 8 groups of 6 digits, separated by dashes — 48 digits total. Example: 123456-789012-345678-901234-567890-123456-789012-345678. It's preceded by a unique Key Identifier of 32 hexadecimal characters, whose first 8 show on the recovery screen to help you match the right key.
2. Where your key is probably already backed up
Before panicking, methodically check all 5 possible sources. Very often the key exists somewhere — the user simply forgot where it was saved. Work through each location below before concluding it is lost.
Source 1: Microsoft Account (consumer)
If you set up Windows 10 or 11 with a personal Microsoft account (Outlook, Hotmail, Live, Gmail-linked), this is the most likely place to find the key. When Device Encryption is enabled on a device signed in to a Microsoft account, Windows uploads the recovery key to that account (Microsoft Support — Finding your BitLocker recovery key).
Procedure:
- From a phone or another PC, open account.microsoft.com/devices/recoverykey.
- Sign in with the Microsoft account used on the locked PC.
- Match the first 8 characters of the Key ID shown on the BitLocker screen to the Key IDs listed.
- Copy the matching 48-digit key.
Common trap: multiple Microsoft accounts. Many users unknowingly created a default account at unboxing. Also try secondary accounts (family, Xbox, account created for Office).
Source 2: Microsoft Entra ID (formerly Azure AD)
For a work PC joined to Entra ID (M365 Business, Enterprise), the key is centralized on the corporate side. The admin retrieves it in under 2 minutes.
Admin procedure:
- Portal entra.microsoft.com → Devices → All devices.
- Search the device by name (visible in Settings → System → About).
- Tab BitLocker keys → copy the key matching the Key ID requested.
If you're the end user, never try to unlock a work PC with a third-party tool: it violates your acceptable use policy and may be a crime under the Computer Fraud and Abuse Act (18 U.S.C. § 1030) in the United States and equivalent statutes elsewhere.
Source 3: On-premise Active Directory
On a classic Windows domain with an AD server, the key is stored on the computer object if the GPO "Choose how BitLocker-protected operating system drives can be recovered" was enabled with "Save BitLocker recovery information to Active Directory Domain Services" turned on.
Admin procedure:
- Tool Active Directory Users and Computers (ADUC) on the domain controller.
- Enable View → Advanced Features.
- Navigate to the computer object → tab BitLocker Recovery → copy the key.
The BitLocker Recovery tab is provided by the RSAT BitLocker recovery tools. If the tab isn't showing, install them with Add-WindowsCapability -Online -Name Rsat.BitLocker.Recovery.Tools~~~~0.0.1.0.
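The same lookup can be scripted with the ActiveDirectory PowerShell module (also part of RSAT), which is handy when the helpdesk handles many machines. This is an added example, not code from the original guide; it assumes the caller has been delegated read access to the msFVE-RecoveryPassword attribute (Domain Admins have it by default), and the computer name and Key ID prefix are placeholders.

```powershell
# Added example, not from the original guide: read the escrowed BitLocker
# recovery password(s) of a domain computer without clicking through ADUC.
# Requires the ActiveDirectory module (RSAT) and read rights on
# msFVE-RecoveryPassword. Computer name and Key ID prefix are placeholders.

function Get-ADBitLockerRecoveryKey {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string]$KeyIdPrefix   # optional: the first 8 hex characters shown on the recovery screen
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    $computer = Get-ADComputer -Identity $ComputerName

    # Each escrowed recovery password is a child object of the computer account,
    # class msFVE-RecoveryInformation, named "<timestamp>{<Key ID GUID>}".
    $entries = Get-ADObject -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' `
        -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Properties 'msFVE-RecoveryPassword', 'whenCreated'

    $results = foreach ($e in $entries) {
        $keyId = if ($e.Name -match '\{([0-9A-Fa-f-]{36})\}') { $Matches[1].ToUpperInvariant() } else { '' }
        [pscustomobject]@{
            ComputerName = $ComputerName
            KeyId        = $keyId
            Created      = $e.whenCreated
            RecoveryKey  = $e.'msFVE-RecoveryPassword'
        }
    }
    if ($KeyIdPrefix) {
        # Old entries survive a re-key; only the one whose ID matches the screen will unlock.
        $prefix = $KeyIdPrefix.Trim().ToUpperInvariant()
        $results = $results | Where-Object { $_.KeyId.StartsWith($prefix) }
    }
    $results | Sort-Object Created -Descending
}

# Usage (placeholder names): every escrowed key for the machine, then only the one matching the prompt.
Get-ADBitLockerRecoveryKey -ComputerName 'LAPTOP-PLACEHOLDER'
Get-ADBitLockerRecoveryKey -ComputerName 'LAPTOP-PLACEHOLDER' -KeyIdPrefix '3F2504E0' | Format-List
```

If the function returns nothing for a machine that is BitLocker-protected, the recovery-information GPO was not in force when the volume was encrypted; the key is not in AD and you must fall back to the other sources.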
Source 4: MBAM (legacy, deprecated 2024)
Microsoft BitLocker Administration and Monitoring (MBAM) was the centralized BitLocker management system from 2011 through April 2024 (end of extended support). If your organization still uses it in 2026, the MBAM HelpDesk portal allows key retrieval by Key ID. Microsoft now pushes Configuration Manager or Intune as replacements.
Source 5: Paper copy or .BEK file
When manually enabling BitLocker, Windows offers 4 backup options: Microsoft account, .BEK file on USB, text file on another drive, or printed copy. Methodically check:
- Documents, Downloads, and Desktop folders for a file named BitLocker Recovery Key [Key ID].txt.
- Old USB drives and external disks (the .BEK file is hidden by default; enable hidden file display).
- Paper binders, safe, tax folder (yes, really — many users file the key with administrative paperwork).
- Email inbox: search "BitLocker" in Gmail, Outlook, old addresses (sometimes auto-sent as an attachment).
3. Entering the key: technical pitfalls
You found the key. Here's how to enter it without error:
- At the BitLocker prompt, type the 48 digits as 8 groups of 6. Dashes are inserted automatically — don't type them.
- The screen shows nothing during entry (not even asterisks). This is normal.
- On AZERTY/QWERTZ and other international keyboards, don't worry about the numeric layout: the pre-boot prompt uses a US layout by default, but the digit keys produce the same digits, so there is no mapping issue.
- On the first mistake: immediate retry. After 5 or 6 attempts, BitLocker doesn't introduce a progressive delay (unlike iOS), but it may switch to a more restricted screen.
- If you have multiple BitLocker volumes (C:, D:, BitLocker To Go), each volume has its own key. Check the Key Identifier at each prompt.
Once the system boots, temporarily suspend BitLocker (Control Panel → BitLocker → Suspend protection) to copy your data to a healthy alternate drive before reconfiguring cleanly.
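Before typing at the prompt, it helps to check on another PC that the key you found is well-formed and that it belongs to the Key ID on screen (section 1 describes the format, section 2 the Key ID match). The following is an added example, not code from the original guide; it relies on the documented structure of recovery passwords (each 6-digit group is a 16-bit value multiplied by 11, so it is divisible by 11 and below 720896), and the Key IDs and keys in it are constructed placeholders.

```powershell
# Added example, not from the original guide: sanity-check a 48-digit recovery
# password before typing it, and pick the stored key whose Key ID matches the
# 8-character prefix shown on the recovery screen. The group rule below
# (multiple of 11, below 720896) is the documented recovery-password structure.

function Test-BitLockerRecoveryPassword {
    param([Parameter(Mandatory)][string]$Key)
    # Accept the key with or without dashes or spaces, as it may have been copied.
    $digits = $Key -replace '[^0-9]', ''
    if ($digits.Length -ne 48) {
        return [pscustomobject]@{ Valid = $false; Reason = "expected 48 digits, got $($digits.Length)" }
    }
    for ($i = 0; $i -lt 8; $i++) {
        $group = $digits.Substring($i * 6, 6)
        $value = [int]$group
        # A single mistyped digit almost always breaks the multiple-of-11 rule.
        if (($value % 11) -ne 0 -or $value -ge 720896) {
            return [pscustomobject]@{ Valid = $false; Reason = "group $($i + 1) ($group) fails the check rule" }
        }
    }
    # Re-emit in the on-screen layout: eight groups of six digits, dash-separated.
    $formatted = (0..7 | ForEach-Object { $digits.Substring($_ * 6, 6) }) -join '-'
    return [pscustomobject]@{ Valid = $true; Reason = 'ok'; Formatted = $formatted }
}

function Find-RecoveryKeyByIdPrefix {
    param(
        [Parameter(Mandatory)][string]$ShownPrefix,   # first 8 hex characters on the BitLocker screen
        [Parameter(Mandatory)][hashtable]$StoredKeys  # full Key ID (GUID) -> 48-digit key
    )
    # Key IDs are GUIDs: compare case-insensitively and ignore braces and dashes.
    $prefix = $ShownPrefix.Trim().ToUpperInvariant()
    foreach ($entry in $StoredKeys.GetEnumerator()) {
        $id = ($entry.Key -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
        if ($id.StartsWith($prefix)) {
            return [pscustomobject]@{ KeyId = $entry.Key; RecoveryKey = $entry.Value }
        }
    }
    return $null
}

# Constructed sample: two Key ID / key pairs as a user would copy them from
# account.microsoft.com (placeholder GUIDs and keys built to satisfy the rule).
$stored = @{
    '3F2504E0-4F89-11D3-9A0C-0305E82C3301' = '123453-456456-700007-000011-654654-330000-550055-000022'
    'A1B2C3D4-0000-4000-8000-000000000002' = '000011-000022-000033-000044-000055-000066-000077-000088'
}

$match = Find-RecoveryKeyByIdPrefix -ShownPrefix '3f2504e0' -StoredKeys $stored
if ($null -eq $match) {
    Write-Warning 'No stored key matches the Key ID on screen; check your other accounts.'
} else {
    $check = Test-BitLockerRecoveryPassword -Key $match.RecoveryKey
    if ($check.Valid) { "Type this key (dashes are added automatically): $($check.Formatted)" }
    else { Write-Warning "Stored key looks mistyped: $($check.Reason)" }
}
```

A key that fails the group rule was copied or transcribed wrongly, so re-read the source rather than retrying at the prompt; the illustrative sequence in section 1 is a format placeholder and is expected to fail it.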
4. BitLocker To Go: USB drives and external disks
BitLocker To Go protects removable media (USB sticks, external drives, SD cards) with the same cryptographic model. At unlock time there are two typical protectors: a user password and a 48-digit recovery key.
If you've lost the password:
- Check the Microsoft account first (the key is also stored there for To Go volumes encrypted via Windows 11 Pro with a linked account).
- If To Go was set up with a local account and no cloud backup: only a paper key or .BEK file saves you.
Tip: .BEK files are only a few hundred bytes. Search for them with dir /s /a *.BEK from the root of each of your drives.
5. Third-party tools: myth, reality, and legal framework
If you searched "crack BitLocker" on Google, you've encountered three tool families. Here's the technical truth in 2026.
M3 BitLocker Decryption
Commercial software at $39-$79. Does not break BitLocker: it takes as input either the user password, the recovery key, or a .BEK file. Its purpose is to mount a BitLocker volume from macOS or Linux, or from a Windows install that can't (volume corruption, exotic BIOS). Without password or key, it does absolutely nothing.
Passware Kit Forensic
Professional forensic suite, license starting at $1,095/year (Standard 2026 edition), up to $3,995/year for Forensic Pro. Capable of attacking BitLocker via:
- Dictionary (most common passwords, leaks, Rockyou lists).
- GPU brute force accelerated on NVIDIA RTX cards (up to 8 GPUs in parallel).
- Key extraction from hibernation/RAM dump (assisted cold boot attack).
The reason this almost never works is the BitLocker key-derivation function: each password guess requires a deliberately expensive computation, so even high-end GPU rigs only test a modest number of candidates per second compared to simpler hashes. An 8-character alphanumeric password already represents roughly 62^8 (about 218 trillion) combinations — far beyond what an exhaustive search can cover in a human lifetime. Conclusion: Passware is realistically viable only for very short passwords or known/guessable targets (it is mainly used by law enforcement and private investigators), not against a strong passphrase.
Hashcat + bitlocker2hashcat
Open-source solution. Steps:
- Extract a disk image of the encrypted volume with dd or FTK Imager.
- Convert it to hashcat format using bitlocker2hashcat (community Python script).
- Run Hashcat in mode 22100 (BitLocker AES-128 / 256).
Same effective speed as Passware (both leverage identical GPU shaders). Hashcat is free but requires solid forensic skills and adequate hardware. Useless against a long password.
Cold boot and memory attacks
For a system powered on or in sleep, the master key resides in RAM. A physical attacker can extract memory (DMA over Thunderbolt, liquid nitrogen cooling, LPC/SPI bus attack on the TPM) and recover the key. CISA documents these in its hardware security guidance (CISA — Cybersecurity advisories). In practice, such attacks demand prolonged physical access and hardware costing several thousand dollars — out of reach for an end user who just forgot a password.
Legal framework
Warning: these tools are legal only:
- On your own hardware, with proof of purchase (invoice, serial number).
- As part of a forensic mission ordered by a court or company.
- With written consent of the owner.
Attempting to unlock a work PC or someone else's device without authorization falls under the Computer Fraud and Abuse Act (18 U.S.C. § 1030) in the United States, up to 10 years in prison for a first offense, and equivalents elsewhere (UK Computer Misuse Act 1990, EU NIS2 directive, French Code pénal article 323-1).
6. Why BitLocker is so solid: a bit of cryptography
BitLocker isn't a lightweight consumer product. Its AES cryptographic modules ship in Windows builds that hold FIPS 140 validations from NIST's Cryptographic Module Validation Program, and it is widely deployed across enterprise and government environments. Its robustness comes from:
- AES-XTS: encryption mode purpose-built for storage, no public cryptographic weakness in 2026 after 16 years of scrutiny.
- 128-bit salt unique per volume — prohibits any rainbow table.
- PBKDF2-SHA256 with 1,048,576 iterations (or more depending on version) to derive the key from the password — each attempt is CPU-expensive.
- TPM: the master key never leaves the hardware chip, which refuses to release it if the bootloader has been altered (PCR integrity measurement).
The only realistic attack, aside from finding the recovery key, remains a weak password or short PIN: a 4-digit PIN or a password under 8 characters is short enough that a dictionary or brute-force attack becomes feasible, whereas the AES cipher itself has no practical weakness. In other words, when BitLocker is "broken" it is almost always the user's password that gave way, not the encryption.
7. Prevention: never live this stress again
If you're reading this guide in panic, also read it when calm. BitLocker prevention boils down to 5 rules:
- Enable a Microsoft account during Windows installation (or link one afterward via Settings → Accounts). This activates automatic key backup to account.microsoft.com.
- Print the 48-digit key and file it in a safe, administrative folder, or bank deposit box. Cost: $0, reliability: 100%.
- Store it in a password manager: 1Password Family ($4.99/month), Bitwarden Premium ($10/year), KeePassXC (free, open source). Create a dedicated entry with Key ID and full key.
- Document: device name, encryption date, Windows version, linked Microsoft account. When reselling or donating the machine, properly decommission BitLocker.
- Share a backup copy with a trusted person — partner, parent, notary. Many BitLocker disasters happen at a loved one's death, when nobody knows the key.
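On a corporate or domain-joined machine, rules 2 and 3 can be automated and combined with directory escrow. The script below is an added example, not code from the original guide; it uses the built-in BitLocker PowerShell module, must run from an elevated session, and the output folder is a placeholder.

```powershell
# Added example, not from the original guide: make sure every BitLocker volume has a
# 48-digit recovery password, escrow it to AD DS or Entra ID (whichever the device
# is joined to) and write a copy to print or paste into a password manager.
# Run elevated; uses only the built-in BitLocker module. $OutputFolder is a placeholder.

function Backup-AllBitLockerRecoveryKeys {
    param([string]$OutputFolder = "$env:USERPROFILE\Documents")
    $lines = @()
    foreach ($vol in Get-BitLockerVolume) {
        if ($vol.VolumeStatus -eq 'FullyDecrypted') { continue }   # nothing to back up
        $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        if (-not $rp) {
            # A volume with only a TPM protector has no 48-digit fallback: add one.
            Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector | Out-Null
            $rp = (Get-BitLockerVolume -MountPoint $vol.MountPoint).KeyProtector |
                  Where-Object KeyProtectorType -eq 'RecoveryPassword'
        }
        foreach ($p in $rp) {
            # Each escrow cmdlet throws when the device is not joined to that directory;
            # the catch records it so a stand-alone PC still gets the file copy below.
            try { Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null }
            catch { Write-Verbose "AD DS escrow skipped for $($vol.MountPoint): $_" }
            try { BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null }
            catch { Write-Verbose "Entra ID escrow skipped for $($vol.MountPoint): $_" }
            $lines += "Volume: $($vol.MountPoint)  Key ID: $($p.KeyProtectorId)  Recovery key: $($p.RecoveryPassword)"
        }
    }
    # Same information Windows puts in its own "BitLocker Recovery Key" text files,
    # plus the device details rule 4 asks you to document.
    $file = Join-Path $OutputFolder ("BitLocker Recovery Keys " + $env:COMPUTERNAME + ".txt")
    $header = @(
        "Computer: $env:COMPUTERNAME",
        "Windows: $([System.Environment]::OSVersion.Version)",
        "Exported: $(Get-Date -Format s)",
        ''
    )
    ($header + $lines) | Set-Content -Path $file
    return $file
}

$saved = Backup-AllBitLockerRecoveryKeys
"Recovery keys written to $saved. Print it or move it to your password manager, then delete the file."
```

The text file sits on the very volume it protects, which is useless once that volume is locked: the value is only in the printed or off-device copy you make from it.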
See also our automatic backup guide for Windows and Mac 2026 to combine encryption with redundant copies under the 3-2-1 rule.
8. Recovering associated data: Outlook, files, photos
Once the volume is unlocked, some users find files have disappeared or Outlook is damaged (typical after a power cut during encryption). Three useful resources:
- Recover deleted files on Windows — native methods and software after unlock.
- Recover deleted Outlook emails — corrupted PST files after BitLocker crash.
- EaseUS vs Recuva 2026 comparison — which tool to pick for post-unlock recovery.
- Best data recovery software 2026 — full comparison of tools ranked by file system, scenario, and success rate, including NTFS post-BitLocker recovery.
9. Legal and ethical disclaimer
Clear reminder: this guide documents only legal recovery methods on your own hardware. Any attempt to access a third party's BitLocker volume without their written consent, or a work PC without employer approval, is a crime in most jurisdictions:
- United States: 18 U.S.C. § 1030 (CFAA), up to 10 years for first offense.
- United Kingdom: Computer Misuse Act 1990, up to 14 years for the most serious offenses.
- EU: NIS2 directive, GDPR article 32 (sanctions up to 4% of global revenue).
- France: Penal Code article 323-1 et seq. — up to 5 years and €150,000 for aggravated access.
If you bought used an encrypted PC and the seller doesn't supply the password, your only legal recourse is a full reformat with total data loss. Same applies to inheritance if the key wasn't passed down — hence the importance of including the BitLocker key in your digital advance directives.
10. Typical scenarios and how they resolve
To ground the theory, here are four common scenarios and the logical path to recovery in each.
Scenario 1 — Unplanned BIOS update. A user updates the UEFI firmware on a Dell XPS 15. On reboot, BitLocker switches to recovery mode because the TPM's PCR measurements (Platform Configuration Registers) changed — typically PCR 0, 2, 4, and 11. The fix: retrieve the key from the Microsoft account (where OEM devices signed in to a Microsoft account usually store it), enter the 48 digits, and Windows reseals new PCR measurements automatically at the next boot. This is usually a matter of minutes once the key is in hand.
Scenario 2 — Lost Microsoft account. A user changed her email address years ago and no longer remembers the original Microsoft account. The path forward is Microsoft's account recovery form (account.live.com/acsr): supply proof of ownership such as old Office 365 invoices and wait for manual validation, which can take a few days. If the account is recovered, the BitLocker key stored on it becomes accessible again.
Scenario 3 — Drive pulled from a dead PC. A user pulls an M.2 SSD from a broken laptop to mount it via USB on another PC. Windows asks for the BitLocker key because the original TPM is no longer available. The key alone is enough: no original hardware is needed to decrypt. The procedure is identical to typing at the classic prompt, performed in the new PC's BitLocker management utility.
Scenario 4 — Inheritance and digital legacy. A relative discovers a late family member's laptop is BitLocker-encrypted with no obvious key. A thorough search of old emails — including draft and sent folders, where people sometimes mail a backup copy to themselves — can surface the key. Lesson: search mail folders exhaustively; the Key ID prefix follows Microsoft's GUID hex pattern ([A-F0-9]{8}), which makes it searchable.
11. Which situations are recoverable?
Your realistic odds depend almost entirely on whether a copy of the key still exists somewhere. Ranked from best to worst:
- Key on Microsoft account — essentially certain once you log into the right account; a few minutes.
- Key on Microsoft Entra ID (work PC) — essentially certain via your IT helpdesk, who can pull it from the tenant.
- Key on on-premise AD — reliable if the recovery-information GPO was enabled; needs a domain admin.
- Paper key or .BEK file — depends entirely on whether you can find it; allow time to search drives, folders and paperwork.
- User password only, short — only feasible against weak/short passwords using forensic tools, and even then slow and costly; usually a job for law enforcement or paid forensic labs.
- Strong user password + no key — for practical purposes, impossible: this is exactly what the encryption is designed to prevent.
- Pro forensic service — worth considering only when the password is weak or partially known; expensive and offers no guarantee.
The key takeaway: recovery is about locating an existing key, not breaking the cipher. Spend your effort on the sources in section 2 before anything else.
12. Specific Windows error codes to know
When BitLocker fails to unlock, Windows displays a specific error code on the recovery screen. The most frequent:
- 0xC0000225 — boot configuration corrupted, often after a botched Windows update. Recovery key required, plus bootrec /rebuildbcd from WinRE.
- 0x80310000 — BitLocker volume metadata damaged. The 48-digit key works but you must run manage-bde -repair after boot.
- 0x8031004A — wrong recovery key entered (mismatched Key ID). Double-check the first 8 hex characters.
- 0xC03A0005 — VHD/dynamic volume issue, common on virtualized disks. The key opens the volume but mounting needs diskpart.
In all cases, the 48-digit key remains the universal solution. Error codes only indicate what additional work is required after unlock.
Official resources
- Microsoft Learn — BitLocker recovery overview
- Microsoft Account — recovery keys
- Microsoft Entra ID — Find a BitLocker recovery key
- CISA — Encryption and key management guidance
- NIST SP 800-38E — XTS-AES specification