BitLocker Security concerns


  1. Posts : 812
    Win10
    Thread Starter
       #11

    Inserted USB stick and I don't have the option to perform that.
    But I don't have any BEK related files on my OS drive. As mentioned, I removed it from my USB stick and from the Documents folder thinking that I don't have to use this file anymore...Guess I screwed up on this one.

    Perhaps re-encrypting the drive again should re-generate fresh keys, but no time for that.

    Any other options, please, I would appreciate this.

    From a security view, I cannot afford a machine booting up without any Pre-Boot Authentication anyways, so I am fine with this for now.


    As long as I still have the Recovery Text file (TXT), then it's all good. At least this way I can access Windows drive again in case I get the Recovery Mode, but not the Troubleshooting interface (Safe Mode).


  2. Posts : 3,274
    Win10
       #12

    You see where it says Back up your recovery key. Press there and when it asks where to save it, insert your USB stick and select it as your destination. It should create both the .txt and .bek file on the USB (as you know the .bek file will be hidden so check for it appropriately). If it does, make copies of them somewhere safe.


  3. Posts : 812
    Win10
    Thread Starter
       #13

    Yep, did that too, and just gave the same recovery key 48 digit code. And no BEK file with unhidden OS files.


  4. Posts : 3,274
    Win10
       #14

    I don't know why, but I just tested it and it gave me both files on a USB stick. If I tried to save it anywhere else, it only gave the .txt file. Are you sure you have ticked "Show hidden files" as well as unticked "Hide protected System files" ?

    Run this command to list any .bek files on your USB stick to double check.

    Command prompt
    replace X with your USB stick drive

    dir X:\*.bek /on/og/a/s

    If it is not there I have no idea why.

    {ps: Just to make sure when Bitlocker Manager says where do you want to save, DO NOT select "Save to a file", but select "Save to a USB flash drive"}


  5. Posts : 812
    Win10
    Thread Starter
       #15

    Yep, I know, I selected Save to USB. Still nothing.
    I even logged in as the local admin.

    dir D:\*.bek /on/og/a/s
    \Volume in drive D is ESD-ISO
    File Not Found


  6. Posts : 3,274
    Win10
       #16

    One last avenue left when you have time, is to reboot and try and save to a different make of USB stick as some people in the past had problems with some sticks and not others for some odd reason. In the meantime at least make a written note of your long recovery key somewhere safe. Whilst you are at it you could try backing up the .bek file at a command prompt to see if it makes any difference.

    command prompt (Run as admin)

    manage-bde -protectors -add C: -recoverykey D:

    ( C: is the bitlocker drive and D: is the USB drive letter )

    If all this still doesn't work then maybe some Group Policy needs changing which is beyond my capabilities to help with.

    Good luck.
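
The check discussed in posts #14 and #16, as an added example that is not part of the original thread: it lists every key protector on the BitLocker volume and reports whether the matching startup-key (.bek) or recovery text file is present on the USB drive, and it shows what kind of volume the USB drive letter actually is. The drive letters `C:` and `D:` are taken from the posts; the function name `Get-ProtectorFileReport` is hypothetical.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session.
# Assumption: C: is the BitLocker volume and D: the USB stick, as in the posts above.
param(
    [string]$OsVolume = 'C:',
    [string]$UsbDrive = 'D:'
)

function Get-ProtectorFileReport {
    param([string]$MountPoint, [string]$KeyDrive)

    # Hidden + system files (.bek) are only listed with -Force.
    $files = @(Get-ChildItem -Path "$KeyDrive\" -Force -File -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name)

    foreach ($kp in (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector) {
        $id = $kp.KeyProtectorId.Trim('{}')
        $onUsb = switch ("$($kp.KeyProtectorType)") {
            # Startup key: the protector itself reports its key file name.
            'ExternalKey'      { $files -contains $kp.KeyFileName }
            # Recovery text file: the default name embeds the protector ID;
            # a renamed file will not match.
            'RecoveryPassword' { [bool]($files -like "*$id*.txt") }
            # TPM-based protectors have no file to back up.
            default            { $null }
        }
        # The 48-digit recovery password itself is deliberately not output.
        [pscustomobject]@{
            Type        = $kp.KeyProtectorType
            ProtectorId = $kp.KeyProtectorId
            KeyFile     = $kp.KeyFileName
            FileOnUsb   = $onUsb
        }
    }
}

# A key file can only be written to a writable volume; show what the letter points at.
Get-Volume -DriveLetter $UsbDrive.TrimEnd(':') |
    Select-Object DriveLetter, FileSystemLabel, DriveType

Get-ProtectorFileReport -MountPoint $OsVolume -KeyDrive $UsbDrive | Format-Table -AutoSize
```

If no row of type `ExternalKey` appears, the volume has no startup-key protector, so there is no .bek file to find until one is added.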


  7. Posts : 812
    Win10
    Thread Starter
       #17

    Bitlocker is a great tool. However, its key management needs more improvements as an average user like me that is unable to store the keys on a secure platform like Active Directory.

    I am reinstalling my system.

    In the meantime, I would like to know which keys to save?

    Both the TXT and the BEK file or only the TXT?

    Which is more secure?


  8. Posts : 3,274
    Win10
       #18

    They should both be as secure as the USB stick you keep them on. The BEK (startup key) file is encrypted (so you can't see the contents) and also works straight away and the TXT (recovery key) file is easily readable but requires extra steps when needing to recover a bitlocked drive. But having said that, I would keep both of them.

    Maybe the following will help you:

    Bitlocker Recovery Key and .Bek File


  9. Posts : 812
    Win10
    Thread Starter
       #19

    Ok thanks!

    The BEK file was newly created when reinstalling Windows.

    However, I tend to transfer some of my files from time to time from my USB to PC.
    So to ensure that I don't forget to copy the BEK file as well since it is hidden, how can I unhide that file permanently but keeping rest of the system OS files as hidden?
    Last edited by win10freak; 04 Aug 2018 at 13:53.


  10. Posts : 812
    Win10
    Thread Starter
       #20

    After reinstalling Windows and turning Bitlocker on with TPM and PIN, the BEK file is there again.

    One last question below. See my original thread.

    Can anyone just walk up or take a laptop, insert any USB stick and laptop would just boot without even asking for the Bitlocker PIN and just boot to the Windows logon screen assuming a laptop is encrypted with Bitlocker?

    Or an attacker would have to get my USB stick to do that which contains both the TXT and the BEK key files?

    In other words, can this be done with any USB sticks or would the USB sticks need those Bitlocker keys in it?


 
