What is the difference between a BitLocker startup and recovery key?

I would like to encrypt a system partition with BitLocker using a password (manage-bde -protectors -add c: -pw), but (safely) store a key elsewhere in case I ever forget the password.

Should I add a recovery key (-rk) or a startup key (-sk)?

It seems that I would be able to use both for accessing data in case of emergency.

Is there anything that I could do with a recovery key that I could not do with a startup key and vice versa?


I also wondered this and experimented; this is what I know so far:

  • Both commands create an external *.BEK keyfile.

  • After you have created a -StartupKey and a -RecoveryKey, they become inseparable in the protector overview (manage-bde C: -protectors -get). This lists all keys and labels the keys in question 'External key'. Only if you remember the {id} can you tell the difference.

I cannot find any sources that validate claims or explanations about this topic; however, part of an answer might help or trigger one:

I suspect it is a legacy issue. A command was introduced into an earlier version of BitLocker and later on it was expanded. Nowadays it might make more sense to call it (-)ExternalKey, which, by the way, you can actually use as a -type if you use the -delete command to revoke all external-keyfile access from a drive.

In contrast, if we move a fixed(*) drive to another system (or BitLocker detects system-compromising integrity changes), it can apparently demand a recovery password. If we expand the language, a recovery key is also able to unlock the drive:

  • I can confirm that the [Load key from USB-station] button works with both key types. (Multiboot, unlocked system drive of other OS.) However, BitLocker was not in 'Recovery mode', which might be triggered by certain changes.
  • I can confirm that you can boot a system from a -RecoveryKey. (Might be obvious, but just to be complete.)

So the remaining question: if the BitLocker protection mechanism is triggered, will the startup key still be able to unlock a drive?

At this point I think it would be bad design if you could not, as you cannot differentiate between the key IDs nor the *.bek files. (*.sbek and *.rbek do not exist.) However, I have not been able to validate my assumptions. Nonetheless, I think the dots provide insight.
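The answer above notes that once both protectors exist, manage-bde lists them only as 'External Key' and the {id} is the sole way to tell a startup key from a recovery key. The script below is an added example, not part of the question or either answer: it adds each external-key protector one at a time, diffs the protector IDs before and after each call so it knows which GUID was just created, and writes the ID together with its intended role to a small ledger file on the USB drive. The paths (E:\ for the key files, E:\bitlocker-protectors.txt for the ledger) are assumptions, and so is the detail that manage-bde prints every protector ID as a braced GUID, which is what the regex relies on. It must run from an elevated PowerShell prompt and assumes the password protector from the question has already been added.

```powershell
# Added example (not from the original Q&A). Requires an elevated prompt.
# Assumption: manage-bde -protectors -get prints each protector ID as {GUID}.
function Get-ProtectorIds {
    param([Parameter(Mandatory)][string]$Drive)
    $text = (& manage-bde -protectors -get $Drive 2>&1) -join "`n"
    $guid = '\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}'
    [regex]::Matches($text, $guid) | ForEach-Object { $_.Value } | Sort-Object -Unique
}

# Adds a startup key (-StartupKey) or recovery key (-RecoveryKey) to $Drive,
# saving the .BEK file under $KeyDir, and records which role the new ID has.
function Add-LabelledExternalKey {
    param(
        [Parameter(Mandatory)][string]$Drive,
        [Parameter(Mandatory)][ValidateSet('StartupKey', 'RecoveryKey')][string]$Kind,
        [Parameter(Mandatory)][string]$KeyDir,
        [Parameter(Mandatory)][string]$LedgerPath
    )
    $before = @(Get-ProtectorIds -Drive $Drive)
    $flag = if ($Kind -eq 'StartupKey') { '-StartupKey' } else { '-RecoveryKey' }

    & manage-bde -protectors -add $Drive $flag $KeyDir | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde returned $LASTEXITCODE while adding a $Kind protector"
    }

    # The new protector is the one GUID that was not present before the call.
    $after = @(Get-ProtectorIds -Drive $Drive)
    $new = @($after | Where-Object { $_ -notin $before })
    if ($new.Count -ne 1) {
        throw "Expected exactly one new protector ID, found $($new.Count)"
    }

    # Ledger line: timestamp, drive, role, protector ID, where the .BEK went.
    $stamp = (Get-Date).ToString('s')
    "$stamp $Drive $Kind $($new[0]) $KeyDir" | Add-Content -Path $LedgerPath
    return $new[0]
}

# --- usage -----------------------------------------------------------------
$drive  = 'C:'
$usb    = 'E:\'                            # assumed removable drive for the .BEK files
$ledger = 'E:\bitlocker-protectors.txt'    # assumed ledger location

# The password protector from the question is assumed to exist already:
#   manage-bde -protectors -add C: -pw

$startupId  = Add-LabelledExternalKey -Drive $drive -Kind StartupKey  -KeyDir $usb -LedgerPath $ledger
$recoveryId = Add-LabelledExternalKey -Drive $drive -Kind RecoveryKey -KeyDir $usb -LedgerPath $ledger

# Both now appear only as 'External Key'; without the ledger they are identical:
& manage-bde -protectors -get $drive -Type ExternalKey

Write-Host "Startup key protector : $startupId"
Write-Host "Recovery key protector: $recoveryId"

# Later, to revoke just one of them, use the recorded ID rather than -Type ExternalKey,
# which would remove both:
#   manage-bde -protectors -delete C: -id $startupId
```

Keep the ledger with the .BEK files rather than on the encrypted volume, since its whole purpose is to be readable while the volume is still locked. Deleting by -Type ExternalKey, as the answer observes, removes every external-key protector at once, which is exactly why the per-ID record matters.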


According to the documentation, one difference is that:

  • If the PC is configured to normally use a TPM to perform a measured boot, it will do so when the startup key is used, but not when a recovery key is used. So, the recovery key should only be used as a last resort.

I will update this answer with additional differences if I discover any.