What is a BitLocker Drive Encryption startup key or PIN?

When you use BitLocker Drive Encryption to encrypt the drive that Windows is installed on, you can use a startup key or personal identification number (PIN) to start your computer for added security. If you use a PIN, you will need to remember it and type it each time you start the computer. If you use a startup key, you will need to save it on a USB flash drive and insert the flash drive each time you start the computer. Having a startup key or PIN is optional, unless your computer is at a workplace and your system administrator requires it.

You can create either a startup key or a PIN, but not both. The PIN can be any number that you choose from 4 to 20 digits in length (the minimum length of your PIN might be longer if your computer is part of a domain). The PIN is stored on your computer. You can create a startup key or PIN when you turn on BitLocker for the first time. After you create the startup key or PIN, you can use Manage BitLocker to change the PIN, but you cannot change the startup key. You can make additional copies of the startup key in case you lose the original.

Notes

• A startup key can also be used to store the encryption keys for the drive that Windows is installed on if your computer does not have the Trusted Platform Module (TPM) security hardware. BitLocker seals its encryption keys in the TPM hardware, which is a special microchip in many computers that supports advanced security features. You can only use a startup key instead of the TPM if your system administrator has set up your network to allow the use of startup keys. For more information about TPM, see What is the Trusted Platform Module security hardware?

• If you create backup copies of your startup key, make sure you store them on separate removable media.

• Assistive technology software that runs on Windows, such as screen reading software, cannot read BitLocker startup screens because they are displayed during BIOS startup and before Windows runs. This includes screens used when you type a PIN or recovery key, and any BitLocker error messages.