What type of keys are used for disk decryption but are managed outside of BitLocker?

The correct answer is BitLocker recovery keys. These keys serve as a safeguard for accessing encrypted data on a device in scenarios where users may have lost access to their primary unlocking methods, such as a password or smart card. Recovery keys are critical for data recovery processes and are designed to be stored securely outside the BitLocker management system. This separation ensures that the keys remain accessible during potential recovery situations but are not compromised through the same channels as the encryption itself.

In practical terms, recovery keys can be printed, saved to a file, or stored in a recovery service, adding an essential layer of data protection in environments where data security is paramount. They provide a means for administrators and users to regain access to encrypted volumes while still maintaining advanced security measures.

In contrast, encryption keys are typically part of the encryption process managed by BitLocker itself, and encryption certificates pertain to establishing secure communications, rather than directly managing disk encryption. Access keys are not a defined category in the context of BitLocker's mechanisms for disk encryption. Thus, focusing on the specific role of recovery keys in facilitating access to encrypted data underscores their importance in a BitLocker-managed environment.