How to make BitLocker use AES 256-bit encryption in Windows 10
This step-by-step tutorial will show you how to make BitLocker use AES 256-bit encryption instead of AES 128-bit encryption in Windows 10.
Windows 10 (version 1511) introduced a new disk encryption mode (XTS-AES). This mode provides additional integrity support, but it's not compatible with older versions of Windows.
You can also select the disk encryption mode (AES-CBC), which is compatible with older versions of Windows. If you're encrypting a removable drive (e.g. USB flash drive or external hard drive) that you're going to use on an older version of Windows, then you should use AES-CBC.
How to change BitLocker encryption method to AES 256 in Windows 10
- Right-click on the Windows start menu button.
- Click on Run. You can also press the Windows + R keys on your keyboard to open the Run window.
- Enter gpedit.msc.
- Click OK or press the Enter key on your keyboard.
- Under Computer Configuration, double-click Administrative Templates.
- Double-click on Windows Components.
- Click on BitLocker Drive Encryption.
- Double-click on Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later).
- Select the Enabled option.
- In the Options section, change the encryption method. For operating system drives, select XTS-AES 256-bit.
- For fixed data drives, select XTS-AES 256-bit.
- For removable data drives, select AES-CBC 256-bit if you want to use the drive on other devices that are not running Windows 10 (Version 1511 or later).
- Click Apply to save the changes.
- Click on OK.
BitLocker will now use AES 256-bit encryption when creating new volumes.
Your existing BitLocker volumes will still use AES 128-bit encryption.
To use AES 256-bit encryption for your existing BitLocker volumes, you should decrypt and then re-encrypt them because BitLocker doesn't offer an option to convert from 128-bit to 256-bit.
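To check the result from PowerShell, the following added example (not part of the original tutorial) reads the values this policy stores under HKLM\SOFTWARE\Policies\Microsoft\FVE and lists each volume's current encryption method, flagging volumes that are still on a 128-bit method. It assumes an elevated PowerShell prompt and the built-in BitLocker module.

```powershell
# Added example: audit the BitLocker cipher policy and each volume's method.
# Assumption: run from an elevated PowerShell prompt on Windows 10 (1511 or later).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$policyValues = [ordered]@{
    'Operating system drives' = 'EncryptionMethodWithXtsOs'
    'Fixed data drives'       = 'EncryptionMethodWithXtsFdv'
    'Removable data drives'   = 'EncryptionMethodWithXtsRdv'
}
# Numeric values the policy stores, and the method each one selects.
$methodNames = @{ 3 = 'AES-CBC 128-bit'; 4 = 'AES-CBC 256-bit'; 6 = 'XTS-AES 128-bit'; 7 = 'XTS-AES 256-bit' }

# Part 1: what the policy will apply to newly encrypted volumes.
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
foreach ($entry in $policyValues.GetEnumerator()) {
    $raw = if ($policy) { $policy.($entry.Value) } else { $null }
    $text = if ($null -eq $raw) {
        'not configured'
    } elseif ($methodNames.ContainsKey([int]$raw)) {
        $methodNames[[int]$raw]
    } else {
        "unrecognized value $raw"
    }
    '{0,-24} {1}' -f $entry.Key, $text
}

# Part 2: existing volumes keep the method they were encrypted with,
# so report each one and flag those still using a 128-bit method.
Get-BitLockerVolume | ForEach-Object {
    $method = [string]$_.EncryptionMethod
    [pscustomobject]@{
        MountPoint       = $_.MountPoint
        VolumeType       = $_.VolumeType
        VolumeStatus     = $_.VolumeStatus
        EncryptionMethod = $method
        ReEncryptNeeded  = ($method -match '128')
    }
} | Format-Table -AutoSize
```

Volumes reported with ReEncryptNeeded set to True are the ones that have to be decrypted and re-encrypted to pick up the 256-bit setting.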