How to make BitLocker use AES 256-bit encryption
This step-by-step tutorial shows how to make BitLocker use AES 256-bit encryption instead of the default AES 128-bit encryption on Windows 10 and 11.
Windows 10 version 1511 introduced a new disk encryption mode, XTS-AES. Microsoft describes it as providing additional integrity support: XTS resists targeted manipulation of the ciphertext better than AES-CBC does (BitLocker's CBC mode has had no diffuser since Windows 8, so flipping ciphertext bits produces predictable plaintext changes). XTS is still not authenticated encryption, and volumes encrypted with it cannot be opened on versions of Windows older than 10 version 1511.
You can also select AES-CBC, which is compatible with older versions of Windows. If you're encrypting a removable drive (for example, a USB flash drive or an external hard drive) that you need to open on an older version of Windows, use AES-CBC.
How to change BitLocker encryption method to AES 256 on Windows 10 and 11
- Right-click the Windows start menu button.
- Click Run. You can also press the Windows + R keys on your keyboard to open the Run window.
- Enter gpedit.msc.
- Click OK or press the Enter key on your keyboard.
- Under Computer Configuration, double-click Administrative Templates.
- Double-click on Windows Components.
- Click BitLocker Drive Encryption.
- Double-click Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later).
- Select the Enabled option.
- In the Options section, change the encryption method. For operating system drives, select XTS-AES 256-bit.
- For fixed data drives, you select XTS-AES 256-bit.
- For removable data drives, select AES-CBC 256-bit if you want to use the drive on devices that are not running Windows 10 version 1511 or later; otherwise select XTS-AES 256-bit.
- Click Apply to save the changes.
- Click OK.
Once the policy has refreshed (run gpupdate /force, or restart), BitLocker will use AES 256-bit encryption for every volume it encrypts from now on.
The policy applies only at encryption time. Volumes that are already encrypted keep the method they were encrypted with (XTS-AES 128-bit by default on Windows 10 version 1511 and later, AES-CBC 128-bit on earlier versions). To check, open an elevated command prompt, run manage-bde -status, and read the Encryption Method line for each volume.
BitLocker doesn't offer an in-place conversion from 128-bit to 256-bit, so to move an existing volume to AES 256-bit you must let it decrypt completely and then encrypt it again.
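The Group Policy steps above and the check of existing volumes, done from PowerShell. This is an added example, not code from the original tutorial: it writes the registry values that the "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)" policy stores under HKLM\SOFTWARE\Policies\Microsoft\FVE, then lists encrypted volumes whose method no longer matches the policy. It assumes Windows 10 version 1511 or later (or Windows 11) in an edition that ships the BitLocker PowerShell module, and an elevated prompt; the value numbers, value names and cmdlets are Microsoft's, the variable names are chosen here.

```powershell
# Added example: apply the BitLocker cipher policy and audit existing volumes.
# Run from an elevated PowerShell prompt.
# Policy values (as stored by gpedit for the 1511-and-later cipher policy):
#   3 = AES-CBC 128-bit, 4 = AES-CBC 256-bit, 6 = XTS-AES 128-bit, 7 = XTS-AES 256-bit

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }

# Same choices as the tutorial: XTS-AES 256 for OS and fixed drives,
# AES-CBC 256 for removable drives so they still open on older Windows.
$desired = @{
    EncryptionMethodWithXtsOs  = 7
    EncryptionMethodWithXtsFdv = 7
    EncryptionMethodWithXtsRdv = 4
}
foreach ($name in $desired.Keys) {
    Set-ItemProperty -Path $policyKey -Name $name -Value $desired[$name] -Type DWord
}

# Map policy values to the names Get-BitLockerVolume reports in EncryptionMethod.
$methodName = @{ 3 = 'Aes128'; 4 = 'Aes256'; 6 = 'XtsAes128'; 7 = 'XtsAes256' }

# The policy only affects future encryption, so report volumes that are already
# encrypted with a method other than the one the policy now requires.
$encrypted = Get-BitLockerVolume | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' }
foreach ($vol in $encrypted) {
    # Removable drives also show VolumeType 'Data'; tell them apart via Get-Volume.
    $removable = $false
    if ($vol.MountPoint -match '^([A-Za-z]):$') {
        $info = Get-Volume -DriveLetter $Matches[1] -ErrorAction SilentlyContinue
        $removable = ($info.DriveType -eq 'Removable')
    }

    $wanted = if ($vol.VolumeType -eq 'OperatingSystem') { $methodName[$desired.EncryptionMethodWithXtsOs] }
              elseif ($removable)                         { $methodName[$desired.EncryptionMethodWithXtsRdv] }
              else                                        { $methodName[$desired.EncryptionMethodWithXtsFdv] }

    $actual = "$($vol.EncryptionMethod)"
    if ($actual -eq $wanted) {
        "{0} already uses {1}" -f $vol.MountPoint, $actual
    } else {
        "{0} uses {1}; policy now requires {2}. Decrypt fully and re-encrypt to change it." -f $vol.MountPoint, $actual, $wanted
    }
}

# Re-encrypting a volume that the audit flagged (shown for a fixed data drive D:).
# This is commented out because it removes the current protection until Enable-BitLocker
# finishes; uncomment it only for a drive you have chosen deliberately.
#   Disable-BitLocker -MountPoint 'D:'
#   while ((Get-BitLockerVolume -MountPoint 'D:').VolumeStatus -ne 'FullyDecrypted') { Start-Sleep -Seconds 30 }
#   Enable-BitLocker -MountPoint 'D:' -EncryptionMethod XtsAes256 -RecoveryPasswordProtector
```

Writing the registry values directly is equivalent to enabling the setting in gpedit.msc, and in a domain the same values arrive through the domain Group Policy object, which overrides whatever is set locally. The audit relies on the EncryptionMethod property of Get-BitLockerVolume, which reports the method a volume was actually encrypted with, not the policy, so it is the right place to confirm that a decrypt-and-re-encrypt cycle produced an XtsAes256 volume.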