Change BitLocker Encryption Method and Cipher Strength in Windows 10


BitLocker in Windows 10 supports several encryption methods and lets you choose the cipher strength. These options can be configured with either Group Policy or Registry Editor. In this post, we will review both methods.

BitLocker was first introduced in Windows Vista and still exists in Windows 10. It was implemented exclusively for Windows and has no official support in alternative operating systems. BitLocker can use your PC's Trusted Platform Module (TPM) to store its encryption key secrets. In modern versions of Windows such as Windows 8.1 and Windows 10, BitLocker supports hardware-accelerated encryption if certain requirements are met (the drive has to support it, Secure Boot must be on, and there are many other requirements). Without hardware encryption, BitLocker falls back to software-based encryption, so there is a dip in your drive's performance.

Note: In Windows 10, BitLocker Drive Encryption is only available in the Pro, Enterprise, and Education editions.

BitLocker encryption methods and cipher strength

For fixed drives and the system drive, Windows 10 supports the following encryption methods and cipher strengths:

  • AES-CBC 128-bit
  • AES-CBC 256-bit
  • XTS-AES 128-bit (used by default)
  • XTS-AES 256-bit

For removable drives, the same encryption algorithms can be used; however, BitLocker defaults to AES-CBC 128-bit.

Here are two methods you can use to adjust the data encryption options. Please keep in mind that BitLocker applies the configured encryption method and cipher strength when you turn on BitLocker for a drive. Changing the method won't affect already encrypted drives. You have to turn off BitLocker for an encrypted drive and turn it on again to apply the new encryption options.

To Change BitLocker Encryption Method and Cipher Strength in Windows 10,

  1. Open the Local Group Policy editor app.
  2. Navigate to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption on the left.
  3. On the right, find the policy setting Choose drive encryption method and cipher strength (Windows 10 (Version 1511) and later).
  4. Double-click on it and set the policy to Enabled.
  5. Now, select the encryption method you want for operating system drives, fixed data drives, and removable data drives.

You are done.

Setting the mentioned policy to "Not configured" will restore the defaults.

Alternatively, you can apply a Registry tweak.

Change BitLocker Encryption Method and Cipher Strength in Registry

  1. Open Registry Editor.
  2. Go to the following Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE.
    See how to jump to the desired Registry key with one click. If this key does not exist, just create it.
  3. To specify BitLocker Drive Encryption Method and Cipher Strength for fixed data drives, create a new 32-bit DWORD value EncryptionMethodWithXtsFdv. Note: Even if you are running 64-bit Windows, you still need to use a 32-bit DWORD as the value type.
  4. Set it to one of the following values:
    • 3 = AES-CBC 128-bit
    • 4 = AES-CBC 256-bit
    • 6 = XTS-AES 128-bit (this is the default option in Windows 10)
    • 7 = XTS-AES 256-bit
  5. For operating system drives, create a new 32-bit DWORD value EncryptionMethodWithXtsOs.
  6. Set it to one of the following values:
    • 3 = AES-CBC 128-bit
    • 4 = AES-CBC 256-bit
    • 6 = XTS-AES 128-bit (this is the default option in Windows 10)
    • 7 = XTS-AES 256-bit
  7. For removable data drives, create a new 32-bit DWORD value EncryptionMethodWithXtsRdv.
  8. Set it to one of the following values:
    • 3 = AES-CBC 128-bit
    • 4 = AES-CBC 256-bit
    • 6 = XTS-AES 128-bit (this is the default option in Windows 10)
    • 7 = XTS-AES 256-bit
  9. To make the changes done by the Registry tweak take effect, sign out and sign in to your user account again.

Later, you can delete the EncryptionMethodWithXtsRdv, EncryptionMethodWithXtsOs, and EncryptionMethodWithXtsFdv values to restore the default encryption method for all drive types.
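The following PowerShell script is an added example, not part of the original article: it reads the three FVE policy values described above, translates them to the cipher names from the table, optionally sets all three to one code, and then lists the cipher each volume is actually using, because, as noted above, volumes encrypted before the change keep their old method. It assumes an elevated prompt on a Windows 10 edition that ships the BitLocker PowerShell module; the function names Get-FvePolicy and Set-FvePolicy are my own.

```powershell
# Added example (not from the original article). Assumes elevated PowerShell on
# Windows 10 Pro/Enterprise/Education with the BitLocker module available.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# DWORD value -> cipher, as listed in the Registry steps above
$cipherNames = @{
    3 = 'AES-CBC 128-bit'
    4 = 'AES-CBC 256-bit'
    6 = 'XTS-AES 128-bit'
    7 = 'XTS-AES 256-bit'
}

# Drive type -> policy value name
$policyValues = @{
    'Operating system drives' = 'EncryptionMethodWithXtsOs'
    'Fixed data drives'       = 'EncryptionMethodWithXtsFdv'
    'Removable data drives'   = 'EncryptionMethodWithXtsRdv'
}

function Get-FvePolicy {
    # Report the configured cipher per drive type; a missing value means "Not configured".
    foreach ($entry in $policyValues.GetEnumerator()) {
        $raw  = Get-ItemProperty -Path $policyKey -Name $entry.Value -ErrorAction SilentlyContinue
        $code = if ($raw) { [int]$raw.($entry.Value) } else { $null }
        [pscustomobject]@{
            DriveType = $entry.Key
            ValueName = $entry.Value
            Policy    = if ($null -eq $code) { 'Not configured (Windows default)' }
                        elseif ($cipherNames.ContainsKey($code)) { $cipherNames[$code] }
                        else { "Unknown value $code" }
        }
    }
}

function Set-FvePolicy {
    # Write all three values as 32-bit DWORDs (required even on 64-bit Windows).
    # Only volumes encrypted after this change pick up the new cipher.
    param([ValidateSet(3, 4, 6, 7)][int]$Code)
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    foreach ($name in $policyValues.Values) {
        New-ItemProperty -Path $policyKey -Name $name -Value $Code -PropertyType DWord -Force | Out-Null
    }
}

Get-FvePolicy | Format-Table -AutoSize

# What is actually in use: compare EncryptionMethod here with the policy above to spot
# volumes that must be decrypted and re-encrypted before they match.
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeType, ProtectionStatus, EncryptionMethod |
    Format-Table -AutoSize
```

Run `Set-FvePolicy -Code 7` to select XTS-AES 256-bit for all three drive types, then re-run the script to confirm the policy and see which volumes still report the old method.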


Author: Sergey Tkachenko

Sergey Tkachenko is a software developer who started Winaero back in 2011. On this blog, Sergey is writing about everything connected to Microsoft, Windows and popular software. Follow him on Telegram, Twitter, and YouTube.
