Windows 10: Change BitLocker Encryption Method and Cipher Strength in Windows 10

How to: Change BitLocker Encryption Method and Cipher Strength in Windows 10

How to Set Default BitLocker Encryption Method and Cipher Strength in Windows 10


You can use BitLocker Drive Encryption to help protect your files on an entire drive. BitLocker can help block hackers from accessing the system files they rely on to discover your password, or from accessing your drive by physically removing it from your PC and installing it in a different one. You can still sign in to Windows and use your files as you normally would.

New files are automatically encrypted when you add them to a drive that uses BitLocker. However, if you copy these files to another drive or a different PC, they're automatically decrypted.

BitLocker can encrypt the drive Windows is installed on (the removable data drive (such as an external hard drive or USB flash drive).

Windows 10 (version 1511) introduces a new disk encryption mode (XTS-AES). This mode provides additional integrity support, but is not compatible with older versions of Windows.

You could also select to use disk encryption Compatible mode (AES-CBC) that is compatible with older versions of Windows. If you're encrypting a removable drive that you're going to use on an older version of Windows, you should use AES-CBC.

Both BitLocker Drive Encryption modes above support using 128-bit or 256-bit cipher strength.

Windows 10 uses XTS-AES 128 bit by default for operating system drives as well as fixed data drives, and uses AES-CBC 128 bit by default for removable data drives.

This tutorial will show you how to set a default encryption method (XTS-AES or AES-CBC) and cipher strength (128 bit or 256 bit) you want used by BitLocker in Windows 10.

*Warning You must be signed in as an administrator to be able to choose drive encryption method and cipher strength.

*note BitLocker Drive Encryption is only available in Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education editions.

*note The BitLocker encryption method and cipher strength you set as default is only applied when you turn on BitLocker for a drive. Any changes you make will not affect a drive already encrypted by BitLocker unless you turn off Bitlocker for the drive and turn on BitLocker for it again.


CONTENTS:

• Option One: Set Default BitLocker Drive Encryption Method and Cipher Strength in Local Group Policy Editor
• Option Two: Set Default BitLocker Drive Encryption Method and Cipher Strength in Registry Editor

OPTION ONE [/i] Set Default BitLocker Drive Encryption Method and Cipher Strength in Local Group Policy Editor
1. Open the Local Group Policy Editor.

2. In the left pane of Local Group Policy Editor, navigate to the location below. (see screenshot below)
*Arrow Computer Configuration/Administrative Templates/Windows Components/BitLocker Drive Encryption




3. In the right pane of BitLocker Drive Encryption in Local Group Policy Editor, double click/tap on the Choose drive encryption method and cipher strength (Windows 10 (Version 1511) and later) policy to edit it. (see screenshot above)

4. Do step 5 (default) or step 6 (choose) below for what you would like to do.


5. To Use Default BitLocker Drive Encryption Method and Cipher Strength
A) Select (dot) Not Configured or Disabled, click/tap on OK, and go to step 7 below. (see screenshot below)

*note Not Configured[/B] is the default setting.

6. To Choose BitLocker Drive Encryption Method and Cipher Strength
A) Select (dot) Enabled, select the encryption method you want for operating system drives, fixed data drives, and removable data drives, click/tap on OK, and go to step 7 below. (see screenshot below)




7. When finished, you can close the Local Group Policy Editor if you like.





OPTION TWO [/i] Set Default BitLocker Drive Encryption Method and Cipher Strength in Registry Editor
1. Press the Win+R keys to open Run, type regedit, and click/tap on OK to open Registry Editor.

2. If prompted by UAC, click/tap on Yes.

3. In Registry Editor, browse to the key location below. (see screenshot below)
*Arrow HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE





4. Do step 5 (choose) or step 6 (default) below for what you would like to do.


5. To Choose BitLocker Drive Encryption Method and Cipher Strength
A) In the right pane of the FVE key, double click/tap on the EncryptionMethodWithXtsFdv DWORD to modify it. (see screenshot below step 3)

*note If you don't have the EncryptionMethodWithXtsFdv DWORD (you don't by default), then right click or press and hold on an empty area in the right pane of the FVE key, click/tap on New, click/tap on DWORD (32-bit) Value, type EncryptionMethodWithXtsFdv, and press Enter.

B) Type the value data in the table below for the encryption method and cipher strength you want for fixed data drives, and click/tap on OK. (see screenshot and table below)




[table][tr][td]Value Data[/td] [td]Description[/td] [/tr] [tr][td]3[/td] [td]AES-CBC 128-bit[/td] [/tr] [tr][td]4[/td] [td]AES-CBC 256-bit[/td] [/tr] [tr][td]6[/td] [td]XTS-AES 128-bit (default)[/td] [/tr] [tr][td]7[/td] [td]XTS-AES 256-bit[/td] [/tr] [/table]

C) In the right pane of the FVE key, double click/tap on the EncryptionMethodWithXtsOs DWORD to modify it. (see screenshot below step 3)

*note If you don't have the EncryptionMethodWithXtsOs DWORD (you don't by default), then right click or press and hold on an empty area in the right pane of the FVE key, click/tap on New, click/tap on DWORD (32-bit) Value, type EncryptionMethodWithXtsOs, and press Enter.

D) Type the value data in the table below for the encryption method and cipher strength you want for operating system drives, and click/tap on OK. (see screenshot and table below)




[table][tr][td]Value Data[/td] [td]Description[/td] [/tr] [tr][td]3[/td] [td]AES-CBC 128-bit[/td] [/tr] [tr][td]4[/td] [td]AES-CBC 256-bit[/td] [/tr] [tr][td]6[/td] [td]XTS-AES 128-bit (default)[/td] [/tr] [tr][td]7[/td] [td]XTS-AES 256-bit[/td] [/tr] [/table]

E) In the right pane of the FVE key, double click/tap on the EncryptionMethodWithXtsRdv DWORD to modify it. (see screenshot below step 3)

*note If you don't have the EncryptionMethodWithXtsRdv DWORD (you don't by default), then right click or press and hold on an empty area in the right pane of the FVE key, click/tap on New, click/tap on DWORD (32-bit) Value, type EncryptionMethodWithXtsRdv, and press Enter.

F) Type the value data in the table below for the encryption method and cipher strength you want for removable data drives, click/tap on OK, and go to step 7 below. (see screenshot and table below)




[table][tr][td]Value Data[/td] [td]Description[/td] [/tr] [tr][td]3[/td] [td]AES-CBC 128-bit (default)[/td] [/tr] [tr][td]4[/td] [td]AES-CBC 256-bit[/td] [/tr] [tr][td]6[/td] [td]XTS-AES 128-bit[/td] [/tr] [tr][td]7[/td] [td]XTS-AES 256-bit[/td] [/tr] [/table]


6. To Use Default BitLocker Drive Encryption Method and Cipher Strength
A) In the right pane of the FVE key, right click or press and hold on the EncryptionMethodWithXtsFdv DWORD, and click/tap on Delete. (see screenshot below step 3)

B) Click/tap on Yes to confirm. (see screenshot below)



C) In the right pane of the FVE key, right click or press and hold on the EncryptionMethodWithXtsOs DWORD, and click/tap on Delete. (see screenshot below step 3)

D) Click/tap on Yes to confirm. (see screenshot below)



E) In the right pane of the FVE key, right click or press and hold on the EncryptionMethodWithXtsRdv DWORD, and click/tap on Delete. (see screenshot below step 3)

F) Click/tap on Yes to confirm, and go to step 7 below. (see screenshot below)



7. When finished, you can close Registry Editor if you like.

That's it,
Shawn


Related Tutorials

• How to Create a BitLocker Drive Encryption Shortcut in Windows 10
• How to Turn On or Off BitLocker for Operating System Drive in Windows 10
• How to Turn On or Off BitLocker for Removable Data Drives in Windows 10
• How to Turn On or Off BitLocker for Fixed Data Drives in Windows 10

:)

 

Bitlocker in Windows 10 without TPM

Are you sure you've got 10 Pro installed (fully patched up) and are logged in as an Admin?

Assuming that, I'm guessing you're looking under the wrong section. I double checked, and it's right there in the local group policy editor under Local Computer Policy/ Computer Configuration/Administrative Templates/Windows Components/Bitlocker Drive Encryption.

I also set the "Choose drive encryption method and cipher strength" to the newer/better XTS-AES 256-bit method under there.

 

CANNOT USE ENHANCED BITLOCKER PIN

Hello,

I am having problem with creating complex passwords while activating BitLocker drive encryption at win10.

It only lets me to put numeric password but I want to use complex password with characters, letters and symbols.

I already enabled

- "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing”

- "Choose drive encryption method and cipher strength"

- "Allow Enhanced PINs For Startup"

policies before I start encryption but nothing changed. Is there a way to use complex passwords?

 

Hello Yasak, *Smile

That's correct. The keys will not be there by default in OPTION TWO unless added.

 

Hi

Am just about to do this and need to step back. I will use the stronger cipher for all but USB drives. I will use a usb drive for authentication as well the windows password (if that's possible).

However, I have been used to using Truecrypt, partitioning all my drives to separate O/S and data. Truecrypt helpfully offered the function to mount the data drive/partition along with the system drive when the boot key was entered (as long as same key was used for both o/s and data partitions).

Now the real point of my post.....
This worked really well and allowed me to move the locations of special folders to the data drive from where I backed these up, altogether, pictures, music, videos, downloads and desktop. The latter may be an issue with Bitlocker if unlike Truecrypt, it does not offer a way of mounting data drive along with o/s at boot time - otherwise the desktop and taskbar will probably not populate properly at boot.

Need to understand this before I start encryption.

It looks like I have to encrypt the partitions separately... or can they be encrypted together i.e. whole system drive including data partition....? Happy to use the same key for both as I did with Truecrypt.

Just need to know that my desktop will load at boot from the data partition if I move the special folder to data partition.

 

Hello Kevin, *Smile

That's correct. BitLocker will encrypt per drive instead of whole hard disk.

 

Thanks. Any idea on how it deals with changed location of desktop special folder at boot time? Does it mean that a password or whatever authentication is used has to be used twice, once for each partition, o/s and data partition (the latter being where I would preferably store the desktop special folder)?

 

I haven't tested to know 100%, but I would think that if you have it set to unlock the drive when you sign in to Windows 10, it'll be fine.

 

Thanks Brink. I think you are right. Have since found this:

BitLocker Auto-unlock - Turn On or Off in Windows 8

 

Please let us know how it went to confirm. *Smile