1.    10 Mar 2016 #1
    Join Date : Nov 2015
    Posts : 201
    Win10

    New BitLocker Encryption Settings in version 1511?


    Hi,

    I have Win 10 Pro and I set the Encryption method in Group Policy as being XTS-AES 256 instead of the default XTS-AES 128. Is XTS-AES 256 more secure than XTS-AES 128?
    https://technet.microsoft.com/en-us/...(v=vs.85).aspx
  2.    10 Mar 2016 #2
    Join Date : Oct 2013
    Posts : 25,705
    64-bit Windows 10 Pro build 17046

    Hello win10freak,

    XTS-AES 256 uses 256-bit encryption vs 128-bit encryption with XTS-AES 128. 256 is more secure.

    https://www.tenforums.com/tutorials/3...dows-10-a.html
  3.    10 Mar 2016 #3
    Join Date : Nov 2015
    Posts : 201
    Win10
    Thread Starter

    Hello Brink,

    Yes, I had read your posting on that. And we thank you very much for posting that.

    My question being, is XTS-AES 256 more secure than XTS-AES 128?

    And what Encryption Method do you use when using BitLocker on OS drives?
  4.    10 Mar 2016 #4
    Join Date : Oct 2013
    Posts : 25,705
    64-bit Windows 10 Pro build 17046

    XTS-AES 256 uses 256-bit encryption vs 128-bit encryption with XTS-AES 128. 256 is more secure.

    I use XTS-AES 256 whenever I encrypt with BitLocker.
  5.    10 Mar 2016 #5
    Join Date : Feb 2014
    Posts : 487

    As Brink said, AES-256 is stronger than AES-128.

    I think the idea of AES-256 being weaker than AES-128 stemmed from an article Bruce Schneier once published regarding a NIST paper. The main part being AES-128 attacks would require 2^128 time to break it, whereas the paper was showing attacks against AES-256 requiring only 2^119 time to break it, hence the alarm. However the article itself also said that the attacks were non-practical, and also they weren't based on full 14-round AES-256, but crippled 9, 10 and 11 round AES-256. In short, it was a theoretical non-practical paper exploring ideas rather than attacking real world AES-256 encrypted data. So despite the speculation, AES-256 is stronger than AES-128.

    The obvious question then is why use AES-128 when you can use the stronger AES-256. The advantage to using AES-128 is mainly for performance reasons (although any performance differences won't be noticeable to the user). When data is read and written to disk it's encrypted/decrypted on the fly and therefore AES-128 is faster and takes less processing power than AES-256. However, nowadays most CPUs have AES-NI instructions built into the CPU specifically to make encrypting/decrypting as fast and efficient as possible. On top of that AES-XTS increases performance even further compared to AES-CBC.

    The reason for AES-256 on the other hand, is not because AES-128 is insecure because that is not the case, AES-128 is unbreakable now and for the foreseeable future. However, the NSA for example recommended that all 'Top Secret' data was encrypted with AES-256 for future proofing reasons. Data isn't just classified for this year, but for many years to come and in many years to come that could include protecting the data against quantum computing or other technological advancements. From an OS maker's point of view though, as AES-128 is secure enough that AES-256 isn't required, there's been little point making AES-256 the default setting.
  6.    10 Mar 2016 #6
    Join Date : Nov 2015
    Posts : 201
    Win10
    Thread Starter

    I was wondering as to why MS or other OS makers use AES 128 by default.
    You answered my question. And thanks!

    And to meet FIPS 140-2 compliance, need to use AES 256 as well.
  7.    11 Mar 2016 #7
    Join Date : Oct 2013
    Posts : 25,705
    64-bit Windows 10 Pro build 17046

    AES 256 could have more of an impact on performance if the PC is not very powerful, but I agree it should be the default instead.
  8.    11 Mar 2016 #8
    Join Date : Nov 2015
    Posts : 201
    Win10
    Thread Starter

    Yes, why not go for more security if there is a choice for it.
    The noticeable slowdown of my system is during the encryption process, but after that, no performance issues.
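
Added example, not part of any post in the thread: the Group Policy encryption method discussed above is applied when BitLocker is turned on for a drive, so a drive that was already encrypted keeps its old cipher. This PowerShell check compares the configured policy with what each volume actually uses; the registry value names and numeric codes are assumptions about how the 1511+ policy is stored.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Assumption: the 1511+ cipher-strength policy is stored as DWORDs under this key
# (3 = AES-CBC 128, 4 = AES-CBC 256, 6 = XTS-AES 128, 7 = XTS-AES 256).
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$methodName = @{ 3 = 'Aes128'; 4 = 'Aes256'; 6 = 'XtsAes128'; 7 = 'XtsAes256' }

# Get-BitLockerVolume reports fixed and removable data drives alike as 'Data',
# so data volumes are compared against the fixed-data-drive value only.
$valueFor = @{
    OperatingSystem = 'EncryptionMethodWithXtsOs'
    Data            = 'EncryptionMethodWithXtsFdv'
}

$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

Get-BitLockerVolume | ForEach-Object {
    $valueName = $valueFor[[string]$_.VolumeType]
    $wanted = $null
    if ($policy -and $valueName -and $null -ne $policy.$valueName) {
        $wanted = $methodName[[int]$policy.$valueName]
    }
    $actual = [string]$_.EncryptionMethod

    [pscustomobject]@{
        MountPoint   = $_.MountPoint
        VolumeStatus = $_.VolumeStatus
        Actual       = $actual
        Policy       = if ($wanted) { $wanted } else { 'not configured' }
        # $null means there is nothing to compare (no policy, or volume not encrypted)
        Matches      = if ($wanted -and $actual -ne 'None') { $actual -eq $wanted } else { $null }
    }
} | Format-Table -AutoSize
```

A row with `Matches` False on an encrypted volume means the drive was encrypted before the policy changed; it has to be decrypted and encrypted again to pick up the new method.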

 

