New BitLocker Encryption Settings in version 1511? Solved

  1.    10 Mar 2016 #1

    New BitLocker Encryption Settings in version 1511?


    I have Win 10 Pro and I set the Encryption method in Group Policy as being XTS-AES 256 instead of the default XTS-AES 128. Is XTS-AES 256 more secure than XTS-AES 128?

  2. Brink
       10 Mar 2016 #2

    Hello win10freak, :)

    XTS-AES 256 uses 256-bit encryption vs 128-bit encryption with XTS-AES 128. 256 is more secure.

  3.    10 Mar 2016 #3

    Hello Brink,

    Yes, I had read your posting on that. And we thank you very much for posting that.

    My question being, is XTS-AES 256 more secure than XTS-AES 128?

    And what Encryption Method do you use when using BitLocker on OS drives?

  4. Brink
       10 Mar 2016 #4

    XTS-AES 256 uses 256-bit encryption vs 128-bit encryption with XTS-AES 128. 256 is more secure.

    I use XTS-AES 256 whenever I encrypt with BitLocker.

  5.    10 Mar 2016 #5

    As Brink said, AES-256 is stronger than AES-128.

    I think the idea of AES-256 being weaker than AES-128 stemmed from an article Bruce Schneier once published regarding a NIST paper. The main part being AES-128 attacks would require 2^128 time to break it, whereas the paper was showing attacks against AES-256 requiring only 2^119 time to break it, hence the alarm. However the article itself also said that the attacks were non-practical, and also they weren't based on full 14-round AES-256, but crippled 9-, 10- and 11-round AES-256. In short, it was a theoretical non-practical paper exploring ideas rather than attacking real world AES-256 encrypted data. So despite the speculation, AES-256 is stronger than AES-128.

    The obvious question then is why use AES-128 when you can use the stronger AES-256. The advantage to using AES-128 is mainly for performance reasons (although any performance differences won't be noticeable to the user). When data is read and written to disk it's encrypted/decrypted on the fly and therefore AES-128 is faster and takes less processing power than AES-256. However, nowadays most CPUs have AES-NI instructions built into the CPU specifically to make encrypting/decrypting as fast and efficient as possible. On top of that AES-XTS increases performance even further compared to AES-CBC.

    The reason for AES-256, on the other hand, is not that AES-128 is insecure, because that is not the case; AES-128 is unbreakable now and for the foreseeable future. However, the NSA for example recommended that all 'Top Secret' data was encrypted with AES-256 for future proofing reasons. Data isn't just classified for this year, but for many years to come, and in many years to come that could include protecting the data against quantum computing or other technological advancements. From an OS maker's point of view though, as AES-128 is secure enough that AES-256 isn't required, there's been little point making AES-256 the default setting.

  6.    10 Mar 2016 #6

    I was wondering as to why MS or other OS makers use AES 128 by default.
    You answered my question. And thanks!

    And to meet FIPS 140-2 compliance, need to use AES 256 as well.

  7. Brink
       11 Mar 2016 #7

    AES 256 could have more of an impact on performance if the PC is not very powerful, but I agree it should be the default instead.

  8.    11 Mar 2016 #8

    Yes, why not go for more security if there is a choice for it.
    The noticeable slowdown of my system is during the encryption process, but after that, no performance issues.
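
Added example (not part of the original thread): the Group Policy setting from post #1 is only applied when BitLocker is turned on for a drive, so a volume that was already encrypted keeps its old method until it is decrypted and encrypted again. The script below compares the configured policy with what each volume actually uses. It assumes the policy is stored under HKLM\SOFTWARE\Policies\Microsoft\FVE in the value names shown, and it must be run from an elevated PowerShell prompt.

```powershell
# Added example: compare the BitLocker encryption-method policy with the
# method each volume is actually using (Windows 10 version 1511 or later).

# Numeric values written by the "Choose drive encryption method and cipher
# strength (Windows 10 [Version 1511] and later)" policy.
$methodByValue = @{ 3 = 'Aes128'; 4 = 'Aes256'; 6 = 'XtsAes128'; 7 = 'XtsAes256' }

# Policy value name per volume type reported by Get-BitLockerVolume.
# Assumption: Data volumes are fixed drives. Removable drives also report
# as Data but are governed by EncryptionMethodWithXtsRdv.
$policyNameByType = @{
    OperatingSystem = 'EncryptionMethodWithXtsOs'
    Data            = 'EncryptionMethodWithXtsFdv'
}

$policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' `
                           -ErrorAction SilentlyContinue

Get-BitLockerVolume | ForEach-Object {
    $valueName = $policyNameByType["$($_.VolumeType)"]

    if ($policy -and $valueName -and $null -ne $policy.$valueName) {
        # Policy is configured: translate the stored number to a method name.
        $configured = $methodByValue[[int]$policy.$valueName]
        if (-not $configured) { $configured = 'Unknown' }
    } else {
        # Policy not configured: XTS-AES 128 is the default for OS and fixed drives.
        $configured = 'XtsAes128'
    }

    # EncryptionMethod is 'None' for a volume that is fully decrypted.
    $actual = "$($_.EncryptionMethod)"

    [pscustomobject]@{
        MountPoint    = $_.MountPoint
        VolumeType    = $_.VolumeType
        VolumeStatus  = $_.VolumeStatus
        PolicyMethod  = $configured
        ActualMethod  = $actual
        MatchesPolicy = ($actual -eq $configured)
    }
} | Format-Table -AutoSize
```

A row with MatchesPolicy set to False on an encrypted volume means the drive was encrypted before the policy was changed.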

