How to Set Default BitLocker Encryption Method and Cipher Strength in Windows 10
You can use BitLocker Drive Encryption to help protect your files on an entire drive. BitLocker can help block hackers from accessing the system files they rely on to discover your password, or from accessing your drive by physically removing it from your PC and installing it in a different one. You can still sign in to Windows and use your files as you normally would.
New files are automatically encrypted when you add them to a drive that uses BitLocker. However, if you copy these files to another drive or a different PC, they're automatically decrypted.
BitLocker can encrypt the drive Windows is installed on (the operating system drive) as well as fixed data drives (such as internal hard drives). You can also use BitLocker To Go to help protect all files stored on a removable data drive (such as an external hard drive or USB flash drive).
Windows 10 (version 1511) introduces a new disk encryption mode (XTS-AES). This mode provides additional integrity support, but is not compatible with older versions of Windows.
You can also choose the disk encryption Compatible mode (AES-CBC), which is compatible with older versions of Windows. If you're encrypting a removable drive that you're going to use on an older version of Windows, you should use AES-CBC.
Both BitLocker Drive Encryption modes above support using 128-bit or 256-bit cipher strength.
Windows 10 uses XTS-AES 128 bit by default for operating system drives as well as fixed data drives, and uses AES-CBC 128 bit by default for removable data drives.
This tutorial will show you how to set a default encryption method (XTS-AES or AES-CBC) and cipher strength (128 bit or 256 bit) you want used by BitLocker in Windows 10.
You must be signed in as an administrator to be able to choose drive encryption method and cipher strength.
BitLocker Drive Encryption is only available in Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education editions.
The BitLocker encryption method and cipher strength you set as default are only applied when you turn on BitLocker for a drive. Any changes you make will not affect a drive already encrypted by BitLocker unless you turn off BitLocker for the drive and turn on BitLocker for it again.
Contents
- Option One: Set Default BitLocker Drive Encryption Method and Cipher Strength in Local Group Policy Editor
- Option Two: Set Default BitLocker Drive Encryption Method and Cipher Strength in Registry Editor
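Option One: Set Default BitLocker Drive Encryption Method and Cipher Strength in Local Group Policy Editor
1 Open the Local Group Policy Editor.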
2 In the left pane of Local Group Policy Editor, navigate to the location below. (see screenshot below)
3 In the right pane of BitLocker Drive Encryption in Local Group Policy Editor, double click/tap on the Choose drive encryption method and cipher strength (Windows 10 (Version 1511) and later) policy to edit it. (see screenshot above)
4 Do step 5 (default) or step 6 (choose) below for what you would like to do.
5 To Use Default BitLocker Drive Encryption Method and Cipher Strength
A) Select (dot) Not Configured or Disabled, click/tap on OK, and go to step 7 below. (see screenshot below)
Not Configured is the default setting.
6 To Choose BitLocker Drive Encryption Method and Cipher Strength
A) Select (dot) Enabled, select the encryption method you want for operating system drives, fixed data drives, and removable data drives, click/tap on OK, and go to step 7 below. (see screenshot below)
7 When finished, you can close the Local Group Policy Editor if you like.
Option Two: Set Default BitLocker Drive Encryption Method and Cipher Strength in Registry Editor
1 Press the Win + R keys to open Run, type regedit into Run, and click/tap on OK to open Registry Editor.
2 If prompted by UAC, click/tap on Yes.
3 In Registry Editor, browse to the key location below. (see screenshot below)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE
4 Do step 5 (choose) or step 6 (default) below for what you would like to do.
5 To Choose BitLocker Drive Encryption Method and Cipher Strength
A) In the right pane of the FVE key, double click/tap on the EncryptionMethodWithXtsFdv DWORD to modify it. (see screenshot below step 3)
If you don't have the EncryptionMethodWithXtsFdv DWORD (you don't by default), then right click or press and hold on an empty area in the right pane of the FVE key, click/tap on New, click/tap on DWORD (32-bit) Value, type EncryptionMethodWithXtsFdv, and press Enter.
B) Type the value data in the table below for the encryption method and cipher strength you want for fixed data drives, and click/tap on OK. (see screenshot and table below)
Value Data  Description
3           AES-CBC 128-bit
4           AES-CBC 256-bit
6           XTS-AES 128-bit (default)
7           XTS-AES 256-bit
C) In the right pane of the FVE key, double click/tap on the EncryptionMethodWithXtsOs DWORD to modify it. (see screenshot below step 3)
If you don't have the EncryptionMethodWithXtsOs DWORD (you don't by default), then right click or press and hold on an empty area in the right pane of the FVE key, click/tap on New, click/tap on DWORD (32-bit) Value, type EncryptionMethodWithXtsOs, and press Enter.
D) Type the value data in the table below for the encryption method and cipher strength you want for operating system drives, and click/tap on OK. (see screenshot and table below)
Value Data  Description
3           AES-CBC 128-bit
4           AES-CBC 256-bit
6           XTS-AES 128-bit (default)
7           XTS-AES 256-bit
E) In the right pane of the FVE key, double click/tap on the EncryptionMethodWithXtsRdv DWORD to modify it. (see screenshot below step 3)
If you don't have the EncryptionMethodWithXtsRdv DWORD (you don't by default), then right click or press and hold on an empty area in the right pane of the FVE key, click/tap on New, click/tap on DWORD (32-bit) Value, type EncryptionMethodWithXtsRdv, and press Enter.
F) Type the value data in the table below for the encryption method and cipher strength you want for removable data drives, click/tap on OK, and go to step 7 below. (see screenshot and table below)
Value Data  Description
3           AES-CBC 128-bit (default)
4           AES-CBC 256-bit
6           XTS-AES 128-bit
7           XTS-AES 256-bit
6 To Use Default BitLocker Drive Encryption Method and Cipher Strength
A) In the right pane of the FVE key, right click or press and hold on the EncryptionMethodWithXtsFdv DWORD, and click/tap on Delete. (see screenshot below step 3)
B) Click/tap on Yes to confirm. (see screenshot below)
C) In the right pane of the FVE key, right click or press and hold on the EncryptionMethodWithXtsOs DWORD, and click/tap on Delete. (see screenshot below step 3)
D) Click/tap on Yes to confirm. (see screenshot below)
E) In the right pane of the FVE key, right click or press and hold on the EncryptionMethodWithXtsRdv DWORD, and click/tap on Delete. (see screenshot below step 3)
F) Click/tap on Yes to confirm, and go to step 7 below. (see screenshot below)
7 When finished, you can close Registry Editor if you like.
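The registry steps in Option Two can also be scripted from an elevated PowerShell prompt. The script below is an added example, not part of the original tutorial; the function names Set-BitLockerDefaultMethod and Get-BitLockerDefaultMethod are hypothetical, and the methods chosen at the end are only a sample choice.

```powershell
#Requires -RunAsAdministrator
# Added example; function names are hypothetical, not part of Windows or the tutorial.
$FvePath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
# Value data from the tutorial's tables.
$MethodValues = [ordered]@{ 'AES-CBC 128-bit' = 3; 'AES-CBC 256-bit' = 4
                            'XTS-AES 128-bit' = 6; 'XTS-AES 256-bit' = 7 }
# DWORD name for each drive type (steps 5 A, C and E).
$ValueNames = [ordered]@{
    OperatingSystem = 'EncryptionMethodWithXtsOs'
    FixedData       = 'EncryptionMethodWithXtsFdv'
    RemovableData   = 'EncryptionMethodWithXtsRdv'
}

function Set-BitLockerDefaultMethod {
    param(
        [Parameter(Mandatory)][ValidateSet('OperatingSystem', 'FixedData', 'RemovableData')]
        [string]$DriveType,
        [Parameter(Mandatory)]
        [ValidateSet('AES-CBC 128-bit', 'AES-CBC 256-bit', 'XTS-AES 128-bit', 'XTS-AES 256-bit')]
        [string]$Method
    )
    # Create the FVE key if it is not there yet, then write the DWORD.
    if (-not (Test-Path $FvePath)) { New-Item -Path $FvePath -Force | Out-Null }
    New-ItemProperty -Path $FvePath -Name $ValueNames[$DriveType] -PropertyType DWord `
        -Value $MethodValues[$Method] -Force | Out-Null
}

function Get-BitLockerDefaultMethod {
    # A missing DWORD means the Windows default for that drive type applies.
    $key = Get-ItemProperty -Path $FvePath -ErrorAction SilentlyContinue
    foreach ($type in $ValueNames.Keys) {
        $raw = if ($key) { $key.($ValueNames[$type]) } else { $null }
        $method = 'Not set (Windows default)'
        if ($null -ne $raw) {
            $match  = $MethodValues.GetEnumerator() | Where-Object { $_.Value -eq $raw }
            $method = if ($match) { $match.Key } else { 'Unrecognised value' }
        }
        [pscustomobject]@{ DriveType = $type; ValueData = $raw; Method = $method }
    }
}

# Sample choice: XTS-AES 256-bit for internal drives, AES-CBC 256-bit for removable
# drives that may be read on older versions of Windows.
Set-BitLockerDefaultMethod -DriveType OperatingSystem -Method 'XTS-AES 256-bit'
Set-BitLockerDefaultMethod -DriveType FixedData       -Method 'XTS-AES 256-bit'
Set-BitLockerDefaultMethod -DriveType RemovableData   -Method 'AES-CBC 256-bit'
Get-BitLockerDefaultMethod | Format-Table -AutoSize
# Drives that are already encrypted keep the method they were encrypted with.
Get-BitLockerVolume | Select-Object MountPoint, VolumeType, EncryptionMethod, VolumeStatus
```

The last command lists the method each existing volume actually uses, which makes it easy to spot drives that were encrypted before the default was changed.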
That's it,
Shawn