Enable 256-bit Bitlocker encryption on Windows 11 to boost security
Bitlocker is the default encryption technology of the Windows operating system. It is used widely on Windows, but some users prefer third-party solutions, such as VeraCrypt.
What many users of Bitlocker don't know is that it defaults to 128-bit encryption, even though 256-bit is also available. Without going into too many details about the differences, the core difference between AES 128-bit and 256-bit encryption is the length of the key. A longer key makes brute force attacks much harder.
While 128-bit is the default, even Microsoft recommends using 256-bit to improve security. Problem is, most users may not know about the weaker default or how to make the change.
First, you may want to find out which encryption method is used on the Windows device. Here is how that is done:
- Open the Start Menu.
- Type CMD and activate the "run as administrator" option while the Command Prompt result is highlighted.
- Run the command manage-bde -status.
- Windows returns a bunch of information about each volume. Check the Encryption Method status. If it reads XTS-AES 256 you are all set and don't need to do anything. If you get XTS-AES 128, encryption is using the weaker 128-bit method.
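The same check can be scripted so that every volume is reported at once. The following is an added example, not part of the original article: it uses the BitLocker PowerShell module that ships with Windows 10 and 11 (the Get-BitLockerVolume cmdlet) instead of manage-bde, and flags every encrypted volume whose cipher is not XTS-AES 256. Run it from an elevated PowerShell prompt; the property values XtsAes256, XtsAes128, Aes256, Aes128 and None are the module's names for the ciphers.

```powershell
# Added example (not from the original article): audit BitLocker cipher strength
# on every volume with Get-BitLockerVolume. Run from an elevated PowerShell.
# Assumption: EncryptionMethod is reported as XtsAes256, XtsAes128, Aes256 (AES-CBC),
# Aes128 (AES-CBC) or None, and VolumeStatus is FullyDecrypted for unencrypted volumes.

function Get-WeakBitLockerVolumes {
    [CmdletBinding()]
    param(
        # Cipher considered acceptable; every other encrypted volume is reported.
        [string]$Expected = 'XtsAes256'
    )
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeStatus     = $_.VolumeStatus        # FullyEncrypted / FullyDecrypted / ...InProgress
            EncryptionMethod = $_.EncryptionMethod
            Protection       = $_.ProtectionStatus    # On / Off (Off = protectors suspended)
            # Unencrypted volumes are skipped; anything encrypted with another cipher is flagged.
            NeedsReEncrypt   = ($_.VolumeStatus -ne 'FullyDecrypted') -and
                               ([string]$_.EncryptionMethod -ne $Expected)
        }
    }
}

$report = Get-WeakBitLockerVolumes
$report | Format-Table -AutoSize

$weak = $report | Where-Object NeedsReEncrypt
if ($weak) {
    Write-Warning ('Volumes not using XTS-AES 256: ' + ($weak.MountPoint -join ', '))
} else {
    Write-Host 'All encrypted volumes already use XTS-AES 256.'
}
```

Volumes that show Protection = Off while FullyEncrypted have their key protectors suspended (for example during a firmware update); they are still encrypted with the reported cipher, so the script still counts them.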
Problem is, Windows does not include an option to migrate from 128-bit to 256-bit. Even worse, to even get the 256-bit option, it is necessary to make a change in the Group Policy Editor.
Here is a step-by-step guide on how to do that:
- Open the Start Menu.
- Type gpedit.msc and select Edit Group Policy.
- Navigate to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption.
- Double-click on "Choose drive encryption method and cipher strength" to manage this policy. Note that there are three entries for different versions of Windows. Select Windows 10 [Version 1511] and later.
- Switch the status of the policy to Enabled.
- Change the encryption method for operating system and fixed drives to XTS-AES 256-bit. You may also make the change for removable data drives. Some say that AES-CBC 256-bit offers better compatibility, but this is only important if you plug the removable drive into other systems.
- Select OK to make the change.
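The Group Policy steps above can also be done from PowerShell, which is useful when several machines need the same setting. The following is an added example, not part of the original article: it writes the same "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)" policy to the Local Group Policy registry location and reads it back. The registry path HKLM\SOFTWARE\Policies\Microsoft\FVE and the numeric values (3 = AES-CBC 128, 4 = AES-CBC 256, 6 = XTS-AES 128, 7 = XTS-AES 256) are taken from the BitLocker policy template and are not mentioned in the article; on a domain-joined machine a domain GPO for the same policy overwrites whatever is set here.

```powershell
# Added example (not from the original article): configure the BitLocker cipher
# policy from PowerShell instead of gpedit.msc, then read the result back.
# Assumptions: Local Group Policy stores this policy under
# HKLM\SOFTWARE\Policies\Microsoft\FVE, and the value meanings follow the
# BitLocker policy template: 3 = AES-CBC 128, 4 = AES-CBC 256,
# 6 = XTS-AES 128, 7 = XTS-AES 256. Requires an elevated prompt.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$Methods   = @{ 3 = 'AES-CBC 128'; 4 = 'AES-CBC 256'; 6 = 'XTS-AES 128'; 7 = 'XTS-AES 256' }
$Settings  = 'EncryptionMethodWithXtsOs', 'EncryptionMethodWithXtsFdv', 'EncryptionMethodWithXtsRdv'

function Set-BitLockerCipherPolicy {
    param(
        [ValidateSet(3, 4, 6, 7)] [int]$OsDrives        = 7,
        [ValidateSet(3, 4, 6, 7)] [int]$FixedDrives     = 7,
        # AES-CBC 256 (4) only matters for removable drives that are read on other systems.
        [ValidateSet(3, 4, 6, 7)] [int]$RemovableDrives = 7
    )
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name 'EncryptionMethodWithXtsOs'  -Type DWord -Value $OsDrives
    Set-ItemProperty -Path $PolicyKey -Name 'EncryptionMethodWithXtsFdv' -Type DWord -Value $FixedDrives
    Set-ItemProperty -Path $PolicyKey -Name 'EncryptionMethodWithXtsRdv' -Type DWord -Value $RemovableDrives
}

function Get-BitLockerCipherPolicy {
    foreach ($name in $Settings) {
        $value = (Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Setting = $name
            Value   = $value
            Cipher  = if ($null -eq $value) { '(not configured: Windows default XTS-AES 128)' }
                      else { $Methods[[int]$value] }
        }
    }
}

# Equivalent of: Enabled, XTS-AES 256-bit for OS, fixed and removable drives.
Set-BitLockerCipherPolicy -OsDrives 7 -FixedDrives 7 -RemovableDrives 7
Get-BitLockerCipherPolicy | Format-Table -AutoSize
```

BitLocker reads these values only when a volume is encrypted, so manage-bde -status keeps reporting the old cipher for volumes that are already encrypted until they are decrypted and re-encrypted, as the next section describes.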
Once you have made the required changes, you need to decrypt the BitLocker encrypted drives and then re-encrypt them. BitLocker uses the new encryption method automatically when it encrypts volumes on the system.
The easiest way to get started is to open the Start Menu, type BitLocker and select the Manage BitLocker option.
It opens the classic Control Panel of the Windows operating system. There you find either "Turn BitLocker on", if the drive is not encrypted, or "Turn off BitLocker" if it is encrypted.
Select Turn off BitLocker first to decrypt the entire volume that you have selected. Then, once done, select Turn BitLocker on to encrypt the volume using the stronger encryption method. Repeat the process for all volumes that you want to protect with BitLocker.
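The decrypt-then-re-encrypt cycle can be scripted as well. The following is an added example, not part of the original article: it uses the Disable-BitLocker and Enable-BitLocker cmdlets from the BitLocker module to do what the Control Panel "Turn off BitLocker" and "Turn BitLocker on" buttons do, saves the recovery password before and after, and waits for each phase to finish. The mount point D:, the backup folder and the polling interval are assumptions for illustration; the script passes -EncryptionMethod XtsAes256 explicitly, so the new cipher is used even on a machine where the Group Policy step was skipped.

```powershell
# Added example (not from the original article): decrypt a BitLocker data volume
# and re-encrypt it with XTS-AES 256 using the BitLocker module cmdlets.
# Run elevated and on AC power; decryption and encryption of a large volume take
# a long time. Assumptions: D: is a fixed data drive, the backup folder and the
# 15-second polling interval are illustrative.

param(
    [string]$MountPoint        = 'D:',
    [string]$RecoveryBackupDir = "$env:USERPROFILE\BitLockerRecovery",
    [int]$PollSeconds          = 15
)

# Poll Get-BitLockerVolume until the volume reaches the wanted status.
function Wait-BitLockerStatus {
    param([string]$MountPoint, [string]$Status)
    do {
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        Write-Host ('{0}: {1} ({2}% encrypted)' -f $MountPoint, $vol.VolumeStatus, $vol.EncryptionPercentage)
        if ($vol.VolumeStatus -ne $Status) { Start-Sleep -Seconds $PollSeconds }
    } while ($vol.VolumeStatus -ne $Status)
}

# Write every recovery password of the volume to a file in the backup folder.
function Save-RecoveryPassword {
    param([string]$MountPoint, [string]$Suffix)
    New-Item -ItemType Directory -Path $RecoveryBackupDir -Force | Out-Null
    $file = Join-Path $RecoveryBackupDir ('{0}-{1}.txt' -f $MountPoint.TrimEnd(':'), $Suffix)
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        ForEach-Object { $_.RecoveryPassword } |
        Set-Content -Path $file
    Write-Host "Recovery password saved to $file"
}

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.EncryptionMethod -eq 'XtsAes256') {
    Write-Host "$MountPoint already uses XTS-AES 256; nothing to do."
    return
}

# 1. Keep the current recovery password before any protector is removed.
if ($vol.VolumeStatus -ne 'FullyDecrypted') { Save-RecoveryPassword -MountPoint $MountPoint -Suffix 'old' }

# 2. Decrypt fully ("Turn off BitLocker"). The data is unprotected until step 3 completes.
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    Disable-BitLocker -MountPoint $MountPoint | Out-Null
    Wait-BitLockerStatus -MountPoint $MountPoint -Status 'FullyDecrypted'
}

# 3. Re-encrypt with the stronger cipher ("Turn BitLocker on"), protected by a recovery password.
Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -RecoveryPasswordProtector | Out-Null
Wait-BitLockerStatus -MountPoint $MountPoint -Status 'FullyEncrypted'

# 4. Save the new recovery password and confirm the cipher that is now in use.
Save-RecoveryPassword -MountPoint $MountPoint -Suffix 'new'
$vol = Get-BitLockerVolume -MountPoint $MountPoint
Write-Host ('{0} now uses {1}' -f $MountPoint, $vol.EncryptionMethod)
```

For the operating system drive the protector is different: Enable-BitLocker takes -TpmProtector there, and a recovery password is added separately with Add-BitLockerKeyProtector -RecoveryPasswordProtector before or after enabling. In a managed environment, store the recovery password with Backup-BitLockerKeyProtector (Active Directory) or BackupToAAD-BitLockerKeyProtector rather than in a text file in the user profile, and delete the local copies once the escrow is confirmed.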
You can check out my guide on encrypting Windows 10 hard drives with BitLocker. It is from 2015, but the process has not changed.
Now You: do you encrypt your drives and devices?
I don’t use Bitlocker.
In the BIOS/UEFI settings, there is an entry to put a password on the hard drive.
I also have a password required to access the BIOS/UEFI.
I have to enter the password when the computer boots up.
I just googled how long it takes to crack something in 128 bit encryption, apparently it can take a billion years, so what kind of security benefit does 256 bit offer? Don’t say “harder to brute force” because clearly 128 bit has enough complexity to ensure this is never an issue.
I don’t understand this…
I don’t understand that either. However, Microsoft is always lying about its aim to provide more security to the users. Just because for them security isn’t free: you must buy the Pro version.
‘manager-bde -status’ is not recognized as an internal or external command, operable program or batch file.
You need to type manage, not manager, also no space in the command. Does this resolve the issue?
Yes, thank you!
Microsoft doesn’t care about security at all. Bitlocker should be available in Home versions too. They are lying all the time and selling bull**** to us.
There must be a master key around.
The US does not allow the export of encryption technologies for which there is no access. No?
Obviously this is wrong, where did you read such a thing?