Enable 256-bit Bitlocker encryption on Windows 11 for increased security

Bitlocker is the default encryption technology for Windows operating systems. It is widely used on Windows, but some users prefer third-party solutions such as VeraCrypt.

What many users of Bitlocker don’t know is that it defaults to 128-bit encryption, even though 256-bit is available. Without going into too much detail about the differences; the core difference between AES 128-bit and 256-bit encryption is the length of the security key. Longer keys make brute force attacks more difficult.

While the default is 128-bit, even Microsoft recommends 256-bit for improved security. The problem is, most users probably don't know about the weaker defaults or how to change them.

First, you may be wondering what encryption method is used on your Windows device. How it's done:

1. Open the Start menu.
2. Type CMD and activate the "Run as administrator" option while highlighting the command prompt result.
3. Run commandmanage-bde -status.
4. Windows returns a bunch of information about each volume. Check encryption method status. If it says XTS-AEs 256, you're all set and don't need to do anything. If you get XTS-AES 128, the encryption uses the weaker 128-bit method.

The problem is, Windows does not include an option to migrate from 128-bit to 256-bit. Worse, even to get the 256-bit option, you have to change it in the Group Policy Editor.

Here's a step-by-step guide on how to do this:

1. Open the Start menu.
2. Type gpedit.msc and select Edit Group Policy.
3. Navigate to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption.
4. Double-click "Select drive encryption method and password strength" to manage this policy. Note that there are three entries for different versions of Windows. Select "Windows 10 [version 1511] and later."
5. Switch the status of the policy to "Enabled".
6. Change the encryption method for the operating system and fixed drives to XTS-AES 256 bit. You can also make changes to removable data drives. Some say AES-CBS 256-bit offers better compatibility, but that only matters if you plug the removable drive into another system.
7. Select "OK" to make changes.

After making the required changes, you need to decrypt your BitLocker encrypted drives and then re-encrypt them. BitLocker automatically uses the new encryption method when encrypting volumes on your system.

The easiest way to get started is to open the Start menu, type BitLocker, and then select the Manage BitLocker option.

It opens the classic Control Panel of Windows operating system. There, you can find "Turn BitLocker on" (if the drive is not encrypted) or "Turn BitLocker off" (if the drive is encrypted).

First select "Turn off BitLocker" to decrypt the entire selected volume. Then, when finished, select Turn on BitLocker to encrypt the volume using a stronger encryption method. Repeat this process for all volumes that you want to protect with BitLocker.

The above is the detailed content of Enable 256-bit Bitlocker encryption on Windows 11 for increased security. For more information, please follow other related articles on the PHP Chinese website!