Written by Wilsey Young

BitLocker, a data protection feature developed by Microsoft, encrypts an entire disk or a specific partition so that the stored data stays protected from unauthorized access when a device is lost, stolen, or improperly decommissioned.
Some Windows users ask questions like “What encryption does BitLocker use?” and wonder what makes BitLocker secure. Keep reading to learn how BitLocker encryption works and how to choose and configure the cipher.
What encryption methods does BitLocker use?
At its core, BitLocker uses AES (Advanced Encryption Standard) by default. AES is a widely recognized, government-approved encryption algorithm, and it is considered one of the strongest available thanks to its design and the enormous number of possible keys.
BitLocker supports two different key lengths for AES:
- AES-CBC 128-bit or XTS-AES 128-bit encryption: Provides strong security with a relatively low impact on system performance.
- AES-CBC 256-bit or XTS-AES 256-bit encryption: Offers an even larger security margin but adds slightly more processing overhead, particularly on older systems.
The 128-bit or 256-bit figure is the key length, and the key length also determines how many transformation rounds AES applies while turning the plaintext into its protected form, known as ciphertext. Here are the number of rounds used for each key size:
- 128-bit key: 10 rounds
- 256-bit key: 14 rounds
The fewer the rounds, the less computation each block needs, so the disk can be encrypted more efficiently without sacrificing performance. Generally speaking, there is little point in choosing 256-bit cipher strength, as the added overhead brings little practical benefit.
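To put the 10-round versus 14-round difference into numbers, here is an added example (not code from the original article or from Microsoft) that encrypts the same random buffer with AES-128-CBC and AES-256-CBC using the .NET Aes class available in Windows PowerShell 5.1 and PowerShell 7. The buffer size and the repeat count are constructed test parameters; .NET does not expose XTS mode, so CBC stands in for both BitLocker modes here.

```powershell
# Added example: measure AES-128-CBC vs AES-256-CBC on the same buffer.
# Only the key length changes; the elapsed-time difference reflects the
# 10 vs 14 transformation rounds. Not part of the original article.

function Measure-AesThroughput {
    param(
        [ValidateSet(128, 256)] [int] $KeySizeBits,
        [int] $BufferMiB = 64   # constructed workload size; adjust to taste
    )

    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = $KeySizeBits
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.GenerateKey()   # random key of the requested length
    $aes.GenerateIV()

    # Constructed plaintext: random bytes so nothing is trivially compressible
    $plain = New-Object byte[] ($BufferMiB * 1MB)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($plain)

    $encryptor = $aes.CreateEncryptor()
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $cipher = $encryptor.TransformFinalBlock($plain, 0, $plain.Length)
    $sw.Stop()

    # Round-trip check: decrypting must give back the original buffer
    $decryptor = $aes.CreateDecryptor()
    $roundTrip = $decryptor.TransformFinalBlock($cipher, 0, $cipher.Length)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $same = [Convert]::ToBase64String($sha.ComputeHash($plain)) -eq
            [Convert]::ToBase64String($sha.ComputeHash($roundTrip))
    if (-not $same) { throw "AES-$KeySizeBits round trip failed" }

    $rounds  = if ($KeySizeBits -eq 128) { 10 } else { 14 }
    $seconds = $sw.Elapsed.TotalSeconds
    $aes.Dispose()

    [pscustomobject]@{
        KeyBits      = $KeySizeBits
        Rounds       = $rounds
        Seconds      = [math]::Round($seconds, 3)
        MiBPerSecond = [math]::Round($BufferMiB / $seconds, 1)
    }
}

# Run each key size a few times; the first run also warms up the JIT and caches
$results = foreach ($bits in 128, 256) {
    1..3 | ForEach-Object { Measure-AesThroughput -KeySizeBits $bits }
}
$results | Format-Table -AutoSize
```

On hardware with AES-NI both variants run at several hundred MiB/s or more, and the 256-bit run is roughly a third slower, which matches the ratio of 14 to 10 rounds; on a CPU without hardware AES the absolute numbers drop but the ratio stays similar.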
Why is BitLocker so secure?
BitLocker protects the confidentiality and integrity of your data by employing several layers of protection. BitLocker pairs AES encryption with the Trusted Platform Module (TPM) chip embedded in modern computers, which stores the cryptographic key securely and releases it only when the measured boot components are unchanged. This makes it far more difficult for attackers or unauthorized users to read or tamper with sensitive information.
In addition, BitLocker integrates with the Windows startup process, so you can configure whether BitLocker requires additional authentication each time your PC starts. BitLocker offers pre-boot authentication methods, including a PIN, a USB startup key, or a combination of both, ensuring that the data cannot be accessed without the correct credentials even if your device is stolen or lost.
How to choose the encryption algorithm based on different situations?
Choosing between AES 128-bit and AES 256-bit encryption depends on your specific security needs and the performance capabilities of your system.
- For general users: AES 128-bit encryption is typically sufficient. It offers excellent security with minimal impact on system performance, making it the ideal choice for most personal users.
- For highly sensitive data: AES 256-bit encryption is recommended for users who handle sensitive information. However, the performance cost of this cipher strength may be noticeable, especially on older systems.
- For different types of drives: XTS-AES is highly recommended for operating system drives and fixed data drives, while AES-CBC is the fit for removable data drives, because drives encrypted with XTS-AES cannot be opened on older Windows versions that lack XTS support.
How to configure the BitLocker encryption algorithm?
You can change the BitLocker encryption algorithm via the Local Group Policy Editor on Windows, and here is how:
- Press the “Windows+R” keys to open the Run dialog box, type “gpedit.msc” in the box, and click “OK” or hit the “Enter” key on your keyboard.
- Expand the folders in the left-hand panel one by one, following the path: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption.
- Double-click "Choose drive encryption method and cipher strength" and select "Enabled."
- In the "Options" section, select the encryption method you want for the section matching your Windows version. You can choose separate methods for operating system drives, fixed data drives, and removable data drives.
- Click "Apply" and "OK" to let the change take effect. The new method applies to drives encrypted after this point; drives that are already encrypted keep their current method until they are decrypted and encrypted again.
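For administrators who would rather script this step, and to verify the pre-boot protectors mentioned in the "Why is BitLocker so secure?" section, here is an added example (not code from the original article or from Microsoft) that writes the same registry values the "Choose drive encryption method and cipher strength" policy stores, then audits each BitLocker volume against that policy. It assumes Windows 10 version 1511 or later, an elevated PowerShell session, and the built-in BitLocker module that provides Get-BitLockerVolume; the chosen methods in `$Desired` are a constructed policy you should adjust to your needs.

```powershell
#Requires -RunAsAdministrator
# Added example: set the BitLocker cipher policy via the registry and audit
# existing volumes against it. Not part of the original article.

# Values the policy stores under HKLM\SOFTWARE\Policies\Microsoft\FVE
# (Windows 10 1511 and later): 3 = AES-CBC 128, 4 = AES-CBC 256,
# 6 = XTS-AES 128, 7 = XTS-AES 256.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$Desired = @{                      # constructed policy; adjust to your needs
    EncryptionMethodWithXtsOs  = 6  # operating system drives -> XTS-AES 128
    EncryptionMethodWithXtsFdv = 6  # fixed data drives       -> XTS-AES 128
    EncryptionMethodWithXtsRdv = 3  # removable drives        -> AES-CBC 128 (compatibility)
}
# Map the policy numbers onto the names Get-BitLockerVolume reports
$MethodName = @{ 3 = 'Aes128'; 4 = 'Aes256'; 6 = 'XtsAes128'; 7 = 'XtsAes256' }

function Set-BitLockerCipherPolicy {
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    foreach ($name in $Desired.Keys) {
        New-ItemProperty -Path $PolicyPath -Name $name -Value $Desired[$name] `
            -PropertyType DWord -Force | Out-Null
    }
    # Equivalent to selecting "Enabled" in gpedit; refresh so it applies now
    gpupdate /target:computer /force | Out-Null
}

function Get-BitLockerCipherAudit {
    foreach ($vol in Get-BitLockerVolume) {
        # Assumption: removable drives also report VolumeType 'Data'; compare
        # those against the fixed-drive setting or filter them out as needed.
        $expected = switch ($vol.VolumeType) {
            'OperatingSystem' { $MethodName[$Desired.EncryptionMethodWithXtsOs] }
            'Data'            { $MethodName[$Desired.EncryptionMethodWithXtsFdv] }
            default           { 'n/a' }
        }
        [pscustomobject]@{
            Drive         = $vol.MountPoint
            Type          = $vol.VolumeType
            Status        = $vol.VolumeStatus
            Method        = $vol.EncryptionMethod
            Expected      = $expected
            # Existing volumes keep their cipher until decrypted and re-encrypted,
            # so a mismatch right after a policy change is normal, not a fault
            MatchesPolicy = ("$($vol.EncryptionMethod)" -eq $expected)
            # Pre-boot protectors in use, e.g. Tpm, TpmPin, ExternalKey, RecoveryPassword
            Protectors    = ($vol.KeyProtector.KeyProtectorType -join ', ')
        }
    }
}

Set-BitLockerCipherPolicy
Get-BitLockerCipherAudit | Format-Table -AutoSize
```

Run the audit part alone (Get-BitLockerCipherAudit) on a schedule to catch volumes that were encrypted before the policy changed or that have no TPM-based protector; a volume whose only protector is a recovery password, or whose Status is FullyDecrypted, is the kind of finding this report is meant to surface.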
By understanding your security needs and your system's capabilities, you can choose the right encryption method and strength with BitLocker to protect your data effectively.