How to make BitLocker use AES 256-bit encryption in Windows 10

Learn how to make BitLocker use AES 256-bit encryption instead of AES 128-bit encryption in Windows 10.

Windows 10 (version 1511) introduced a new disk encryption mode (XTS-AES). This mode provides additional integrity support, but it's not compatible with older versions of Windows.

You can also select the disk encryption mode (AES-CBC), which is compatible with older versions of Windows. If you're encrypting a removable drive (e.g. USB flash drive or external hard drive) that you're going to use on an older version of Windows, then you should use AES-CBC.

How to change BitLocker encryption method to AES 256 in Windows 10

1. Press the Windows key + R on your keyboard to open the Run window.

Or right-click on the Windows start menu button and then click on Run.

2. Enter gpedit.msc.

3. Press the Enter key on your keyboard or click on OK.

This will open the “Local Group Policy Editor”.

Another way to open the “Local Group Policy Editor”: right-click on the Windows start menu button and click on Command Prompt (Admin). Enter gpedit.msc and press the Enter key on your keyboard.

4. Under Computer Configuration, you double-click on Administrative Templates.

5. Double-click on Windows Components.

6. Click on BitLocker Drive Encryption.

7. Double-click on Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later).

8. Select Enabled.

9. Under Options, you change the encryption method. For operating system drives, you select XTS-AES 256-bit.

10. For fixed data drives, you select XTS-AES 256-bit.

11. For removable data drives, you should select AES-CBC 256-bit if the drive will be used in other devices that are not running Windows 10 (Version 1511).

12. Click on Apply (bottom right) to save the changes.

13. Click on OK.

BitLocker will now use AES 256-bit encryption when creating new volumes.

Your existing BitLocker volumes will still use AES 128-bit encryption.

To use AES 256-bit encryption for your existing BitLocker volumes, you should decrypt and then re-encrypt them because BitLocker doesn't offer an option to convert from 128-bit to 256-bit.
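
To confirm that the policy was saved and to find existing volumes that still need to be decrypted and re-encrypted, you can run the following PowerShell check from an elevated prompt. This is an added example, not part of the original article; it assumes the BitLocker PowerShell module (Get-BitLockerVolume) is installed and that the policy is stored under HKLM\SOFTWARE\Policies\Microsoft\FVE, and the drive letter E: in the comments is a placeholder.

```powershell
#Requires -RunAsAdministrator

# Registry values behind "Choose drive encryption method and cipher strength
# (Windows 10 [Version 1511] and later)" (assumed policy location).
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$methodNames = @{ 3 = 'AES-CBC 128-bit'; 4 = 'AES-CBC 256-bit'
                  6 = 'XTS-AES 128-bit'; 7 = 'XTS-AES 256-bit' }
$driveTypes  = [ordered]@{
    EncryptionMethodWithXtsOs  = 'Operating system drives'
    EncryptionMethodWithXtsFdv = 'Fixed data drives'
    EncryptionMethodWithXtsRdv = 'Removable data drives'
}

# 1. Show what the policy currently selects for each drive type.
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
foreach ($name in $driveTypes.Keys) {
    $value = $policy.$name          # $null when the policy is not set
    $text  = if ($null -eq $value) { 'not configured' }
             elseif ($methodNames.ContainsKey([int]$value)) { $methodNames[[int]$value] }
             else { "unknown value $value" }
    '{0,-26} {1}' -f $driveTypes[$name], $text
}

# 2. List encrypted volumes that do not use one of the two 256-bit methods.
#    The policy only affects new volumes, so these were encrypted earlier.
$strong = 'Aes256', 'XtsAes256'
$needsReencrypt = Get-BitLockerVolume | Where-Object {
    $_.VolumeStatus -ne 'FullyDecrypted' -and "$($_.EncryptionMethod)" -notin $strong
}
if ($needsReencrypt) {
    $needsReencrypt | Format-Table MountPoint, VolumeType, EncryptionMethod, VolumeStatus
} else {
    'No encrypted volume is using a method other than AES 256-bit.'
}

# 3. Re-encrypting a listed volume (run by hand, one step at a time):
#    Disable-BitLocker -MountPoint 'E:'
#    # wait until (Get-BitLockerVolume -MountPoint 'E:').VolumeStatus is FullyDecrypted
#    Enable-BitLocker -MountPoint 'E:' -EncryptionMethod XtsAes256 -PasswordProtector
```

The data on a volume is unprotected between decryption and re-encryption, so keep the drive in your possession until the second step has finished.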