How to make BitLocker use AES 256-bit encryption in Windows 10
This tutorial will show you step by step how to make BitLocker use AES 256-bit encryption instead of AES 128-bit encryption in Windows 10.
Windows 10 (version 1511) introduced a new disk encryption mode (XTS-AES). This mode provides additional integrity support, but it's not compatible with older versions of Windows.
You can also select the disk encryption mode (AES-CBC), which is compatible with older versions of Windows. If you're encrypting a removable drive (e.g. USB flash drive or external hard drive) that you're going to use on an older version of Windows, then you should use AES-CBC.
How to change BitLocker encryption method to AES 256 in Windows 10
1. Press the Windows + R keys on your keyboard to open the Run window.
Or right-click on the Windows start menu button and then click on Run.
2. Enter gpedit.msc.
3. Press the Enter key on your keyboard or click on OK.
This will open the “Local Group Policy Editor”.
Another way to open the “Local Group Policy Editor”: right-click on the Windows start menu button and click on Command Prompt (Admin). Enter gpedit.msc and press the Enter key on your keyboard.
4. Under Computer Configuration, you double-click on Administrative Templates.
5. Double-click on Windows Components.
6. Click on BitLocker Drive Encryption.
7. Double-click on Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later).
8. Select Enabled.
9. Under Options, you change the encryption method. For operating system drives, you select XTS-AES 256-bit.
10. For fixed data drives, you select XTS-AES 256-bit.
11. For removable data drives, you should select AES-CBC 256-bit if the drive will be used in other devices that are not running Windows 10 (Version 1511).
12. Click on Apply (bottom right) to save the changes.
13. Click on OK.
BitLocker will now use AES 256-bit encryption when creating new volumes.
Your existing BitLocker volumes will still use AES 128-bit encryption.
To use AES 256-bit encryption for your existing BitLocker volumes, you should decrypt and then re-encrypt them because BitLocker doesn't offer an option to convert from 128-bit to 256-bit.