How to make BitLocker use AES 256-bit encryption in Windows 10

This tutorial will show you step by step how to make BitLocker use AES 256-bit encryption instead of AES 128-bit encryption in Windows 10.

Windows 10 (version 1511) introduced a new disk encryption mode (XTS-AES). This mode provides additional integrity support, but it's not compatible with older versions of Windows.

You can also select the disk encryption mode (AES-CBC), which is compatible with older versions of Windows. If you're encrypting a removable drive (e.g. USB flash drive or external hard drive) that you're going to use on an older version of Windows, then you should use AES-CBC.

How to change BitLocker encryption method to AES 256 in Windows 10

  1. Right-click on the Windows start menu button.
  2. Click on Run.
    Open Windows 10 Run window
    You can also press the Windows Windows key + R keys on your keyboard to open the Run window.
  3. Enter gpedit.msc.
  4. Click OK or press the Enter key on your keyboard.
    Open Windows Local Group Policy Editor
  5. Under Computer Configuration, you double-click on Administrative Templates.
    Windows Administrative Templates
  6. Double-click on Windows Components.
  7. Click on BitLocker Drive Encryption.
    Windows Local Group Policy Editor BitLocker Drive Encryption
  8. Double-click on Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later).
    Choose drive encryption method and cipher strength
  9. Select the Enabled option.
    Choose drive encryption method and cipher strength setting enabled
  10. In the Options section, you change the encryption method. For operating system drives, you select XTS-AES 256-bit.
  11. For fixed data drives, you select XTS-AES 256-bit.
  12. For removable data drives, you should select AES-CBC 256-bit if you want to use the drive on other devices that are not running Windows 10 (Version 1511).
    Change BitLocker encryption method to AES 256 in Windows 10
  13. Click Apply to save the changes.
  14. Click on OK.

BitLocker will now use AES 256-bit encryption when creating new volumes.

Your existing BitLocker volumes will still use AES 128-bit encryption.

To use AES 256-bit encryption for your existing BitLocker volumes, you should decrypt and then re-encrypt them because BitLocker doesn't offer an option to convert from 128-bit to 256-bit.