Changing BitLocker Encryption Strength from 128-Bit to 256-Bit: Tutorial


Windows 8’s BitLocker Drive Encryption, available in the Professional and Enterprise editions, secures drives by keeping their contents encrypted unless the configured authentication method (TPM, PIN, startup key or password) is supplied. BitLocker To Go uses the same encryption to protect removable media, such as a USB drive. By default, both use AES with a 128-bit key, a cipher for which no practical attack is publicly known.

128-bit might sound adequate until a stronger alternative is available, at which point the philosophy of “the stronger, the better” takes hold. If you are one of those ultra-security-conscious users, Microsoft gives you the option of enabling 256-bit AES, which increases the number of possible keys from 2^128 to 2^256. The 256-bit keyspace is therefore 2^128 times larger than the 128-bit one, not merely twice as large as some people assume.

The case for 256-bit encryption is sound on paper, but it is somewhat flawed in practice. For one, wherever BitLocker protects the volume key with a password (BitLocker To Go, or an operating-system drive without a TPM), the protection is only as strong as that password. Even with the vast increase in possible keys, if you use “12345678” as your password the encryption is effectively useless regardless of key length, because an attacker guesses the password rather than the key.

Furthermore, 128-bit AES behind a long, random password is already computationally infeasible to break by brute force, so jumping up to 256-bit is similar to multiplying infinity by infinity: there is really no point, because the result is still infinity. The attacks actually published against BitLocker have targeted key handling, for example recovering the volume key from the memory of a running or recently powered-off machine, rather than the cipher, and a longer key does nothing against those.

There is, however, one theoretical scenario in which BitLocker benefits from 256-bit keys. A brute-force search on a large-scale quantum computer (Grover’s algorithm) effectively reduces the work to the square root of the keyspace: 128-bit encryption drops to roughly 2^64 operations, which is in the range generally considered brute-forceable, while 256-bit encryption drops to 2^128, which would remain out of reach.

Enabling 256-bit encryption therefore future-proofs your drives even against that still-hypothetical computing. The cost is a modest performance hit (AES-256 runs 14 rounds per block instead of 10), which goes largely unnoticed unless you regularly push your system to its limits, particularly on CPUs with AES-NI instructions.

It should also be understood that this setting only affects drives encrypted after the option is changed; drives encrypted beforehand keep their 128-bit encryption. BitLocker cannot re-key a volume in place, so to move an existing drive to 256-bit you must fully decrypt it and then encrypt it again. You can check what a volume currently uses by running manage-bde -status from an elevated command prompt, which reports the Encryption Method for each volume.

Changing Encryption Strength

Press Win-R, type gpedit.msc and click OK to open Local Group Policy Editor.

Open Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption and then double-click Choose Drive Encryption Method and Cipher Strength in the right pane.

Click Enabled to turn on this rule and activate the Select the Encryption Method drop-down menu.

Select AES 256-bit from the Select the Encryption Method drop-down menu (by default, AES 128-bit is selected) and click OK. You can then close the Local Group Policy Editor; running gpupdate /force from an elevated command prompt applies the change immediately rather than at the next policy refresh. Any drives subsequently encrypted with BitLocker Drive Encryption or BitLocker To Go will use 256-bit encryption. Note that if the computer is domain-joined, a domain Group Policy setting for the same option overrides the local one.
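As an added example (not code from the original article), the same change made from an elevated PowerShell session, together with the checks a practitioner would want: that the policy value actually landed, that already-encrypted volumes are unaffected by it, and that a newly encrypted removable drive really reports a 256-bit key. The registry location (HKLM\SOFTWARE\Policies\Microsoft\FVE, value EncryptionMethod) and the mapping 3 = AES 128-bit, 4 = AES 256-bit are assumptions drawn from the Windows 7/8 ADMX definition of this policy and should be confirmed against the ADMX on your system; the drive letter E: and the prompted password are placeholders.

```powershell
# Added example, not from the original article. Run from an elevated
# PowerShell session on Windows 8 Pro/Enterprise (BitLocker module present).
#
# Assumption: gpedit.msc stores "Choose drive encryption method and cipher
# strength" as the DWORD EncryptionMethod under the FVE policy key, with
# 3 = AES 128-bit and 4 = AES 256-bit (Windows 7/8 ADMX mapping).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$Aes128    = 3
$Aes256    = 4

function Set-BitLockerCipherStrengthPolicy {
    param([ValidateSet(3, 4)][int]$Method)
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name 'EncryptionMethod' `
                     -PropertyType DWord -Value $Method -Force | Out-Null
}

function Get-BitLockerCipherStrengthPolicy {
    # Returns $null when the policy is "Not Configured"
    (Get-ItemProperty -Path $PolicyKey -Name 'EncryptionMethod' `
                      -ErrorAction SilentlyContinue).EncryptionMethod
}

# 1. Set the policy (the PowerShell equivalent of the gpedit.msc steps)
#    and read it back to confirm it took.
Set-BitLockerCipherStrengthPolicy -Method $Aes256
"Policy EncryptionMethod is now: $(Get-BitLockerCipherStrengthPolicy)"

# 2. The policy does not touch volumes that are already encrypted. List what
#    each volume really uses; anything still reporting Aes128 would need
#    Disable-BitLocker (full decryption) followed by Enable-BitLocker.
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeStatus, EncryptionMethod, EncryptionPercentage |
    Format-Table -AutoSize

# 3. Encrypt a removable drive (BitLocker To Go) with the intended key size.
#    Passing -EncryptionMethod explicitly makes the result independent of
#    whether Group Policy has refreshed yet. E: is a placeholder drive letter.
$Pw = Read-Host -AsSecureString 'BitLocker To Go password for E:'
Enable-BitLocker -MountPoint 'E:' -EncryptionMethod Aes256 `
                 -PasswordProtector -Password $Pw

# 4. Verify the new volume reports the 256-bit cipher (expect "Aes256").
(Get-BitLockerVolume -MountPoint 'E:').EncryptionMethod
```

Writing the value directly is exactly what gpedit.msc does for a local policy, but a domain Group Policy that configures the same setting will overwrite it at the next refresh, so on domain-joined machines set it in the domain GPO instead. Step 3 prompts for the password rather than embedding one, so the script can be kept in version control without leaking a secret.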