Scenario 9: Configuring the Encryption Method and Cipher Strength (Windows 7)

Applies To: Windows 7

This scenario describes how to modify the encryption method and cipher strength used by BitLocker Drive Encryption to encrypt operating system drives, fixed data drives, and removable data drives. BitLocker supports 128-bit and 256-bit encryption keys. Longer keys provide a higher level of security and are less likely to be successfully attacked by brute-force methods, but they can make encryption and decryption of data slower. In addition, BitLocker supports a Diffuser algorithm to help protect the system against ciphertext manipulation attacks, a class of attacks in which changes are made to the encrypted data in an attempt to discover patterns or weaknesses.

This Group Policy setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted or if encryption is currently in progress. The encryption method must be changed before you encrypt the drive with BitLocker so that the method you selected is used on the drive.

By default, BitLocker uses Advanced Encryption Standard (AES) encryption with 128-bit encryption keys and Diffuser. Most organizations do not need to modify this setting, but in some situations—for example, if your organization is Federal Information Processing Standard (FIPS) compliant—you would need to modify the encryption method to not use Diffuser. If you are in a highly secure environment, you may need to use the 256-bit encryption algorithm with Diffuser to provide a higher level of encryption.

Before you start

To complete the procedure in this scenario:

  • You must be able to provide administrative credentials.

To configure the BitLocker encryption method and cipher strength

  1. Click Start, type gpedit.msc in the Search programs and files box, and then press ENTER.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

  3. In the console tree under Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components, click BitLocker Drive Encryption.

  4. To change the default encryption algorithm used by BitLocker, in the details pane, double-click Choose drive encryption method and cipher strength to open the policy setting.

  5. If this setting is disabled or not configured, BitLocker will use the default encryption method of AES 128-bit with Diffuser. The Diffuser is an additional encryption method applied when the drive is encrypted and decrypted to provide additional protection to the data as it moves from plaintext to encrypted form.

  6. To change the encryption method and cipher strength, click Enabled for the policy setting. Under Select the encryption method, select AES 256-bit with Diffuser to choose a stronger encryption algorithm. If your organization has formal requirements to use only government-approved encryption algorithms, you can select either AES 128-bit or AES 256-bit; otherwise, using these encryption methods is not recommended.

  7. After you have made your choices, click Apply to apply the settings, and then close the dialog box.

  8. Close the Local Group Policy Editor.

  9. To force Group Policy to apply the changes immediately, you can click Start, type gpupdate.exe /force in the Search programs and files box, and then press ENTER. Wait for the process to finish.

By completing this procedure, you have modified the encryption method and cipher strength used by BitLocker to encrypt operating system drives, fixed data drives, and removable data drives.
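Because the policy only takes effect on drives that are encrypted after it is set, an administrator will usually want to confirm two things: that the policy value the Local Group Policy Editor wrote is present, and which method each already-encrypted volume is actually using. The following PowerShell script is an added verification example, not part of the original Microsoft documentation. It assumes that the "Choose drive encryption method and cipher strength" setting is stored in the registry at HKLM:\SOFTWARE\Policies\Microsoft\FVE as the DWORD value EncryptionMethod, with 1 = AES 128 with Diffuser, 2 = AES 256 with Diffuser, 3 = AES 128 and 4 = AES 256 (these are assumptions taken from the administrative template, not stated on this page), and it reads the per-volume state from the text output of manage-bde.exe -status, which is available on Windows 7. Run it from an elevated PowerShell prompt.

```powershell
# Added verification script (not from the original page). Assumed policy
# location and value encoding: HKLM:\SOFTWARE\Policies\Microsoft\FVE\EncryptionMethod
# 1 = AES 128 with Diffuser, 2 = AES 256 with Diffuser, 3 = AES 128, 4 = AES 256.
# manage-bde.exe -status requires administrative credentials.

$methodNames = @{
    1 = 'AES 128 with Diffuser'
    2 = 'AES 256 with Diffuser'
    3 = 'AES 128'
    4 = 'AES 256'
}

function Get-BitLockerPolicyMethod {
    # Returns the configured policy method, or the documented default when the
    # setting is disabled or not configured.
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $item = Get-ItemProperty -Path $key -Name EncryptionMethod -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Value = $null; Name = $methodNames[1]; Source = 'default (not configured)' }
    }
    $v = [int]$item.EncryptionMethod
    $name = if ($methodNames.ContainsKey($v)) { $methodNames[$v] } else { "Unknown ($v)" }
    return [pscustomobject]@{ Value = $v; Name = $name; Source = 'policy' }
}

function Get-BitLockerVolumeStatus {
    # Parses "manage-bde -status" into one object per volume. The tool prints a
    # "Volume X:" header followed by indented "Label: value" lines.
    $lines   = & manage-bde.exe -status
    $volumes = @()
    $current = $null
    foreach ($line in $lines) {
        if ($line -match '^Volume\s+(\S+)') {
            if ($current) { $volumes += $current }
            $current = [pscustomobject]@{ Volume = $Matches[1]; Method = $null; Status = $null; Percent = $null }
        }
        elseif ($current -and $line -match '^\s*Encryption Method:\s*(.+?)\s*$')      { $current.Method  = $Matches[1] }
        elseif ($current -and $line -match '^\s*Conversion Status:\s*(.+?)\s*$')      { $current.Status  = $Matches[1] }
        elseif ($current -and $line -match '^\s*Percentage Encrypted:\s*([\d.]+)')    { $current.Percent = [double]$Matches[1] }
    }
    if ($current) { $volumes += $current }
    return $volumes
}

function Test-BitLockerMethodCompliance {
    $policy = Get-BitLockerPolicyMethod
    Write-Host ("Effective encryption method setting: {0} [{1}]" -f $policy.Name, $policy.Source)

    foreach ($vol in Get-BitLockerVolumeStatus) {
        if ($vol.Method -eq 'None' -or $vol.Status -eq 'Fully Decrypted') {
            # Not yet encrypted: the policy method will be used when BitLocker is turned on.
            Write-Host ("{0}  not encrypted; policy method applies when BitLocker is turned on" -f $vol.Volume)
        }
        elseif ($vol.Method -eq $policy.Name) {
            Write-Host ("{0}  OK: {1} ({2}, {3}% encrypted)" -f $vol.Volume, $vol.Method, $vol.Status, $vol.Percent)
        }
        else {
            # Existing volumes keep the method they were encrypted with; changing the
            # policy does not re-encrypt them.
            Write-Warning ("{0} uses {1}, but policy specifies {2}. The volume must be decrypted and re-encrypted for the new method to apply." -f $vol.Volume, $vol.Method, $policy.Name)
        }
    }
}

Test-BitLockerMethodCompliance
```

The script deliberately reads the policy rather than writing it, so it can be run before and after the procedure above: before, to record which volumes are already encrypted (and therefore will not pick up the change), and after gpupdate.exe /force, to confirm the value was applied. A warning for a fully encrypted volume is expected behaviour, not an error; it simply flags drives that would need to be decrypted and re-encrypted to use the newly selected method.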