Nowadays it is crazy to use a computer without an encryption layer, especially a laptop where we store personal data. Microsoft offers users of its operating system a powerful disk encryption tool, BitLocker, which protects our data so that, without the appropriate password, no one can access the files we save on the computer. By default, BitLocker uses the XTS-AES algorithm with a 128-bit encryption strength, although it is very easy to take security to a new level. We show you how.
BitLocker is a totally free tool that is included in the operating system, although it is deactivated and we have to activate it ourselves before we can use it. To use it, we also need to be running Windows 10 Pro, Enterprise or Education. Users of the Home edition do not have this tool.
The XTS-AES algorithm is the new disk encryption mode that Windows 10 uses by default. This mode offers good performance and includes additional mechanisms to ensure data integrity. However, this encryption mode is not compatible with previous versions of Windows. Therefore, if we need to share data with other versions, it is necessary to use the AES-CBC encryption mode.
Both modes support 128-bit and 256-bit encryption. Here’s how to customize this encryption.
How to customize BitLocker encryption in Windows 10
When we activate BitLocker for the first time, it is configured with the XTS-AES algorithm and a 128-bit encryption strength. Whenever we change the algorithm or the strength, it is necessary to deactivate the encryption and reactivate it for the changes to take effect.
To change these settings, we have to open the Group Policy editor. We need Administrator permissions on the computer, and then we type “gpedit” in the Windows search box to edit the group policy.
Once inside, we scroll to “Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption”. Here we must locate the entry “Choose drive encryption method and cipher strength”.
We double-click this entry and we can see the different options it offers to customize.
This administrative template allows us to customize the type of encryption applied to all drives. We can choose different ciphers for the operating system drive, the other internal drives of the computer (fixed data drives) and external drives, such as external hard drives and USB sticks.
By default, the Windows drive and fixed drives use 128-bit XTS-AES encryption. External drives, to maximize compatibility, use the 128-bit AES-CBC algorithm.
By clicking on the drop-down lists we can choose the algorithm we want to use for each type of device. For example, we can leave the Windows 10 drive with the default 128-bit XTS-AES encryption, encrypt internal data drives with 256-bit XTS-AES, and keep AES-CBC on removable drives for compatibility, but with 256 bits to improve security.
We apply and accept the changes and that’s it. Of course, as we have said, we have to deactivate BitLocker encryption and reactivate it on each drive before the new algorithms are actually in use.
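Because the policy only affects drives encrypted after the change, it is worth checking which volumes still use the old cipher. The following PowerShell audit is an added example, not part of the original article; it uses the built-in `Get-BitLockerVolume` and `Get-Volume` cmdlets, and the `$Desired` table and `Get-DriveClass` helper are hypothetical names whose values mirror the example configuration described above.

```powershell
# Added example: report BitLocker volumes whose cipher differs from the policy.
# Run from an elevated PowerShell prompt.

# Target method per drive class (assumption: the example choices from the text;
# edit these to match what you selected in Group Policy).
$Desired = @{
    OperatingSystem = 'XtsAes128'   # XTS-AES 128-bit
    Fixed           = 'XtsAes256'   # XTS-AES 256-bit
    Removable       = 'Aes256'      # AES-CBC 256-bit
}

function Get-DriveClass {
    param($BitLockerVolume)
    if ($BitLockerVolume.VolumeType -eq 'OperatingSystem') { return 'OperatingSystem' }
    # Get-BitLockerVolume reports fixed and removable data drives alike as "Data",
    # so look the drive letter up with Get-Volume to tell them apart.
    if ($BitLockerVolume.MountPoint -match '^([A-Za-z]):') {
        $vol = Get-Volume -DriveLetter $Matches[1] -ErrorAction SilentlyContinue
        if ($vol -and $vol.DriveType -eq 'Removable') { return 'Removable' }
    }
    return 'Fixed'
}

$report = foreach ($v in Get-BitLockerVolume) {
    $class  = Get-DriveClass $v
    $wanted = $Desired[$class]
    $status = if ($v.VolumeStatus -eq 'FullyDecrypted') {
        'Not encrypted'
    } elseif ("$($v.EncryptionMethod)" -eq $wanted) {
        'OK'
    } else {
        # The policy change has not reached this volume yet.
        'Decrypt and re-encrypt to apply new method'
    }
    [pscustomobject]@{
        MountPoint = $v.MountPoint
        Class      = $class
        Current    = $v.EncryptionMethod
        Wanted     = $wanted
        Status     = $status
    }
}
$report | Format-Table -AutoSize
```

Any volume not marked `OK` was encrypted before the policy change, or is not encrypted at all, and will keep its current state until BitLocker is turned off and on again for that drive.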