Blog | G5 Cyber Security

BitLocker: CBC vs XTS Modes

TL;DR

BitLocker offers two main encryption modes for full volume encryption: CBC and XTS. XTS is generally preferred due to its better performance, especially on modern hardware, and resistance to certain attacks. If you need FIPS 140-2 compliance, you’ll be limited to CBC mode. This guide explains the differences, how to check your current settings, and how to change them.

Understanding BitLocker Encryption Modes

BitLocker uses an encryption algorithm (AES) combined with a mode of operation to encrypt your hard drive. The mode determines how the algorithm is applied to the sequence of data blocks that make up each sector. The two main options are AES-CBC (Cipher Block Chaining) and AES-XTS (XEX-based tweaked-codebook mode with ciphertext stealing).

CBC vs XTS: Key Differences

  1. Performance: XTS-AES is significantly faster than CBC on SSDs and NVMe drives because each block is processed independently, so encryption can be spread across CPU cores; CBC encryption must process the blocks of a sector one after another. On older spinning hard drives the disk itself is the bottleneck, so the difference is less noticeable.
  2. Security: XTS-AES is generally considered more secure than CBC for disk encryption because it resists certain attacks that exploit the way CBC chains each ciphertext block into the next, a concern that grows with the amount of data stored on the volume.
  3. FIPS 140-2 Compliance: If your organisation requires FIPS 140-2 validation (a US government standard for cryptographic modules), you must use CBC mode in BitLocker. XTS-AES is not currently covered by FIPS 140-2 validation for full volume encryption.

Checking Your Current BitLocker Encryption Mode

You can check your current BitLocker settings using the command line:

manage-bde -status C:

Look for the “Encryption Method” line in the output. It will show one of “AES CBC (128-bit)”, “AES CBC (256-bit)”, “AES XTS-AES (128-bit)” or “AES XTS-AES (256-bit)”.
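As an added example (not part of the original post), the following Python script parses the output of manage-bde -status for every volume, classifies each as CBC or XTS, and lists the volumes that do not match the mode you intend to standardise on (CBC under a FIPS 140-2 policy, XTS otherwise). The sample output embedded in it is constructed, and the parser accepts both the short form manage-bde prints (“XTS-AES 256”, “AES 128”) and the longer labels quoted above.

```python
import re
from typing import Dict, List

# Constructed sample of `manage-bde -status` output (not captured from a real host).
SAMPLE_STATUS = """\
BitLocker Drive Encryption: Configuration Tool version 10.0.19041

Volume C: [Windows]
[OS Volume]
    Encryption Method:    XTS-AES 256
    Protection Status:    Protection On

Volume D: [Data]
[Data Volume]
    Encryption Method:    AES 128
    Protection Status:    Protection On

Volume E: [Backup]
[Data Volume]
    Encryption Method:    None
    Protection Status:    Protection Off
"""

VOLUME_RE = re.compile(r"^Volume ([A-Z]):", re.MULTILINE)
METHOD_RE = re.compile(r"^\s*Encryption Method:\s*(.+?)\s*$", re.MULTILINE)


def parse_status(text: str) -> Dict[str, dict]:
    """Map each drive letter to its reported method, mode ('XTS', 'CBC' or None) and key size."""
    volumes = {}
    parts = VOLUME_RE.split(text)[1:]           # [letter, body, letter, body, ...]
    for letter, body in zip(parts[::2], parts[1::2]):
        match = METHOD_RE.search(body)
        method = match.group(1) if match else "None"
        bits = re.search(r"\b(128|256)\b", method)
        if "XTS" in method.upper():
            mode = "XTS"
        elif "AES" in method.upper():
            mode = "CBC"                        # manage-bde reports CBC simply as "AES nnn"
        else:
            mode = None                         # volume is not encrypted
        volumes[letter] = {"method": method, "mode": mode,
                           "bits": int(bits.group(1)) if bits else None}
    return volumes


def noncompliant(volumes: Dict[str, dict], fips: bool) -> List[str]:
    """Drive letters not using the required mode (CBC under FIPS 140-2, XTS otherwise);
    unencrypted volumes are always reported."""
    wanted = "CBC" if fips else "XTS"
    return sorted(d for d, v in volumes.items() if v["mode"] != wanted)
```

On a real host, feed the script the captured stdout of manage-bde -status instead of SAMPLE_STATUS; the same functions then report which drives still need re-encryption before a policy change is enforced.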

Changing Your BitLocker Encryption Mode

Important: Changing the encryption mode requires decrypting and re-encrypting your entire drive. This process can take a very long time, especially for large drives. Ensure you have a recent backup before proceeding!

  1. Back Up Your Data: Before making any changes, create a full backup of your system.
  2. Decrypt the Drive: Use the manage-bde -off C: command to decrypt the drive. Replace ‘C:’ with the correct drive letter.
    manage-bde -off C:
  3. Enable BitLocker with the Desired Mode: Use the manage-bde -on C: -encryptionmethod <mode> command to re-enable BitLocker with your chosen mode. Replace ‘C:’ with the correct drive letter and <mode> with one of the values manage-bde accepts: aes128 or aes256 for CBC, xts_aes128 or xts_aes256 for XTS (these are the parameter values, not the display names shown by -status).
    manage-bde -on C: -encryptionmethod xts_aes256
  4. Verify the Change: After re-encryption is complete, run manage-bde -status C: again to confirm that the encryption method has been updated.

Considerations