Increase BitLocker cipher strength to AES 256 | Plus automated drive dismounting!

BitLocker is good. I'm not going to say great, but good enough to get the job done: it gives users a relatively safe encryption suite built right into Windows that will keep your files (when implemented properly) safe from people who want access to your PC or laptop. Mileage may vary when dealing with government entities.

However, did you know that BitLocker has various settings that can be configured to increase overall security? If you're using the default settings, take a look below:

Problem: How do I set BitLocker up to be more secure?

Solution: Raise the cipher strength.
Before I show you how, I want to make something clear. Assume everything you encrypt can be decrypted; it is just a matter of time. This does not mean don't encrypt. It means encryption only buys you time against a government entity, or a passionate individual with a 32-GPU cluster and a vendetta. To be precise about where that time goes: nobody is brute-forcing AES itself at either key length. What the GPU cluster attacks is a weak PIN, password or recovery key, and what a better-funded adversary goes after is the key while it sits in RAM on a running or sleeping machine, or a TPM-only setup that unlocks the disk with no secret from the user at all. A longer key closes none of those, so treat this setting as one layer on top of a strong PIN or password and the habit of locking drives when you are not using them.

Either way, more security is always better than none at all. Back on task!

First we need to set the cipher strength. The setting only applies to volumes encrypted after it is turned on, so if you have already encrypted the drive you will have to decrypt it and encrypt it again. Open up gpedit.msc with Start > Run > gpedit.msc

Once you have it open, expand the following tree:
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption

Here you will see various options, but the one we want is: Choose drive encryption method and cipher strength. Set it to Enabled and choose AES 256-bit from the dropdown. On Windows 10 version 1511 and later the policy carries three dropdowns, one each for operating system, fixed data and removable data drives, and offers XTS-AES 256-bit; pick that unless the drive has to be read by an older Windows, which only understands the AES-CBC options.

Once this is set, press OK. Now you need to set BitLocker up again on the drive; it is assumed you have done this before, and if not, head over to Microsoft's documentation for instructions. Don't take the policy on faith afterwards: manage-bde -status lists the Encryption Method actually in use on each volume, and a volume encrypted before the change will still show the old one.
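The same change done from PowerShell, as an added example that is not code from the original post. It audits the cipher each volume actually uses, writes the registry values that the gpedit policy sets (HKLM\SOFTWARE\Policies\Microsoft\FVE, values 7 = XTS-AES 256-bit for Windows 10 1511 and later, 4 = AES 256-bit for the single-value key older builds read), and re-encrypts a data volume, since there is no in-place cipher change. It assumes Windows 10 version 1511 or later with the BitLocker module, an elevated prompt, and a drive letter of E: in the usage lines; the function names are my own.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post. Assumes Windows 10 1511+
# with the BitLocker PowerShell module, run from an elevated prompt.
# FVE = Full Volume Encryption, the registry home of the BitLocker policies.

# 1. Audit: which cipher is each volume using right now? The policy only
#    affects volumes encrypted after it is set, so old volumes stay on
#    whatever they were created with until re-encrypted.
function Get-BitLockerCipherReport {
    Get-BitLockerVolume |
        Select-Object MountPoint, VolumeType, VolumeStatus, EncryptionMethod, ProtectionStatus
}

# 2. Policy: write the values gpedit sets for
#    "Choose drive encryption method and cipher strength".
function Set-BitLocker256Policy {
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
    # Windows 10 1511+: one value per drive type (OS / fixed / removable).
    # 7 = XTS-AES 256-bit; use 4 (AES-CBC 256-bit) only if an older Windows
    # must be able to read the drive.
    foreach ($name in 'EncryptionMethodWithXtsOs',
                      'EncryptionMethodWithXtsFdv',
                      'EncryptionMethodWithXtsRdv') {
        Set-ItemProperty -Path $fve -Name $name -Value 7 -Type DWord
    }
    # Pre-1511 builds read a single value instead; 4 = AES 256-bit.
    Set-ItemProperty -Path $fve -Name 'EncryptionMethod' -Value 4 -Type DWord
    Get-ItemProperty -Path $fve | Select-Object EncryptionMethod*
}

# 3. Re-encrypt a data volume that is still on the old cipher: decrypt it
#    fully, then turn BitLocker back on with the new method.
function Reset-DataVolumeCipher {
    param(
        [Parameter(Mandatory)] [string]       $MountPoint,   # e.g. 'E:'
        [Parameter(Mandatory)] [SecureString] $Password
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeType -ne 'Data') {
        throw "$MountPoint is the OS volume; re-encrypt that one from the BitLocker control panel."
    }
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        Disable-BitLocker -MountPoint $MountPoint | Out-Null
        do { Start-Sleep -Seconds 15 }
        until ((Get-BitLockerVolume -MountPoint $MountPoint).VolumeStatus -eq 'FullyDecrypted')
    }
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
        -PasswordProtector -Password $Password | Out-Null
    # Always keep a recovery password; this returns it once, store it offline.
    (Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        Select-Object -ExpandProperty RecoveryPassword
}

# Usage (E: is an assumed drive letter):
# Get-BitLockerCipherReport
# Set-BitLocker256Policy
# Reset-DataVolumeCipher -MountPoint 'E:' -Password (Read-Host -AsSecureString 'New drive password')
# Get-BitLockerCipherReport   # E: should now report XtsAes256
```

Run the report before and after: the point of step 1 is that the registry change alone changes nothing on disk, and the report is what proves the re-encryption actually happened.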

BONUS ROUND! How can I automatically dismount encrypted BitLocker drives?

Don't forget: to err is human! Leaving your drives mounted could lead to unforeseen consequences if you are visited late at night by unsavory officials, someone breaks into your house or hotel room, or steals your laptop. With the drives left mounted, the keys are in memory and the drives accessible. They do not lock until you reboot or lock them explicitly. One limit to keep in mind: this applies to data drives (fixed or removable) only. The operating system drive cannot be locked while Windows is running, so its key stays in RAM until shutdown; for that drive the only answer is to shut down, not sleep, when you walk away.

So how can you solve this? Easy: create a scheduled task to lock the drive after a predefined period of idleness, or on a schedule.

First hit Start, type in Task Scheduler and open it.

Next, right click and choose Create Basic Task... Don't worry, we will change it during the setup process.

Give it a name and a snazzy description.

The next two windows are at your discretion; fill them out based on your needs, since they control how often the job will run. Eventually you will be asked "What action do you want the task to perform?" Choose Start a program.

In the next window, paste into the Program/script box:
manage-bde.exe -lock E: -ForceDismount

E: is the drive letter you want to lock with BitLocker; customize this to your own setup. -ForceDismount locks the drive even if files on it are open, so anything unsaved there is lost. Windows will then tell you it looks like you put arguments in the program box and ask whether to run manage-bde.exe with "-lock E: -ForceDismount" as the arguments. That is fine, and saves a second screenshot in this article: hit Yes and Windows splits them into the right boxes for you.

Voila! Hit Next, and before you hit Finish tick "Open the Properties dialog for this task when I click Finish". On the General tab check "Run with highest privileges", because manage-bde refuses to lock a drive without administrator rights and the task would silently fail otherwise. Test it once with "Run" in Task Scheduler and confirm the drive disappears from Explorer. You have just increased the security of your BitLocker setup with minimal effort but maximum gain.
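The same task built from PowerShell, as an added example that is not code from the original post. Instead of one hard-coded drive letter it locks every unlocked data volume, skips the OS volume (which cannot be locked while Windows runs) and anything still encrypting, turns off auto-unlock so the volume does not simply reopen, and registers the task to run elevated as SYSTEM after 15 minutes of idle time on a nightly schedule. It assumes Windows 8 / Server 2012 or later with the BitLocker and ScheduledTasks modules and an elevated prompt; the task name, script path and times are arbitrary choices of mine.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post. Assumes Windows 8 /
# Server 2012 or later (BitLocker and ScheduledTasks modules), run elevated.

# The script the task will execute. It lives under Program Files on purpose:
# anything that runs as SYSTEM must sit where standard users cannot write,
# or the task becomes a privilege-escalation path. Path is an assumption.
$scriptPath = Join-Path $env:ProgramFiles 'LockBitLocker\Lock-DataVolumes.ps1'
New-Item -ItemType Directory -Path (Split-Path $scriptPath) -Force | Out-Null

@'
# Lock every BitLocker data volume that is currently unlocked. The OS volume
# cannot be locked while Windows runs and is skipped; a volume still being
# encrypted is left alone rather than force-dismounted mid-conversion.
Get-BitLockerVolume |
    Where-Object { $_.VolumeType   -eq 'Data' -and
                   $_.LockStatus   -eq 'Unlocked' -and
                   $_.VolumeStatus -eq 'FullyEncrypted' } |
    ForEach-Object {
        # Auto-unlock keeps a key for this volume on the OS drive, so anyone
        # who can log on could open it again without a password. Turn it off
        # so the next unlock has to ask.
        if ($_.AutoUnlockEnabled) {
            Disable-BitLockerAutoUnlock -MountPoint $_.MountPoint | Out-Null
        }
        # -ForceDismount locks even with open handles; unsaved work is lost.
        Lock-BitLocker -MountPoint $_.MountPoint -ForceDismount | Out-Null
    }
'@ | Set-Content -Path $scriptPath -Encoding ASCII

$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$scriptPath`""

# Nightly trigger, but held until the machine has been idle 15 minutes
# (waiting up to an hour for that), and run even on battery so a laptop in
# a hotel room still locks. -StartWhenAvailable catches a missed run.
$trigger  = New-ScheduledTaskTrigger -Daily -At '22:00'
$settings = New-ScheduledTaskSettingsSet -RunOnlyIfIdle `
    -IdleDuration (New-TimeSpan -Minutes 15) -IdleWaitTimeout (New-TimeSpan -Hours 1) `
    -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -StartWhenAvailable

# SYSTEM with highest run level: Lock-BitLocker and manage-bde need admin.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

Register-ScheduledTask -TaskName 'Lock BitLocker data volumes' -Action $action `
    -Trigger $trigger -Settings $settings -Principal $principal -Force | Out-Null

# Check: the task exists, and running the script by hand locks the drives.
Get-ScheduledTask -TaskName 'Lock BitLocker data volumes' | Select-Object TaskName, State
& $scriptPath
Get-BitLockerVolume | Select-Object MountPoint, VolumeType, LockStatus
```

New-ScheduledTaskTrigger has no "On idle" trigger of its own; the idle condition on a daily trigger above gives the same practical effect, and the GUI's On idle trigger remains available if you prefer to edit the registered task there. The final Get-BitLockerVolume call is the check that matters: every Data volume should read Locked while the OperatingSystem volume stays Unlocked, which is exactly the limit described earlier.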

Here is a list of other BitLocker command options in case you're interested.
