deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 05:17:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity
windows-itpro-docs/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-use-of-hardware-based-encryption-for-removable-data-drives.md
Paolo Matarazzo 7135a27212 updates
2023-10-30 18:30:20 -04:00

2.2 KiB
Raw Blame History

author, ms.author, ms.date, ms.topic
author ms.author ms.date ms.topic
paolomatarazzo paoloma 10/30/2023 include

Configure use of hardware-based encryption for removable data drives

This policy setting allows you to manage BitLocker's use of hardware-based encryption on removable data drives and specify which encryption algorithms it can use with hardware-based encryption. Using hardware-based encryption can improve performance of drive operations that involve frequent reading or writing of data to the drive.

If you enable this policy setting, you can specify options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on devices that don't support hardware-based encryption. You can also specify if you want to restrict the encryption algorithms and cipher suites used with hardware-based encryption.

If you disable this policy setting, BitLocker can't use hardware-based encryption with removable data drives, and BitLocker software-based encryption will be used by default when the drive is encrypted.

If you do not configure this policy setting, BitLocker will use software-based encryption, irrespective of hardware-based encryption availability.

Note

The Choose drive encryption method and cipher strength policy setting doesn't apply to hardware-based encryption. The encryption algorithm used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm configured on the drive to encrypt the drive.

The Restrict encryption algorithms and cipher suites allowed for hardware-based encryption option enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm set for the drive isn't available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID). For example:

  • AES 128 in CBC mode OID: 2.16.840.1.101.3.4.1.2
  • AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42
Path
CSP Not available
GPO Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Removable Data Drives