Over the weekend, I reimaged my Windows 10 laptop, and while setting everything up, decided to use Bitlocker instead of VeraCrypt like I have previously. When researching the best configuration, documentation felt scattered, and I ended up having to research for a while (including here on Reddit) to figure out the most secure configuration for a consumer machine. Both for my future reference (for when I need to reimage my wife’s/parents’/friends’ machines) and the benefit of the community, I’m consolidating my findings from official documentation here.
We’ll start with the encryption base. When BitLocker was first brought to Windows 10, the default was hardware-based encryption wherever the SSD advertised support for it: Microsoft trusted the drive vendor’s firmware to implement the encryption correctly, and BitLocker simply handed the job over to the drive. The 2018 Radboud University research into self-encrypting SSDs showed that several major vendors got this badly wrong; on the affected drives the user password was not cryptographically tied to the disk encryption key, so the drive could be unlocked without it, and a BitLocker volume that deferred to the drive was no better protected. Fixes depended on firmware updates from each vendor, which is not something BitLocker’s security should ride on.
Microsoft has since changed the default (from the September 2019 cumulative update to Windows 10 version 1903 onward, newly encrypted drives use software encryption), but the policy is still worth setting explicitly, and note that a drive already encrypted with hardware encryption is not converted: you have to decrypt it (manage-bde -off) and re-encrypt after the policy is in place. Disabling hardware encryption in favor of software-based encryption is the first step to ensuring proper encryption. In group policy, navigate to “Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption,” and under each of the “Fixed Data Drives,” “Operating System Drives,” and “Removable Data Drives” folders set the policy “Configure use of hardware-based encryption for [drive type]” to Disabled.
Next, change the default encryption algorithm. Since Windows 10 version 1511 the default is XTS-AES 128-bit for operating system and fixed drives and AES-CBC 128-bit for removable drives. AES-128 is not broken, but 256-bit keys are the conservative choice and the performance cost is negligible on any CPU with AES-NI. While still in Group Policy, navigate to “Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption” and set “Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)” to the following:
Operating System Drives: XTS-AES 256-bit
Fixed Data Drives: XTS-AES 256-bit
Removable Data Drives: AES-CBC 256-bit
This policy only applies to drives encrypted after it is set; a volume already encrypted with XTS-AES 128 stays that way until it is decrypted and re-encrypted.
A note about the two modes, XTS-AES vs AES-CBC: both are AES under the hood, and neither gives an attacker a practical way to read the ciphertext without the key. The difference is tampering. BitLocker dropped the Elephant diffuser in Windows 8, and plain CBC without an integrity check is malleable: an attacker with write access to the disk can flip predictable bits in the decrypted data. XTS limits that to scrambling whole 16-byte blocks, which is why it is the recommended mode for fixed and OS drives.
The practical difference is compatibility with older Windows versions, not with Linux or macOS (both have BitLocker readers that handle XTS). As the policy’s own note explains, XTS-AES volumes cannot be read by Windows versions before 10 1511, so AES-CBC is the safer choice for a removable drive that will be plugged into such machines.
If your device has a TPM, using it for platform validation is critical. On its own (the TPM-only protector, which is the Windows default) it gives you a drive that is encrypted at rest and cannot be read when moved to another machine, but the key is released automatically at boot, so anyone who can boot the laptop gets to attack the running OS (DMA, logon bugs, or sniffing a discrete TPM’s bus for the key). Paired with a PIN it is an excellent tool: the TPM will not unseal the volume key until the PIN is entered and the measured boot state matches.
Platform validation works by checking the TPM’s Platform Configuration Registers (PCRs), which hold measurements of the firmware, the boot configuration, and the boot manager. If any of them differ, because the drive was pulled and attached to a different system or because the boot path was tampered with, the TPM refuses to unseal the key and BitLocker falls back to recovery mode. With TPM+PIN the PIN is only meaningful to that TPM: it is not a passphrase the disk key is derived from, so pulling the drive gives an attacker nothing to brute-force offline, and on the original machine the TPM’s own anti-hammering logic rate-limits guesses. The 48-digit recovery password is the only protector that can be attacked offline, and it carries 128 bits of entropy.
The TPM platform validation policies are under “Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives”; pick the one matching your firmware: “Configure TPM platform validation profile for native UEFI firmware configurations” for any modern machine, or “...for BIOS-based firmware configurations” for legacy BIOS boot (the third one, “(Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2),” does not apply to Windows 10). Set the policy to “Enabled.” The default selection (PCRs 0, 2, 4, and 11 for UEFI) is recommended. Every additional PCR you tick is one more measurement that must match at every boot, so only add others if you are certain they will not change on your device; otherwise you will be typing the recovery password after every firmware or boot setting change. Note that if this policy is left Not Configured on a Secure Boot machine, Windows 10 instead binds to PCR 7 (the Secure Boot policy measurement) and 11, which survives most firmware updates; the explicit 0, 2, 4, 11 profile is stricter but expect a recovery prompt after a UEFI firmware update.
As previously mentioned, the TPM should not be the only authentication factor. A BitLocker PIN and/or a startup key can be configured: a PIN is typed at boot, a startup key is a USB drive holding a key file that must be plugged in at boot. The policy for that is “Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Require additional authentication at startup.” Enable it, leave “Allow BitLocker without a compatible TPM” unchecked (otherwise a password-only protector that bypasses the TPM can be created), and set all of the options to “Allow” except for the one you want to “Require.” For example, since I wanted just the TPM and PIN authentication, I set the following:
Configure TPM startup: Allow TPM
Configure TPM startup PIN: Require startup PIN with TPM
Configure TPM startup key: Allow startup key with TPM
Configure TPM startup key and PIN: Allow startup key and PIN with TPM
By default the PIN is numeric only, with a minimum of 6 digits on current Windows 10 builds (4 on older ones) and a maximum of 20. The minimum is set by “Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Configure minimum PIN length for startup” (range 4 to 20; raise it to 8 or more). To use letters and symbols as well, enable “Allow enhanced PINs for startup” in the same folder. Caveat: the PIN is typed in the pre-boot environment using the firmware’s keyboard handling, so some machines cannot enter certain symbols or non-US layouts; test the PIN at the first reboot rather than discovering this when locked out.
The PIN is then set by running “manage-bde -protectors -add c: -TPMAndPIN” in an elevated cmd or PS window; it prompts for the PIN. Before doing this, make sure a recovery password exists (“manage-bde -protectors -get c:” lists the protectors; “manage-bde -protectors -add c: -RecoveryPassword” creates one) and store it somewhere other than the machine, because the recovery password is what you fall back on whenever the PCRs change. Afterwards, check with “manage-bde -protectors -get c:” that the protectors listed are TPM And PIN plus Numerical Password, and that no TPM-only protector remains.
After everything is set, run “gpupdate /force” in PS or cmd, enable BitLocker, and confirm with “manage-bde -status” that the Encryption Method shows XTS-AES 256 rather than Hardware Encryption.
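The whole procedure above, as one script. This is an added example, not code from the original post: instead of clicking through gpedit it writes the registry values that the corresponding Group Policy settings map to (under HKLM\SOFTWARE\Policies\Microsoft\FVE, so gpupdate is not needed; on a domain-joined machine a domain GPO would override them), then enables BitLocker on C: with a TPM+PIN protector and a recovery password, and verifies the result. It assumes a UEFI machine with a ready TPM, C: as a not-yet-encrypted OS volume, and a minimum PIN length of 8; the PCR profile is left to gpedit as described earlier.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Run from an elevated PowerShell prompt.
# Assumptions: UEFI firmware with a ready TPM, C: is the OS volume and is not yet encrypted.

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }

# 1. Software encryption only: "Configure use of hardware-based encryption" = Disabled
#    for OS, fixed and removable drives.
foreach ($prefix in 'OS', 'FDV', 'RDV') {
    Set-ItemProperty -Path $fve -Name "${prefix}AllowHardwareEncryption" -Value 0 -Type DWord
}

# 2. "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)"
#    7 = XTS-AES 256, 4 = AES-CBC 256 (the defaults are 6 = XTS-AES 128 and 3 = AES-CBC 128).
Set-ItemProperty -Path $fve -Name 'EncryptionMethodWithXtsOs'  -Value 7 -Type DWord
Set-ItemProperty -Path $fve -Name 'EncryptionMethodWithXtsFdv' -Value 7 -Type DWord
Set-ItemProperty -Path $fve -Name 'EncryptionMethodWithXtsRdv' -Value 4 -Type DWord

# 3. "Require additional authentication at startup": 0 = do not allow, 1 = require, 2 = allow.
#    TPM allowed, PIN required, startup key and key+PIN allowed, no BitLocker without a TPM.
$startup = @{
    UseAdvancedStartup = 1
    EnableBDEWithNoTPM = 0
    UseTPM             = 2
    UseTPMPIN          = 1
    UseTPMKey          = 2
    UseTPMKeyPIN       = 2
}
foreach ($kv in $startup.GetEnumerator()) {
    Set-ItemProperty -Path $fve -Name $kv.Key -Value $kv.Value -Type DWord
}

# 4. Enhanced (alphanumeric) PINs and a minimum PIN length of 8 (assumed value).
Set-ItemProperty -Path $fve -Name 'UseEnhancedPin' -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name 'MinimumPIN'     -Value 8 -Type DWord

# Sanity checks before touching the volume: the TPM must be usable, and the policies
# above only apply to a drive encrypted after they are set.
$tpm = Get-Tpm
if (-not $tpm.TpmPresent -or -not $tpm.TpmReady) {
    throw 'TPM missing or not ready; fix that in firmware setup / tpm.msc first.'
}
$vol = Get-BitLockerVolume -MountPoint 'C:'
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    throw "C: is $($vol.VolumeStatus) using $($vol.EncryptionMethod); run Disable-BitLocker, wait for decryption, then re-run."
}

# 5. Enable BitLocker with TPM+PIN. The PIN is read as a SecureString so it never lands in
#    command history. Full-disk (not used-space-only) encryption, because a reimaged drive may
#    still hold old data in "free" space. The default hardware test reboots once and proves the
#    PIN can actually be typed in the pre-boot environment before any data is encrypted.
$pin = Read-Host -AsSecureString -Prompt 'Startup PIN (8+ characters)'
Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 -TpmAndPinProtector -Pin $pin

# 6. Recovery password: printed once so it can be stored off the machine. Without it, any PCR
#    change (firmware update, boot order change) locks you out of the volume.
Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
$vol = Get-BitLockerVolume -MountPoint 'C:'
$recovery = ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').RecoveryPassword
Write-Host "Recovery password (store it off this machine, then clear the window): $recovery"

# 7. Verify: software XTS-AES 256, protectors are TpmPin + RecoveryPassword, nothing TPM-only.
#    Re-run this part after the hardware-test reboot once encryption is in progress.
$types = $vol.KeyProtector.KeyProtectorType
if ($vol.EncryptionMethod -ne 'XtsAes256') {
    Write-Warning "Encryption method is $($vol.EncryptionMethod), expected XtsAes256"
}
if ($types -contains 'Tpm') {
    Write-Warning 'A TPM-only protector exists; remove it with Remove-BitLockerKeyProtector'
}
$vol | Format-List MountPoint, VolumeStatus, EncryptionMethod, ProtectionStatus
$vol.KeyProtector | Format-Table KeyProtectorId, KeyProtectorType
```

After the reboot the hardware test forces, you should be asked for the PIN before Windows loads; if the firmware cannot take the PIN you chose, BitLocker reports the failure and leaves the drive decrypted rather than locking you out, which is the reason to keep the hardware test rather than passing -SkipHardwareTest.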
I hope this helps someone else out! Please let me know if there’s anything I missed or can improve on; while this is the most complete guide I could write, I won’t claim it’s 100%.