Bitlocker: AES-XTS (new encryption type)


Hello

It's Rafal Sosnowski from Microsoft Dubai Security PFE Team. Today I want to talk about new Bitlocker algorithm introduced in Windows 10 (build 1511).

Bitlocker uses AES (Advanced Encryption Standard) to encrypt data on the drives. AES is a block cipher (as opposed to stream cipher) which divides plain text into blocks with the same size and then encrypt each block separately. If the data is bigger than the block size, it has to be partitioned. In the simplest way, data is split into separate blocks and the last block is extended with padding bits. This is the simplest method of transformation called Electronic Codebook mode (ECB) and can be easily reversed (equal plaintext blocks always generate equal encrypted blocks).

That’s why mathematicians designed few other, more secure and less predictable block modes called “block cipher modes of operation” like CBC, XTS, LRW, CFB, CCM, OFB and OCB. General concept of these modes is to introduce randomization of the plaintext data based on additional input (initialization vector).

 

In Bitlocker, AES works in 2 modes:

CBC - Cipher block chaining (CBC) – in this mode current block's plaintext is XOR’ed with previous block's cipher text before encryption. This gives assurance that same data in different sectors will give us different output after encryption. First block in this mode will get random initialization vector (IV). CBC mode for Bitlocker has been introduced in Windows Vista.

XTS – XEX-based tweaked-codebook mode with ciphertext stealing – in this mode we still execute XOR function between blocks but also add additional tweak key to improve permutation. This tweak key can be sector address or combination of the sector address and its index. XTS mode for Bitlocker has been introduced in Windows 10 (build 1511).

Both modes support 128 and 256bit key length.

 

Selection of these two can be controller via GPO under Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Choose drive encryption method and cipher strength:

 

For Windows version 1511 and later we are able to choose different algorithm for each disk type (OS, data drive, removable data drive):

Note: In Windows 7 there was also AES CBC with Elephant Diffuser which was removed in Windows 8.

 

Above configuration of the algorithms for Windows 10 (build 1511) is kept as REG_DWORDs under:

HKLM\SOFTWARE\Policies\Microsoft\FVE

Operating System drives: EncryptionMethodWithXtsOs

Fixed Data drives: EncryptionMethodWithXtsFdv

Removable Data drives: EncryptionMethodWithXtsRdv

Possible values:

AES-CBC 128bit – value 3

AES-CBC 128bit – value 4

AES-XTS 128bit – value 6

AES-XTS 256bit – value 7

Example of configuration of AES-XTS-256 enforced on all types of drives:

These registry entries can be imported into MDT or SCCM when creating Task Sequence for Bitlocker Encryption.

 

Encryption type for Windows 8 and Windows 10 (earlier than 1511) is kept as REG_DWORD  under:

HKLM\SOFTWARE\Policies\Microsoft\FVE

EncryptionMethodNoDiffuser

AES CBC 128 bit - value 3

AES CBC 256bit - value 4

 

Encryption type for Windows Vista and Windows 7 is kept as REG_DWORD  under:

HKLM\SOFTWARE\Policies\Microsoft\FVE

EncryptionMethod

AES CBC 128 bit - value 3

AES CBC 256bit - value 4

AES CBC 128 bit with Diffuser - value 1

AES CBC 256 bit with Diffuser - value 2

 

So in what besides security XTS mode is better than CBC? If we talk about Bitlocker we clearly see advantage in performance:

Initial encryption time of 10GB volume

AES mode: encryption time:
CBC 128bit 11m 49s
CBC 256bit 11m 44s
XTS 128bit 11m 15s
XTS 256bit 11m 16s

 

Above performance test’s result is not Microsoft official benchmark. Your individual test can be different as performance of Bitlocker encryption depends on multiple factors like: drive type (SSD/HDD), firmware, workload and many more...

Rafal

Comments (4)

  1. Madushanka Gamage says:

    Hey Rafal,

    Useful Article.
    Cheers !

  2. Tomas Ulbrich says:

    Hello,

    I see you have an ‘unofficial” encryption time chart – question(s)

    So you are saying that CBC or XTS 256-bit is faster then 128? – Does that apply only to 10, or 8 or 7, or all of them?

    Is XTS more secure then CBC? – I’ve read a mixture of conflicting reports.

    Cheers,
    Tomas

    Cheers,
    Tomas

  3. nope I am not saying that 256bit is faster than 128bit. In my example difference was so small that we can consider is as a margin of error. In my tests XTS was quicker than CBC but as I said in your tests results might be different. Also if you want to speed up initial encryption use modern CPU that has AES-NI extension.

  4. eeeeee says:

    Oh wow, in 2008 Microsoft said to NIST that XTS is utterly insecure.

    http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/XTS/collected_XTS_comments.pdf

Skip to main content