Configure BitLocker hardware-based encryption for fixed data

BitLocker offers two different types of encryption, hardware-based and software-based. This guide will help you switch between them for fixed data drives, using either the Local Group Policy Editor or the Registry Editor on a Windows 11/10 PC. However, your computer must support hardware-based encryption for this change to take effect.

How to configure BitLocker hardware-based encryption for fixed data drives

To configure BitLocker hardware-based encryption for fixed data drives, follow these steps:

  1. Press Win+R to open the Run prompt.
  2. Type gpedit.msc and press the Enter button.
  3. Go to BitLocker Drive Encryption > Fixed Data Drives in Computer Configuration.
  4. Double-click on the Configure use of hardware-based encryption for fixed data drives setting.
  5. Choose the Enabled option.
  6. Set the rules accordingly.
  7. Click the OK button.

To learn more about these steps, continue reading.

To get started, you need to open the Local Group Policy Editor on your computer. To do that, press Win+R to open the Run prompt, type gpedit.msc, and press the Enter button.

Then, navigate to this path:

Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Fixed Data Drives

Here you can find a setting called Configure use of hardware-based encryption for fixed data drives. You need to double-click on this setting and choose the Enabled option.


Now you can see and enable two settings:

  • Use BitLocker software-based encryption when hardware encryption is not available
  • Restrict encryption algorithms and cipher suites allowed for hardware-based encryption

You can enable these settings by ticking the corresponding checkboxes. Finally, click the OK button to save the change.

Configure BitLocker hardware-based encryption for fixed data drives using Registry

To configure BitLocker hardware-based encryption for fixed data drives using Registry, follow these steps:

  1. Search for regedit and click on the search result.
  2. Click the Yes button.
  3. Navigate to Microsoft in HKLM.
  4. Right-click on Microsoft > New > Key and name it FVE.
  5. Right-click on FVE > New > DWORD (32-bit) Value.
  6. Set the name as FDVAllowSoftwareEncryptionFailover.
  7. Double-click on it and set the Value data as 1.
  8. Create another REG_DWORD value named FDVHardwareEncryption.
  9. Set the Value data as 1 to enable.
  10. Create another REG_DWORD value named FDVRestrictHardwareEncryptionAlgorithms.
  11. Set the Value data as 1 to enable.
  12. Right-click on FVE > New > Expandable String Value and name it as FDVAllowedHardwareEncryptionAlgorithms.
  13. Double-click on it to set the Value data as 2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42.
  14. Restart your computer.

Let’s check out these steps in detail.

First, search for regedit in the Taskbar search box, click on the search result, and click the Yes button in the UAC prompt to open Registry Editor. Then, navigate to this path:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft

Right-click on Microsoft > New > Key and name it as FVE.


Right-click on FVE > New > DWORD (32-bit) Value and name them as follows:

  • FDVAllowSoftwareEncryptionFailover
  • FDVHardwareEncryption
  • FDVRestrictHardwareEncryptionAlgorithms


Following that, double-click on the FDVHardwareEncryption and set the Value data as 1.


Next, double-click on the remaining two REG_DWORD values and set the Value data as 1 to enable each of them (0 disables).

Once done, right-click on FVE > New > Expandable String Value and set the name as FDVAllowedHardwareEncryptionAlgorithms.

Next, double-click on it and set the Value data as 2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42.

Finally, close all windows and restart your computer.
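Both procedures above end with the same four values under the FVE policy key (the Group Policy setting writes them for you; the Registry steps create them by hand). The script below is an added example, not part of the original article, that writes those values from an elevated PowerShell prompt and then reads back which encryption method each BitLocker volume is actually using. The parameter names `PreferHardware` and `AllowSoftwareFailover` are assumptions introduced here for illustration; the value names and the algorithm OIDs are the ones given in this guide. Keep in mind that the policy only affects volumes encrypted after it applies, so an already-encrypted drive will still report its old method until it is decrypted and re-encrypted.

```powershell
# Added example (not the article's own code): set the FVE policy values this guide
# creates by hand, then report the encryption method in use on each volume.
# Run from an elevated PowerShell prompt; the parameter names are illustrative.
param(
    # 1 = prefer the drive's own hardware encryption (FDVHardwareEncryption)
    [bool]$PreferHardware = $true,
    # 1 = fall back to software encryption when hardware encryption is not available
    [bool]$AllowSoftwareFailover = $true
)

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) {
    New-Item -Path $fve -Force | Out-Null
}

# REG_DWORD values exactly as named in the article; 1 enables, 0 disables
$dwords = @{
    'FDVHardwareEncryption'                   = [int]$PreferHardware
    'FDVAllowSoftwareEncryptionFailover'      = [int]$AllowSoftwareFailover
    'FDVRestrictHardwareEncryptionAlgorithms' = 1
}
foreach ($name in $dwords.Keys) {
    New-ItemProperty -Path $fve -Name $name -PropertyType DWord `
        -Value $dwords[$name] -Force | Out-Null
}

# Allowed algorithms from the article as a REG_EXPAND_SZ list of OIDs:
# 2.16.840.1.101.3.4.1.2 = AES-128-CBC, 2.16.840.1.101.3.4.1.42 = AES-256-CBC
$oids = '2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42'
New-ItemProperty -Path $fve -Name 'FDVAllowedHardwareEncryptionAlgorithms' `
    -PropertyType ExpandString -Value $oids -Force | Out-Null

# Read back what was written so a typo in a value name is caught immediately
Get-ItemProperty -Path $fve | Select-Object FDV*

# Verification: EncryptionMethod reads "Hardware" on a volume that uses the drive's
# own encryption; software-encrypted volumes show an AES/XTS method instead.
Get-BitLockerVolume | Select-Object MountPoint, VolumeType, EncryptionMethod, ProtectionStatus
```

Running it with `-PreferHardware $false` writes the software-only profile instead, which is what you would use to reverse the change. The read-back at the end is the quick check that the policy took effect: if a data drive still reports a software method after a restart, it was encrypted before the policy applied or the drive does not support hardware encryption, in which case the failover value decides whether BitLocker uses software encryption or refuses to encrypt.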


How do I make BitLocker use hardware encryption?

You can make BitLocker use hardware encryption instead of software encryption with the help of the Local Group Policy Editor or Registry Editor. For that, you need to open the Configure use of hardware-based encryption for fixed data drives setting and choose the Enabled option. Then, remove the tick from the Use BitLocker software-based encryption when hardware encryption is not available checkbox and click the OK button.


Does BitLocker use hardware encryption?

Yes, BitLocker may use hardware encryption as long as your computer has the facility. If hardware-based encryption is not available on your computer, BitLocker may use software-based encryption instead. Whether it is for a removable drive or a fixed drive, the policy works the same way.

That’s all! Hope this guide helped.

