Encryption Type Calculator
Three settings control Kerberos encryption types in Active Directory, and each one interprets the same bitmask differently. Use this calculator to convert between decimal, hex, and individual flags for any of the three settings.
For the full reference on each setting, see msDS-SupportedEncryptionTypes, Registry Settings, and Group Policy.
How the Three Settings Differ
These three settings use the same bitmask format but serve different purposes and interpret certain bits differently.
| Setting | Where | Scope | Key Difference |
|---|---|---|---|
| msDS-SupportedEncryptionTypes | AD attribute on each account | Per-account | Carries etype bits (0-5), protocol feature flags (16-19), and the future flag (31). AES-SK (bit 5) is honored here. Always overrides the other two settings. |
| DefaultDomainSupportedEncTypes | HKLM\...\Services\KDC on each DC | Per-DC (not replicated) | AES-SK (bit 5) is honored here. Bits 16-19 and 31 are not meaningful. |
| SupportedEncryptionTypes | HKLM\...\Policies\System\Kerberos\Parameters | Per-machine (written by GPO) | Acts as a hard filter. The GPO "Future encryption types" checkbox sets bits 5-30 (0x7FFFFFE0), not bit 31. High bits are stripped when the machine auto-writes its AD attribute. |
For the full precedence rules and 14 worked examples, see Etype Decision Guide.
Bit Flag Reference
Source: [MS-KILE] section 2.2.7 — Supported Encryption Types Bit Flags.
Encryption Type Bits (0-5)
| Bit | Hex | Decimal | Name | Etype # | Status |
|---|---|---|---|---|---|
| 0 | 0x1 | 1 | DES-CBC-CRC | 1 | Removed in Server 2025 |
| 1 | 0x2 | 2 | DES-CBC-MD5 | 3 | Removed in Server 2025 |
| 2 | 0x4 | 4 | RC4-HMAC | 23 | Deprecated (July 2026) |
| 3 | 0x8 | 8 | AES128-CTS-HMAC-SHA1-96 | 17 | Recommended |
| 4 | 0x10 | 16 | AES256-CTS-HMAC-SHA1-96 | 18 | Recommended |
| 5 | 0x20 | 32 | AES256-CTS-HMAC-SHA1-96-SK | — | Session key variant (Nov 2022+). Honored in both DefaultDomainSupportedEncTypes and per-account msDS-SupportedEncryptionTypes. |
Protocol Feature Flags (16-19)
These bits are not encryption types — they are protocol feature flags defined in [MS-KILE] section 2.2.7 and stored in the same msDS-SupportedEncryptionTypes bitmask. They are only meaningful on the AD attribute, not in registry-based settings.
| Bit | Hex | Decimal | Name | Introduced | Description |
|---|---|---|---|---|---|
| 16 | 0x10000 | 65536 | FAST-supported | Server 2012 | Account supports Kerberos armoring ([RFC 6113]) |
| 17 | 0x20000 | 131072 | Compound-identity-supported | Server 2012 | Account supports compound identity for Dynamic Access Control |
| 18 | 0x40000 | 262144 | Claims-supported | Server 2012 | Account supports claims-based authentication |
| 19 | 0x80000 | 524288 | Resource-SID-compression-disabled | Server 2012 | Disables resource SID compression in the PAC |
AES-SHA2 Encryption Types (6-7)
Windows Server 2025 introduces two new AES encryption types that use SHA-2 based key derivation instead of SHA-1[^aes-sha2]. These bits are defined in the bitmask but are not yet active in etype negotiation as of April 2026.
| Bit | Hex | Decimal | Name | Etype # | Status |
|---|---|---|---|---|---|
| 6 | 0x40 | 64 | AES128-CTS-HMAC-SHA256-128 | 19 | Defined, not yet active |
| 7 | 0x80 | 128 | AES256-CTS-HMAC-SHA384-192 | 20 | Defined, not yet active |
[^aes-sha2]: These algorithms are defined in Microsoft's PSKerb module and appear in the Get-KerbEncryptionUsage.ps1 etype table. They correspond to RFC 8009 (AES Encryption with HMAC-SHA2 for Kerberos 5). When activated, they will replace the SHA-1 based AES variants (bits 3-4) as the strongest available etypes.
Reserved and Future Bits
| Bit | Hex | Decimal | Name | Notes |
|---|---|---|---|---|
| 8-15 | — | — | Reserved | Must be zero |
| 20-30 | — | — | Reserved | Must be zero |
| 31 | 0x80000000 | 2147483648 | Future encryption types | Allows future etypes added by Microsoft |
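The following decoder is an added example, not the page's own calculator code. It applies the bit tables above together with the per-setting rules from "How the Three Settings Differ": feature flags and bit 31 are only read on the AD attribute, the GPO value treats the full bits 5-30 pattern (0x7FFFFFE0) as "future encryption types" rather than as AES-SK plus reserved bits, and stray bits in the KDC registry value are reported rather than interpreted. Two details are assumptions made for this example rather than facts from the page: `auto_written_attribute` keeps only bits 0-4 when modelling the machine's auto-write (the page says only that high bits are stripped), and `set_ad_attribute_command` shows one way to apply a value with the ActiveDirectory module's `Set-ADUser -Replace`; the account name `svc-web` is a constructed sample.

```python
"""Decode a Kerberos encryption-type bitmask under each of the three settings.

Added example; bit names follow the [MS-KILE] 2.2.7 tables on this page.
"""
from enum import Enum


class Setting(Enum):
    AD_ATTRIBUTE = "msDS-SupportedEncryptionTypes"    # per-account, replicated
    KDC_REGISTRY = "DefaultDomainSupportedEncTypes"   # per-DC, under Services\KDC
    GPO_REGISTRY = "SupportedEncryptionTypes"         # per-machine, written by GPO


# bit -> (name, etype number) for the encryption-type bits 0-7
ETYPE_BITS = {
    0: ("DES-CBC-CRC", 1),
    1: ("DES-CBC-MD5", 3),
    2: ("RC4-HMAC", 23),
    3: ("AES128-CTS-HMAC-SHA1-96", 17),
    4: ("AES256-CTS-HMAC-SHA1-96", 18),
    5: ("AES256-CTS-HMAC-SHA1-96-SK", None),
    6: ("AES128-CTS-HMAC-SHA256-128", 19),
    7: ("AES256-CTS-HMAC-SHA384-192", 20),
}
# bit -> name for the protocol feature flags; meaningful only on the AD attribute
FEATURE_BITS = {
    16: "FAST-supported",
    17: "Compound-identity-supported",
    18: "Claims-supported",
    19: "Resource-SID-compression-disabled",
}
FEATURE_MASK = 0xF0000
FUTURE_BIT = 31
RESERVED_MASK = sum(1 << b for b in range(8, 16)) | sum(1 << b for b in range(20, 31))
GPO_FUTURE_MASK = 0x7FFFFFE0   # what the GPO "Future encryption types" box sets (bits 5-30)
AUTO_WRITE_MASK = 0x1F         # ASSUMPTION for this example: bits 0-4 survive the auto-write
AES_SHA1_MASK = (1 << 3) | (1 << 4)


def parse_value(text):
    """Accept decimal ('28') or 0x-prefixed hex ('0x1C'); reject anything beyond 32 bits."""
    s = text.strip().lower()
    value = int(s, 16) if s.startswith("0x") else int(s, 10)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("value does not fit in a 32-bit bitmask")
    return value


def decode(value, setting):
    """Return what `setting` makes of `value`: etype names, feature flags, future flag, warnings."""
    features, future, warnings = [], False, []
    etype_value = value
    if setting is Setting.AD_ATTRIBUTE:
        features = [FEATURE_BITS[b] for b in FEATURE_BITS if value >> b & 1]
        future = bool(value >> FUTURE_BIT & 1)
        if value & RESERVED_MASK:
            warnings.append("reserved bits (8-15, 20-30) are set; they must be zero")
    elif setting is Setting.GPO_REGISTRY:
        # The checkbox sets all of bits 5-30 at once, so that pattern means "future",
        # not AES-SK plus a pile of reserved and feature bits.
        future = (value & GPO_FUTURE_MASK) == GPO_FUTURE_MASK
        if future:
            etype_value = value & ~GPO_FUTURE_MASK
        elif value & (RESERVED_MASK | FEATURE_MASK | 1 << FUTURE_BIT):
            warnings.append("bits above 7 are set but do not match the future-types pattern 0x7FFFFFE0")
    else:  # KDC registry: AES-SK honoured, feature and future bits carry no meaning
        stray = [b for b in (*FEATURE_BITS, FUTURE_BIT) if value >> b & 1]
        if stray:
            warnings.append(f"bits {stray} are not meaningful in {setting.value}")
        if value & RESERVED_MASK:
            warnings.append("reserved bits (8-15, 20-30) are set; they must be zero")
    etypes = [ETYPE_BITS[b][0] for b in ETYPE_BITS if etype_value >> b & 1]
    if value & 0x3:
        warnings.append("DES etypes are selected; removed in Server 2025")
    if value >> 2 & 1:
        warnings.append("RC4-HMAC is selected; deprecated (July 2026)")
    if not value & AES_SHA1_MASK:
        warnings.append("no AES etype is selected")
    return {"etypes": etypes, "features": features, "future": future, "warnings": warnings}


def auto_written_attribute(gpo_value):
    """Value a machine writes into its own AD attribute from its GPO registry value.
    ASSUMPTION for this example: the high bits are dropped, leaving bits 0-4."""
    return gpo_value & AUTO_WRITE_MASK


def set_ad_attribute_command(sam_account_name, value):
    """One way to apply a value with the ActiveDirectory module (Set-ADComputer for machines)."""
    return (f"Set-ADUser -Identity '{sam_account_name}' "
            f"-Replace @{{'msDS-SupportedEncryptionTypes'={value}}}")


if __name__ == "__main__":
    for setting in Setting:
        print(setting.value, decode(parse_value("0x7FFFFFFC"), setting))
    print(set_ad_attribute_command("svc-web", 24))   # constructed sample account
```

Running it on 0x7FFFFFFC (RC4 + AES + the GPO future checkbox) shows the point of the three-way split: read as the GPO value it means "RC4, AES128, AES256, future", read as the KDC registry value it is reported as AES-SK plus stray feature bits, and read as an AD attribute it trips the reserved-bit check.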