This topic discusses USMT options for migration store encryption to protect the integrity of user data during a migration.

USMT 4.0 Encryption Options

USMT 4.0 enables support for stronger encryption algorithms, called Advanced Encryption Standard (AES), in several bit-level options. AES is a National Institute of Standards and Technology (NIST) specification for the encryption of electronic data.

The encryption algorithm you choose must be specified for both the ScanState and LoadState commands, so that these commands can create or read the store during encryption and decryption. The new encryption algorithms can be specified on the ScanState and LoadState command lines by using the /encrypt:"encryptionstrength" and the /decrypt:"encryptionstrength" command-line options. All of the encryption application programming interfaces (APIs) used by USMT are available in the Windows® XP, Windows Vista®, and Windows® 7 operating systems. However, export restrictions might limit the set of algorithms that are available to computers in certain locales. You can use the Usmtutils.exe file to determine which encryption algorithms are available to the computers' locales before you begin the migration.

The following table describes the new command-line encryption options in USMT 4.0.

Component Option Description

ScanState

/encrypt: <AES, AES_128, AES_192, AES_256, 3DES, 3DES_112>

This option and argument specify that the migration store is encrypted and which algorithm to use. When the algorithm argument is not provided, the ScanState tool employs the 3DES algorithm used in USMT 3.0.

LoadState

/decrypt: <AES, AES_128, AES_192, AES_256, 3DES, 3DES_112>

This option and argument specify that the store must be decrypted and which algorithm to use. When the algorithm argument is not provided, the LoadState tool employs the 3DES algorithm used in USMT 3.0.

See Also