First of all, you should specify the design security level by selecting whether or not to allow the readback and reconfiguration of the device during generation of the bitstream.
The most powerful techniques are AES with the battery-backed SRAM key, or AES with the eFUSE key (7 series, Virtex-6, Spartan-6 devices; Virtex-5 FPGA does not support eFUSE). Also, there is an on-chip bitstream keyed-Hash Message Authentication Code (HMAC) algorithm implemented in hardware to provide additional security beyond that provided by the AES decryption alone. (7 series, Virtex-6 devices)
Device identification is a third technique which uses a lower level of security and a device DNA (7 series, Virtex-6, Spartan-6, extended Spartan-3A devices).
Besides, the customer can use an external encryption device, a secure EEPROM, to protect the design. First, calculate a verification code, then compare it with the one from the secure EEPROM. Details and reference designs can be found at: http://www.xilinx.com/support/documentation/application_notes/xapp780.pdf. This is useful in more cost-sensitive applications where the level of security required is limited. This concept can be applied to all FPGA families.