Encrypting File System: What Is It & How to Use on Windows?

Published/Updated on Wednesday, July 16, 2025

Written by

Wilsey Young


Summary: This post primarily explores the Encrypting File System (EFS) and how it works on Windows. Detailed steps to encrypt a file or folder with the Encrypting File System are included. -From m3datarecovery.com


The BitLocker Drive Encryption feature often comes into play when a Windows user wants to protect personal data by encrypting a hard drive or partition. By contrast, some Windows users wonder if there's a built-in tool to password-protect a single file or folder rather than an entire drive.

Encrypting File System (EFS) is a built-in feature on Windows that few users know about. It is a file/folder encryption mechanism that differs considerably from the BitLocker Drive Encryption feature in certain respects.

What is Encrypting File System (EFS)? How does it work? How can we use the Encrypting File System to password-protect an individual file or folder on Windows? This article answers almost all the questions you may have about the Windows Encrypting File System (EFS).

What is Encrypting File System (EFS)

Encrypting File System (EFS) is a built-in feature on Windows operating systems. It enables you to encrypt an individual file or folder on an NTFS volume.

Windows Encrypting File System primarily aims to protect your sensitive data against unauthorized access, particularly if the Windows PC is lost or stolen, or if unauthorized users try to access the data directly from the hard disk.

Encrypting File System is a form of transparent encryption, meaning that the encrypted file or folder is automatically decrypted when accessed by an authorized user. As a side note, EFS is not supported on Windows Home Edition (e.g., Windows 10 Home) for marketing reasons.

EFS is available only on the following Windows Editions:

  • Windows Professional
  • Windows Education
  • Windows Enterprise

You may be interested in the difference between Encrypting File System and BitLocker Drive Encryption: EFS vs BitLocker: What Are the Differences & How to Choose? 

How does the Encrypting File System work

When you encrypt a file or folder with EFS, Windows OS generates a random File Encryption Key (FEK) to encrypt the contents using AES (Advanced Encryption Standard). The FEK is then encrypted with the user's public key and stored with the file's metadata.

When you access the file, Windows uses your private key to decrypt the FEK. The FEK is then used to decrypt the file's contents transparently. Therefore, only users who have the correct private key can decrypt and access the file. Losing your private key means you cannot decrypt your files encrypted by EFS.
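
A conceptual model of the key handling described above, as an added example that is not from the original article and does not reproduce EFS's actual on-disk format. It uses .NET cryptography classes from PowerShell on Windows; the RSA-OAEP wrapping, the function names and the variable names are assumptions chosen for illustration.

```powershell
using namespace System.Security.Cryptography

# Model only: two RSA key pairs stand in for two users' EFS key pairs.
$owner    = [RSACng]::new(2048)
$stranger = [RSACng]::new(2048)

# Encrypting a file needs only the owner's public key.
$ownerPublic = [RSACng]::new()
$ownerPublic.ImportParameters($owner.ExportParameters($false))

function Protect-Model([byte[]]$Content, [RSA]$PublicKey) {
    $aes = [Aes]::Create()   # fresh random key (the FEK) and IV for this file
    try {
        $body = $aes.CreateEncryptor().TransformFinalBlock($Content, 0, $Content.Length)
        [pscustomobject]@{
            Body       = $body       # AES-encrypted file contents
            IV         = $aes.IV
            # The FEK is stored only in wrapped form, next to the contents.
            WrappedFek = $PublicKey.Encrypt($aes.Key, [RSAEncryptionPadding]::OaepSHA256)
        }
    } finally { $aes.Dispose() }
}

function Unprotect-Model($File, [RSA]$PrivateKey) {
    $aes = [Aes]::Create()
    try {
        # Unwrapping the FEK requires the matching private key.
        $aes.Key = $PrivateKey.Decrypt($File.WrappedFek, [RSAEncryptionPadding]::OaepSHA256)
        $aes.IV  = $File.IV
        $plain = $aes.CreateDecryptor().TransformFinalBlock($File.Body, 0, $File.Body.Length)
        [Text.Encoding]::UTF8.GetString($plain)
    } finally { $aes.Dispose() }
}

# Constructed sample input.
$sample = [Text.Encoding]::UTF8.GetBytes('constructed sample contents')
$file   = Protect-Model $sample $ownerPublic

Unprotect-Model $file $owner          # the owner's private key unwraps the FEK
try   { Unprotect-Model $file $stranger }
catch { 'A different private key cannot unwrap the FEK, so the contents stay unreadable.' }
```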


How to use the Encrypting File System on Windows

In this section, we'll show you the detailed steps to encrypt a folder with the Encrypting File System.

Prerequisite for using the Encrypting File System

  • The file system must be NTFS.
  • EFS is available only in Professional, Enterprise, or Education Edition.

Detailed steps to encrypt a folder or file with the Encrypting File System

Follow the detailed steps below to encrypt a folder or file with the Windows Encrypting File System:

  1. Right-click the folder/file, choose "Properties", and click the "Advanced" button.
  2. Check "Encrypt contents to secure data", click "OK", and then click the "Apply" button in the "Properties" window.
  3. Choose "Apply changes to this folder, subfolders and files" and click "OK."
  4. A notification pops up, and you will be prompted to back up the File Encryption Key (FEK).
  5. Choose "Back up now (recommended)."
  6. When the "Certificate Export Wizard" starts, click "Next."
  7. Keep the default settings and click "Next."
  8. Tick "Password", enter and re-enter the password, and click "Next."
  9. Click "Browse", save the certificate and key to a removable disk, then click "Next."
  10. Click "Finish" to complete.
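
A command-line equivalent of the steps above with checks after each stage, as an added example that is not part of the original article. It uses the built-in cipher.exe tool from PowerShell; the two paths are placeholders (assumptions) and are chosen without spaces.

```powershell
# Run in the session of the user who owns the data.
$target = 'D:\efs-demo'      # hypothetical folder to protect
$backup = 'E:\efs-backup'    # hypothetical file on a removable disk; cipher adds .PFX

# Prerequisite: EFS needs an NTFS volume.
$drive = [IO.DriveInfo]::new([IO.Path]::GetPathRoot($target))
if ($drive.DriveFormat -ne 'NTFS') {
    throw "$($drive.Name) is $($drive.DriveFormat), not NTFS"
}

# Steps 1-3: encrypt the folder and everything under it.
cipher /e "/s:$target"

# Check: list any file under the folder that is still unencrypted.
$flag = [IO.FileAttributes]::Encrypted
Get-ChildItem $target -Recurse -File -Force |
    Where-Object { -not ($_.Attributes -band $flag) } |
    Select-Object FullName

# Check: show which users and recovery certificates can decrypt one file.
$one = Get-ChildItem $target -Recurse -File | Select-Object -First 1
if ($one) { cipher /c $one.FullName }

# Find the EFS certificate in the user's store and confirm its private key is present.
$efsOid = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System enhanced key usage
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $efsOid } |
    Select-Object Thumbprint, NotAfter, HasPrivateKey

# Steps 4-10: back up the certificate and private key; cipher prompts for a password.
cipher /x $backup
```

Keep the resulting .PFX file off the machine, since anyone holding it together with its password can decrypt the files.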

Key points to remember after encrypting with Encrypting File System

Here are some matters needing attention after using the Windows Encrypting File System to encrypt a folder or file.

  • EFS does not protect your data if the authorized user is logged in, meaning that as long as you are logged into the correct user account, anyone can access the protected folder/file without providing the password.
  • If you are logged into another account or the encrypted folder/file is moved to another computer, you will need the certificate and key to regain access to the folder/file.
  • Losing your EFS certificate/private key means losing access to your encrypted folder/file.

How to decrypt a folder or file encrypted by the Encrypting File System

Follow the steps below to remove the encryption applied by the Encrypting File System:

  1. Right-click the encrypted file/folder and choose "Properties."
  2. Click "Advanced."
  3. Uncheck "Encrypt contents to secure data."
  4. Click "OK" and "Apply." 

FAQs about Encrypting File System

A

Encrypting File System on Windows only encrypts an individual file or a folder containing numerous files. By contrast, BitLocker protects your data by encrypting an entire drive or partition.

A

The Encrypting File System feature is recommended when:

  • You want to protect personal data on a local machine.
  • You are the only user of the device.
  • You are not sharing data across devices.
  • You prefer not to use full-disk encryption like BitLocker.

A

No. Encrypting File System encrypts/decrypts files or folders on the fly, so apps and users interact with encrypted files just like normal files. As long as you are logged into the target Windows user account, you can access the protected folder/file without inputting the password.