Did you know that Windows XP, Windows 7, Windows 8 and 8.1 include an easy-to-use and very secure encryption service that lets you encrypt files and folders with just a few clicks? It's called the Encrypting File System, or EFS. Years ago I wrote about how to use EFS to encrypt files through automation and scripting; however, I never explained how to enable it the easy way, from the Windows Explorer interface.
Before I review those steps, however, here's a brief summary of what EFS is and why you should enable it on sensitive or private files.
EFS is an encryption service that has been built into Windows since the days of Windows XP. Once a file is encrypted with EFS, it can only be accessed by the Windows account that encrypted it. Although other users on the same computer may be able to see your files, they will be unable to open them, including Administrators. This is very handy if you want to keep certain files or folders private, and because EFS is integrated seamlessly into Windows, you won't even notice it most of the time.
Now let's review how to enable it. Although the screenshots and steps below are taken from Windows 8, the steps are the same for Windows 7 and Windows XP.
Note: Similar to BitLocker, Windows EFS is only supported on the Pro and Enterprise versions of Windows 8.1, Windows 8 and Windows 7. If you're unsure which version of Windows you're running, just launch Winver.exe, which is built into all versions of Windows.
Right-click the folder or file you wish to encrypt and click Properties.
On the General tab, click Advanced.
Check the box Encrypt contents to secure data and click OK.
If you’re encrypting a folder, Windows will ask if you want to encrypt just the single folder or all subfolders and files in the folder.
Click the radio button that works for you and click OK.
After you encrypt a file or folder with Windows EFS, Explorer shows its name in green by default, as shown below.
Because I chose to encrypt all subfolders and files, notice that they are shown in green (encrypted) as well.
I also recommend using EFS to encrypt sensitive data to protect you if your PC is stolen or sold. Because the encryption key is tied to your Windows account and password, your data stays protected even if the disk is ripped out or your password is forcibly reset.
Very simple and very easy, just as I promised. Before you move on, however, there is one more thing you should do before you start encrypting your entire hard drive with EFS: back up your EFS private key and certificate.
Backing up your EFS certificate is an important next step in case of hard disk corruption or any other scenario where you lose the EFS certificate on your system. Backing it up only takes a few minutes, so please don't skip this next step.
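The same steps done from PowerShell, as an added example that is not part of the original article: it ticks the "Encrypt contents to secure data" box for a folder, its subfolders and files, then verifies the Encrypted attribute (the green name in Explorer) and backs up the EFS certificate and key. It assumes Windows 7/8/8.1 Pro or Enterprise, a local NTFS drive-letter path and the built-in cipher.exe; Enable-EfsFolder and its parameters are names chosen here, not a Windows cmdlet.

```powershell
# Added example (not from the original article): the Explorer "Encrypt contents
# to secure data" step done from PowerShell, with the checks people in the
# comment thread trip over (non-NTFS volume, EFS disabled by policy, no key backup).
# Assumes Windows 7/8/8.1 Pro or Enterprise, a local drive-letter path, cipher.exe.

function Enable-EfsFolder {
    param(
        [Parameter(Mandatory)] [string] $Path,                       # folder to encrypt
        [string] $KeyBackup = "$env:USERPROFILE\efs-key-backup"      # .pfx written here
    )

    $folder = Get-Item -LiteralPath $Path -ErrorAction Stop
    if (-not $folder.PSIsContainer) { throw "$Path is not a folder" }

    # 1. EFS is an NTFS feature; on FAT/FAT32 the encrypt step fails with access denied.
    $letter = $folder.FullName.Substring(0, 2)                     # e.g. 'E:'
    $disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$letter'"
    if ($disk.FileSystem -ne 'NTFS') {
        throw "$letter is $($disk.FileSystem); EFS needs NTFS"
    }

    # 2. A greyed-out checkbox usually means EFS was disabled by policy
    #    (NtfsDisableEncryption=1) or the edition has no EFS (Starter/Home/Basic).
    $fs = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
    if ($fs.NtfsDisableEncryption -eq 1) {
        throw 'EFS is disabled on this machine (NtfsDisableEncryption=1)'
    }

    # 3. Same as ticking the box and choosing "this folder, subfolders and files".
    cipher.exe /E /S:"$($folder.FullName)" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "cipher.exe failed with exit code $LASTEXITCODE" }

    # 4. Verify: every item should now carry the Encrypted attribute (green in
    #    Explorer). Files with the System attribute are skipped by EFS by design.
    $missed = Get-ChildItem -LiteralPath $folder.FullName -Recurse -Force |
        Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::Encrypted) }
    if ($missed) {
        Write-Warning "Not encrypted: $($missed.FullName -join ', ')"
    }

    # 5. Back up the EFS certificate and private key right away; without it the
    #    data is unrecoverable after a password reset or profile loss. cipher /X
    #    prompts for a password and writes <KeyBackup>.pfx. Store the .pfx off this PC.
    cipher.exe /X "$KeyBackup"
}

# Usage (interactive, because cipher /X asks for the backup password):
# Enable-EfsFolder -Path 'D:\Private'
```

The function is meant to be run from an elevated or normal session of the account whose files are being encrypted, since the EFS key belongs to that account.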
So what happens if an Administrator deletes my password and logs in to my account?
Unless you’ve backed up your EFS private key, the data will be lost.
In the next day or two, I'll be writing up part 2 of this how-to, which will explain how to back up the EFS private key to protect yourself against this type of issue, including hard drive corruption that might impact your private key.
In Windows XP it does not work for me…
And I don’t know if you can help… I have a folder full of PDF files, and I have to send a PDF file to each person in a list.
I have written the excel code in VBA for creating an e-mail to each person, attach the file and write a body.
The problem is that I have to encrypt the mail, or protect the file with a password, or protect the mail with a password, because the file is confidential to each user.
I came up with some ideas like:
1. using a PDF password – in this case I have to go one by one
2. using the winzip password – same, one by one
3. using the encryption from Outlook – I have to buy a digital certificate and I don't know if this would give me what I want
4. using file encryption – should be an option for batch encrypt, but it would protect with my user, and it’s not working…
If you, or someone else, have any ideas, they would be welcome.
@Cassio – Great comment and great questions. Let me try to get to them all for ya:
1 – The error message you are getting tells me that your XP client is installed in a Windows Domain (Active Directory) so this must be a corporate PC. The problem you’re having is your Technology team has allowed the Recovery Certificate for EFS to expire.
They need to renew the EFS recovery certificate and re-upload it into Active Directory. Until this happens, EFS will prevent any new files from being encrypted in the entire Windows Domain. This is a safety mechanism built into the Corporate side of EFS. No workaround for this.
2 – Wow, you're writing VBA files to automate emails etc… Much more advanced than most. Nice job. On the encryption side, however, you're out of luck unfortunately.
EFS encrypts files at REST on your local desktop (or server in some rare corporate scenarios). It does not encrypt files in TRANSIT and, in fact, Windows EFS is built to decrypt the file automatically the moment you attach the file to an email or copy it off your system. Because of this, EFS is not a good solution for you trying to securely transfer .PDF files to your customers.
3 – Questions: Are you sending these PDF files inside the company or outside? Also, why are you encrypting them? Is there a legal reason like HIPAA, or a vendor requirement or a corporate policy you are following?
4 – Putting passwords on files is a solution but like you said, it’s not a good one and it’s very manual. Another problem is half the time the password is simple and not very secure (unless you use this guide to create a good password – https://www.groovypost.com/howto/create-easy-remember-secure-strong-password-phrase/)
Because the password usually does not actually encrypt the files (or encrypt them well) I would not go that path. The exception to this is using WinZip or 7-Zip to encrypt your files using a strong AES password before you send them. Again, this is manual and you need to do it one at a time, but if you're not doing this 10x a day, it might not be a bad option. Here are a few articles to read on this:
Both a bit old however they should get you down the right path.
5 – The two options I would suggest are using either PGP or S/MIME encryption, which is built into Outlook. Both are not very friendly since you need to exchange certificates with those you are sending files to; however, that really is your only solution. If I had to pick between them, I would probably go PGP. It integrates well with Outlook (at least it used to) and it's easy to use and set up. The only problem is your customer will also need to buy it….
Hope some of this is useful to ya ;)
When I go to Advanced Properties, the "Encrypt contents to secure data" option is grayed out and doesn't allow me to select it. What do I need to do to enable it? Thanks in advance for the info.
What version of Windows 8 are you using? You will need Windows 8 Pro or Windows 8 Enterprise in order to use the Encrypting File System (AKA EFS).
Let me know. That’s the first thing that comes to mind.
I ran into same prob as Vincent. Don’t you think your original post should specify which Win versions this is on???
Steve (my real name)
Thanks for also answering my question at the same time, and simply as a comment on how I dislike Microsoft: why, when I upgrade my computer and have to buy into a new operating system (from XP to 8), don't they tell me that I will not be able to open my imported documents from my old computer if they have been encrypted? Now, if I wish to encrypt the plain-text versions I have to go fork out $ for a different version of Windows. No wonder Bill is a brazillionaire.
EFS is not fully supported in Windows 7 Starter, Home Basic, and Home Premium editions.
Very good point I should have noted in the article. EFS appears to only be supported in Windows 7 Professional, Enterprise and Ultimate editions. It remains to be seen what the support will be for Windows 8.
Very interesting! How to fix it if Win 7 gets corrupted/crashes?
I recall reading somewhere recently that Administrators can be set up in Group Policies as Data Recovery Agents in order to recover encrypted files which other users cannot retrieve.
Is this the case and if so doesn’t that mean that Windows encryption at the user level is not as secure as you suggest here?
Hi Peter, yes, you are correct. On a "corporate" network that has Active Directory configured for its Windows desktops and servers, they can import a recovery certificate into AD using Group Policy. From there they can assign the policy to all desktops so that any file encrypted will be encrypted with the recovery certificate as well.
This allows a company to ensure they can get files decrypted if the end user's PC dies or the user leaves the company, etc.
With this in mind, in the corporate sense you are correct: it's not as bulletproof as some might want, since the local IT guy can still grab the PC, decrypt the data and gain access to it. You need to keep in mind, however, that at most corporations having an EFS Recovery Agent is VERY RARE, even at large companies, because the local IT does not understand how all of this works, and even if they do, it's not something they focus on, and even if they do, it's normally a very complex process which requires approval from management to actually gain access to a recovery cert. in order to get access to your files.
For example, using EFS to encrypt something, there are probably just 1 or 2 people in the company who can recover your data (which is probably a good thing in the end); however, the local IT intern cannot access your files. Not a bad trade-off if you ask me.
And then from a home standpoint, home users will no doubt NOT have a recovery agent, so it is as good and secure as I mention in the article.
Part of this discussion is way above my head, so I hope this isn’t an uninformed question. Wouldn’t a product like TrueCrypt also encrypt the files in a way that would meet many of the above questions?
So EFS is a different animal than TrueCrypt. First, EFS is built into the Windows OS and requires no other software. EFS also only encrypts what you tell it to encrypt, specifically file and folder encryption.
TrueCrypt is a 3rd party software package that needs to be installed. It encrypts EVERYTHING on the drive including system files. It needs to be managed by the user and has its own settings and config.
So, if you want to keep things simple and easy, use EFS. If you have Legal or Customer requirements to encrypt only file and folder, use EFS.
If you have requirements to encrypt WHOLE DISK – use Truecrypt.
Hopefully this helps.
What Steve says below is not really correct about TrueCrypt. You can define any folder (with its sub folders) as a “volume” and encrypt that. It does not need to be a whole drive.
I have a lower version of Windows that doesn't have encryption built in, so thanks for reminding me that TrueCrypt is a great option.
Whoops, meant to check the notify box:-(
I have a client being told that they have to use EFS. They have a 2011 SBS. They need it to meet some type of requirement since they are a collections law firm. The guys saying to enable EFS said to encrypt the entire system. They said system level not application level. Is it OK to encrypt the Windows and program files folder and every other folder. I am not sure why I can’t just encrypt the data folder. I guess I am just trying to see if it is OK and won’t mess anything up if I encrypt all of the folders.
I have Windows 8 and am trying to encrypt a folder. But when I open the properties of the folder and click the "Advanced" button, the words "Encrypt contents to secure data" are gray so I'm unable to select that option. How do I get the ability to select the "Encrypt contents to secure data" box?
Hi, I can't click Encrypt, because it can't be clicked. Can I ask you to help me? I'm using Windows 8.
Is it true that files removed or copied from Windows 8 to another filesystem (such as FAT32, or Linux-based filesystems) lose the encryption? That makes it useless, as someone could easily copy the files to a flash drive formatted to FAT32 (as many are) and gain access to them.
Windows 8 has BitLocker Drive Encryption. I wonder if that has the same shortcomings.
Supposedly on Windows 8 basic you simply don't have access to the encryption function. If this is true, which I have no reason to believe it isn't, I honestly believe Windows to be inferior to Mac in just about every function but coding. Why would you reduce the functionality of your updated OS? I hate this machine.
Using Windows 8.1, I moved my Documents folder (using the Properties>Location method) into my Skydrive Folder so it’s always in sync with my Skydrive.
If I right-click on the Documents folder within my local Skydrive folder, and then on Advanced, the Encryption option is greyed out.
Any thoughts on how I can encrypt my Documents folder yet still keep it in sync with Skydrive?
So first, awesome tip on redirecting docs to your OneDrive (SkyDrive). Second, that's not going to be an easy one to solve regarding EFS. EFS by design decrypts files as they leave your PC. So, if you try to build a workaround for this, I think it will be painful. Normally, EFS-encrypting something on a shared drive requires EFS config on that endpoint share. Not something you're going to have much luck with on a hosted drive like OneDrive/SkyDrive.
It appears (from more research) that Windows 8 and 8.1 Single Language (i.e. not Pro or Enterprise) does NOT have EFS built-in.
Even creating a new folder not in the Documents folder has the encryption option greyed out…. :-(
Hi Gordon, yeah, sorry about that. Similar to Windows 7, EFS and BitLocker are only included with Pro and Enterprise.
Nice chart here: http://en.wikipedia.org/wiki/Windows_8_editions
I’m also playing with EFS Support today with Microsoft Onedrive. Will drop an article on that shortly.
Windows 8 does not have EFS. Guess you don’t use 8.
That’s not accurate. EFS is included and fully supported as long as you have Windows 8 & 8.1 Pro or Enterprise edition.
How do I allow a user on the same computer to have just read and execute access to an encrypted file, without any other permissions?
OK sir, I seriously need help or information regarding my situation, so please please help.
I had some files colored green for 1-2 years but I ignored it as I didn't know what it meant. I thought it was just a random thing like changing an icon or something.
Now that I've realized that it is encrypted and I can't copy it or open it, I don't know what to do.
Seems my kid sister messed it up accidentally a few years ago :'(
As when I go to Properties > Advanced, there's her name under "users who can access this file".
Since then I have changed my OS many times and every time those files were there colored green.
Right now I am using Win 8.1.
I don't understand this certificate or key stuff, but still, after reading a few articles, when I tried to click the option "back up keys" it shows an error that the certificate or key is not available for export on this machine.
Now sir, please tell me what my options are and what I can do. If I can't do anything, then at least tell me that, so that I can hard reset my HDD with no hope.
Thank you very much sir.
Very good article on EFS. But I have a problem and I didn’t find a solution anywhere.
I’m using Windows 8.1 Pro, but when I check the box to encrypt a folder, I get this error: http://prntscr.com/4aeg4e
I tried with different folders, on different drives, and also tried with individual files. I get the same error.
I am administrator and also took ownership of the folder/file. Any idea?
Very odd. If you took ownership of the file and then gave yourself Full Control over it, you should not get an access denied. Looking at the screenshot, it looks like you are trying to encrypt a folder on another drive. Is that Drive formatted with NTFS? If it’s using FAT or FAT32, it will fail. Give that a shot and let me know.
It's NTFS. And it's not an external drive, just a third partition on my internal HDD.
This is when I try to encrypt it. Should the "Details" button be gray? Or is it clickable only when the folder is encrypted (never did it before)?
After I press OK and then Apply/OK, I get this.
I click continue and then I get the error from the first comment.
But, I just noticed. It works with the C and D partitions. So it’s only the E partition.
Any idea what could be the cause?
You have an error in your article. You state that EFS is supported in the Pro and Enterprise versions of Windows 8.1, Windows 8 and Windows 7. If by “Pro”, you mean “Professional”, I can tell you that EFS is not in fact available in Windows 7 Professional. I know this because I have Windows 7 Professional and there is no capability to encrypt a folder because there is no Advanced button in the General tab in Windows 7 Professional.
Hi Ron. That’s odd. There must be something else going on because I know that EFS is supported on Windows 7.
If this was a corporate device, it could be your Sys Admin disabled that feature OR, perhaps you’re not a local admin?
Hard to say.
So I encrypted all of my files on OneDrive using this method and from the computer I encrypted them all on they show up green, which means they are encrypted. When I view the files on OneDrive with my Surface 3 they don’t show up as green and allow me to encrypt them again (I haven’t done it yet because I don’t understand why they are not encrypted now).
I'm pretty certain that when you encrypt files synced via Dropbox or OneDrive, the files are encrypted locally; however, when they SYNC up and off the box, they are decrypted on the way up to the cloud.
The same actually applies when you attach an EFS-encrypted file to an email via Outlook or another client. On the way out, it's decrypted.
This is by design: EFS only encrypts at rest, not in transit.