Did you know Windows XP, Windows 7, Windows 8 and 8.1 include an easy to use and very secure encryption service that allows you to encrypt files and folders with just a few clicks? It’s called the Encrypted File Service or EFS. Years ago I wrote how to use EFS to encrypt files using automation and scripting however I never explained how to enable it the easy way — from the Windows Explorer Interface. Before I review those steps however, here’s a brief summary on what EFS is and why you should enable it on sensitive or private files. EFS is a built-in Encryption service which is built into Windows since the days of Windows XP. Once a file is encrypted using EFS, it can only be accessed by the Windows login that encrypted the file. Although other users on the same computer might be able to see your files, they will be unable to open them – including Administrators. Very handy if you want to keep certain files or folders private – and because EFS is built-in seamlessly to Windows, you won’t even notice it most of the time. Let’s review now how to enable it. Although the screenshots and steps below are taken from Windows 8, the steps are the same for Windows 7 and Windows XP. Note: Similar to BitLocker, Windows EFS is only supported with the Pro and Enterprise versions of Windows 8.1, Windows 8 and Windows 7. If you’re unsure what version of Windows you’re running, just launch Winver.exe which is built into all versions of Windows. Right-Click the Folder or File you wish to encrypt and click Properties.
From the General Tab, click Advanced.
Check the box Encrypt contents to secure data and click OK.
Click OK
If you’re encrypting a folder, Windows will ask if you want to encrypt just the single folder or all subfolders and files in the folder. Click the radio button that works for you and click OK. By default, after encrypting a file or folder with Windows EFS, it will turn green as shown below.
Because I chose to encrypt all subfolders and files, notice how they are also encrypted (green) as well.
I also recommend using EFS to encrypt sensitive data to protect you against the theft or sale of your PC. Because the encrypting key is associated to your Windows account and password, your data will be safe even if the data is ripped or your password hard reset. Very simple and very easy just as I promised. Before you move on however there is one more thing you should do before you start encrypting your entire hard drive with EFS — Backup your EFS Private Key Certificate. Backing up your EFS Cert. is an important next step in the event of a hard disk corruption or other scenario where you lose your EFS Certificate on your system. Backing it up only takes a few minutes so please don’t skip this next step. In the next day or two, I’ll be writing up part 2 of this how-to which will explain how to backup the EFS private key to protect yourself against this type of issue including hard drive corruption which might impact your private key. And I don’t know if you can help… I have a folder full of PDF files, and I have to send a PDF file to each person in a list. I have written the excel code in VBA for creating an e-mail to each person, attach the file and write a body. The problem is that I have to encrypt the mail, or protect the file with a password, or protect the mail with a password, because the file is confidential to each user. I came up with some ideas like: 1. using a PDF password – in this case I have to go one by one 2. using the winzip password – same, one by one 3. using the encryption from outlook – I have to buy a digital certificate and I don’t know if this would give me what I want 4. using file encryption – should be an option for batch encrypt, but it would protect with my user, and it’s not working… If you, or someone else have any ideas, it would be welcome 1 – The error message you are getting tells me that your XP client is installed in a Windows Domain (Active Directory) so this must be a corporate PC. The problem you’re having is your Technology team has allowed the Recovery Certificate for EFS to expire. They need to renew the EFS recovery certificate and re-upload it into Active Directory. Until this happens, EFS will prevent any new files from being encrypted in the entire Windows Domain. This is a safety mechanism built into the Corporate side of EFS. No workaround for this. 2 – Wow, you’re writing VBA files to automate emails etc… Much more advance that most — nice job. On the encryption side however you’re out of luck unfortunately. EFS Encryption encrypts files at REST on your local desktop (or server in some rare corporate scenarios). It does not encrypt files in TRANSIT and in-face, Windows EFS is built to decrypt the file automatically the moment you attach the file to an email or copy it off your system. Because of this, EFS is not a good solution for you trying to securely transfer .PDF files to you customers. 3 – Questions — Are you sending these PDF files inside the company or outside? Also, why are you encrypted them? Is there a legal reason like HIPAA or a Vendor Requirement or a Corporate Policy you are following? 4 – Putting passwords on files is a solution but like you said, it’s not a good one and it’s very manual. Another problem is half the time the password is simple and not very secure (unless you use this guide to create a good password – https://www.groovypost.com/howto/create-easy-remember-secure-strong-password-phrase/) Because the password usually does not actually encrypt the files (or encrypt them well) I would not go that path. The exception to this is using WinZip or 7Zip to Encrypt your files using a strong AES password before you send them. Again, this is manual and you need to do it 1 at a time but if you’re not doing this 10x a day, might not be a bad option. Here’s a few articles to read on this: https://www.groovypost.com/howto/geek-stuff/7zip-winzip-replacement-file-compression-encryption/ https://www.groovypost.com/howto/security/use-winzip-to-encrypt-store-or-email-sensitive-data/ Both a bit old however they should get you down the right path. 5 – The 2 options I would suggest is using either PGP or SMIME encryption which is built into Outlook. Both are not very friendly since you need to exchange certificates with those you are sending files to however that really is your only solution. If I had to pick between them, I would go PGP probably. It integrates will with Outlook (at least it used to) and it’s easy to use and setup. The only problem is your customer will also need to buy it…. Hope some of this is useful to ya ;) When I go to Advance Properties, the “encrypt content to secure data” option is gray out and doesn’t allow me to select it. What do I need to do to enable, Thanks in advance for the info What version of Windows 8 are you using? You will need Windows 8 PRO or Windows 8 Enterprise in order to use Encrypted Files System (AKA – EFS) https://www.groovypost.com/howto/windows-8-windows-8-pro-windows-rt-differences/ Let me know. That’s the first thing that comes to mind. Is this the case and if so doesn’t that mean that Windows encryption at the user level is not as secure as you suggest here? This allows a company to ensure they can get files decrypted if the end users PC dies or leaves the company etc… With this in mind, in the corporate sense you are correct, it’s not as bullet proof as some might want since the local IT guy can still grab the PC, decrypt the data and gain access to it. You need to keep in mind however that at most corporations, having an EFS Recovery Agent is usually VERY RARE even at large companies because the local IT does not understand how all of this works and even if they do, it’s not something they focus on and even if the do it’s normally a very complex process which requires approvel from management to actually gain access to a recovery cert. in order to get access to your files. For example, using EFS to encrypt something — there is probably just 1 or 2 people in the company who can recovery your data (which is probably a good thing in the end) however the local IT intern cannot access your files. Not a bad trade-off if you ask me. And then from a home standpoint, home users will no doubt NOT have a recovery agent so it is good and secure as I mention in the article. Truecrypt is a 3rd party software package that needs to be installed. It encrypts EVERYTHING on the drive including system files. It needs to be managed by the user and has it’s own settings and config. So, if you want to keep things simple and easy, use EFS. If you have Legal or Customer requirements to encrypt only file and folder, use EFS. If you have requirements to encrypt WHOLE DISK – use Truecrypt. Hopefully this helps. -s Windows 8 has the BitLocker Drive Encryption–I wonder if that has the same shortcomings. So first — awesome tip on redirecting docs to your Onedrive (Skydrive). Second, that’s not going to be an easy one to solve regarding EFS. EFS by design decrypts files as they leave your PC. So, if you try to build a work-around for this, I think it will be painful. Normally, to EFS encrypt something on a shared drive requires EFS config on that end point share. Not something you’re going to have much luck with with a hosted drive like OneDrive/Skydrive. Nice chart here: http://en.wikipedia.org/wiki/Windows_8_editions I’m also playing with EFS Support today with Microsoft Onedrive. Will drop an article on that shortly. That’s not accurate. EFS is included and fully supported as long as you have Windows 8 & 8.1 Pro or Enterprise edition. seems my kid sister messed it up accidently few years ago :’( as when i go to the properties>advanced then there’s her name under the “users who can access this file” since then i have change my O.S many times and every time those files were there colored green. right now i am using win 8.1 i dont understand this certificate or key stuff but still aftere reading a few article when i tried to click the option “back up keys” it shows erroe that the certificate or key is not availiable for export on this machine. now sir, plzz tell me what r my options and what can i do. if i cant do anything then at least tell me that so that i can hard reset my hdd whith no hope. thank u very much sir I’m using Windows 8.1 Pro, but when I check the box to encrypt a folder, I get this error: http://prntscr.com/4aeg4e I tried with different folders, on different drives, and also tried with individual files. I get the same error. I am administrator and also took ownerhip of the folder/file.Any idea? Very odd. If you took ownership of the file and then gave yourself Full Control over it, you should not get an access denied. Looking at the screenshot, it looks like you are trying to encrypt a folder on another drive. Is that Drive formatted with NTFS? If it’s using FAT or FAT32, it will fail. Give that a shot and let me know. -S If this was a corporate device, it could be your Sys Admin disabled that feature OR, perhaps you’re not a local admin? Hard to say. -S I’m pretty certain that when you enrypt Files sync’d up via Dropbox or OneDrive, the files are enrypted locally however when they SYNC up and off the box, they are decrypted on the way up to the cloud. The same applies actually when you attach an EFS encrypted file into an email via Outlook or another client. On the way out, it’s decrypted. This is by design, EFS is only encrypted at rest — not transit. Comment Name * Email *
Δ Save my name and email and send me emails as new comments are made to this post.