- slide 1 of 15
First introduced with Windows XP, Microsoft’s Encrypting File System continues in Windows 8 Professional and Enterprise editions to provide high-grade encryption. Unlike the useful BitLocker Drive Encryption, which is also available in those Windows editions, EFS allows account-specific encryption of individual files and folders and uses the account’s login details as the decryption key. This means the files are immediately accessible after logging into your account. Although this system is convenient, it also means the encryption is only as strong as your account password, so care need be taken to choose a strong password.
Once encrypted, the files and folders are only accessible using the account credentials. This is especially helpful when you need to block access to files outside your library on a multi-user computer. In this scenario, however, other users could still see the filenames and file types, even though they’re unable to open them.
- slide 2 of 15
A Few Considerations
Enabling EFS does have some drawbacks. The encrypting and decrypting process imposes a small performance overhead, but the application of such on just individual files means the overhead will rarely be noticeable on modern machines. Of more notable concern is encrypted files are no longer indexed, so if you’re a frequent user of Windows’s search feature, you’ll need to tweak the indexing service to traverse encrypted files. Furthermore, Windows 8’s File History feature doesn’t work on encrypted files, so if you rely on these automatic backups to locate previous file versions, you might need to reconsider encryption. Finally, EFS only works on an NTFS-formatted drive, which will normally only be an issue when copying data to external FAT, FAT32 or exFAT drives, in which case the external copies will no longer be encrypted.
In addition, if you lose your account credentials the files become inaccessible. This can happen when you forget your password or an admin resets your password. To protect against such situations, you should export your encryption key and save the password-protected backup in a secure location. This backup enables you to import it into another account (yours or someone else’s) to regain access to encrypted files. When you first choose to encrypt a file or folder, a balloon notification appears suggestion you back up your file encryption key. Clicking that notification opens the Certificate Export Wizard that walks you through the necessary steps.
- slide 4 of 15
Encrypting Files and Folders
1. Right-click any non-system folder or file from File Explorer and select “Properties.” You can select multiply files by holding the “Ctrl” key and clicking individual files. Don’t select the entire C: drive or your Windows or Users folder, because you can’t encrypt the required system files contained therein.
- slide 5 of 15
2. Click “Advanced” on the General tab.
- slide 7 of 15
3. Check “Encrypt Contents to Secure Data” and click “OK.”
- slide 9 of 15
4. Click “Apply” to apply the new advanced settings.
- slide 10 of 15
5. Choose the appropriate encryption attribute. If you chose to encrypt a folder, you’re given the option to only encrypt the selected folder (thereby ignoring subfolders) or also encrypt nested subfolders and any files they may contain.
- slide 12 of 15
If you chose to encrypt a file, you’re given the option to only encrypt the selected file, or also encrypt the folder that holds the file.
- slide 14 of 15
6. Click OK after making your selection. The newly encrypted files and folders are displayed with a green color, so you can readily identify them. If you’d prefer they appear as if they were not encrypted, click Options from File Explorer’s View tab, select the Folder Options View tab, deselect Show Encrypted or Compressed NTFS Files in Color and click OK.
- slide 15 of 15
If you want to add encrypted files to the Windows Indexing Service, type “Indexing Options” in the Windows search field and select Indexing Options. Click Advanced, check Index Encrypted Files, click Continue if you see a security prompt and select OK. However, you should have BitLocker Drive Encryption enabled to use this option, because text in some files will be copied to the index, making it potentially accessible to a knowledgeable user.