How to encrypt files and folders with EFS in Windows 10, 8.1, and Windows 7

Many people know about Bitlocker, the drive and flash drive encryption feature built into Windows 10, 8.1, and Windows 7 and available in the professional and business editions of the operating system. Fewer are aware of the other built-in file and folder encryption feature: EFS, the Encrypting File System.

This tutorial explains exactly how EFS encryption works, how it lets you limit access to important files and folders, how to restore access to data if necessary, and how it differs from Bitlocker. See also: Encrypt disks and flash drives with Bitlocker in Windows, Encrypt files, folders, drives and flash drives with VeraCrypt, How to password protect a file.

How EFS Encryption Works

EFS encrypts the contents of selected folders or individual files using built-in system facilities, so that they are accessible only to the user who performed the encryption, and only on the computer where it was performed.

Other users of the same or another computer will see the files and their names on the drive, but will not be able to access (open) them, even if they have administrator rights.

This method is less secure than Bitlocker encryption, but if you only have a home edition of Windows 10, 8.1, or Windows 7 at your disposal, and your only concern is to prevent users of other accounts from seeing the contents of your files, there is nothing wrong with using EFS: it is convenient and fast.

How to Encrypt Folders and the Files They Contain Using EFS

In the simplest case, the steps to encrypt a folder and its contents with EFS are as follows (this works only for folders on NTFS drives and flash drives):

  1. Open the properties of the desired folder (right click - properties).
  2. In the Attributes section, click the Other button.
  3. Under "Compression and Encryption Attributes" in the next window, check "Encrypt content to protect data" and click "OK".
  4. Click "OK" in the folder properties and apply the changes to the nested files and folders.
  5. Immediately afterwards, a system notification will appear asking you to archive the encryption key. Click on the notification.
  6. Click "Archive Now" (you may need the password to regain access to your data if you lose your account or access to this computer).
  7. The certificate export wizard will start. Click "Next" and leave the default settings. Click Next again.
  8. Set the password for your certificate that contains the encryption keys.
  9. Specify the storage location for the files and click "Done". This file will be useful for restoring file access after operating system crashes, or when you need to be able to open encrypted EFS files on another computer or under another user (see the next section for instructions on how to do this).

This completes the process. Immediately afterwards, all files in the folder you specified, both those already there and those created later, will show a "lock" on their icon, indicating that they are encrypted.

They will open without problems within that account, but in other accounts and on other computers you will not be able to open them: the system will report that the files cannot be accessed. However, the structure and names of the folders and files will be visible.

If you prefer, you can do it the other way round: first create and save the certificates (including on a smart card), and only then tick the "Encrypt content to protect data" box. To do this, press Win + R, type rekeywiz and press Enter.

Then follow the steps of the EFS file encryption certificate wizard. You can also use rekeywiz to specify that a different certificate should be used for a different folder.

Restore access to encrypted files, opening them on another computer or under another Windows account

If for one reason or another (for example, after reinstalling Windows) you have lost the ability to open files in EFS-encrypted folders, or you need to open them on another computer or under another user, this is easy to do:

  1. On the computer and under the account where you need access to the encrypted files, open the certificate file.
  2. The certificate import wizard opens automatically. For the basic scenario, just use the default settings.
  3. All you will be asked to do is enter the password for the certificate.
  4. After the successful import, of which you will be notified, the previously encrypted files can also be opened on this computer under the current user.

Differences Between the EFS Encrypted File System and Bitlocker

The key differences between the encryption options in Windows 10 through Windows 7:

  • Bitlocker encrypts entire disks (including system ones) or disk partitions, while EFS applies to individual files and folders. However, Bitlocker encryption can also be applied to a virtual disk (which will be stored on the computer as an ordinary file).
  • EFS encryption certificates are tied to a specific Windows account and stored on the system (the key can also be exported as a file on a flash drive or written to a smart card).
  • Bitlocker encryption keys are stored in the TPM hardware module or can be saved to an external drive. A disk unlocked with Bitlocker is equally accessible to all users of the system. In addition, if TPM was not used, the disk can easily be opened on any other computer or laptop simply by entering the password.
  • With EFS, folder encryption must be enabled manually (files placed inside afterwards are then encrypted automatically). With Bitlocker, everything on the encrypted disk is encrypted on the fly.

From a security point of view, Bitlocker is the more effective choice. However, if you just want to prevent other Windows users from opening your files, and you are using a home edition of the operating system (where Bitlocker is not present), EFS is fine for that too.

Additional Information

Some more information about using the EFS encrypted file system in Windows:

  • EFS-encrypted files are not protected against deletion: any user on any computer can delete them.
  • The system includes a command line utility, cipher.exe, which can enable and disable EFS encryption for files / folders, manage certificates, and erase the contents of encrypted folders on the hard drive by overwriting the information with random bytes.
  • If you need to remove the EFS encryption certificates from your computer, you can do it as follows: go to Control Panel - Browser Properties. On the Content tab, click Certificates. Remove unnecessary certificates: their descriptions at the bottom of the window will say "Encrypting File System (EFS)" in the "Certificate Destination" field.
  • In the same certificate management section in "Browser Properties", you can export the certificate file to use it with another user or on another computer.
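
The folder encryption and key backup steps described earlier can also be carried out with the cipher.exe utility mentioned in this list. The PowerShell script below is an added example, not part of the original article; the folder and backup paths are placeholders, and it adds two checks the GUI does not perform: that every item really is encrypted, and that an EFS certificate with its private key exists in the current profile.

```powershell
# Added example (not from the original article). Paths are placeholders.
param(
    [string]$Folder = "$env:USERPROFILE\Documents\Private",
    [string]$Backup = "E:\efs-key-backup"   # cipher /x appends .PFX
)

# EFS only works on NTFS; stop early on FAT32/exFAT flash drives.
$root = (Get-Item -LiteralPath $Folder).PSDrive.Root
$fs   = (New-Object System.IO.DriveInfo $root).DriveFormat
if ($fs -ne 'NTFS') { throw "EFS requires NTFS, but $root is $fs." }

# GUI steps 1-4: encrypt the folder, its subfolders and the files in them.
cipher.exe /e "/s:$Folder" | Out-Null
if ($LASTEXITCODE -ne 0) { Write-Warning "cipher /e reported errors." }

# Check the result instead of trusting the lock icon: files that were open
# during the run are skipped and stay in plaintext.
$encFlag = [System.IO.FileAttributes]::Encrypted
$plain = @(Get-ChildItem -LiteralPath $Folder -Recurse -Force |
    Where-Object { -not ($_.Attributes -band $encFlag) })
if ($plain.Count) {
    Write-Warning "$($plain.Count) item(s) are still unencrypted:"
    $plain | ForEach-Object { "  $($_.FullName)" }
}

# Confirm this profile holds an EFS certificate together with its private key.
# 1.3.6.1.4.1.311.10.3.4 is the "Encrypting File System" enhanced key usage.
$efsOid  = '1.3.6.1.4.1.311.10.3.4'
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
$efsCerts = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $cert = $_
    $eku  = $cert.Extensions | Where-Object { $_ -is $ekuType }
    $cert.HasPrivateKey -and $eku -and
        ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $efsOid })
})
if (-not $efsCerts.Count) { throw "No EFS certificate with a private key found." }
$efsCerts | Format-Table Thumbprint, NotAfter, Subject -AutoSize

# GUI steps 5-9: export certificate and private key to a password-protected
# .PFX. cipher asks for confirmation and the password interactively.
cipher.exe /x $Backup
```

Keep the resulting .PFX file away from the encrypted drive: anyone who has the file and its password can import it and open the data.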