Encrypting File System in Windows

By Margus Saluste, www.winhelp.us. Last modified: 2015-02-28.

How to encrypt files and folders on NTFS drives in Windows XP, Vista, 7, 8 and 8.1

Encrypting File System (EFS) aka NTFS encryption in Windows means making personal files and folders accessible only by the user who has decryption key. If a user encrypts his/her files and folders, a certificate with a private key is created and stored automatically. After this, no one besides this user is able to open or modify the encrypted files. The user can still export a decryption certificate with the private key for those who need to access his/her files. If the user loses encryption certificate (for example, due to forcible password reset) and has no backup of it, he/she will lose all acces to the encrypted files, too. Linux is of no help in such case, either - no third-party EFS driver is available there.

Only Professional/Business and Ultimate/Enterprise editions of Windows XP, Vista, 7, 8 and 8.1 support file and folder encryption on NTFS file system. The feature is not available in Basic and Home editions, but you can still use encrypted files if you import decryption certificate. FAT file systems and other file systems do not support Encrypting File System.
For Basic and Home edition users, free TrueCrypt is a viable alternative.

Caveats: Windows Search and File History

Please note that encrypting files and folders with EFS will also prevent indexing the items. This means that Windows Search is unable to display these items - for example, if you encrypt your Documents folder, no search results will return from files in there.
This is a security measure, but you can bypass it by opening Indexing Options from Control Panel, clicking Advanced and enabling the Index encrypted files option in File Settings section.

Windows 8 and 8.1 users should be aware of the fact that File History does not back up any items protected with EFS. Again, TrueCrypt system drive encryption can be useful here.

Encrypting files and folders in Windows

You can encrypt your own files and folders, but you must never encrypt any system folders (Windows, Program Files, ProgramData), whole Documents and Settings or Users folder or whole system drives (the drive where Windows is installed). For example: if you encrypt Windows folder, Windows will not start anymore because it has no access to essential system files; if you encrypt the whole Users folder, other users will not be able to log on. If you encrypt the whole system drive using NTFS encryption, your computer won't boot at all.
To get full system disk encryption, use free TrueCrypt.

You should always prefer encrypting folders, not individual files in them - if NTFS encryption is enabled for a folder, all files and sub-folders with their files in it will always be automatically encrypted. If you encrypt individual files only, no other files will be automatically encrypted.

To enable NTFS encryption for a file or folder, right-click it in Windows Explorer (File Explorer in Windows 8 and 8.1) and select Properties from the menu. You can also hold down Shift or Ctrl key while selecting multiple adjacent or non-adjacent items.

Windows 7, Windows Explorer. To encrypt a file or folder, right-click it and click Properties.

Verify that the General tab is open and click Advanced in the bottom part of the file or folder properties window.
Folder Properites, General tab. To encrypt the item, click Advanced.

In the Advanced Attributes window, enable the Encrypt contents to secure data check box. Please note that files and folders cannot be compressed and encrypted at the same time - encryption will always disable compression. Click OK in the current window.
Advanced Attributes window. Enable the 'Encrypt contents to secure data' option to turn on encryption for the selected file or folder. Click OK.

Now click OK in the file or folder properties window. A Confirm Attribute Changes window appears. If you're NTFS-encrypting a folder, make sure the Apply changes to this folder, subfolders and files option is selected before clicking OK.
Confirm Attribute Changes. Click OK.

Please stand by until the process completes (the Applying Attributes window disappears). If a file or folder is in use (locked), the Error Applying Attributes window appears. Click Ignore All. Encryption will be enabled on the locked item after it is accessible again,
Error Applying Attributes. Click Ignore All.

Things to know about encrypted files and folders

If you have enabled the Show encrypted or compressed NTFS files in color option in Folder Options of Windows/File Explorer, all encrypted items will be green.
Windows Explorer, 'Show encrypted or compressed NTFS files in color' option enabled. All encrypted files and folders are green.

After encrypting an item, any other user without your EFS certificate will receive an "Access denied" error message while opening the item.

If you are copying or moving encrypted items to a file system other than NTFS, you will receive a warning that the items cannot be copied or moved without losing its encryption.
In Windows XP, you can click Ignore or Ignore All to copy or move the items and lose encryption; or Cancel to stop the action.
In Windows Vista and later, you can click Yes to copy or move the items without encryption; or Cancel to stop the process. The Do this for all current items check box is useful for applying the decision to all items at once.
Windows XP, Encrypted File, The file cannot be copied or moved without losing its encryption. Click 'Ignore' or 'Ignore All' to copy or move the items anyway. Click 'Cancel' to stop the process. Windows 7, Confirm Encrypteion Loss, Do you want to copy this file without encryption. Click Yes to copy the item anyway. Click Cancel to stop the process.

Now it is time to backup your file encryption certificate.

Backing up Encrypting File System certificates in Windows

To secure yourself against accidental loss of encryption certificate due to forcible password reset, computer breakdown or theft, you must export the automatically generated certificate next. Please note that most backup programs also keep the encryption attribute - you must have the decryption key to use your files.

Windows Vista, 7, 8 and 8.1 users are automatically advised to back up the certificate after enabling NTFS encryption - a notification in Taskbar Notification Area appears. Click the notification or icon.
In the Encrypting File System window, click Back up now (recommended).
Windows 7, Back up your file encryption key notification. Click it to start Certificate Export Wizard.

In Windows XP, use keyboard shortcut Windows Key+R to open Run dialog. Alternatively, open Start menu and click Run.
Type certmgr.msc and click OK. Windows Vista, 7, 8 and 8.1 users can use the same process for starting Certificate Management later, if needed.
Windows XP, Run dialog. To open Certificate Manager, type 'certmgr.msc' and click OK.

Expand the Personal branch on top left and click Certificates. Right-click the certificate that has "Encrypting File System" written in the Intended Purpose column and open All Tasks, Export.
Windows XP, Certificate Manager. Expand Personal, Certificates. Right-click the certificate that is intended for Encrypting File System. Click All Tasks, Export.

Certificate Export Wizard starts with a Welcome screen. Click Next.
Certificate Export Wizard, Welcome. Click Next.

If you started export from Certificate Manager console, you will see the Export Private Key screen next. Choose the Yes, export the private key option and click Next.
Please note that EFS certificate without the private key is useless - it will never decrypt any files or folders!

In Windows XP, activate Include all certificates in the certification path if possible and Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above) options.
In Windows Vista and later, put check marks into Include all certificates in the certification path if possible and Export all extended properties boxes.
Never activate the Delete the private key if export is successful option or you will lose access to your encrypted items!
Click Next.
Windows XP, Certificate Export Wizard, Export File Format. Put a check mark in 'Include all certificates in the certification path if possible' check box. Then click Next. Windows 7, Certificate Export Wizard, Export File Format. Put a check mark in 'Include all certificates in the certification path if possible' and 'Export all extended properties' check boxes. Then click Next.

Create a new and strong password for the certificate. Follow the guidelines in Passwords article and use Password Safe for storing the passphrase securely.
Click Next.
Certificate Export Wizard, Password. Type and confirm a new password. Then click Next.

In File to Export screen, click Browse and select an external media, such as USB stick or external hard drive. Do not store the certificate in the same folder you just encrypted - you might lose all access to the file in case of password reset or hard drive failure. If possible, upload the certificate file to a cloud backup service, but keep the file outside encrypted folders! Another copy of your EFS certificate on a different USB thumb drive (stored in a fire-proof safe) will not hurt, either.
Click Next after choosing a destination folder and file name.
Certificate Export Wizard, File to Export. Click Browse and select an external USB flash drive or hard drive. Then click Next.

Finally, click Finish to export your Encrypting File System certificate.
Certificate Export Wizard, Completing. Click Finish.

After the export completes, click OK.
Certificate Export Wizard, The export was successful. Click OK.

Decrypting files and folders in Windows

The decryption process is almost the same as encryption. To decrypt any file or folder, just right-click it again and select Properties from the menu.
Verify that the General tab is open and click Advanced in the bottom part of the file or folder properties window.
In the Advanced Attributes window, disable the Encrypt contents to secure data check box. Click OK twice.
If you're decrypting a folder, make sure the Apply changes to this folder, subfolders and files option is selected before clicking OK in the Confirm Attribute Change window.
Confirm Attribute Changes. Click OK.

Please stand by until the process completes (the Applying Attributes window disappears).

Importing Encrypting File System certificates in Windows

To import an NTFS encryption certificate, locate the exported .pfx file and double-click it. Certificate Import Wizard appears with Welcome screen. Click Next.
Certificate Import Wizard, Welcome. Click Next.

In File to Import dialog, click Next. Please note that the location here (Public Folders aka Shared Folders) is a very bad example of where to keep an encryption cert. You should always store your EFS certificate in a safe place where no one except you has access.
Certificate Import Wizard, File to Import. Click Next.

In Password screen, always enable the Include all extended properties option after typing the certificate password.
If you are recovering the certificate after losing access to your files, you should also put a check mark in the Mark this key as exportable box. This allows creating backups of the cert later, if needed.
Click Next.
Certificate Import Wizard, Password. Type the cert password and enable the 'Include all extended properties' option. Click Next.

Leave the automatic selection on in the Certificate Store screen. This will add the imported cert to the current user's Personal store.
Certificate Import Wizard, Certificate Store. Click Next.

Just click Finish in the last screen of Certificate Import Wizard.
Certificate Import Wizard, Completing. Click Finish.

After the import process completes, click OK.
Certificate Import Wizard, The import was successful. Click OK.

All items encrypted with the imported certificate are now accessible.