Encrypting File System (EFS) aka NTFS encryption in Windows means making personal files and folders accessible only by the user who has the correct decryption key. If a user encrypts his/her files and folders, a certificate with a private key is created and stored automatically. After this, no one besides this user is able to open or modify the encrypted files.
The user can still export a decryption certificate without the private key for those who need to access his/her files. If a user loses the encryption certificate (for example, due to a forcible password reset) and has no backup of it, he/she will lose all access to the encrypted files. Linux is of no help in such a case, either - no third-party EFS driver is available there.
Only Professional/Business and Ultimate/Enterprise editions of Windows XP, Vista, 7, 8, 8.1 and 10 support file and folder encryption on NTFS file system. The feature is not available in Basic and Home editions, but you can still use encrypted files if you import the decryption certificate. FAT file systems and other file systems do not support Encrypting File System.
For Basic and Home edition users, the free VeraCrypt (container-based, an open-source fork of the now-outdated TrueCrypt) and AxCrypt (file-based) are viable alternatives.
Encrypting files and folders with EFS will also prevent indexing of the items. This means that Windows Search is unable to display these items - for example, if you encrypt your Documents folder, searches return no results from files in it.
This is a security and privacy measure, but you can bypass it by opening Indexing Options from Control Panel, clicking Advanced and enabling the Index encrypted files option in the File Settings section.
EFS works only on NTFS-formatted volumes/drives. Windows will warn if you try to copy an encrypted file or folder to a FAT/exFAT drive - doing so decrypts the item.
You can encrypt your own files and folders, but you should never encrypt system folders (Windows, Program Files, ProgramData), whole Documents and Settings or Users folder or whole system drives (the drive where Windows is installed). For example: if you encrypt Windows folder, Windows will not start anymore because it has no access to essential system files; if you encrypt the whole Users folder, other users will not be able to log on. If you encrypt the whole system drive using NTFS encryption, your computer won't boot at all.
To get full system disk encryption, use free VeraCrypt.
One should always encrypt folders, not individual files in them: if NTFS encryption is enabled for a folder, all files and sub-folders in it (including the files in those sub-folders) will always be encrypted automatically.
If you encrypt an individual file only, no other files in the same or a different folder will be automatically encrypted. An encrypted file inside an unencrypted folder can have unwanted consequences, such as unencrypted backup copies or a decrypted original (potential data theft/loss).
Luckily, Windows warns about encrypting files inside an unencrypted folder. Either leave the Encrypt the file and its parent folder option selected and choose OK to encrypt the whole folder, or click Cancel, create a new folder for the file(s) you want to protect and apply encryption to the new folder.
To enable NTFS encryption for a folder, right-click or tap and hold it in Windows Explorer (File Explorer in Windows 8, 8.1 and 10) and select Properties from the menu. You can also hold down the Shift or Ctrl key while selecting multiple adjacent or non-adjacent items. The keyboard shortcut for right-click is Shift+F10, and Alt+Enter opens Properties.
Verify that the General tab is open and click or touch Advanced in the bottom part of the file or folder properties window.
In the Advanced Attributes window, enable the Encrypt contents to secure data check box. Please note that files and folders cannot be compressed and encrypted at the same time - encryption will always disable compression. Click OK in the current window.
Now click OK in the file or folder properties window. A Confirm Attribute Changes window appears. If you're NTFS-encrypting a folder, make sure the Apply changes to this folder, subfolders and files option is selected before clicking OK.
Please stand by until the process completes (the Applying Attributes window disappears). If a file or folder is in use (locked), the Error Applying Attributes window appears. Click Ignore All. Encryption will be enabled on the locked item after it is accessible again.
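The steps above done from PowerShell, as an added example that is not part of this article: it drives the built-in cipher.exe tool, verifies that every item in the folder received the Encrypted attribute (locked files are reported instead of stopping the run, like Ignore All in the window), and audits for encrypted files sitting in unencrypted folders, the situation described earlier. The folder paths are placeholders; the functions require an NTFS volume and an edition that supports EFS.

```powershell
# Added example, not code from the original article. Assumes Windows PowerShell 5.1
# or later on a Professional/Enterprise edition; every path is a placeholder.

function Test-EfsEncrypted {
    # True when the NTFS Encrypted attribute is set on the file or folder.
    param([Parameter(Mandatory)][string]$Path)
    return (Get-Item -LiteralPath $Path -Force).Attributes.HasFlag(
        [System.IO.FileAttributes]::Encrypted)
}

function Enable-EfsFolder {
    # Encrypts a folder and everything already inside it, then returns the paths
    # that are still unencrypted (typically files that were locked while cipher ran,
    # the same case the GUI reports in its Error Applying Attributes window).
    param([Parameter(Mandatory)][string]$Path)

    $folder = Get-Item -LiteralPath $Path -Force
    if (-not $folder.PSIsContainer) {
        throw "Encrypt the folder, not an individual file: $Path"
    }
    # EFS is NTFS-only; refuse early on FAT/exFAT volumes.
    $drive = New-Object System.IO.DriveInfo($folder.PSDrive.Root)
    if ($drive.DriveFormat -ne 'NTFS') {
        throw "$($folder.PSDrive.Root) is $($drive.DriveFormat); EFS requires NTFS"
    }
    # cipher.exe is the built-in EFS command-line tool: /e encrypt, /a operate on
    # files as well as folders, /s: recurse into sub-folders, /i continue after errors.
    & cipher.exe /e /a /i "/s:$($folder.FullName)" | Out-Null

    Get-ChildItem -LiteralPath $folder.FullName -Recurse -Force |
        Where-Object { -not (Test-EfsEncrypted $_.FullName) } |
        Select-Object -ExpandProperty FullName
}

function Find-StrayEncryptedFile {
    # Lists encrypted files whose parent folder is not encrypted: the situation the
    # article warns about, where an edit or a copy can quietly leave plaintext behind.
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force |
        Where-Object { (Test-EfsEncrypted $_.FullName) -and
                       -not (Test-EfsEncrypted $_.DirectoryName) } |
        Select-Object -ExpandProperty FullName
}

# Usage (placeholder paths):
#   Enable-EfsFolder -Path 'C:\Users\Alice\Private'   # no output means everything is encrypted
#   Find-StrayEncryptedFile -Root 'C:\Users\Alice'
```

Run Enable-EfsFolder a second time once the locked files have been closed; cipher skips items that are already encrypted, so re-running is harmless and picks up whatever was reported the first time.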
Things to know about encrypted files and folders in Windows
If you have enabled the Show encrypted or compressed NTFS files in color option in Folder Options of Windows/File Explorer, all encrypted items will be displayed in green color.
After encrypting an item, any other user without your EFS certificate will receive an "Access denied" error message while opening the item.
If you are copying or moving encrypted items to a file system other than NTFS, you'll see a warning that the items cannot be copied or moved without losing encryption.
In Windows XP, you can click Ignore or Ignore All to copy or move the items and lose encryption; or Cancel to stop the action.
In Windows Vista and later, you can click Yes to copy or move the items without encryption; or Cancel to stop the process. The Do this for all current items check box is useful for applying the decision to all items at once.
Now it is time to back up your file encryption certificate.
To secure yourself against accidental loss of the encryption certificate due to a forcible password reset, computer breakdown or theft, you must export the automatically generated certificate. Please note that most backup programs also keep the encryption attribute - you must have the decryption key to use your files.
Windows Vista, 7, 8/8.1 and 10 users are automatically advised to back up the certificate after enabling NTFS encryption - a notification in Taskbar Notification Area appears. Click the notification or icon.
In the Encrypting File System window, click Back up now (recommended).
In Windows XP, use the keyboard shortcut Windows Key+R to open the Run dialog. Alternatively, open the Start menu and click Run.
Type certmgr.msc and click OK. Windows Vista, 7, 8, 8.1 or 10 users can use the same process for starting Certificate Management later, if needed.
Expand the Personal branch on top left and click Certificates. Right-click the certificate that has "Encrypting File System" written in the Intended Purpose column and open All Tasks, Export.
Certificate Export Wizard starts with a Welcome screen. Click Next.
If you started export from Certificate Manager console, you will see the Export Private Key screen next. Choose the Yes, export the private key option and click Next.
Please note that an EFS certificate without the private key is useless - it will never decrypt any files or folders!
In Windows XP, activate Include all certificates in the certification path if possible and Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above) options.
In Windows Vista and newer, tick the Include all certificates in the certification path if possible and Export all extended properties check boxes.
Never activate the Delete the private key if export is successful option, or you will lose access to your encrypted items!
Create a new and strong password for the certificate.
In the File to Export screen, click Browse and select external media, such as a USB stick or external hard drive. Do not store the certificate in the same folder you just encrypted - you might lose all access to the file in case of a password reset or hard drive failure. If possible, upload the certificate file to a cloud backup service, but keep the file outside encrypted folders!
Another copy of your EFS certificate on a different USB thumb drive (stored in a fire-proof safe) will not hurt, either.
Click Next after choosing a destination folder and file name.
Finally, click Finish to export your Encrypting File System certificate.
After the export completes, click OK.
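The same backup done from PowerShell, as an added example that is not part of this article. It finds the certificate whose intended purpose is Encrypting File System in the user's Personal store, refuses a destination inside an EFS-encrypted folder (the mistake warned about above), exports it with the private key, chain and extended properties using the PKI module's Export-PfxCertificate, and reads the file back to confirm the backup opens with the password. The destination folder and the password prompt are placeholders.

```powershell
# Added example, not code from the original article. Assumes Windows 8/10 with the
# PKI module (Export-PfxCertificate, Get-PfxData). Destination is a placeholder.

function Get-EfsCertificate {
    # EFS certificates carry the Enhanced Key Usage "Encrypting File System",
    # OID 1.3.6.1.4.1.311.10.3.4 (the Intended Purpose column in certmgr.msc).
    $efsOid = '1.3.6.1.4.1.311.10.3.4'
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $eku -and @($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $efsOid }).Count -gt 0
    }
}

function Backup-EfsCertificate {
    # Exports every EFS certificate that has a private key to <Destination>\efs-<thumbprint>.pfx
    # and returns the files written. The private key stays in the store; there is no
    # equivalent of the wizard's "Delete the private key if export is successful".
    param(
        [Parameter(Mandatory)][string]$Destination,     # e.g. 'E:\' on a USB stick
        [Parameter(Mandatory)][SecureString]$Password
    )
    $dir = Get-Item -LiteralPath $Destination -Force
    # A backup stored inside an EFS folder becomes unreadable together with the data
    # it is meant to rescue, so refuse that location outright.
    if ($dir.Attributes.HasFlag([System.IO.FileAttributes]::Encrypted)) {
        throw "$Destination is EFS-encrypted; store the backup on external media instead"
    }
    $certs = @(Get-EfsCertificate | Where-Object { $_.HasPrivateKey })
    if ($certs.Count -eq 0) { throw 'No EFS certificate with a private key found' }

    foreach ($cert in $certs) {
        $file = Join-Path $dir.FullName "efs-$($cert.Thumbprint).pfx"
        # Defaults match the wizard's recommended options: private key, full chain
        # (BuildChain) and extended properties are all included in the .pfx.
        Export-PfxCertificate -Cert $cert -FilePath $file -Password $Password `
            -ChainOption BuildChain | Out-Null
        # Read the file back with the same password to prove the backup is usable.
        $check = Get-PfxData -FilePath $file -Password $Password
        if ($check.EndEntityCertificates.Thumbprint -notcontains $cert.Thumbprint) {
            throw "Round-trip check failed for $file"
        }
        Get-Item -LiteralPath $file
    }
}

# Usage:
#   $pw = Read-Host -Prompt 'PFX password' -AsSecureString
#   Backup-EfsCertificate -Destination 'E:\' -Password $pw
```

The password is taken as a SecureString from Read-Host so it never sits in the command history; the round-trip check with Get-PfxData is the scripted equivalent of opening the exported file once before you trust it.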
The decryption process is similar to that of encryption. To decrypt a file or folder, just right-click or touch and hold it again and select Properties from the menu.
Verify that the General tab is open and click Advanced in the bottom part of the file or folder properties window.
In the Advanced Attributes window, disable the Encrypt contents to secure data check box. Click OK twice.
If you're decrypting a folder, make sure the Apply changes to this folder, subfolders and files option is selected before clicking OK in the Confirm Attribute Changes window.
Please stand by until the process completes (the Applying Attributes window disappears).
To import an NTFS encryption certificate, locate the exported .pfx file and double-click it. Certificate Import Wizard appears with Welcome screen. Click Next.
In the File to Import dialog, click Next. Please note that the location here (Public Folders aka Shared Folders) is a very bad example of where to keep an encryption cert. You should always store your EFS certificate in a safe place where no one except you has access.
In the Password screen, always enable the Include all extended properties option after typing the certificate password.
If you are recovering the certificate after losing access to your files, you should also put a check mark in the Mark this key as exportable box. This allows creating backups of the cert later, if needed.
Leave the automatic selection on in the Certificate Store screen. This will add the imported cert to the current user's Personal store.
Just click Finish in the last screen of Certificate Import Wizard.
After the import process completes, click OK.
All items encrypted with the imported certificate are now accessible.
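The import done from PowerShell, with a check that the encrypted files are readable afterwards, plus the command-line form of the decryption steps described earlier in this article. This is an added example, not part of the original; it assumes the PKI module's Import-PfxCertificate and uses placeholder paths.

```powershell
# Added example, not code from the original article. Assumes Windows 8/10 with the
# PKI module (Import-PfxCertificate); paths and the password prompt are placeholders.

function Restore-EfsCertificate {
    # Imports the .pfx into the current user's Personal store, the same store the
    # wizard's automatic selection uses. -Exportable is "Mark this key as exportable",
    # so a fresh backup can be taken from this machine later.
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][SecureString]$Password
    )
    Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\CurrentUser\My `
        -Password $Password -Exportable
}

function Test-EfsAccess {
    # Returns $true if the current user can read the file. Without the matching EFS
    # key the open fails with "Access is denied" (UnauthorizedAccessException) even
    # though the NTFS permissions allow it.
    param([Parameter(Mandatory)][string]$Path)
    try {
        $fs = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
            [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
        $fs.Dispose()
        return $true
    } catch [System.UnauthorizedAccessException] {
        return $false
    }
}

function Disable-EfsFolder {
    # Command-line form of the decryption steps: /d decrypt, /a files too, /s: recurse,
    # /i keep going past locked files. Returns paths that are still encrypted afterwards.
    param([Parameter(Mandatory)][string]$Path)
    $folder = Get-Item -LiteralPath $Path -Force
    & cipher.exe /d /a /i "/s:$($folder.FullName)" | Out-Null
    Get-ChildItem -LiteralPath $folder.FullName -Recurse -Force |
        Where-Object { $_.Attributes.HasFlag([System.IO.FileAttributes]::Encrypted) } |
        Select-Object -ExpandProperty FullName
}

# Usage (placeholder paths):
#   $pw = Read-Host -Prompt 'PFX password' -AsSecureString
#   Restore-EfsCertificate -PfxPath 'E:\efs-backup.pfx' -Password $pw
#   Test-EfsAccess -Path 'C:\Users\Alice\Private\notes.txt'   # $true once the key is back
#   Disable-EfsFolder -Path 'C:\Users\Alice\Private'          # only if you want plaintext again
```

Test-EfsAccess is the quickest way to confirm the right certificate came back: a file that was "Access denied" before the import opens normally afterwards, with no change to its NTFS permissions.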