How To Encrypt Files, Folders With EFS

The Encrypting File System (EFS) has been part of all professional versions of Windows since Windows 2000. The feature provides file-level encryption for data stored on NTFS file systems and is directly linked to a specific user account on the operating system. Only the user who encrypted the files and folders will be able to access them after they have been encrypted. The encrypted data is protected from outside access as well, as it cannot be read by booting into another operating system or by analyzing the hard drive.
For the user in question, the files and folders appear as any other files on the system, with the exception that they are highlighted in green.
Here are some examples of where it may make sense to use EFS encryption:
- Protecting your Dropbox configuration files
- Protecting your KeePass database, or another database
- Protecting files that you do not want anyone else to open, ever
EFS Support
The following versions and editions of Windows support EFS:
- Windows 2000, XP Professional
- Windows Server (all)
- Windows Vista Business, Enterprise, Ultimate
- Windows 7 Professional, Enterprise, Ultimate
Encrypting Data With EFS
You can encrypt data in Windows Explorer. Select one or multiple files and folders in Windows Explorer, right-click the selection afterwards and select Properties from the context menu.
Click on Advanced and locate Encrypt contents to secure data in the new window. If you have selected at least one folder, you will be asked if you only want to encrypt the root files of that folder, or files in sub-folders as well.
The files and folders in question are then displayed in green in Windows Explorer. Congratulations, you have just encrypted your first files or folders with EFS.
You can work with the files and folders normally as long as you are logged into the right user account. Please note that even system administrators cannot access the encrypted files.
Decrypting Data With The Encrypting File System
The time may come when you want to decrypt the data, for instance before moving the files to a new computer system. This is done by repeating the exact same process.
Select the files and folders, right-click on them afterwards and select Properties. Click on the Advanced button and remove the checkmark from Encrypt contents to secure data.
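The same encrypt step can be scripted and then verified, which is useful because the green highlighting in Explorer is otherwise the only indicator. The following PowerShell is an added example, not part of the original article; the folder path in `$Target` is hypothetical, and it assumes `$Target` is a folder on a local drive.

```powershell
# Added example; $Target is a hypothetical folder. Run as the user who should own the data.
param([string]$Target = "$env:USERPROFILE\Documents\Private")

$item = Get-Item -LiteralPath $Target -ErrorAction Stop

# EFS exists only on NTFS, so check the volume's file system first.
$root   = [IO.Path]::GetPathRoot($item.FullName)
$format = (New-Object System.IO.DriveInfo $root).DriveFormat
if ($format -ne 'NTFS') { throw "EFS needs NTFS, but $root is $format." }

# Same effect as ticking "Encrypt contents to secure data" and including sub-folders.
# Replace /e with /d to decrypt instead.
& cipher.exe /e "/s:$Target" | Out-Null

# Verify through the file attributes rather than trusting the command's output.
$files = @(Get-ChildItem -LiteralPath $Target -Recurse -Force |
    Where-Object { -not $_.PSIsContainer })
$plain = @($files |
    Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::Encrypted) })

"{0} of {1} files carry the Encrypted attribute." -f ($files.Count - $plain.Count), $files.Count

if ($plain.Count -gt 0) {
    Write-Warning 'These files are still unencrypted:'
    $plain | ForEach-Object { "  $($_.FullName)" }
}

# cipher /c reports which users and certificates can decrypt a given file.
$sample = $files |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted } |
    Select-Object -First 1
if ($sample) { & cipher.exe /c $sample.FullName }
```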
EFS Backup
The encryption is directly linked to the account and password, which means that any change to the password or account has the effect that the files cannot be decrypted anymore. This can be problematic, considering that you may forget your account password, which would then make all encrypted files inaccessible.
Backup is the solution in this case. Microsoft Windows generates a certificate after you have used EFS for the first time. You can back up the certificate to restore file access even if the account or operating system changes.
Use Windows-R to bring up the run command box. Type certmgr.msc in the box and hit Enter. This opens the Windows Certificate Manager. Go to Personal > Certificates under Current User. You should see a certificate for your user account.
Right-click that entry and select All Tasks > Export from the context menu.
This launches the Certificate Export Wizard. Click Next on the start screen, and switch to Yes, export the private key on the next screen.
Do not change the default settings on the Export File Format screen, just select Next.
You are now asked to enter a password which will be used to protect the private key from third party access. Someone with access to the key and the right password could import the certificate on another system to gain access to the encrypted files on your system.
You need to select a location and file name for the private key in the last step. You are free to choose any filename and location you want, for instance on a TrueCrypt or BitLocker volume or container.
Fortunately, importing a certificate does not take long. Just double-click the file that you have created. This will prompt for the password that you selected during creation. If the password is correct, the certificate will be imported, after which it becomes active and the encrypted files and folders become readable.
This is for instance handy if you want to access your encrypted files on multiple computer systems.
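The export steps above can also be scripted and the result checked before you rely on it. This PowerShell is an added example, not part of the original article; `$BackupDir` is a hypothetical location, and it assumes the PKI module cmdlets `Export-PfxCertificate` and `Get-PfxData` are available (Windows 8.1 / Server 2012 R2 or later). On older systems `cipher /x` writes the same kind of backup.

```powershell
# Added example; $BackupDir is a hypothetical location, ideally on encrypted storage.
param([string]$BackupDir = 'E:\efs-backup')

# EFS certificates carry the "Encrypting File System" enhanced key usage.
$efsOid = '1.3.6.1.4.1.311.10.3.4'
$certs = @(Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $efsOid })
if (-not $certs) { throw 'No EFS certificate under Personal > Certificates; encrypt a file first.' }

$password = Read-Host -AsSecureString 'Password to protect the exported private key'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Export every EFS certificate found, one PFX file per certificate.
foreach ($cert in $certs) {
    if (-not $cert.HasPrivateKey) {
        # A certificate without its private key cannot decrypt anything.
        Write-Warning "$($cert.Thumbprint): no private key on this machine, skipped."
        continue
    }

    $pfx = Join-Path $BackupDir "efs-$($cert.Thumbprint).pfx"
    try {
        # Equivalent of the wizard's "Yes, export the private key" with the default format.
        Export-PfxCertificate -Cert $cert -FilePath $pfx -Password $password -ErrorAction Stop |
            Out-Null
    } catch {
        Write-Warning "$($cert.Thumbprint): export failed: $($_.Exception.Message)"
        continue
    }

    # Re-open the file with the same password to confirm the backup is usable.
    $found = (Get-PfxData -FilePath $pfx -Password $password).EndEntityCertificates |
        Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if ($found) {
        "OK  $pfx (expires $($cert.NotAfter.ToString('yyyy-MM-dd')))"
    } else {
        Write-Warning "$pfx does not contain certificate $($cert.Thumbprint)."
    }
}
```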
Words of Caution
It is important to back up the certificate, as this is your only option to regain access to the encrypted files should you forget your password, re-install Windows or accidentally delete the user account used to encrypt the files. It is essential to select a secure backup certificate password, to protect the certificate from unauthorized users.
I for one suggest storing the backup of the certificate on encrypted storage space for additional security.
What mental age of reader are you targeting with the first sentence? 10?
Why not write an article on how to *avoid* upgrading from W10 to W11. Analogous to those like me who avoided upgrading from 7 to 10 for as long as possible.
If your paymaster Microsoft permits it, of course.
5. Rufus
6. Ventoy
PS. I hate reading these “SEO optimized” articles.
I used Rufus to create an installer for a 6th gen intel i5 that had MBR. It upgraded using Setup. No issues except for Win 11 always prompting me to replace my local account. Still using Win 10 Pro on all my other PCs to avoid the bullying.
bit pointless to upgrade for the sake of upgrading as you never know when you’ll get locked out because ms might suddenly not provide updates to unsupported systems.
ps…. time travelling?
written. Jan 15, 2023
Updated • Jan 13, 2023
This happens when you schedule a post in WordPress and update it before setting the publication date.
Anyone willing to downgrade to this awful OS must like inflicting themselves with harm.
I have become convinced now that anybody who has no qualms with using Windows 11/10 must fit into one of the following brackets:
1) Too young to remember a time before W10 and W11 (doesn’t know better)
2) Wants to play the latest games on their PC above anything else (or deeply needs some software which already dropped W7 support)
3) Doesn’t know too much about how computers work, worried that they’d be absolutely lost and in trouble without the “”latest security””
4) Microsoft apologist that tries to justify that the latest “features” and “changes” are actually a good thing, that improve Windows
5) Uses their computer to do a bare minimum of like 3 different things, browse web, check emails, etc, so really doesn’t fuss
Obviously that doesn’t cover everyone, there’s also the category that:
6) Actually liked W7 more than 10, and held out as long as possible before switching, begrudgingly uses 10 now
Have I missed any group off this list?
You have missed in this group just about any professional user that uses business software like CAD programs or ERP Programs which are 99% of all professional users from this list.
Linux doesn’t help anyone who is not a linux kid and apple is just a fancy facebook machine.
Microsoft has removed KB5029351 update
only from windows update though
KB5029351 is still available from the ms update catalog site
1. This update is labeled as PREVIEW if it causes issues to unintelligent people, then they shouldn’t have allowed Preview updates to install.
2. I have installed it in a 11 years old computer, and no problems at all.
3. Making a big drama over a bluescreen for an update labeled as preview is ridiculous.
This is probably another BS internet drama where people ran programs and scripts that modified the registry until they broke Windows, just for removing stuff that they weren’t even using just for the sake of it.
Maybe people should stop playing geeks and actually either use Windows 10 or Windows 11, but don’t try to modify things just for the sake of it.
Sometimes removing or stopping things (like defender is a perfect example) only need intelligence, not scripts or 3rd party programs that might mess with windows.
Windows 11 was a pointless release, it was just created because some of the Windows team wanted to boost sales with some sort of new and improved Windows 10. Instead, Microsoft cannot support one version well let alone two.
Windows 11 is the worst ugly shame by Microsoft ever. They should release with every new W11 version a complete free version of Starallback inside just to make this sh** OS functionally again.
motherboard maker MSI has recently released a statement regarding the “unsupported processor” blue screen error for their boards using Intel 600/700 series chipsets & to avoid the KB5029351 Win11 update:
https://www.msi.com/news/detail/MSI-On–UNSUPPORTED-PROCESSOR–Error-Message-of-Windows-11-Update-KB5029351-Preview-142215
check out the following recent articles:
Neowin – Microsoft puts little blame on its Windows update after UNSUPPORTED PROCESSOR BSOD bug:
https://www.neowin.net/news/microsoft-puts-little-blame-on-its-windows-update-after-unsupported-processor-bsod-bug/
BleepingComputer – Microsoft blames ‘unsupported processor’ blue screens on OEM vendors:
https://www.bleepingcomputer.com/news/microsoft/microsoft-blames-unsupported-processor-blue-screens-on-oem-vendors/
While there may be changes or updates to the Windows 10 Store for Business and Education in the future, it is premature to conclude that it will be discontinued based solely on rumors.
My advice, I left win 15 years ago. Now I’m a happy linux user (linuxmint) but there is Centos, Fedora, Ubuntu depending on your needs.
motherboard maker MSI has recently released new BIOS/firmware updates for their Intel 600 & 700 series motherboards to fix the “UNSUPPORTED_PROCESSOR” problem (Sept. 6):
https://www.msi.com/news/detail/Updated-BIOS-fixes-Error-Message–UNSUPPORTED-PROCESSOR–caused-BSOD-on-MSI-s-Intel-700-and-600-Series-Motherboards-142277
I try to disable the Diagnostics Tracking Service (Connected Devices Platform User Services) but it won’t let me disable it, any help will be greatly appreciated.
Thank you for your help