How to encrypt and decrypt using the Encrypting File System


The following steps encrypt and decrypt a file or folder using the Encrypting File System.
The drive must be formatted as NTFS to support EFS:
Right click on your C: and select Properties to check if NTFS is your File System type

Encrypting a folder

Although you can encrypt files individually, we strongly recommend that you designate a specific folder for storing encrypted data.

To encrypt a folder and its current contents, follow these steps:

  1. Right-click the folder that you want to encrypt, and then click Properties.
  2. In the Properties dialog box, click Advanced.
  3. The Advanced Attributes dialog box displays attribute options for compression and encryption. This dialog box also includes archive and indexing attributes.

    Note Although the NTFS file system supports both compression and encryption, it does not support both at the same time. This means that you can only select one or the other. A file or folder cannot be both encrypted and compressed at the same time.

    To encrypt the folder, click to select the Encrypt contents to secure datacheck box, and then click OK.
  4. Click OK to close the Advanced Attributesdialog box.
  5. If the folder you chose to encrypt in steps 1 to 3 already contains files, a Confirm Attribute Changes dialog box will appear.

    You can choose to encrypt only the folder so that all files subsequently moved to the folder or created in this folder will be encrypted. If you want to also encrypt all the contents of this folder, click Apply changes to this folder, subfolders, and files, and then click OK.
  6. Scroll down to section on Backing Up Certificates

Decrypting a folder

To decrypt a folder, use basically the same process but in reverse order:

  1. Right-click the folder that you want to decrypt, and then click Properties.
  2. Click Advanced.
  3. Click to clear the Encrypt contents to secure datacheck box to decrypt the data.
  4. Click OK to close the Advanced Attributesdialog box.
  5. Click OK to close the Propertiesdialog box.
  6. If the folder has files in it, the Confirm Attribute Changes dialog box appears. You can choose to decrypt only the folder.  However, this will not decrypt any files currently contained in the folder.

If you want to decrypt all the contents of this folder, click Apply changes to this folder, subfolders, and files, and then click OK.

Additional information

 

How files are encrypted

Files are encrypted through the use of algorithms that essentially rearrange, scramble, and encode the data. A key pair is randomly generated when you encrypt your first file. This key pair is made up of a private and a public key. The key pair is used to encode and decode the encrypted files.

If the key pair is lost or damaged and you have not designated a recovery agent then there is no way to recover the data.

Why you must back up your certificates

Because there is no way to recover data that has been encrypted with a corrupted or missing certificate, it is critical that you back up the certificates and store them in a secure location. You can also specify a recovery agent. This agent can restore the data. The recovery agent's certificate serves a different purpose than the user's certificate.

How to back up your certificate

To back up your certificates, follow these steps:

  1. Start Microsoft Internet Explorer.
  2. On the Tools menu, click Internet Options.
  3. On the Content tab, in the Certificates section, click Certificates.
  4. Click the Personal tab.
    NoteThere may be several certificates present, depending on whether you have installed certificates for other purpose.
  5. Select one certificate at a time until the Certificate Intended Purposes field shows Encrypting File System. This is the certificate that was generated when you encrypted your first folder.
  6. Click Export to start the Certificate Export Wizard, and then click Next.
  7. Click Yes, export the private key to export the private key, and then click Next.
  8. Click Enable Strong protection, and then click Next.
  9. Type your password. (You must have a password to protect the private key.)
  10. Specify the path where you want to save the key. You can save the key to a floppy disk, another location on the hard disk, or a CD. If the hard disk fails or is reformatted, the key and the backup will be lost. (If you back up the key to a floppy disk or CD, you must store that disk or CD in a secure location.)
  11. Specify the destination, and then click Next.

How to encrypt a file for multiple users

To do this, follow these steps:

  1. Start Microsoft Windows Explorer, and then select the encrypted file that you want to add additional users to.
  2. Right-click the encrypted file and then click Properties.
  3. Click Advancedto access the EFS settings.
  4. Click Detailsto add additional users.
  5. Click Add. The Add dialog box will display any other EFS-capable certificates in your personal store or those of any other users who may be in your "Other People" and "Trusted People" certificate stores.

    If you do not see the user who you want to add, click Find User to search Active Directory. The Select User window appears. A dialog box displays valid EFS certificates in Active Directory based on your search criteria. If no valid certificate is found for that user, a message will inform you that there are no appropriate certificates for the selected user. In this case, the intended users must send you a copy of their certificate for you to import. You can then add them to your encrypted file.
  6. Select the certificate of the user who you want to add, and then click OK. You will be returned to the Detailstab, and the tab will show the multiple users who will have access to the encrypted file and the users' EFS certificates.
  7. Repeat this process until you have added all the users who you want to add. Click OK to register the change and continue.

Note Any user who can decrypt a file can also remove other users if the user who does the decrypting also has write permissions on the file.