CIS 170F: Windows 7 Administration

Week 5

Managing File Systems
Encrypting File System (EFS)
Encrypting Files and Folders

The Encrypting File System (EFS) provides a secure way to store your sensitive data. Windows creates a randomly generated file encryption key (FEK) and then transparently encrypts the data with this FEK as it is written to disk. Windows then encrypts the FEK using your public key. (Windows creates a personal encryption certificate with a public/private key pair for you the first time you use EFS.) The FEK, and therefore the data it encrypts, can be decrypted only with your certificate and its associated private key, which are available only when you log on with your user name and password. (Designated data recovery agents can also decrypt your data.) Other users who attempt to use your encrypted files receive an "access denied" message. Even administrators and others who have permission to take ownership of files are unable to open your encrypted files. EFS uses the Advanced Encryption Standard (AES) with a 256-bit key as its default encryption algorithm, so its protection rests on keeping your private key out of an attacker's hands rather than on any weakness in the cipher: someone who obtains the disk but not your key cannot read the data.

You encrypt or decrypt a folder or file by setting the encryption property for the folder or file just as you set any other attribute (such as read-only, compressed, or hidden), through a file or folder's Advanced Attributes dialog box. Right-click the desired file or folder, choose Properties, and from the General tab click the Advanced button to open the Advanced Attributes dialog box.

After you set the option to encrypt a folder and click OK in the folder's Properties dialog box, you are prompted to confirm the attribute change. From this dialog box, you can choose to encrypt all the subfolders and files within the folder you are encrypting. Once all folders, subfolders, and files are encrypted, an Encrypting File System dialog box appears reminding you to back up your file encryption certificate and key. You're given three options: Back Up Now (Recommended), Back Up Later, or Never Back Up. We suggest you take care of this now so you never have to worry about it later: if the certificate and private key are lost (for example, when the user profile is deleted), the encrypted files cannot be recovered without a data recovery agent. Back Up Now takes you to the Certificate Export Wizard, which gives you step-by-step instructions.

It is recommended that you encrypt at the folder level rather than mark individual files, so that new files added to the folder are also encrypted. This point is crucial because most editing programs write a new copy of the file each time you save changes and then delete the original. If the folder containing an encrypted file isn't also marked for encryption, editing an encrypted file results in saving an unencrypted version.

After a file or folder has been encrypted, Windows Explorer displays its name in green.
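The same folder-level encryption done from PowerShell with cipher.exe, followed by an audit for files that are still plaintext (the editor "new copy" problem described above) and the certificate backup the EFS dialog asks for. This is an added example, not part of the course notes; the $Folder and $Backup paths are assumed placeholders, and the script is meant to run as the user who owns the files.

```powershell
# Added example (not from the course notes). Assumed placeholder paths:
$Folder = "$env:USERPROFILE\Documents\Sensitive"   # folder to protect
$Backup = "$env:USERPROFILE\efs-cert-backup"        # cipher appends .pfx

$EncryptedFlag = [System.IO.FileAttributes]::Encrypted

# Mark the folder (so files added later inherit encryption) and encrypt what
# is already inside: /E encrypts, /A includes files, /S recurses.
cipher.exe /E /A /S:$Folder

# Files under the folder that are still plaintext. A file an editor saved
# into an unmarked parent, or one copied in before the folder was marked,
# shows up here even though its neighbours are green in Explorer.
function Get-PlaintextFiles {
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse |
        Where-Object { -not $_.PSIsContainer } |
        Where-Object { [int]($_.Attributes -band $EncryptedFlag) -eq 0 } |
        ForEach-Object { $_.FullName }
}

# Folders that lost the attribute: any new file written there is plaintext.
function Get-UnmarkedFolders {
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse |
        Where-Object { $_.PSIsContainer } |
        Where-Object { [int]($_.Attributes -band $EncryptedFlag) -eq 0 } |
        ForEach-Object { $_.FullName }
}

$plain = Get-PlaintextFiles -Path $Folder
if ($plain) { "Plaintext files under ${Folder}:"; $plain }
else        { "All files under $Folder are encrypted." }

$unmarked = Get-UnmarkedFolders -Path $Folder
if ($unmarked) { "Folders not marked for encryption:"; $unmarked }

# Export the EFS certificate and private key to $Backup.pfx; cipher prompts
# for a password that protects the exported key. Without this export the
# data is unrecoverable if the profile or its keys are lost.
cipher.exe /X $Backup
```

The Get-ChildItem filters use PSIsContainer rather than the -File/-Directory switches so the script runs on the PowerShell 2.0 that ships with Windows 7.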