Managing File Systems
Encrypted File System (EFS)
Rules for Using Encrypted Files
When you work with encrypted files and folders, keep in mind the following points:
- Only files and folders on NTFS volumes can be encrypted.
- You cannot encrypt files or folders that are compressed. Compression and encryption are mutually exclusive file attributes. If you want to encrypt a compressed file or folder, you must decompress it first.
- Only the user who encrypted the file and the designated recovery agent(s) can open it. (You'll learn more about recovery agents shortly.)
- If you encrypt a file in a shared directory, it is inaccessible to others.
- Windows 7 displays encrypted files and folders in green (compressed files and folders are displayed in blue).
- Encrypted files become decrypted if you copy or move the file to a volume or partition that is not formatted with NTFS.
- You should use Cut and Paste to move files into an encrypted folder. If you use the drag-anddrop method to move files, they are not automatically encrypted in the new folder.
- System files cannot be encrypted.
- Encrypting folders or files does not protect them against being deleted, moved, or renamed. Anyone with the appropriate permission level can manipulate encrypted folders or files. (These users just can't open them.)
- Temporary files, which are created by some programs when documents are edited, are also encrypted as long as all the files are on an NTFS volume and in an encrypted folder. I recommend that you encrypt the Temp folder on your hard disk for this reason. Encrypting your original files keeps them safe from prying eyes, but programs often leave behind temp files-usually in the Temp folder-and these files remain vulnerable.
- The page file (used for virtual memory) can be encrypted in Windows 7 through Group Policy settings. You can also configure the Local Security Policy to clear the page file when you shut down the system. Just enable the Shutdown: Clear Virtual Memory Pagefile policy under the Local Policies, Security Option section.
- On a domain network, you can encrypt or decrypt files and folders located on a remote computer that has been enabled for remote encryption. Check with your system administrator to see whether your company's servers support this capability. Keep in mind, however, that opening an encrypted file over a network still exposes the contents of that file while it is being transmitted. A network administrator should implement a security protocol such as IPSec to safeguard data during transmission.
- You should encrypt folders instead of individual files so that if a program creates temporary files and/or saves new copies during editing, they will be encrypted as well.
- Encrypted files, like compressed folders, perform more slowly than unencrypted ones. If you want maximum performance when folders or files in the folders are being used extensively (for example, by database programs), think twice before encrypting them. You might want to perform benchmark tests using encrypted and unencrypted folders with similar data to determine whether your system can handle the performance hit.