Windows 7 : Encrypting File System (part 1) – How to Encrypt a Folder with EFS, How to Create and Back Up EFS Certificates

EFS is a file encryption technology (supported only on NTFS volumes) that protects files from offline attacks such as hard disk theft. Because EFS works at the file system level, it is transparent to users and applications: files are encrypted as they are written and decrypted as they are read. The encryption becomes apparent only when a user who does not hold a decryption key attempts to open an encrypted file. In that case, Windows denies access to the file.

EFS is designed to protect sensitive data on mobile or shared computers, which are more susceptible to attacks that circumvent the restrictions of access control lists (ACLs) such as file permissions. An attacker can steal a computer, remove the hard disk drives, place the drives in another system, and gain access to the stored files (even if they are protected by file permissions), because NTFS permissions are enforced only by the operating system that is running, not by the disk. Without the decryption key, however, an attacker reading the disk directly sees only ciphertext, and Windows on the other system refuses to open the EFS-encrypted files.

In most respects, EFS in Windows 7 works the same way it did in Windows XP and Windows Vista.

Note

VERSIONS OF WINDOWS 7 THAT DO NOT FULLY SUPPORT EFS

Windows 7 Starter, Windows 7 Home Basic, and Windows 7 Home Premium do not fully support EFS: they cannot encrypt files with EFS.

1. How to Encrypt a Folder with EFS

With EFS, you can encrypt specific files and folders. To enable EFS for a folder, perform these steps:

  1. Click Start, and then click Computer. A Windows Explorer window opens.
  2. Right-click the folder you want to encrypt and then click Properties. For example, if you want to encrypt the user’s profile, expand C:\Users\, right-click the user’s profile folder, and then click Properties.
  3. On the General tab, click Advanced.
  4. In the Advanced Attributes dialog box, select the Encrypt Contents To Secure Data check box.
  5. Click OK twice.
  6. In the Confirm Attribute Changes dialog box, accept the default setting to encrypt subfolders by clicking OK.

Note

RECOGNIZING EFS-ENCRYPTED FILES AND FOLDERS IN WINDOWS EXPLORER

In Windows Explorer, the names of EFS-encrypted files and folders are shown in green. EFS encrypts file contents only, not file or folder names, so other users can still browse an EFS-encrypted folder and see what it contains, but they cannot open the EFS-encrypted files.

During the encryption process, you might receive error messages saying that a file (such as NTUSER.DAT, the user registry hive, which stays open for as long as the user is logged on) is currently in use. In addition, to prevent users from encrypting a file that might stop the computer from starting, you cannot encrypt any file that is marked with the System attribute. Encryption and NTFS compression are mutually exclusive: an encrypted file cannot be compressed, and encrypting a compressed file decompresses it.
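The folder procedure above and the checks in the two notes, as an added PowerShell example that is not code from the original article: it encrypts a folder with cipher.exe (the command-line equivalent of the Encrypt Contents To Secure Data check box), then walks the tree and reports every file that did not end up encrypted, distinguishing System-attribute files from files that were probably in use. The path in $Target is an assumption; change it to a folder on an NTFS volume.

```powershell
# Added example, not from the original article. Encrypt a folder with EFS from
# PowerShell and audit the result. $Target is an assumed path; it must be on an
# NTFS volume, and the edition must support EFS (Professional, Ultimate, Enterprise).
$Target = 'C:\Users\Alice\Sensitive'

# EFS exists only on NTFS, so refuse other file systems before touching anything.
$drive = New-Object System.IO.DriveInfo ($Target.Substring(0, 1))
if ($drive.DriveFormat -ne 'NTFS') {
    throw "EFS requires NTFS; $($drive.Name) is $($drive.DriveFormat)"
}

# cipher.exe /e marks directories so that files created later are encrypted,
# /s:<dir> recurses into subdirectories, and /a also encrypts the files that
# are already there. Together they match the GUI's "encrypt subfolders" choice.
& cipher.exe /e "/s:$Target" /a | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Warning "cipher.exe exited with $LASTEXITCODE; some items were skipped"
}

# Audit: report every file that lacks the Encrypted attribute. Two expected
# causes: the System attribute (EFS refuses those files) and files held open
# by another process, such as NTUSER.DAT for a logged-on user.
$encAttr = [System.IO.FileAttributes]::Encrypted
$sysAttr = [System.IO.FileAttributes]::System

$report = Get-ChildItem -LiteralPath $Target -Recurse -Force |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        $isEncrypted = (($_.Attributes -band $encAttr) -eq $encAttr)
        $note = ''
        if (-not $isEncrypted) {
            if (($_.Attributes -band $sysAttr) -eq $sysAttr) {
                $note = 'System attribute set; EFS will not encrypt it'
            } else {
                $note = 'still plaintext; probably in use, retry when closed'
            }
        }
        New-Object PSObject -Property @{
            Path      = $_.FullName
            Encrypted = $isEncrypted
            Note      = $note
        }
    }

$plain = @($report | Where-Object { -not $_.Encrypted })
if ($plain.Count -gt 0) {
    $plain | Format-Table -AutoSize Path, Note
}
'{0} of {1} files encrypted' -f (@($report).Count - $plain.Count), @($report).Count
```

Run it from an elevated prompt only if the folder belongs to another user; for your own profile folder a normal prompt is enough. To see which certificates can decrypt a particular file afterwards, run `cipher /c <file>`, which lists the user certificate(s) and any data recovery agent associated with it.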

Note

EFS ENCRYPTED FILES CANNOT BE INDEXED

By default, EFS-encrypted files are not indexed and are not returned in search results. You can enable indexing of encrypted files by opening the Indexing Options tool in Control Panel, clicking Advanced, and then selecting the Index Encrypted Files check box. Alternatively, you can enable the Allow Indexing Of Encrypted Files Group Policy setting at Computer Configuration\Administrative Templates\Windows Components\Search\. Be aware that the search index then holds plaintext extracted from the encrypted files, so the location of the index itself must be protected as carefully as the files.

2. How to Create and Back Up EFS Certificates

EFS uses certificates to encrypt and decrypt data. Each file is encrypted with a randomly generated symmetric file encryption key (FEK), and that FEK is in turn encrypted with the public key of the user's EFS certificate and stored with the file. Decryption therefore requires the certificate's private key. If you lose the private key, and no data recovery agent has been configured, you will be unable to decrypt your files. Therefore, it is extremely important to back up EFS certificates together with their private keys.

The backup tools built into Windows back up your certificates along with the rest of your user profile. However, the only backup you can move to another computer, or use after your profile has been lost, is an export of the certificate together with its private key. Windows 7 provides a wizard interface for manually creating and backing up EFS certificates. To use the interface, perform these steps:

  1. Click Start, and then click Control Panel.
  2. Click the User Accounts link. Then, click the User Accounts link again.
  3. In the left pane, click the Manage Your File Encryption Certificates link. The Encrypting File System Wizard appears.
  4. On the Manage Your File Encryption Certificates page, click Next.
  5. On the Select Or Create A File Encryption Certificate page, as shown in Figure 1, select Use This Certificate if an EFS certificate already exists (Windows 7 automatically generates a certificate the first time a user encrypts a file: one issued by an enterprise CA if the domain provides one, otherwise a self-signed certificate) and you want to back it up. To select a different certificate than the default, click Select Certificate. If you want to generate a certificate manually, select Create A New Certificate.

    Figure 1. Using the Encrypting File System Wizard to back up EFS certificates

  6. If you are creating a new certificate, the Which Type Of Certificate Do You Want To Create? page appears. If you want to use a smart card to store the certificate, insert your smart card and select A Self-Signed Certificate Stored On My Smart Card. If your domain has an enterprise CA available, select A Certificate Issued By My Domain’s Certification Authority. Otherwise, leave the default setting and click Next.
  7. On the Back Up The Certificate And Key page, click Browse to select an unencrypted folder in which to save the certificate. For best results, you should save it to removable media that will be stored securely. Then, type your password into the Password and Confirm Password boxes; the wizard writes the certificate and its private key to a .pfx file protected by this password, so choose a strong one. Click Next.
  8. If the Update Your Previously Encrypted Files page appears, it means some files were encrypted with a different key than the one you selected. To avoid problems decrypting files in the future, you should always update encrypted files. Select the All Logical Drives check box, and then click Next. The Encrypting File System Wizard updates the keys associated with all encrypted files. This might take a few minutes, or it might take several hours, depending on how many files need to be updated. The Encrypting File System Wizard then backs up your key and saves it to the specified file. Keep this file safe.
  9. On the last page, click Close.

To restore an EFS certificate, double-click the exported .pfx file, and then follow the steps in the Certificate Import Wizard, which asks for the password you set when exporting. For step-by-step instructions, read Exercise 3 at the end of this lesson.

As an alternative to using Control Panel, you can back up EFS certificates in Windows Explorer by performing these steps:

  1. Open Windows Explorer and select a file that you have encrypted. You must select a file, not a folder: the Details button used in step 4 is available only for encrypted files.
  2. Right-click the file and then select Properties.
  3. On the General tab, click Advanced.
  4. In the Advanced Attributes dialog box, click Details to open the User Access dialog box.
  5. Select your user name and then click Back Up Keys to open the Certificate Export Wizard.
  6. Click Next. On the Export File Format page, keep the Personal Information Exchange (.PFX) format selected; this is the format that includes the private key.
  7. Click Next and enter a password to protect the key. Repeat the entry and then click Next.
  8. Enter a path and file name to save the file to or browse for a path. Click Next.
  9. Click Finish to export the certificate, and then click OK to confirm that it was saved successfully.

Anyone who obtains the exported .pfx file and knows its password can decrypt that user's files. Therefore, it is extremely important to keep the backup secure and to store its password separately from the file.
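The two backup procedures above and the restore step, as an added PowerShell example that is not code from the original article or from Windows itself. It locates the certificate EFS is currently using, exports it with its private key to a password-protected .pfx, refuses a destination folder that is itself EFS-encrypted (the case the wizard warns about), verifies the file can be read back with the password, and provides a matching import function for restoring on another computer. $Dest, the user name and the registry location of EFS's current-key pointer are assumptions spelled out in the comments.

```powershell
# Added example, not from the original article. Export, verify and restore an
# EFS certificate backup. $Dest is an assumed path; use removable media in practice.
$EfsEku = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID that marks an EFS certificate

function Get-CurrentEfsCertificate {
    # EFS records the SHA-1 thumbprint of the key it currently uses in the user's
    # hive (assumed location; set after the first file is encrypted).
    $key  = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys'
    $hash = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).CertificateHash
    if ($hash) {
        $thumb = ($hash | ForEach-Object { $_.ToString('X2') }) -join ''
        $cert  = Get-Item -Path "Cert:\CurrentUser\My\$thumb" -ErrorAction SilentlyContinue
        if ($cert) { return $cert }
    }
    # Fallback: newest certificate in the personal store that carries the EFS EKU
    # and whose private key is present.
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object {
            $_.HasPrivateKey -and
            ($_.Extensions | Where-Object {
                $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] -and
                $_.EnhancedKeyUsages[$EfsEku] -ne $null })
        } |
        Sort-Object -Property NotAfter -Descending | Select-Object -First 1
}

function Backup-EfsCertificate {
    param([string]$Path, [System.Security.SecureString]$Password)

    $cert = Get-CurrentEfsCertificate
    if (-not $cert) { throw 'No EFS certificate with a private key found; encrypt a file first.' }

    $dir = New-Item -ItemType Directory -Path (Split-Path -Parent $Path) -Force
    # A backup written into an EFS-encrypted folder is unreadable without the very
    # key it is meant to protect, so refuse such a destination.
    $encAttr = [System.IO.FileAttributes]::Encrypted
    if (($dir.Attributes -band $encAttr) -eq $encAttr) {
        throw "Destination $($dir.FullName) is itself EFS-encrypted; choose an unencrypted folder."
    }

    # PFX (PKCS #12) is the only export format that carries the private key.
    $pfx = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx
    [System.IO.File]::WriteAllBytes($Path, $cert.Export($pfx, $Password))

    # Verify: reload the file with the password and confirm the key came along.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
    $check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $check.Import($Path, $Password, $flags)
    if ($check.Thumbprint -ne $cert.Thumbprint -or -not $check.HasPrivateKey) {
        Remove-Item -Path $Path
        throw 'Backup verification failed; file removed.'
    }
    $cert
}

function Restore-EfsCertificate {
    param([string]$Path, [System.Security.SecureString]$Password)
    # Same effect as the Certificate Import Wizard: import the .pfx into the
    # user's personal store and persist the private key so EFS can use it.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags] 'UserKeySet, PersistKeySet'
    $cert  = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
                        -ArgumentList $Path, $Password, $flags
    $store = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store `
                        -ArgumentList 'My', 'CurrentUser'
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    $store.Add($cert)
    $store.Close()
    $cert
}

# Usage (assumed path and user):
$Dest        = 'E:\efs-backup\alice-efs.pfx'
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password to protect the .pfx'
$c = Backup-EfsCertificate -Path $Dest -Password $pfxPassword
"Backed up EFS certificate $($c.Thumbprint), valid until $($c.NotAfter), to $Dest"
# On another computer, or after a profile loss:
# Restore-EfsCertificate -Path $Dest -Password (Read-Host -AsSecureString -Prompt 'PFX password')
```

Two points a practitioner should keep in mind: the .cer format that the Certificate Export Wizard also offers contains the public certificate only and cannot decrypt anything, which is why the script exports PFX unconditionally; and after restoring a certificate on a new computer, files encrypted with an older key still need the Update Your Previously Encrypted Files step (or `cipher /u`) before they can be opened with a newer one.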

Windows 7 : Encrypting File System (part 2) – How to Grant an Additional User Access to an EFS-encrypted File , How to Import Personal Certificates

Windows 7 : Encrypting File System (part 3) – How to Recover to an EFS-encrypted File Using a Data Recovery Agent