In Windows, what is the Encrypting File System, and how can I use it to protect sensitive data?

The Encrypting File System (EFS) is a component of the NTFS file system on Windows 2000, Windows XP Professional, and Windows Server 2003; it allows you to encrypt files stored on your local computer or on a Windows 2000 or 2003 server. The encryption and decryption process requires either a private key stored in your profile, or a master recovery key stored by a designated "recovery agent"; for more on the master recovery key, see At IU, how can I recover Windows encrypted files without a private key? The private key is protected with your passphrase; without access to the master recovery key, therefore, anyone who gains access to the EFS encrypted file would need to know your passphrase to turn the encrypted data into usable information.

To encrypt a file or folder:

1. From the Start menu, select Programs or All Programs, then Accessories, and then Windows Explorer.
   
   
2. Right-click the file or folder you want to encrypt, and then click Properties.
   
   
3. On the General tab, click Advanced.
   
   
4. Check Encrypt contents to secure data.
   
   
   • If you have chosen to encrypt a single file, you can also encrypt the folder that contains it. In the Encryption Warning window, select Encrypt the file and the parent folder. All files created in the encrypted folder will now be automatically encrypted.
     
     
   • If you encrypt a folder instead of a single file, you can encrypt all the contents of the folder as well. Select Apply changes to this folder, subfolders and files.

To decrypt a file or folder, follow the instructions below.

1. From the Start menu, select Programs or All Programs, then Accessories, and then Windows Explorer.
   
   
2. Right-click the file or folder you want to decrypt, and then click Properties.
   
   
3. On the General tab, click Advanced.
   
   
4. Clear the Encrypt contents to secure data checkbox.

When you decrypt a folder, you must decide whether to decrypt the folder only or to decrypt the folder and all files and subfolders contained within it. If you choose to decrypt the folder only, the files and subfolders within the folder remain encrypted. However, when you add new files and subfolders to the folder, they will not be automatically encrypted.

This information was adapted from the Microsoft article Help keep your data safe.

Also see:

• Best practices for computer security