Using Windows EFS (Encrypted File System)



If you're still rocking Microsoft Windows XP, it comes with the ability to securely encrypt your data so that nobody but you will be able to access or view the files. This encryption is called EFS, or Encrypted File System.

Windows XP Home edition does not come with EFS. To protect data with encryption on Windows XP Home, you will need to use third-party encryption software.

Protecting Data With EFS

To encrypt a file or folder, follow these steps:

  1. Right-click the file or folder.
  2. Select Properties.
  3. Click the Advanced button under the Attributes section.
  4. Check the box next to "Encrypt contents to secure data."
  5. Click OK.
  6. Click OK again on the file/folder Properties box.
  7. An Encryption Warning dialogue box will appear. The message will vary depending on whether you are trying to encrypt just a file or an entire folder:
    1. For a file, the message will provide two choices:
      1. Encrypt the file and the parent folder.
      2. Encrypt the file only.
      Note: There is also a checkbox to always encrypt only the file for all future file encryption actions. If you check this box, this message box will not appear for future file encryptions. Unless you are sure of that choice, however, we recommend you leave this box unchecked.
    2. For a folder, the message will provide two choices:
      1. Apply changes to this folder only.
      2. Apply changes to this folder, subfolders, and files.
  8. After making your selection, click OK and you are done.

If you later wish to decrypt the file so that others may access and view it, follow the same first three steps from above and then uncheck the box next to "Encrypt contents to secure data". Click OK to close the Advanced Attributes box and OK again to close the Properties box, and the file will be decrypted.

Backing up Your EFS Key

Once a file or folder is encrypted with EFS, only the private EFS key of the user account that encrypted it will be able to decrypt it. If something happens to the computer system and the encryption certificate or key is lost, the data will be irrecoverable.

To ensure your continued access to your own encrypted files, you should perform the following steps to export the EFS certificate and private key and store them on a floppy disk, CD or DVD for future reference.

  1. Click Start.
  2. Click Run.
  3. Enter 'mmc.exe' and click OK.
  4. Click File, then Add/Remove Snap-in.
  5. Click Add.
  6. Select Certificates and click Add.
  7. Leave selection on 'My user account' and click Finish.
  8. Click Close.
  9. Click OK.
  10. Select Certificates - Current User in the left-hand pane of the MMC console.
  11. Select Personal.
  12. Select Certificates. Your personal certificate information should appear in the right-hand pane of the MMC console.
  13. Right-click on your certificate and select All Tasks.
  14. Click Export.
  15. On the Welcome screen, click Next.
  16. Select 'Yes, export the private key' and click Next.
  17. Leave the defaults on the Export File Format screen and click Next.
  18. Enter a strong password, then re-enter it in the Confirm Password box, then click Next.
  19. Enter a name to save your EFS certificate export file and browse to choose a destination folder to save it in, then click Save.
  20. Click Next.
  21. Click Finish.

Make sure you copy the export file to a floppy disk, CD or other removable media and store it in a safe place away from the computer system the encrypted files are on.
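
To confirm that the export file from the steps above is usable before you rely on it, the following PowerShell script (an added example, not part of the original article) checks that the file opens with its password, contains the private key, and matches an EFS certificate in your Personal store. It assumes PowerShell is installed, which Windows XP does not include by default; the path E:\efs-backup.pfx and the helper name Test-EfsUsage are hypothetical.

```powershell
# Added example: check that an exported EFS backup (.pfx) is usable.
# The default path is hypothetical; pass the file saved in step 19 instead.
param([string]$PfxPath = 'E:\efs-backup.pfx')

$EfsOid = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System enhanced key usage OID

# Hypothetical helper: true when the certificate's Enhanced Key Usage lists EFS.
function Test-EfsUsage($Cert) {
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $EfsOid) { return $true }
            }
        }
    }
    return $false
}

# 1. EFS certificates under Certificates - Current User > Personal (steps 10-12).
$storeCerts = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object { Test-EfsUsage $_ })
if ($storeCerts.Count -eq 0) { throw 'No EFS certificate found in the Personal store.' }

# 2. Open the export with the password from step 18; a wrong password throws here.
$password = Read-Host 'Export password' -AsSecureString
$pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $PfxPath, $password

# 3. The backup must carry the private key (step 16), or it cannot decrypt anything.
if (-not $pfx.HasPrivateKey) {
    throw 'Backup holds no private key; repeat the export with "Yes, export the private key".'
}

# 4. The backup must be one of the EFS certificates in the store.
$match = @($storeCerts | Where-Object { $_.Thumbprint -eq $pfx.Thumbprint })
if ($match.Count -eq 0) {
    throw "Certificate $($pfx.Thumbprint) in the backup is not an EFS certificate from the Personal store."
}

Write-Host "Backup OK: $($pfx.Subject)"
Write-Host "Thumbprint: $($pfx.Thumbprint)  Expires: $($pfx.NotAfter)"
```

Run it as the same user account that encrypted the files, since it reads that account's Personal store.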