Using Windows EFS (Encrypted File System)

computer security and data protection


If you're still rocking Microsoft Windows XP, it comes with the ability to securely encrypt your data so that nobody but you will be able to access or view the files. This encryption is called EFS, or Encrypted File System.

Windows XP Home edition does not come with EFS. To protect data with encryption on Windows XP Home, you will need to use third-party encryption software.

Protecting Data With EFS

To encrypt a file or folder, follow these steps:

  1. Right-click the file or folder
  2. Select Properties
  3. Click the Advanced button under the Attributes section
  4. Check the box next to "Encrypt contents to secure data"
  5. Click OK
  6. Click OK again on the file/folder Properties box
  7. An Encryption Warning dialogue box will appear. The message will vary depending on whether you are trying to encrypt just a file or an entire folder:
    1. For a file, the message will provide two choices:
      1. Encrypt the file and the parent folder
      2. Encrypt the file only
      Note: There is also a checkbox to always encrypt only the file for all future file encryption actions. If you check this box, this message box will not appear for future file encryptions. Unless you are sure of that choice, however, I recommend you leave this box unchecked.
    2. For a folder, the message will provide two choices:
      1. Apply changes to this folder only
      2. Apply changes to this folder, subfolders, and files
  8. After making your selection, click OK and you are done.

If you later wish to decrypt the file so that others may access and view it, follow the same first three steps from above and then uncheck the box next to "Encrypt contents to secure data". Click OK to close the Advanced Attributes box and OK again to close the Properties box, and the file will again be unencrypted.

Backing Up Your EFS Key

Once a file or folder is encrypted with EFS, only the private EFS key of the user account that encrypted it will be able to decrypt it. If something happens to the computer system and the encryption certificate or key is lost, the data will be irrecoverable.

To ensure your continued access to your own encrypted files, you should perform the following steps to export the EFS certificate and private key and store them on a floppy disk, CD or DVD for future reference.

  1. Click Start
  2. Click Run
  3. Enter 'mmc.exe' and click OK
  4. Click File, then Add/Remove Snap-in
  5. Click Add
  6. Select Certificates and click Add
  7. Leave selection on 'My user account' and click Finish
  8. Click Close
  9. Click OK
  10. Select Certificates - Current User in the left-hand pane of the MMC console
  11. Select Personal
  12. Select Certificates. Your personal certificate information should appear in the right-hand pane of the MMC console
  13. Right-click on your certificate and select All Tasks
  14. Click Export
  15. On the Welcome screen, click Next
  16. Select 'Yes, export the private key' and click Next
  17. Leave the defaults on the Export File Format screen and click Next
  18. Enter a strong password, then re-enter it in the Confirm Password box, then click Next
  19. Enter a name to save your EFS certificate export file and browse to choose a destination folder to save it in, then click Save
  20. Click Next
  21. Click Finish

Make sure you copy the export file to a floppy disk, CD or other removable media and store it in a safe place away from the computer system the encrypted files are on.
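
The two procedures above (encrypting a folder and backing up the EFS key) can also be done from a command prompt with the built-in cipher.exe tool. The batch file below is an added example, not part of the original article; the script name and both path arguments are placeholders, and it assumes Windows XP Professional, an NTFS volume, and English-language cipher output.

```bat
@echo off
rem Added example (not from the original article): cipher.exe equivalent of the steps above.
rem Usage: efs-protect.cmd "C:\path\to\folder" "A:\efs-backup"   (both paths are placeholders)
setlocal
if "%~1"=="" goto usage
if "%~2"=="" goto usage
set "TARGET=%~1"
set "BACKUP=%~2"
if not exist "%TARGET%\" goto notfound

rem Same effect as "Apply changes to this folder, subfolders, and files":
rem /e encrypts, /a includes files as well as folders, /s: recurses.
cipher /e /a /s:"%TARGET%"

rem Back up the current user's EFS certificate and private key to "%BACKUP%.pfx".
rem cipher prompts for the password that protects the file; choose a strong one.
cipher /x "%BACKUP%"
if not exist "%BACKUP%.pfx" goto nobackup

rem List the resulting state and collect entries still marked U (unencrypted).
rem Assumption: status lines start with "E " or "U " in column one.
cipher /s:"%TARGET%" | findstr /b /c:"U " > "%TEMP%\efs-unencrypted.txt"
if not errorlevel 1 goto leftovers
del "%TEMP%\efs-unencrypted.txt"
echo All entries encrypted. Key backup: "%BACKUP%.pfx". Store it away from this computer.
exit /b 0

:leftovers
echo Key backup written, but these entries are still unencrypted:
type "%TEMP%\efs-unencrypted.txt"
del "%TEMP%\efs-unencrypted.txt"
exit /b 2

:nobackup
echo No .pfx file was created; the EFS key is NOT backed up.
exit /b 3

:notfound
echo Folder not found: "%TARGET%"
exit /b 1

:usage
echo Usage: %~nx0 "folder-to-encrypt" "backup-path-without-extension"
exit /b 1
```

Files that are open in another program when the script runs are a common reason for entries to remain marked U; close them and run the script again.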