What is Encrypting File System (EFS)?
The Encrypting File System (EFS) is a file system driver that provides file system-level encryption in Microsoft Windows operating systems. It is available in all versions of Windows later than Windows 2000 except Windows XP Home Edition, and the Starter, Basic, and Home Premium editions of Windows Vista and Windows 7. Implementations for Linux and IBM AIX (6.1 and later) operating systems are also available. The technology enables files to be transparently encrypted on NTFS file systems to protect confidential data from attackers with physical access to the computer.
What does Encrypting File System (EFS) do?
User authentication and access control lists can protect files from unauthorized access while the operating system is running, but are easily circumvented if an attacker gains physical access to the computer. One solution is to store the files encrypted on the disks of the computer. EFS does this using public key cryptography, and aims to ensure that decrypting the files is extremely difficult without the correct key. However, EFS is in practice susceptible to brute-force attacks against the user account passwords. In other words, encryption of files is only as strong as the password to unlock the decryption key.
How to Encrypt a File with Encrypting File System (EFS)?
You can encrypt files only on volumes that are formatted with the NTFS file system. To encrypt a file:
Click Start, point to All Programs, point to Accessories, and then click Windows Explorer.
Locate the file that you want, right-click the file, and then click Properties.
On the General tab, click Advanced.
Under Compress or Encrypt attributes, select the Encrypt contents to secure data check box, and then click OK. Click OK. If the file is located in an unencrypted folder, you receive an Encryption Warning dialog box.
Use one of the following steps:
If you want to encrypt only the file, click Encrypt the file only, and then click OK.
If you want to encrypt the file and the folder in which it is located, click Encrypt the file and the parent folder, and then click OK.
If another user attempts to open an encrypted file, that user is unable to do so. For example, if another user attempts to open an encrypted Microsoft Word document, that user receives a message similar to:
Word cannot open the document: username does not have access privileges
If another user attempts to copy or move an encrypted document to another location on the hard disk, the following message appears:
Error Copying File or Folder
Cannot copy filename: Access is denied.
Make sure the disk is not full or write-protected and that the file is not currently in use.
- You cannot encrypt files or folders on a volume that uses the FAT file system.You must store the files or folders that you want to encrypt on NTFS volumes.
- You cannot store encrypted files or folders on a remote server that is not trusted for delegation.To resolve this issue, configure the remote server as being trusted for delegation. To do this:
- Log on to a domain controller with an account with administrator privileges.
- Start the Active Directory Users and Computers snap-in.
- In the left pane, expand the domain container. Locate the server you want, right-click it, and then click Properties.
- On the General tab, select the Trust computer for delegation check box (if it is not already selected). Click OK to respond to the “Active Directory” message that appears.
- Click OK, and then quit Active Directory Users and Computers.
- You cannot gain access to encrypted files from Macintosh client computers.
You cannot open documents that were stored by others in an encrypted folder that you created.
Remember to backup the encrypting key to other secure place, otherwise, you cannot open the encrypted files after your reinstall Windows or restored the operating system.