The Complete EFS (Encrypted File System) Tutorial

NTFS5, the native file system used by Windows XP has a very cool feature called EFS, or Encrypted File System. EFS is an invisible file encryption method that is built directly into the file system. This provides an extra layer of protection for keeping your folders private.

This guide will explain what it is and how to use it effectively. Please note that the EFS features have been removed from Windows XP Home Edition. “Removed?” You ask. Yes, removed, as I said earlier EFS is built into NTFS (NT File System), the ability to enable it has been removed from XP Home Edition.

So what operating system have this feature? Any Microsoft operating system 2000 or newer has this feature. However, only the Professional and Server releases have it enabled. So here’s the list as it stands at the time of this writing.

Windows 2000 Pro or Server, Windows XP 32-bit Pro, Windows XP 64-bit Pro, and Windows Server 2003. I’m not sure, but I assume the same rule will apply to Windows Vista releases.

So the techies might be asking, “How can they remove EFS if it’s native to the file system?” The answer, the Home and Pro versions use different NTFS drivers.

Encrypting a File or Folder with EFS

  1. Browse to a file or folder in either My Computer or Explorer, right-click and choose Properties…
  2. Click the Advanced… button
  3. Put a checkmark in the box that says “Encrypt contents to secure data” and click OK
  4. Click OK to close the Properties dialog.
  5. If you are changing a folder that already contains files, you will recieve a confirmation dialog. Click OK

The process for removing the EFS attributes is just the opposite the the above. Follow the same procedure and remove the checkmark we just added.

Okay, so now we know how to do it, but how does EFS work? Well, I’m going to be as basic as possible in my approach. I’m not about to begin trying to explain encryption in this single post.

Basically, your computer creates a sort of password hash using your user information and then applies it to an algorithm and encodes your files. In basic english, that means that without being logged on with your user ID and password, the computer literally cannot read the file’s contents. You might compare it to trying to read an Arabic newspaper. (That, of course, assuming you can’t read Arabic.)

By default EFS uses DESX (56-bit) in Windows 2000 and DESX (128-bit) in Windows XP. Windows XP SP1 and higher use AES (256-bit) by default. Optionally 3DES (168-bit) in Windows XP and Windows 2003 (and Windows 2000 with High Encryption Pack) may be used. All of these algorithms make use of a random cipher key so they present a fairly strong encryption. Your average joe is not going to crack this thing in any reasonable amount of time, especially if you use a strong Windows password. Also note that 3DES complies with Federal Information Processing Standards (FIPS 140-1 Level 1) and is significantly stronger than the default DESX encryption. You have to enable the use of 3DES. I’ll show you that later in this article.

Now we have a basic understanding of what it does and how to do it, but is there anything else we should know. Well, yes. Let’s suppose you reload Windows and can’t log on with the user that originally encrypted the files. (Even recreating a user with the same name will not work.) You won’t be able to view the files because your current user won’t be able to decrypt them. That’s could make for a big nightmare.

Luckily, Windows provides a way for us to backup our EFS information to prevent this from happening. The backup that is created can be used to grant any user (current or future) access to the files by using a created floppy disk. Don’t worry, not anyone who finds this floppy disk can use it. The backup procedure will setup the floppy so that it requires a password to use it. (I knew what you were thinking…)

Without wasting any more time, here’s how to create the backup.

Backing Up Your EFS Key – Method 1

  1. Click the Start button and choose Run…
  2. Type mmc and click OK.
  3. On the File menu, choose Add/Remove Snap-in and then click Add.
  4. Under Available Standalone Snap-ins, click Certificates, and then click Add.
  5. On the Certificates snap-in dialog, select My user account and then click Finish.
  6. Click Close and OK to finish installing the new snap-in.
  7. In the left pane of the console window you will see a new heading has been created on the tree display. Click the plus sign next to Certificates – Current User to expand it.
  8. Next expand Personal and then expand Certificates.
  9. In the right pane, select the entry that says File Recovery in the Intended Use column.
  10. Right-click the certificate you just found and point to All Tasks and then click Export to start the Certificate Export Wizard.
  11. Click Next.
  12. Select Yes, export the private key and click Next.
  13. Select Personal Information Exchange – PKCS #12 (.PFX) and also select Enable strong protection and then click Next to continue.
  14. Specify a password. (Note: this is the password that will be required to reinstall you backup. Make sure to pick a strong password that you will remember. I recommend choosing a password that is different from your Windows Login password.)
  15. Specify a filename and location to save the exported key. I recommend using your Windows user name for the filename and saving it to a removable storage device such as a floppy disk or USB thumb drive. You may also burn the file to a CD.
  16. Verify the settings and then click Finish.

In the future you will not have to add the Certificates snap-in. Instead you will be able to start at step 7.

Backing Up Your EFS Key – Method 2

  1. Start Microsoft Internet Explorer.
  2. On the Tools menu, click Internet Options.
  3. On the Content tab, in the Certificates section, click Certificates.
  4. Click the Personal tab.
  5. Select one certificate at a time until the Certificate Intended Purposes field shows Encrypting File System. This is the certificate that was generated when you encrypted your first folder.
  6. Click Export to start the Certificate Export Wizard, and then click Next.
  7. Click Yes, export the private key to export the private key, and then click Next.
  8. Click Enable Strong protection, and then click Next.
  9. Type your password. (I recommend not using your Windows password.)
  10. Specify the path where you want to save the key. You can save the key to a floppy disk, another location on the hard disk, or a CD. If the hard disk fails or is reformatted, the key and the backup will be lost. (If you back up the key to a floppy disk or CD, you must store that disk or CD in a secure location.)
  11. Specify the destination, and then click Next.

Windows 2003 user have the option to backup using a button on the Details page under Advanced Properties when encrypting a file.

As I said, Windows XP Pro and higher give the option to use the stronger 3DES algorithm, however, it is not installed by default.

Enabling Advanced Encryption By Using 3DES

  1. Click the Start button and choose Run…
  2. Type gpedit.msc and click OK to start the Group Policy Editor.
  3. In the left pane navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
  4. Open the System Cryptography: Use FIPS compliant algorithms for encryption object. (Note that this settings applies to EFS and IPSec)
  5. Select enabled and click OK

Once 3DES is enabled, you will still be able to open files that were encrypted with DESX. So you can enable this option at any time.

Allowing Multiple User Access to Protected Files
You may find that you want to share an encrypted resource. Note that you cannot share an EFS encrypted folder. You must allow access on a per file basis.

  1. Right-click the file and choose Properties…
  2. Click Advanced and then click Details
  3. Click the Add button to allow users.

“But I’ve disabled share-level access to my files and allow access only to the users that I want. What good will EFS do me?”

Okay, the permissions here rely on ACL’s or Access Control Lists. ACL’s are extremely effective, but the problem here is that they are completely useless outside of the Windows environment. In other words, if someone connects your computer (or connects your hard drive to a computer) running a different operating system such as Linux your ACL’s don’t mean a thing. They’ll be browsing through your files like they weren’t even there.

“I don’t have anything to hide. Why waste my time?”

EFS is just an added bonus feature for the home PC owner. And since it works by itself in the background, it doesn’t require any extra effort to use it. Besides, a little extra security never hurt anyone.


Like the read? Share it!

Leave a Reply


Wanna say hello?
Drop us a line!

You'll find us here

1 Microsoft Way,
WA 98052, United States