EFS encryption isn't as secure as other encryption methods, like BitLocker, because the key that unlocks the encryption is saved locally. There's also a chance that data can leak into temporary files since the entire drive is not encrypted. Still, EFS is a quick and easy way to protect individual files and folders on a PC that's shared amongst several users. Encrypting with EFS doesn't take long — let's take a look at how it's done. What you'll need before you begin EFS is only available on Pro, Enterprise, and Education versions of Windows 10.
Nov 1, 2018 - Software and ways to encrypt files or folders in Windows 10. But before we show you how to encrypt your files with EFS, we have to warn you. Aug 21, 2016 - How To Enable/ Disable Windows Encrypting File System (EFS) Feature. The Encrypting File System (EFS) feature is available in almost all currently. How to Fix Can't connect to this network on Windows 10 Computer.
If you're using Windows 10 Home, you're out of luck. You also need to be using a password with your user account, preferably strong and difficult to crack. Once you've encrypted a file or folder, Windows will automatically remind you that you should create a backup key in case you run into a problem where you can no longer log into your user account that's tied to the encrypted files. This requires some sort of removable media. In our case, we use a USB thumb drive. How to enable EFS on Windows 10 Have a file or folder in mind for encryption? Here's how to enable EFS.
Launch File Explorer from your Start menu, desktop, or taskbar. Right-click a file or folder. Click Properties. Click Advanced. Click the checkbox next to Encrypt contents to secure data. Click Apply. A window will pop up asking you whether or not you want to only encrypt the selected folder, or the folder, subfolders, and files.
Click either Apply changes to this folder only or Apply changes to this folder, subfolders, and files. Files that you've encrypted with EFS will have a small padlock icon in the top-right corner of the thumbnail or icon. How to back up your EFS encryption key After enabling EFS, a small icon will appear in the system tray in the bottom-right corner of your screen.
This is your reminder to back up your EFS encryption key. Plug your USB drive into your PC. Click the EFS icon in the system tray. Click Back up now (recommended). Click Next. Click Next. Click the checkbox next to Password.
Type a password in the first Password field. Type the same password in the Confirm password field. Click Next. Click Browse. Click the USB drive. Click the File name field. Type a filename.
Click Save. Click Next. Click Finish. If you ever lose access to your user account, the backup key can be used to access the encrypted files on the PC.
More encryption resources.
Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. 5 minutes to read. Contributors.
In this article Applies to:. Windows 10, version 1607 and later.
Windows 10 Mobile, version 1607 and later If you don’t already have an EFS DRA certificate, you’ll need to create and extract one from your system before you can use Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your organization. For the purposes of this section, we’ll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you. The recovery process included in this topic only works for desktop devices. WIP deletes the data on Windows 10 Mobile devices.
Important If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to deploy DRA certificates, see the article on TechNet. For more general info about EFS protection, see.
If your DRA certificate has expired, you won’t be able to encrypt your files with it. To fix this, you'll need to create a new certificate, using the steps in this topic, and then deploy it through policy. Manually create an EFS DRA certificate. On a computer without an EFS DRA certificate installed, open a command prompt with elevated rights, and then navigate to where you want to store the certificate.
Run this command: cipher /r: EFSRA Where EFSRA is the name of the.cer and.pfx files that you want to create. When prompted, type and confirm a password to help protect your new Personal Information Exchange (.pfx) file. The EFSDRA.cer and EFSDRA.pfx files are created in the location you specified in Step 1.
Important Because the private keys in your DRA.pfx files can be used to decrypt any WIP file, you must protect them accordingly. We highly recommend storing these files offline, keeping copies on a smart card with strong protection for normal use and master copies in a secured physical location. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as. Verify your data recovery certificate is correctly set up on a WIP client computer. Find or create a file that's encrypted using Windows Information Protection. For example, you could open an app on your allowed app list, and then create and save a file so it’s encrypted by WIP.
Open an app on your protected app list, and then create and save a file so that it’s encrypted by WIP. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command: cipher /c filename Where filename is the name of the file you created in Step 1.
Make sure that your data recovery certificate is listed in the Recovery Certificates list. Recover your data using the EFS DRA certificate in a test environment. Copy your WIP-encrypted file to a location where you have admin access. Install the EFSDRA.pfx file, using its password. Open a command prompt with elevated rights, navigate to the encrypted file, and then run this command: cipher /d encryptedfile.extension Where encryptedfile.extension is the name of your encrypted file. For example, corporatedata.docx.
Recover WIP-protected after unenrollment It's possible that you might revoke data from an unenrolled device only to later want to restore it all. This can happen in the case of a missing device being returned or if an unenrolled employee enrolls again. If the employee enrolls again using the original user profile, and the revoked key store is still on the device, all of the revoked data can be restored at once. Important To maintain control over your enterprise data, and to be able to revoke again in the future, you must only perform this process after the employee has re-enrolled the device.
Have the employee sign in to the unenrolled device, open an elevated command prompt, and type: Robocopy '%localappdata% Microsoft EDP Recovery' ' newlocation'. /EFSRAW Where ' newlocation' is in a different directory.
This can be on the employee’s device or on a shared folder on a computer that runs Windows 8 or Windows Server 2012 or newer and can be accessed while you're logged in as a data recovery agent. To start Robocopy in S mode, open Task Manager.
Click File Run new task, type the command, and click Create this task with administrative privileges. If the employee performed a clean installation and there is no user profile, you need to recover the keys from the System Volume folder in each drive. Type: Robocopy ' driveletter: System Volume Information EDP Recovery' ' newlocation'. /EFSRAW. Sign in to a different device with administrator credentials that have access to your organization's DRA certificate, and perform the file decryption and recovery by typing: cipher.exe /D ' newlocation'. Have your employee sign in to the unenrolled device, and type: Robocopy ' newlocation' '%localappdata% Microsoft EDP Recovery Input'. Ask the employee to lock and unlock the device.
The Windows Credential service automatically recovers the employee’s previously revoked keys from the Recovery Input location. Auto-recovery of encryption keys Starting with Windows 10, version 1709, WIP includes a data recovery feature that lets your employees auto-recover access to work files if the encryption key is lost and the files are no longer accessible.
This typically happens if an employee reimages the operating system partition, removing the WIP key info, or if a device is reported as lost and you mistakenly target the wrong device for unenrollment. To help make sure employees can always access files, WIP creates an auto-recovery key that’s backed up to their Azure Active Directory (Azure AD) identity. The employee experience is based on sign in with an Azure AD work account. The employee can either:. Add a work account through the Windows Settings Accounts Access work or school Connect menu.OR-. Open Windows Settings Accounts Access work or school Connect and choose the Join this device to Azure Active Directory link, under Alternate actions. Note To perform an Azure AD Domain Join from the Settings page, the employee must have administrator privileges to the device.
After signing in, the necessary WIP key info is automatically downloaded and employees are able to access the files again. To test what the employee sees during the WIP key recovery process. Attempt to open a work file on an unenrolled device. The Connect to Work to access work files box appears. Click Connect. The Access work or school settings page appears.
Sign-in to Azure AD as the employee and verify that the files now open Related topics.