The name conjures images of Jack Bauer and Chloe O’Brian from 24. I can picture Chloe huddled over her laptop in an unmarked windowless van, typing esoteric commands into a black terminal screen while Jack is stalking a special agent in an abandoned warehouse. Chloe just hacked into the closed circuit security camera network and is giving Jack real-time commands to bypass thugs with guns.
24 is the quintessential TV show and I seriously hope they make it into a movie.
This guide won’t give you the deft skills of Jack Bauer but it’ll certainly make your files and folders more secure. Keep reading to see how easy it is to encrypt files and folders without installing any additional software.
I’m going to show you why it makes sense to encrypt your files with the Encrypting File System (EFS). Then I’ll explain some arguments against EFS and finally I’ll close with a quick tutorial on how to start encrypting stuff with it.
As always the tutorial is replete with screenshots so you really don’t even need to read anything.
If you need to encrypt something in a hurry, just scroll through the screenshots and you’ll get going in less than a minute. I understand that your time is valuable and not everyone can wade through reams of text. I wouldn’t want anyone to waste my time so I certainly won’t waste yours!
Okay, enough with my prolix prelude, let’s get down to business:
Why you should encrypt your stuff
Let’s say you lose your computer.
No wait, that’s not interesting enough.
Let’s say someone breaks into your home and steals your computer. You come home from work one day and your house has been ransacked. Everything is in disarray.
Your family pictures are scattered across the floor, dresser drawers are open with clothes flung all over the place and every cabinet in your kitchen is open.
There’s shattered porcelain in the foyer and assorted accouterments sprawled out in the living room. In dismay, you walk into your bedroom and are aghast when you see the mattress overturned and shards of glass peppered on the floor.
It’s a disaster and you’re so overwhelmed with emotion you can barely speak.
You feel angry.
But you also feel shocked.
Confused and surreal.
How could this happen to me?
And then you walk into the mini-office and see your laptop is missing!
But that’s a problem. That’s a big problem because the financial records from your small business were stored on the hard drive. Also digital copies of your medical records were there along with various account numbers, passwords and credit cards.
But then you experience a spontaneous moment of relief:
I use a pretty long password so my documents are good right? It would take someone a long time to crack it so am I safe?
And to that I reply:
Did you use encryption?
Here are the cold hard facts: A strong user account password doesn’t preclude the possibility of data theft.
Just because you took the time to carefully create a password that uses numbers, capital letters and even a few symbols, doesn’t mean I couldn’t view the data on your hard drive.
Think about it.
Let’s say I stole your computer, ripped out the hard drive and installed it in my computer as a secondary disk. Now when I boot into the operating system I can easily view everything on the disk without ever entering a password.
Another way to render your password useless would be to boot your stolen computer from something like a Linux Live CD. Thus, there is a need to secure your hard drive with something stronger than just a user account password.
How do we circumvent this intractable problem?
… and that’s when Mr Encryption steps on to the stage, takes a bow and says in a bold orotund voice:
I’ll take care of you
Encryption is the way to go
Encryption has actually been available in Windows all the way back to the stone ages of Windows 2000. In fact, almost every Pro version of Windows has the encrypting file system in some form. For example, Windows XP Pro, Windows Vista Business, Windows 7 Pro, Windows 8 Pro and Windows 8.1 Pro all have EFS built in.
The advantage of EFS is that it’s now super easy to encrypt almost any data you want. In addition, encryption and decryption happen at a layer below the file system so they happen transparently without bothering you.
EFS files are inaccessible from outside the file system. So mounting the stolen drive as a secondary volume or attempting to view it from a Linux Live CD is futile.
On the flip side, the encryption is only as strong as your login password, so if your computer account password is something silly such as password123 or love123 then when someone cracks it (in zero seconds) they’ll obviously gain access to all your files.
The other thing to note is that with EFS inaccessibility isn’t the same thing as invisibility.
In other words, just because no one can read or write to your files doesn’t mean they can’t see that the file is there. EFS doesn’t make stuff invisible to other users logged in to the computer but it does prevent people from opening them. Not even other Administrator accounts can access EFS files.
Here’s how to get started:
Encrypting with EFS
Press the Windows Logo key + E to open Explorer, then right-click the folder containing the stuff you want to encrypt.
Choose Properties from the context menu.
Hit the Advanced… button in the lower right corner of the General tab.
In the bottom section of the Advanced Attributes box there’s a section called Compress or Encrypt attributes. Put a check to the left of Encrypt contents to secure data.
Click OK to close the Advanced Attributes box then click OK on the folder properties box.
A warning box will sprout asking you to confirm that you want to encrypt the folder and everything inside it. Click OK to confirm.
Notice the folder named personal is now green, indicating that it’s encrypted.
You should see a little notification peek onto the screen near the system time. We need to click this little icon when it appears so we can back up your encryption key.
If it vanishes before you had a chance to grab it, you can click the tiny up arrow in the bottom right corner of the screen to view all notifications. In the graphic below, the up arrow is immediately to the left of my battery icon.
Fortunately the key backup process is pretty straightforward.
We don’t want to procrastinate on this step so let’s back up your new key now. After clicking the notification balloon you’ll see the encryption key backup screen.
Click Back up now to launch the Certificate Export Wizard.
This little tool will export the key and protect it using a password you define. Once exported, we can stash the key on a USB stick or cloud drive. Hopefully you’ll never need to use it but it’ll be there for you just in case.
On the next screen you’ll see a list of key file formats. Just keep the defaults and keep going.
Next we’ll create a password to protect the key.
Password protecting the key is critical because even if someone somehow appropriated your key they couldn’t use it to decrypt your files without the password you enter here.
I suggest entering a strong password: meaning it’s at least 10 characters long and contains at least one number, symbol and capital letter.
Now we’re going to pick a place to save the key. Click the Browse button.
You can save the key anywhere you want but I recommend saving it to a dedicated USB drive that you can store away from your computer. You can buy a cheapola 4GB USB drive on Amazon for less than $10.
Since my protected folder is named “personal”, I saved my key as personalEFSkey.
Click Next to confirm the path.
Verify the summary on the final screen and head to the finish line.
A popup shoots on the screen telling you everything went well.
Click OK to close and you’re done.
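The same steps can be run from a PowerShell prompt with the built-in cipher.exe tool. This is an added example, not part of the original walkthrough; the folder path and the USB backup path are assumed placeholders you should change.

```powershell
# Added example: command-line version of the Explorer steps above.
# $Folder and $KeyBackup are assumed placeholder paths; adjust them.
param(
    [string]$Folder    = 'C:\Users\me\personal',   # folder to encrypt (assumed)
    [string]$KeyBackup = 'E:\personalEFSkey'       # USB path; cipher appends .pfx
)
$ErrorActionPreference = 'Stop'

# EFS only works on NTFS volumes, so check the file system first.
$root  = [IO.Path]::GetPathRoot((Resolve-Path -LiteralPath $Folder).Path)
$drive = New-Object IO.DriveInfo $root
if ($drive.DriveFormat -ne 'NTFS') {
    throw "EFS needs NTFS, but $root is $($drive.DriveFormat)."
}

# Same effect as ticking "Encrypt contents to secure data" and applying it
# to the folder, its subfolders and its files.
cipher.exe /e "/s:$Folder" | Out-Null

# Verify instead of trusting the green colour: list anything that did not
# get the Encrypted attribute (files that were open are a common cause).
$items = @(Get-Item -LiteralPath $Folder -Force) +
         @(Get-ChildItem -LiteralPath $Folder -Recurse -Force)
$plain = @($items | Where-Object {
    -not ($_.Attributes -band [IO.FileAttributes]::Encrypted)
})
if ($plain.Count -gt 0) {
    Write-Warning "$($plain.Count) item(s) are still unencrypted:"
    $plain | ForEach-Object { $_.FullName }
} else {
    "All $($items.Count) items under $Folder carry the Encrypted attribute."
}

# Same job as the Certificate Export Wizard: back up the EFS certificate
# and private key. cipher prompts for the password that protects the file.
cipher.exe /x $KeyBackup
if (-not (Test-Path -LiteralPath "$KeyBackup.pfx")) {
    throw "Key backup was not written to $KeyBackup.pfx."
}
"Key backup saved to $KeyBackup.pfx. Store the USB drive away from the computer."
```

Running `cipher.exe /d "/s:$Folder"` reverses the encryption, the same as unchecking the box in Properties.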
Incidentally, if you ever want to remove folder and file encryption you can do that by right clicking the folder or file, going to Properties and unchecking Encrypt contents to secure data.
A confirmation box will ask you to confirm the decrypt attribute and then everything will be like it was before.
No green folders but also no protection so use with caution!
By the way, you can read more about EFS in Microsoft KB 223316. Microsoft has a pretty good guide on best practices so it could be worth your time.