How to Configure the EFS File Encryption System in Windows 10

Windows has multiple features that have always been available to us, but we don't always take the time to explore them. On this occasion, we will talk about the file encryption system (EFS). EFS allows us to encrypt our files in a few steps, and it is not necessary to download anything or make additional adjustments. In this article we show you what it is, how to activate it and how you can use it to protect your files correctly.

Anyone who is interested in computer security or who works in the field has noticed an increase in awareness regarding our security and privacy, all the more so because people must stay at home to carry out all their activities: work, studies and many others. We know that connecting to a home network is not as secure as connecting to an internal network specially configured by an organization. The security measures applied differ greatly from those of the home network. Consequently, the desire to know how to protect against multiple security threats also increases.

Configure the EFS File Encryption System in Windows 10

Today we will talk about the Windows 10 file encryption system. It is mainly known by its English acronym EFS, which stands for Encrypted File System. This is an encryption service that is present in both Windows 10 and previous versions. It was first implemented with Windows 2000.

What is the File Encryption System (EFS)?

EFS is a fast way to encrypt files and folders. It is especially useful when dealing with files that are available over the network to multiple users. The peculiarity of this system is that it is connected to the user, not to the computer. Consequently, more than one user will be able to encrypt their files at the same time, without the risk that others may have access.

This encryption method is characterized by being fast and generally very reliable. However, you should keep in mind that the encryption key of the files is stored on a flash storage device, so it becomes a somewhat vulnerable method. Also, the content of the encrypted files may be exposed in the Windows temporary file logs.

We must remember that Windows also has BitLocker, a free tool that allows us to encrypt removable storage devices such as pen drives or hard drives, disk partitions, and even the main partition (where the operating system is installed). We recommend you read our complete tutorial on how to configure BitLocker and encrypt our computer; you can also use PowerShell to configure BitLocker.

Operating scheme

It uses the symmetric encryption method to encrypt files, although it also uses a symmetric algorithm called DESX. This algorithm is a variant of the classic DES method, which stands for Data Encryption Standard. The main objective of this algorithm is to increase the difficulty of attacks that seek to decrypt data, such as brute-force attacks.

This symmetric encryption method is divided into two main elements:

  • The File Encryption Key (FEK)
  • The public key

As soon as a file or folder with multiple files is encrypted, the FEK key is stored in the file or folder header. In addition, the public key remains in the hands of the user who proceeded with the encryption. As we can see, it is a practical application of the public key-private key scheme. Unlike asymmetric encryption methods, symmetric encryption has the ability to proceed with encryption much more quickly.

How does EFS work?

It is much easier than you think! You don’t need to do any additional installation or configuration adjustments. The first step is to know what file or folder you are going to encrypt.

Right-click it and select the Properties option. A pop-up window will appear, open on the General tab. Then click the Advanced Options button.

Click the check box that says “Encrypt content to protect data”.

Then click OK to return to the General tab, and click Apply. A window will appear asking if you want to encrypt only the folder or also the subfolders and files. Once you select that option, click OK.

How to protect your EFS public key

A notification will automatically appear recommending that you back up your file encryption key. Click on it and you will have the following options:

If you select the first option, which is the most recommended, another window will appear where you will interact with the Certificate Export Wizard.

Next, the format in which the backup will be generated will appear. No adjustment is necessary here, since it already has the recommended security settings, so we can click Next.

Then you must indicate a password and select one of the encryption methods for it. Click the password check box and type it in. You can leave the encryption method already selected or select the other option.

It will ask you to indicate the name of the backup. Simply choose the one of your preference and click Next.

Finally, a window will appear indicating that the process has been carried out successfully. Then click Finish. In the case we have demonstrated, it has been stored in the default location, which is the Documents folder. As we can see above, it is possible to choose the location that suits us best.

As you are solely responsible for your public key to decrypt the files, a good practice is to keep backup copies so that, in the event that you lose the main source where your keys are located, you can quickly recover them. In any case, it is highly recommended that you keep your keys on devices such as USB storage that are not shared.
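The same two procedures (encrypting a folder, then backing up the key) can be done from PowerShell. This is an added example, not part of the original article; it assumes an NTFS volume and a Windows edition that includes EFS, and the paths in `$Folder` and `$BackupDir` are hypothetical.

```powershell
# Added example, not from the original article.
# $Folder and $BackupDir are hypothetical paths; adjust them to your system.
$Folder    = Join-Path $env:USERPROFILE 'Documents\Confidential'
$BackupDir = Join-Path $env:USERPROFILE 'Documents'

# 1. Encrypt the folder with its subfolders and files, the same choice the
#    Properties dialog offers after you click Apply.
cipher.exe /e "/s:$Folder"

# 2. Verify: list anything under the folder that is still NOT encrypted
#    (for example files that were open or locked during step 1).
$plain = Get-ChildItem -LiteralPath $Folder -Recurse -Force |
    Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::Encrypted) }
if ($plain) {
    Write-Warning 'Not encrypted:'
    $plain | ForEach-Object { Write-Warning "  $($_.FullName)" }
} else {
    Write-Host "Everything under $Folder is encrypted."
}

# 3. Back up the EFS certificate together with its private key.
#    EFS certificates carry the "Encrypting File System" enhanced key usage
#    (OID 1.3.6.1.4.1.311.10.3.4) and live in the user's personal store.
$efsOid = '1.3.6.1.4.1.311.10.3.4'
$certs = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $efsOid)
}
if (-not $certs) { throw 'No EFS certificate with a private key was found.' }

# The password protects the .pfx file, as in the Certificate Export Wizard.
$password = Read-Host -AsSecureString -Prompt 'Password to protect the backup'
foreach ($cert in $certs) {
    $pfx = Join-Path $BackupDir "efs-backup-$($cert.Thumbprint).pfx"
    Export-PfxCertificate -Cert $cert -FilePath $pfx -Password $password | Out-Null
    Write-Host "Backed up $($cert.Thumbprint) to $pfx"
}
```

Move the resulting .pfx files off the computer to the unshared storage device recommended above, since a backup kept next to the encrypted files is lost together with them.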

We recommend you also read about VeraCrypt to create encrypted containers, encrypt removable storage devices and even entire disks or partitions. Also, BitLocker is another very good option to encrypt entire drives.