Encrypting File System in Windows 7

Before you start

Objectives: Learn how to encrypt a file or folder, how to designate recovery agents, and how to generate self-signed keys.

Prerequisites: you should know what the Encrypting File System is in general.

Key terms: EFS, Encrypting File System, configuration, Windows 7, Recovery Agent, certificates

How to Enable EFS

For this demo we have created a sample directory named “EFS-demo” on our C drive. If we check the NTFS permissions on that folder, we will see that the Authenticated Users group has the Modify permission set. This means that any authenticated user can create and modify files in that directory.

Figure 1: NTFS Permissions

On our computer we have a user named “Kim Verson”. If we log on with that user account, we can create a file in the EFS-demo folder. That’s because all authenticated users have permission to work in that folder. For this demo, Kim Verson will create a file named “Verson CV.txt”.

Figure 2: Verson CV File

The next thing we will do is encrypt that file. To do that we have to go to the properties of the file, and click on the Advanced button on the General tab. This will open the Advanced Attributes window.

Figure 3: Advanced Attributes

Here we have to select the “Encrypt contents to secure data” option. When we click OK, the system will prompt us to encrypt the whole folder. If we encrypt only a specific file, the parent folder will remain unencrypted, so any files that we put in the folder will remain unencrypted. The recommended practice is to encrypt folders, and not files. When we encrypt a folder, any file that we create in that folder will automatically be encrypted.

Figure 4: Encryption Warning


For this demo we will only encrypt the file, and not the folder. Notice that the Details button is grayed out. It will become available when we encrypt our file. When we click OK, the color of our file will change to green, indicating that our file is now encrypted. Also, we will get a prompt to back up our encryption key.

Figure 5: File Color

Figure 6: Backup Prompt

Keep in mind that when we are not in a domain environment, our computer will locally generate certificates for EFS encryption. That’s why it is very important to back up our encryption keys.

So, to recap, Kim Verson created the file “Verson CV” in a folder accessible by all users on the computer. Kim encrypted that file, and because of that, other users won’t be able to access it, despite the NTFS permissions. Let’s try this now. We will log on as a different user and try to open the Verson CV file.

Figure 7: Access Denied Message

As we can see, access to the file is denied to other users. So, each user can encrypt their own files, and other users won’t be able to open them, despite all NTFS permissions.

EFS Certificates

EFS certificates for each user are created when the user first encrypts a file. In a local environment, each certificate is stored locally within the user’s profile. This means that if we copy our encrypted files to another computer, we won’t be able to open them (since there is no EFS key for our user on the other computer). In order to be able to open our encrypted files on other local computers, we have to export our private keys and import them on those computers.

Let’s add another file called Marko CV to the same folder and encrypt it. If we open properties of our encrypted files and open the Advanced Attributes, we’ll notice that now we can click the Details button. When we do that, we will see the list of users who can access the file.

Figure 8: List of Users

Notice that here we have an Add button. With this we can add more users to the list of users who can access our files. When we click the Add button, we will be presented with the list of user certificates. We have to select the certificate of the user to whom we want to allow access.

Figure 9: List of Certificates Available to Select

So, we can share an encrypted file with multiple users, as long as we have access to their certificates. Keep in mind that the users we add will be able to provide access to other users as well.

Recovery Admin

In Windows 7 there is no default recovery agent designated in local environments, so there is no single user who can access all files. To create a recovery agent, we first must generate a pair of recovery keys. To do that, we will open CMD as Administrator. In CMD, we will run the “cipher /r:RecoveryAgent” command. In our case we have logged on to our computer as an Admin user which is a member of the Administrators group.

Figure 10: Cipher Command

We will have to enter the password which will be used to protect our generated files. With this we get a self-signed local certificate and a local private key certificate, both named “RecoveryAgent”. The next thing to do is to import those keys into the local Group Policy. To do that, we will open the local Group Policy editor (enter gpedit.msc in search) and go to Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Encrypting File System. Next, we have to right-click Encrypting File System and select the Add Data Recovery Agent option.

Figure 11: Add Recovery Agent Option

The wizard will open. On the Select Recovery Agents screen we have to browse to our generated certificates in the EFS-demo folder. When we select our certificate we will get a warning that Windows can’t determine if the certificate has been revoked. This is because it is a self-signed certificate, so we can click Yes in this case. When we do that, we will see our certificate in the list.

Figure 12: Certificate Selected

When we click Next and Finish, we will see our Recovery Agent certificate in the Encrypting File System node. This certificate will allow our Admin user (we have created this certificate with the Admin user) to recover encrypted files as well.

Figure 13: Certificate Added

We can add multiple recovery agents (different users). All we have to do is generate keys while logged on as a specific user.

When we have designated our recovery agents, we have to run the “cipher /u” command in order to update all encrypted files with the designated recovery agents. We will enter that command as the Admin user.

Figure 14: Cipher Update Command

Notice that the Marko CV file was updated (that file was created by Admin), while the Verson CV file couldn’t be decrypted. To update the Verson CV file we have to log on as Kim Verson and then run the cipher /u command again. We have to do that for all user accounts. This is because we created the recovery agents after the users had already encrypted their files. That’s why it is best to designate recovery agents before users start to encrypt their files. That way recovery agents will be added automatically, so we don’t have to run the cipher /u command.
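To check the result of the steps above from the command line, the following PowerShell script is an added example (not part of the original article). It assumes the article's C:\EFS-demo folder, and the variable and function names are hypothetical. It lists the encrypted files, shows who can decrypt each one and which recovery certificates it carries, and lists the EFS certificates in the current user's store.

```powershell
# Added example, not from the original article. Run it as the user whose files you
# want to check. $Folder follows the article's demo; adjust it for your system.
$Folder = 'C:\EFS-demo'
$EfsOid = '1.3.6.1.4.1.311.10.3.4'      # EKU: Encrypting File System
$DraOid = '1.3.6.1.4.1.311.10.3.4.1'    # EKU: File Recovery (recovery agent)

# True when the certificate lists the given OID in its Enhanced Key Usage extension.
function Test-Eku($Cert, $Oid) {
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($usage in $ext.EnhancedKeyUsages) {
                if ($usage.Value -eq $Oid) { return $true }
            }
        }
    }
    return $false
}

# 1. Find every file under $Folder that carries the NTFS "Encrypted" attribute.
$encrypted = @(Get-ChildItem -Path $Folder -Recurse -Force | Where-Object {
    -not $_.PSIsContainer -and ($_.Attributes -band [System.IO.FileAttributes]::Encrypted)
})
"{0} encrypted file(s) under {1}" -f $encrypted.Count, $Folder

# 2. For each file, print the users who can decrypt it and its recovery certificates.
#    A file encrypted before the recovery agent was designated shows no recovery
#    certificate until its owner runs "cipher /u".
foreach ($file in $encrypted) {
    cipher.exe /c $file.FullName
}

# 3. List EFS and file-recovery certificates in the current user's personal store.
#    HasPrivateKey = False means this profile cannot decrypt with that certificate,
#    and there is no private key here to back up.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { (Test-Eku $_ $EfsOid) -or (Test-Eku $_ $DraOid) } |
    Select-Object Subject, Thumbprint, HasPrivateKey, NotAfter |
    Format-List

# 4. Dry run of the update step: /n makes "cipher /u" list the encrypted files on
#    the local drives without changing their keys.
cipher.exe /u /n
```

Running it once as Admin and once as each user who owns encrypted files shows which files still lack the recovery certificate.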

Backing Up Keys

It is very important to back up EFS keys. There are two ways to do that. We can click on the prompt to back up our key. We can also go to Control Panel > User Accounts and click on the “Manage your file encryption certificates” option. When exporting certificates we will be able to choose the format. We should export all certificates in the certification path.

Figure 15: Export Options

On the next screen we will have to enter our password for the exported certificates, to keep them secure.

Figure 16: Password For Exported Files

We will also have to specify the location of the exported file. We should always copy this file and keep it in a safe place. Make sure that you know the location and the password for exported certificates.

Figure 17: Location For Exported Files

Another way to work with certificates is the Certificate Snap-in in the MMC console. We can also export our keys from there.