Encrypting File System (EFS) is a core file encryption technology used to store encrypted files on NTFS file system volumes. Encrypted files cannot be used unless the user has access to the keys required to decrypt the information.

You do not have to manually decrypt an encrypted file before you can use it. You can open and change the file as you normally do. Once you encrypt a file or folder, you work with the encrypted file or folder just as you do with any other file or folder.

Using EFS is similar to using permissions on files and folders. Both methods can be used to restrict access to data. The difference is what enforces the restriction: NTFS permissions are enforced only by a running Windows instance that honors them, whereas EFS protection is enforced by cryptography. An intruder who gains physical access to the disk (for example, by booting another operating system or moving the drive to another computer) can bypass NTFS permissions, but is still prevented from reading encrypted files or folders without the decryption key. If the intruder tries to open or copy your encrypted file or folder while logged on without that key, he or she receives an access denied message. Permissions on files and folders alone do not protect against such physical, offline attacks.

You encrypt or decrypt a folder or file by setting the encryption property for folders and files just as you set any other attribute such as read-only, compressed, or hidden. If you encrypt a folder, all files and subfolders created in the encrypted folder are automatically encrypted. We recommend that you encrypt at the folder level rather than individual files: temporary and backup copies that applications create while editing a file then land in the encrypted folder and are encrypted too, instead of being left in the clear beside an encrypted original.

You can also encrypt or decrypt a file or folder from the command line by using the cipher.exe tool, which can additionally report who is able to decrypt a file and back up your EFS certificate and private key.
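The following PowerShell session is an added example and not code from the original article. It walks through the folder-level workflow described above with cipher.exe: encrypt a folder, confirm the attribute, read the file transparently, list who can decrypt it, back up the user's EFS key, and decrypt again. The folder C:\Secure and the backup file name are placeholders chosen for the example.

```powershell
# Added example (not from the original article). Assumes a local NTFS volume
# and a writable test location; C:\Secure is a placeholder path.
$Folder = 'C:\Secure'
New-Item -ItemType Directory -Path $Folder -Force | Out-Null
Set-Content -Path (Join-Path $Folder 'notes.txt') -Value 'confidential'

# Encrypt the folder and everything already in it (/S recurses into it).
# Files created in the folder afterwards inherit the encryption attribute.
cipher.exe /E /S:$Folder

# Verify via the file attribute rather than by trusting the command's output.
$file = Get-Item -LiteralPath (Join-Path $Folder 'notes.txt')
$isEncrypted = ($file.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0
"notes.txt encrypted: $isEncrypted"

# No manual decryption step: the key holder reads the file as usual.
Get-Content -LiteralPath $file.FullName

# Show the users and recovery agents whose certificates can decrypt the file.
cipher.exe /C $file.FullName

# Back up the current user's EFS certificate and private key to a .pfx file
# (cipher prompts for a password). Without this key the data is unrecoverable.
cipher.exe /X:"$env:USERPROFILE\efs-backup"

# Decrypt the folder again and confirm the attribute has been cleared.
cipher.exe /D /S:$Folder
$file.Refresh()
"notes.txt still encrypted: $((($file.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0))"
```

Running cipher.exe with no arguments inside a folder lists each entry with an E (encrypted) or U (unencrypted) marker, which is a quick way to spot files that were moved in without being encrypted.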

When you work with encrypted files and folders, consider the following information:

  • Only files and folders on NTFS volumes can be encrypted. However, you can use Web Distributed Authoring and Versioning (WebDAV) to transfer files in encrypted form: when the WebDAV server stores the files on an NTFS volume, encryption and decryption happen on the client, so the data stays encrypted while it crosses the network.

  • Files or folders that are compressed cannot also be encrypted. If the user marks a compressed file or folder for encryption, it is decompressed first and then encrypted.

  • Encrypted files are decrypted if you copy or move the file to a volume that is not an NTFS volume (for example, FAT32 or exFAT), because those file systems cannot carry the encryption attribute. The copy succeeds only if the user performing it can decrypt the file, and the result is stored in the clear. Windows Explorer prompts you to confirm the loss of encryption; scripted copies may not.

  • Moving unencrypted files into an encrypted folder will automatically cause those files to be encrypted in the new folder. However, the reverse operation will not automatically decrypt files. Files must be explicitly decrypted.

  • Files marked with the System attribute cannot be encrypted, nor can files in the system root directory structure.

  • Encrypting a folder or file does not protect against the deletion or listing of files or directories. Anyone with the appropriate permissions can delete or list encrypted folders or files. For this reason, using EFS in combination with NTFS permissions is recommended.

  • You can encrypt or decrypt files and folders located on a remote computer that has been enabled for remote encryption, but the data that is transmitted over the network by this process is not encrypted. Other protocols, such as Secure Sockets Layer/Transport Layer Security (SSL/TLS) or Internet Protocol security (IPsec), must be used to encrypt data while it is in transit over the network. (You can also use WebDAV, as described in the first bullet point, to transmit the file in encrypted form.)
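Two of the caveats above (decryption on copy to a non-NTFS volume, and cleartext transfer to a remote computer) are easy to trip over in scripts. The following PowerShell functions are an added example, not code from the original article: a pre-copy check that inspects the source file's Encrypted attribute and the destination volume's file system, and a wrapper that refuses a copy that would strip EFS protection unless the caller explicitly accepts that. The paths in the usage line are constructed placeholders; D: is assumed to be a FAT32 USB drive.

```powershell
# Added example (not from the original article). Guards a copy so that an
# EFS-encrypted file is not silently written in the clear to a non-NTFS or
# network destination. Paths used below are placeholders.

function Get-VolumeFormat {
    param([Parameter(Mandatory)][string]$Path)
    # Resolve the destination's root; the destination file itself may not exist yet.
    $root = [IO.Path]::GetPathRoot([IO.Path]::GetFullPath($Path))
    if ($root -like '\\*') { return 'UNC' }   # remote share: the server's file system is not visible from here
    try   { return ([IO.DriveInfo]::new($root)).DriveFormat }   # e.g. NTFS, FAT32, exFAT
    catch { return 'Unknown' }
}

function Test-EfsCopySafe {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Destination
    )
    $item      = Get-Item -LiteralPath $Path
    $encrypted = ($item.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0
    $format    = Get-VolumeFormat -Path $Destination

    if (-not $encrypted) {
        $safe = $true;  $reason = 'source is not EFS-encrypted'
    } elseif ($format -eq 'NTFS') {
        $safe = $true;  $reason = 'destination is NTFS; the file stays encrypted'
    } elseif ($format -eq 'UNC') {
        $safe = $false; $reason = 'destination is a network share; data crosses the wire in the clear unless the channel is protected (TLS, IPsec, or WebDAV)'
    } else {
        $safe = $false; $reason = "destination volume is $format; the copy would be written decrypted"
    }

    [pscustomobject]@{
        Path       = $item.FullName
        Encrypted  = $encrypted
        DestFormat = $format
        Safe       = $safe
        Reason     = $reason
    }
}

function Copy-EfsItem {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Destination,
        [switch]$Force   # explicit opt-in to losing EFS protection
    )
    $check = Test-EfsCopySafe -Path $Path -Destination $Destination
    if (-not $check.Safe -and -not $Force) {
        throw "Refusing to copy '$($check.Path)': $($check.Reason). Use -Force to accept the loss of protection."
    }
    Copy-Item -LiteralPath $Path -Destination $Destination
}

# Usage with constructed placeholder paths (D: assumed to be a FAT32 USB drive):
Test-EfsCopySafe -Path 'C:\Secure\notes.txt' -Destination 'D:\notes.txt' | Format-List
# Copy-EfsItem -Path 'C:\Secure\notes.txt' -Destination 'D:\notes.txt'   # throws without -Force
```

The check deliberately treats a UNC destination as unsafe even when the share is on NTFS: the file may well stay encrypted at rest on the server, but the bullet above is about the bytes in transit, and that is something the copying host cannot verify from the path alone.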

EFS policy settings

You can use Group Policy to configure a number of EFS policy settings. These policy settings are located in Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypting File System.

Allow or disallow EFS

You can choose to allow or disallow the use of EFS altogether. If you do not configure any policy settings for EFS, it is allowed.

If you choose to allow EFS, you can also select a number of options, such as whether to automatically encrypt a user's Documents folder, to require a smart card for use with EFS, to cache keys created based on a smart card, to create a caching-capable user key from a smart card, or to notify users to make backup copies of their encryption keys.

Allow or disallow Elliptic Curve Cryptography encryption

You can choose to allow or disallow the use of Elliptic Curve Cryptography (ECC) encryption with EFS. If you do not configure any policy settings for EFS, ECC encryption is allowed. ECC encryption enables organizations to comply with the Suite B encryption standards.

Suite B is a set of cryptographic algorithms published by the U.S. National Security Agency. Its components are: Advanced Encryption Standard (AES) with key sizes of 128 and 256 bits for symmetric encryption, Elliptic Curve Digital Signature Algorithm (ECDSA) for digital signatures, Elliptic Curve Diffie-Hellman (ECDH) for key agreement, and Secure Hash Algorithm (SHA-256 and SHA-384) for hashing. Suite B has since been superseded by the Commercial National Security Algorithm (CNSA) Suite, so check current guidance before treating Suite B compliance as a target.
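Whether a user's EFS key actually uses ECC, and whether EFS has been disallowed on the machine, can be checked from PowerShell. The script below is an added example, not code from the original article. It reports every certificate in the user's personal store that carries the Encrypting File System enhanced key usage, the public-key algorithm and size it uses, and whether that matches the Suite B ECC sizes; it also reads the registry value Windows uses to record that EFS has been disabled (EfsConfiguration = 1), which is stated here as an assumption about how the "disallow EFS" policy is persisted on the local machine.

```powershell
# Added example (not from the original article). Reports the current user's
# EFS certificates, the public-key algorithm each uses (RSA or ECC; Suite B
# requires ECC), and whether EFS has been disabled machine-wide.
$EfsEku = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID: Encrypting File System

function Get-EfsCertificateReport {
    Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
        $cert = $_
        $eku  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # EKU extension
        if (-not $eku -or $eku.EnhancedKeyUsages.Value -notcontains $EfsEku) { return }

        $alg  = $cert.PublicKey.Oid.FriendlyName   # 'RSA' or 'ECC'
        $bits = try {
            if ($alg -eq 'ECC') {
                [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPublicKey($cert).KeySize
            } else {
                [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert).KeySize
            }
        } catch { $null }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            Algorithm     = $alg
            KeyBits       = $bits
            HasPrivateKey = $cert.HasPrivateKey               # without it the user cannot decrypt
            NotAfter      = $cert.NotAfter
            SuiteB        = ($alg -eq 'ECC' -and (@(256, 384) -contains $bits))
        }
    }
}

function Get-EfsDisabledState {
    # Assumption: EfsConfiguration = 1 under this key records that EFS is disabled.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'
    $v = (Get-ItemProperty -Path $key -Name EfsConfiguration -ErrorAction SilentlyContinue).EfsConfiguration
    [pscustomobject]@{ EfsConfiguration = $v; EfsDisabled = ($v -eq 1) }
}

Get-EfsDisabledState
Get-EfsCertificateReport | Format-Table Subject, Algorithm, KeyBits, HasPrivateKey, SuiteB, NotAfter
```

A certificate with HasPrivateKey set to False is a warning sign: the user will still see the certificate, but cannot decrypt anything that was protected with it, which is exactly the situation the "notify users to back up their encryption keys" option above is meant to prevent.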
