A+ Certification / Beginners


An encrypted file is protected only against being read. This means that the file can be moved to another location on the same partition or renamed; these actions require modifying the directory table and do not constitute reading the file. The file may also be deleted if the appropriate NTFS permissions have not been applied to it.

To encrypt a file or folder, follow these steps:

  1. Right-click the file or folder and choose Properties. The Properties dialog box appears.
  2. Click the Advanced button. The Advanced Attributes dialog box pops up.
  3. You will be able to encrypt the file or folder by selecting the Encrypt Contents to Secure Data check box.

If the user who encrypted the file, moves or copies a file between NTFS partitions (even between computers), then the file will remain encrypted. This is different from Compression or NTFS permissions. If the file is copied to a non- NTFS partition, then the file is automatically decrypted. If you are not able to decrypt the file, then you will receive an Access Denied message when you attempt to move the files to a location which is on a different partition.

PKI (Public Key Infrastructure) is a system that allows for authentication users and encryption of data. PKI works with key pairs that are used for in conjunction to encrypt or decrypt data. The pair of keys is defined as private (known only to the user) and public (known to all other users of the infrastructure). Public keys are usually stored in certificates. When data is encrypted by using a public key, it can only decrypted by using the private key. EFS makes use of PKI, if you do not have an infrastructure, the local workstation will auto-generate keys on the local computer to support EFS. If you are using EFS within an organization, you should make use of an enterprise wide PKI, which can be implemented by using Microsoft's Windows Server 2003 Certificate Authority.

Windows does not allow you to both encrypt and compress a file. This is because compression requires that the file be rewritten, and encryption does not allow the file to be rewritten. The reason encryption does not allow the file to be rewritten is because the file header contains the file's encryption keys. These keys are protected by the public key of the user who encrypted the file as well as the public key of the Encrypted File System (EFS) Recovery Agents. The EFS Recovery Agent is specified in the local public key policies of the computer or in active directory. By default on a workstation or Active Directory domain, the EFS Recovery Agent will be set to the Administrator account. When a file is encrypted, the only people who can read the file is the user who enabled encryption, the EFS Recovery Agent, and any other users who have specifically had their public keys used to encrypt the file's encryption keys.

To allow other people to access your encrypted files, follow these steps for a file that has been encrypted:

  1. Right-click the file or folder and choose Properties. The Properties dialog box appears.
  2. Click the Advanced button. The Advanced Attributes dialog box pops up.
  3. Click the Details button. The Encryption Details for the file dialog box pops up. This will list all users who can transparently access the file.
  4. Click the Add button. The Select User dialog box pops up.
  5. If the user you want to grant access to is not on the list, click the Find User button to access the standard OS Select User dialog box; otherwise, select the user you want to add and click the OK button.

Click the OK button on each of the other dialogs that you had opened. If you do not have an enterprise PKI, you will not be able to access certificates for other users; so you will not be able to easily grant other users access to encrypted files.

Similar to compress.exe for compressing files, you can use the command-line utility cipher.exe to encrypt files from the command line or in batch files. In the same way that you could use compress.exe for compressed files, you can use cipher.exe for encrypted files. Table below reviews the switches that can be used with the cipher.exe command.

cipher.exe command switches
/AOperates on files as well as directories. The encrypted file could become decrypted when it is modified if the parent directory is not encrypted. It is recommended that you encrypt the file and the parent directory.
/DDecrypts the specified directories. Directories will be marked so that files added afterward will not be encrypted.
/EEncrypts the specified directories. Directories will be marked so that files added afterward will be encrypted.
/FForces the encryption operation on all specified objects, even those which are already encrypted. Already-encrypted objects are skipped by default.
/HDisplays files with the hidden or system attributes. These files are omitted by default.
/IContinues performing the specified operation even after errors have occurred. By default, CIPHER stops when an error is encountered.
/KCreates new file encryption key for the user running CIPHER. If this option is chosen, all the other options will be ignored.
/NThis option only works with /U. This will prevent keys being updated. This is used to find all the encrypted files on the local drives.
/QReports only the most essential information.
/RGenerates an EFS recovery agent key and certificate, then writes them to a .PFX file (containing certificate and private key) and a .CER file (containing only the certificate). An administrator may add the contents of the .CER to the EFS recovery policy to create the recovery agent for users, and import the .PFX to recover individual files.
/SPerforms the specified operation on directories in the given directory and all subdirectories.
/UTries to touch all the encrypted files on local drives. This will update user's file encryption key or recovery agent's key to the current ones if they are changed. This option does not work with other options except /N.
/WRemoves data from available unused disk space on the entire volume. If this option is chosen, all other options are ignored. The directory specified can be anywhere in a local volume. If it is a mount point or points to a directory in another volume, the data on that volume will be removed.
/XBackup EFS certificate and keys into file filename. If efsfile is provided, the current user's certificate(s) used to encrypt the file will be backed up. Otherwise, the user's current EFS certificate and keys will be backed up.
[Previous] [Contents] [Next]