Windows 10

Encrypting information

Windows provides the following encryption tools for preventing the loss of confidential data:

  • Encrypting File System (EFS) encrypts your files so that even if someone is able to obtain the files, he or she won't be able to read them. The files are readable only when you sign in to the computer using the user account that encrypted them.
  • BitLocker Drive Encryption provides another layer of protection by encrypting entire hard-disk volumes. By linking this encryption to a key stored in a Trusted Platform Module (TPM) or USB flash drive, BitLocker reduces the risk of data being lost when a computer is stolen or when a hard disk is stolen and placed in another computer. A thief's standard approach in these situations is to boot into an alternate operating system and then try to retrieve data from the stolen computer or drive. With BitLocker, that type of offline attack is effectively neutered.
  • BitLocker To Go extends BitLocker encryption to removable media, such as USB flash drives.
Note:
Encrypting File System and BitLocker Drive Encryption are not available in Windows 10 Home. Encrypting a removable drive with BitLocker To Go requires Windows 10 Pro or Windows 10 Enterprise; the resulting encrypted drive can be opened and used on a device running Windows 10 Home.

Using the Encrypting File System

The Encrypting File System (EFS) provides a secure way to store your sensitive data. Windows creates a randomly generated file encryption key (FEK) and then transparently encrypts the data, using this FEK, as the data is being written to disk. Windows then encrypts the FEK using your public key. (Windows creates a personal encryption certificate with a public/private key pair for you the first time you use EFS.) The FEK, and therefore the data it encrypts, can be decrypted only with your certificate and its associated private key, which are available only when you sign in with your user account. (Designated data recovery agents can also decrypt your data.) Other users who attempt to use your encrypted files receive an "access denied" message. Even administrators and others who have permission to take ownership of files are unable to open your encrypted files. (They can still delete or overwrite them, and file names and folder listings remain visible: EFS protects the confidentiality of the file contents, not their availability.)

You can encrypt individual files, folders, or entire drives. (You cannot use EFS to encrypt the boot volume, the one that holds the Windows operating system files; for that, you must use BitLocker.) We recommend that you encrypt folders or drives instead of individual files. When you encrypt a folder or drive, the files it contains are encrypted, and new files that you create in that folder or drive are encrypted automatically.

To encrypt a folder, follow these steps:

  1. In File Explorer, right-click the folder, choose Properties, click the General tab, and then click Advanced, which opens the Advanced Attributes dialog box. (If the properties dialog box doesn't have an Advanced button, the folder is not on an NTFS-formatted volume and you can't use EFS.)
  2. Select Encrypt Contents To Secure Data. (Note that you can't encrypt compressed files. If the files are already compressed, Windows clears the compressed attribute.)
  3. Click OK twice. If the folder contains any files or subfolders, Windows then displays a confirmation message.
Note:
If you select Apply Changes To This Folder Only, Windows doesn't encrypt any of the files currently in the folder. Any new files that you create in the folder, however, including files that you copy or move to the folder, will be encrypted.

After a file or folder has been encrypted, File Explorer displays its name in green. This minor cosmetic detail is the only change you are likely to notice. Windows decrypts your files on the fly as you use them and reencrypts them when you save.
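The folder procedure above, scripted in PowerShell as an added example that is not from the book. It assumes Windows 10 Pro or Enterprise, an NTFS volume, and a hypothetical folder C:\Secret, and it checks each step through the Encrypted file attribute, which is the property behind the green file name in File Explorer:

```powershell
# Added example, not from the book. Assumes Windows 10 Pro/Enterprise, an NTFS volume,
# and a hypothetical folder C:\Secret; run it as the user who should hold the EFS certificate.
$Folder = 'C:\Secret'
New-Item -ItemType Directory -Path $Folder -Force | Out-Null
Set-Content -Path (Join-Path $Folder 'existing.txt') -Value 'constructed sample data'   # exists before encryption

function Test-Encrypted {
    param([string]$Path)
    # The Encrypted attribute is what File Explorer renders as a green name.
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    return (($attrs -band [IO.FileAttributes]::Encrypted) -ne 0)
}

# Step 1: mark the folder itself. This is what "Apply changes to this folder only" does:
# files already inside are left in clear text; files created or copied in later are encrypted.
cipher /e $Folder | Out-Null
if (-not (Test-Encrypted $Folder)) { throw "$Folder was not marked for encryption (is it on NTFS?)" }

# Step 2: encrypt what was already there, i.e. "Apply changes to this folder, subfolders and files".
Get-ChildItem -LiteralPath $Folder -Recurse -Directory | ForEach-Object { cipher /e $_.FullName | Out-Null }
Get-ChildItem -LiteralPath $Folder -Recurse -File | ForEach-Object {
    # A file can be compressed or encrypted, not both: encrypting clears the Compressed attribute.
    [IO.File]::Encrypt($_.FullName)
}
if (-not (Test-Encrypted (Join-Path $Folder 'existing.txt'))) { throw 'existing file was not encrypted' }

# Step 3: a new file inherits encryption from the folder automatically, with no further action.
Set-Content -Path (Join-Path $Folder 'new.txt') -Value 'more constructed data'
if (-not (Test-Encrypted (Join-Path $Folder 'new.txt'))) { throw 'new file did not inherit encryption' }

# Step 4: see who can decrypt a file. cipher /c lists the user certificate(s) whose key wraps the FEK
# and any data recovery agent certificates; an agent you do not expect to see here is worth knowing about.
cipher /c (Join-Path $Folder 'new.txt')
```

The script deliberately uses both tools a Windows administrator reaches for: cipher.exe for marking directories and reporting, and the .NET File.Encrypt call (the same EncryptFile API the Properties dialog uses) for the existing files, so that each step can be verified rather than assumed.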

Caution:
Before you encrypt anything important, back up your personal encryption certificate and, if one is defined, the data recovery agent certificate (with their associated private keys) to a USB flash drive or to your OneDrive. Store the flash drive in a secure location, and protect the exported .pfx file with a strong password: anyone who holds that file and its password can decrypt your files. To do this, open User Accounts in Control Panel, and then click Manage Your File Encryption Certificates. If you ever lose the certificate stored on your hard drive (because of a disk failure, for example), you can restore the backup copy and regain access to your files. A less obvious way to lose it: the private key is protected by your account password, and if an administrator resets the password of a local account (rather than you changing it yourself), Windows can no longer unlock that key. If you lose all copies of your certificate (and no data recovery agent certificates exist), you won't be able to use your encrypted files. No backdoor exists (none that we know of, at any rate), nor is there any practical way to hack these files. (If there were, it wouldn't be very good encryption.)
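The backup described in the caution, done from PowerShell as an added example that is not from the book. It finds the certificates in your personal store by their enhanced key usage OIDs (1.3.6.1.4.1.311.10.3.4 for Encrypting File System, 1.3.6.1.4.1.311.10.3.4.1 for a file recovery agent), exports each with its private key to a password-protected .pfx, and reads the file back to verify it. The destination folder E:\EfsBackup is hypothetical; Export-PfxCertificate and Get-PfxData are cmdlets from the PKI module that ships with Windows 10:

```powershell
# Added example, not from the book. Run as the user whose EFS keys are being backed up.
# E:\EfsBackup (ideally a USB flash drive) is a hypothetical destination.
$BackupDir   = 'E:\EfsBackup'
$EfsOid      = '1.3.6.1.4.1.311.10.3.4'    # Enhanced Key Usage: Encrypting File System
$RecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'  # Enhanced Key Usage: File Recovery (data recovery agent)

# Certificates in the current user's Personal store that have a private key and carry either EKU.
$certs = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and
    (($_.EnhancedKeyUsageList.ObjectId -contains $EfsOid) -or ($_.EnhancedKeyUsageList.ObjectId -contains $RecoveryOid))
}
if (-not $certs) { throw 'No EFS or recovery certificate with a private key found; encrypt a file first so Windows issues one.' }

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
# The .pfx contains the private key, so it is only as safe as this password.
$pfxPassword = Read-Host -Prompt 'Password to protect the exported .pfx files' -AsSecureString

foreach ($cert in $certs) {
    $kind = if ($cert.EnhancedKeyUsageList.ObjectId -contains $RecoveryOid) { 'recovery-agent' } else { 'efs' }
    $file = Join-Path $BackupDir ('{0}-{1}.pfx' -f $kind, $cert.Thumbprint)
    Export-PfxCertificate -Cert $cert -FilePath $file -Password $pfxPassword -ChainOption EndEntityCertOnly | Out-Null

    # Verify: open the backup with the password and confirm it holds the same certificate.
    $pfx = Get-PfxData -FilePath $file -Password $pfxPassword
    if (-not ($pfx.EndEntityCertificates | Where-Object Thumbprint -eq $cert.Thumbprint)) {
        throw "Backup $file does not contain certificate $($cert.Thumbprint)"
    }
    "Backed up $kind certificate $($cert.Thumbprint) (valid until $($cert.NotAfter.ToShortDateString())) to $file"
}

# To restore on a rebuilt machine, signed in as the same user:
#   Import-PfxCertificate -FilePath $file -CertStoreLocation Cert:\CurrentUser\My -Password $pfxPassword
```

Keep the .pfx files and their password apart from the encrypted data they unlock; a backup that sits on the same disk as the files, or next to a note with the password, undoes the point of EFS.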

To encrypt one or more files, follow the same procedure as for folders. You'll see a different confirmation message to remind you that the file's folder is not encrypted and to give you an opportunity to encrypt it. You generally don't want to encrypt individual files because the information you intend to protect can too easily become decrypted without your knowledge. For example, with some applications, when you open a document for editing, the application creates a copy of the original document. When you save the document after editing, the application saves the copy (which is not encrypted) and deletes the original encrypted document. Static files that you use for reference only, but never for editing, can safely be encrypted without encrypting the parent folder. Even in that situation, however, you'll probably find it simpler to encrypt the whole folder.

Encrypting with BitLocker and BitLocker To Go

BitLocker Drive Encryption can be used to encrypt entire NTFS volumes, which provides excellent protection against data theft. BitLocker can secure a drive against attacks that involve circumventing the operating system or removing the drive and placing it in another computer. BitLocker provides the greatest protection on a computer that has TPM version 1.2 or later; on these systems, the TPM stores the key and releases it only if the boot components it measured have not been tampered with while the computer was offline. If your computer does not have a TPM, you can still use BitLocker on your operating system volume, but you must first enable the Group Policy setting Require Additional Authentication At Startup (under Computer Configuration, Administrative Templates, Windows Components, BitLocker Drive Encryption, Operating System Drives) and select Allow BitLocker Without A Compatible TPM; you must then insert a USB startup key or enter a password each time you start the computer or resume from hibernation. Non-TPM systems do not get the system integrity check at startup.
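Turning on BitLocker for the operating system volume with the key sealed to the TPM, as an added PowerShell example that is not from the book. It assumes an elevated Windows 10 Pro or Enterprise session, the operating system volume at C:, and the BitLocker and TrustedPlatformModule modules that ship with Windows; the Active Directory and Azure AD escrow lines are left as comments because they apply only to a joined device:

```powershell
# Added example, not from the book. Elevated PowerShell on Windows 10 Pro/Enterprise; C: is the OS volume.
$Os = 'C:'

# A TPM that is present and ready is what makes the startup integrity check possible.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    # Without it BitLocker can still protect C: with a startup key or password, but only after the policy
    # "Require additional authentication at startup" allows BitLocker without a compatible TPM, and then
    # there is no boot-integrity check. Stop here instead of silently downgrading.
    throw 'TPM not present or not ready; enable and initialize it in firmware before binding BitLocker to it.'
}

$vol = Get-BitLockerVolume -MountPoint $Os
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    # Add the recovery password before the TPM becomes an unlock path, so a recovery key always exists.
    Add-BitLockerKeyProtector -MountPoint $Os -RecoveryPasswordProtector | Out-Null
    # Seal the volume master key to the TPM and start encrypting the whole volume. Add -UsedSpaceOnly
    # only on a fresh installation; a drive that has been in use should be fully encrypted.
    # -SkipHardwareTest skips the reboot that verifies the TPM can release the key; leave it out on
    # hardware you have not used BitLocker on before.
    Enable-BitLocker -MountPoint $Os -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest | Out-Null
}

# Escrow the recovery password somewhere other than this disk.
$vol = Get-BitLockerVolume -MountPoint $Os
$rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
if (-not $rp) { throw "No recovery password protector on $Os" }
# Azure AD-joined device: BackupToAAD-BitLockerKeyProtector -MountPoint $Os -KeyProtectorId $rp.KeyProtectorId
# AD DS domain member:    Backup-BitLockerKeyProtector -MountPoint $Os -KeyProtectorId $rp.KeyProtectorId
# Stand-alone machine: print it or copy it to removable media. Never leave it on C: itself.
"Recovery key ID $($rp.KeyProtectorId.Trim('{}')): $($rp.RecoveryPassword)"

# What protects the volume now, and how far encryption has progressed.
$vol.KeyProtector | Format-Table KeyProtectorType, KeyProtectorId
'{0} {1}, protection {2}, {3}% encrypted' -f $Os, $vol.VolumeStatus, $vol.ProtectionStatus, $vol.EncryptionPercentage
```

ProtectionStatus is the value to watch: a volume can report FullyEncrypted while protection is still Off (for example after Suspend-BitLocker or while the hardware test is pending), and in that state the key is stored in the clear and the disk is readable offline.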

BitLocker To Go, a feature introduced in Windows 7, allows you to encrypt the entire contents of a USB flash drive or other removable device. If it's lost or stolen, the thief will be unable to access the data without the password, smart card, or recovery key.

To apply BitLocker Drive Encryption or BitLocker To Go, right-click the drive in File Explorer and then click Turn On BitLocker. BitLocker asks how you want to unlock the encrypted drive: with a password, a smart card, or both. After you have made your selections and confirmed your intentions, the software gives you the opportunity to save and print your recovery key.

Your recovery key is a system-generated, 48-digit numeric backup password (displayed as eight groups of six digits). If you lose the password you assign to the encrypted disk, you can recover your data with the recovery key. BitLocker offers to save that key in a plain text file or to your Microsoft account, or to print it; accept one of these offers and keep the copy in a secure location that is not the drive being encrypted (BitLocker refuses to save the key there) and not the same unprotected computer. On a device joined to a domain or to Azure Active Directory, the key can also be backed up to Active Directory or Azure AD, where an administrator can retrieve it.

With all preliminaries out of the way, BitLocker begins encrypting your media. By default every sector is encrypted, so this process takes some time (minutes for a small flash drive, hours for a large hard disk) even if the disk is freshly formatted. If you are in a hurry, you can opt to encrypt only the used space on the drive, which can save a considerable amount of time if your disk contains only a small number of files. That option is appropriate for a new or freshly formatted drive; on a drive that has been in use, the unencrypted free space can still hold remnants of deleted files, so choose full encryption there.

To read a BitLocker-encrypted removable disk, you need to unlock it by using whatever method you have stipulated. If you're prompted for a password that you have lost or forgotten, click More Options and then click Enter Recovery Key. In case you have several recovery-key text files, BitLocker To Go displays the key's identification code (the first eight characters of the key protector ID, which also appears in the name of the saved text file).

Find the entry on OneDrive (onedrive.com/recoverykey) or the text file whose name matches the identification code, copy the recovery key from this text file to the BitLocker dialog box, and you'll be granted temporary access to the files, which is good until you remove the disk or restart the computer. At this point, change the password: open BitLocker Drive Encryption in the System And Security section of Control Panel and click Change Password. Because the recovery key has just been retrieved and typed in, treat it as possibly exposed too, and replace it by removing the old recovery password protector and adding a new one (with manage-bde -protectors or the BitLocker PowerShell cmdlets), then save the new key as before.

To remove BitLocker encryption from a disk, open BitLocker Drive Encryption in Control Panel and click Turn Off BitLocker. The software will decrypt the disk; allow some time for this process.
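The whole BitLocker To Go procedure above (turn on with a password, save the recovery key under its identification code, unlock with that key, change the password, and optionally turn BitLocker off), from PowerShell as an added example that is not from the book. It assumes an elevated Windows 10 Pro or Enterprise session, a removable drive at E:, and a hypothetical key folder D:\Keys on a different drive; the text file it writes imitates the layout of the wizard's file but is this example's own format:

```powershell
# Added example, not from the book. Elevated PowerShell on Windows 10 Pro/Enterprise.
# E: is the removable drive; D:\Keys is a hypothetical folder that must NOT be on the drive being encrypted.
$Drive    = 'E:'
$KeyStore = 'D:\Keys'
$TurnOffAfterwards = $false   # set to $true to also demonstrate Turn Off BitLocker at the end

# 1. Protect the drive with a password, encrypting used space only (fine for a freshly formatted drive).
#    Aes256 (CBC) rather than XtsAes256 so the drive also opens on Windows 7/8.1 and Windows 10 before 1511.
$pw = Read-Host -Prompt "Password for $Drive" -AsSecureString
Enable-BitLocker -MountPoint $Drive -PasswordProtector -Password $pw -UsedSpaceOnly -EncryptionMethod Aes256 | Out-Null

# 2. Add the 48-digit recovery password and save it to a file named by the protector's identification code,
#    the same ID the unlock dialog shows when it asks for the recovery key.
$vol = Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
$id  = $rp.KeyProtectorId.Trim('{}')
New-Item -ItemType Directory -Path $KeyStore -Force | Out-Null
$keyFile = Join-Path $KeyStore "BitLocker Recovery Key $id.txt"
@"
BitLocker Drive Encryption recovery key (file layout constructed by this example)
Identifier: $id
Recovery Key: $($rp.RecoveryPassword)
"@ | Set-Content -Path $keyFile

# 3. Wait for encryption to finish, then lock the drive and unlock it with the recovery key,
#    as you would after forgetting the password. Protector IDs are readable while the drive is locked.
while ((Get-BitLockerVolume -MountPoint $Drive).VolumeStatus -ne 'FullyEncrypted') { Start-Sleep -Seconds 5 }
Lock-BitLocker -MountPoint $Drive -ForceDismount
$lockedId = (Get-BitLockerVolume -MountPoint $Drive).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1 |
    ForEach-Object { $_.KeyProtectorId.Trim('{}') }
$line  = Get-Content -Path (Join-Path $KeyStore "BitLocker Recovery Key $lockedId.txt") | Where-Object { $_ -like 'Recovery Key: *' }
$saved = ($line -split ': ', 2)[1]
Unlock-BitLocker -MountPoint $Drive -RecoveryPassword $saved | Out-Null
if ((Get-BitLockerVolume -MountPoint $Drive).LockStatus -ne 'Unlocked') { throw "Recovery key did not unlock $Drive" }

# 4. The recovery key has been handled in the clear, so rotate the password (there is no change-password
#    cmdlet: remove the old password protector, which leaves the recovery password in place, then add a new one)
#    and replace the recovery password too.
$oldPw = (Get-BitLockerVolume -MountPoint $Drive).KeyProtector | Where-Object KeyProtectorType -eq 'Password' | Select-Object -First 1
$newPw = Read-Host -Prompt "New password for $Drive" -AsSecureString
Remove-BitLockerKeyProtector -MountPoint $Drive -KeyProtectorId $oldPw.KeyProtectorId | Out-Null
Add-BitLockerKeyProtector -MountPoint $Drive -PasswordProtector -Password $newPw | Out-Null
Remove-BitLockerKeyProtector -MountPoint $Drive -KeyProtectorId $rp.KeyProtectorId | Out-Null
Remove-Item -Path $keyFile
$vol = Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
"New recovery key ID $($rp.KeyProtectorId.Trim('{}')): $($rp.RecoveryPassword)   (save it as in step 2)"

# 5. Turn Off BitLocker: decryption runs in place and the drive stays usable meanwhile.
if ($TurnOffAfterwards) {
    Disable-BitLocker -MountPoint $Drive | Out-Null
    while ((Get-BitLockerVolume -MountPoint $Drive).VolumeStatus -ne 'FullyDecrypted') { Start-Sleep -Seconds 5 }
}
```

Step 4 is the part the Control Panel dialog does not make obvious: a recovery key that has been read out of a file and typed into a prompt should be assumed copied, so rotating only the password leaves the exposed credential valid.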
