File encryption - EFS

Hello, friends! In this article we will look at the EFS data encryption system and how you can use it to encrypt files. Data is usually encrypted to keep third parties from reading it, and Microsoft developed EFS (Encrypting File System) for exactly this purpose. It has been built into Windows since Windows 2000 and is present in every later version. Unlike BitLocker, which encrypts whole volumes, EFS lets you encrypt individual files and folders. To use it you need a Professional edition or higher; Home editions do not have it. EFS is a feature of the NTFS file system and does not work on other file systems: when you copy an encrypted file to a disk formatted with anything other than NTFS (FAT32, exFAT), the copy is written in plaintext, provided you are able to decrypt the original.

EFS encrypts information transparently to the user. That is, the user says "encrypt this folder" and everything in it is encrypted automatically; when an authorized user opens an encrypted file, it is decrypted on the fly. This is one of the advantages of EFS over a password-protected archive.

An archive is convenient, of course, but not as universal: you have to unpack it, work with the files, and remember to pack it again. On top of that, when you delete the original files after creating a password-protected archive, they are not physically erased from the disk and can be recovered with ordinary undelete tools. And that is a gap in the defense.

EFS works as follows. When a file needs to be encrypted, the system generates a random key called the FEK (File Encryption Key). The file is encrypted with this key using a symmetric algorithm (AES by default on modern Windows). Symmetric means that one and the same key, the FEK, both encrypts and decrypts the file.

The first time a user encrypts something, Windows creates a key pair for that user: a public key and a private key. The FEK is then encrypted with the user's public key using an asymmetric algorithm (RSA). Asymmetric means that data is encrypted with one key (in our case the public key) and decrypted with the other (the private key). The encrypted FEK is stored alongside the encrypted file, in the file's $EFS attribute on the NTFS volume.

The private key is itself protected with a key derived from the user's logon password (through the DPAPI mechanism), so the security of your information depends directly on the strength of that password. It is therefore recommended to use more than 8 characters, including lower and upper case letters, digits and special characters. One caveat follows from this design: if an administrator resets your password instead of you changing it, the password-derived key is gone, and with it access to your private key and to every file encrypted with it. Keep a backup of the certificate (see the Certificates section) before relying on EFS.

To decrypt data, you must log in as the user who encrypted the files. Entering the correct password unlocks the private key; the private key decrypts the FEK (File Encryption Key); and the FEK decrypts the file itself.

File encryption

You can encrypt a file as follows. Right-click the file, choose Properties from the context menu, and on the General tab, in the Attributes section, click Advanced…

In the Advanced Attributes window that opens, tick "Encrypt contents to secure data" and click OK.

Click Apply or OK in the file's Properties window. An Encryption Warning appears, recommending that you encrypt the parent folder together with the file. Choose the recommended option and click OK.

The same dialog explains why the folder should be encrypted along with the file: editing programs create temporary files, and those will not be encrypted if only the original file is. Normally temporary files are deleted, but if the program crashes or the computer loses power, the temporary file stays behind in plaintext, and that is another security hole. Therefore encrypt the file together with the folder containing it, or encrypt the whole folder with all its contents. Note also that EFS protects only the contents: file and folder names remain visible to anyone who can list the directory.

Encrypted files are shown in green in Explorer if the corresponding option is enabled in the settings.

You can check this as follows. In Explorer, click Organize on the toolbar and choose Folder and search options.

In the Folder Options window, go to the View tab and tick "Show encrypted or compressed NTFS files in color".

It is worth noting that on NTFS a file can be either encrypted or compressed (to save space), but not both at once. I doubt that anyone will bother saving space in the era of 3, 4 and 5 terabyte hard drives.

To decrypt a file, open its Advanced Attributes again and clear the "Encrypt contents to secure data" box. Simply copying or moving the file to an unencrypted folder on an NTFS disk does not decrypt it: the encrypted attribute travels with the file, so check the attribute after the copy rather than assuming.
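The same encrypt, check and decrypt steps from the command line. This is an added example, not code from the original article; it uses the built-in cipher.exe tool and the .NET File class, and the folder path and sample file are assumptions made up for the demonstration.

```powershell
# Added example (not from the original article): encrypt a folder with EFS,
# verify the Encrypted attribute on its files, then decrypt it again.
# The folder path and file contents below are constructed for the demo.
$folder = Join-Path $env:USERPROFILE 'Documents\Secret'
$file   = Join-Path $folder 'notes.txt'
New-Item -ItemType Directory -Path $folder -Force | Out-Null
Set-Content -Path $file -Value 'constructed sample content'

# Encrypt the folder and everything below it (/s), which is what Explorer does
# when you tick the box and apply it to the folder and its contents.
cipher.exe /e "/s:$folder"

# Check: every file under the folder should now carry the Encrypted attribute.
Get-ChildItem -Path $folder -Recurse -File | ForEach-Object {
    $enc = ($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0
    '{0,-60} encrypted={1}' -f $_.FullName, $enc
}

# Who can decrypt it? /c (Windows 7 and later) lists the user certificates
# the FEK has been wrapped for, plus any recovery agent.
cipher.exe /c "$file"

# A single file can also be toggled from .NET without the shell tool.
[IO.File]::Decrypt($file)
[IO.File]::Encrypt($file)

# Copying inside NTFS keeps the attribute; confirm rather than assume.
$copy = Join-Path $env:TEMP 'notes-copy.txt'
Copy-Item -Path $file -Destination $copy -Force
'copy encrypted: ' + ((Get-Item $copy).Attributes -band [IO.FileAttributes]::Encrypted -ne 0)

# Undo: decrypt the whole folder tree.
cipher.exe /d "/s:$folder"
```

On a Home edition the Encrypt call throws NotSupportedException and cipher.exe reports that the request is not supported; that is the quickest way to confirm the edition limitation mentioned above.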

To make encrypting and decrypting files more convenient, you can add the corresponding items to the Explorer context menu.

This is done by editing the registry. Open the regedit utility from the Start menu search.

Go to the key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced

and create a value

"EncryptionContextMenu"=dword:00000001

To create the value, right-click an empty space in the right pane and select New > DWORD (32-bit) Value, name it EncryptionContextMenu and set its data to 1.

It works for me despite the fact that Windows 7 is 64-bit.

Now the Encrypt and Decrypt items appear in the context menu (you may need to restart Explorer or sign in again), and encryption becomes even easier.
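The same registry change scripted, so it can be applied consistently on several machines. This is an added example rather than the article's own steps; it writes exactly the key and value named above and must run from an elevated PowerShell because the key lives under HKEY_LOCAL_MACHINE.

```powershell
# Added example (not from the original article): create the
# EncryptionContextMenu DWORD value that adds Encrypt/Decrypt to the
# Explorer context menu. Run elevated; the key is under HKLM.
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$name = 'EncryptionContextMenu'

if (-not (Test-Path $key)) {
    New-Item -Path $key -Force | Out-Null
}

# DWORD data 1 enables the menu items; -Force overwrites an existing value.
New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null

# Read back to confirm the value was written.
$written = (Get-ItemProperty -Path $key -Name $name).$name
if ($written -ne 1) {
    throw "Expected $name = 1 under $key, found '$written'"
}
"$name set to $written; restart Explorer to see the new menu items."
```

To remove the items again, delete the value with Remove-ItemProperty -Path $key -Name $name.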

Certificates

The first time you encrypt something, two keys are created: a public key and a private key. The public key encrypts the FEK, and the private key decrypts it. The public key is carried in an EFS certificate in the user's personal certificate store, and the private key is linked to that certificate. Accordingly, the certificate can be exported together with its private key (as a .pfx file protected by a password) and imported on another computer, or into a fresh user profile, to decrypt the data there. Without such a backup, reinstalling Windows or losing the profile means losing the encrypted files even though the disk itself is intact.

This is done as follows.
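The export can also be done from PowerShell. The block below is an added example, not the article's own walkthrough: it finds the certificate carrying the EFS enhanced key usage in the current user's personal store and writes it, with the private key, to a password-protected .pfx. The output path is an assumption, and Export-PfxCertificate requires Windows 8 / Server 2012 or later; the equivalent on Windows 7 is cipher.exe /x, shown in the comments.

```powershell
# Added example (not from the original article): back up the user's EFS
# certificate and private key to a .pfx so files can be decrypted elsewhere.
# The .pfx path is an assumption; the password is prompted for.
$efsOid = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage: Encrypting File System

$cert = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $efsOid) } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw 'No EFS certificate with a private key found; encrypt a file first to have one created.'
}
"EFS certificate: thumbprint $($cert.Thumbprint), valid until $($cert.NotAfter)"

$pfxPath = Join-Path $env:USERPROFILE 'efs-backup.pfx'
$pfxPwd  = Read-Host -AsSecureString -Prompt 'Password to protect the .pfx'
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPwd | Out-Null
"Exported to $pfxPath"

# Windows 7 equivalent (no Export-PfxCertificate there): cipher.exe backs up
# the EFS certificate and key and prompts for a password.
#   cipher.exe /x "$env:USERPROFILE\efs-backup"
#
# On the other computer or in the new profile:
#   Import-PfxCertificate -FilePath efs-backup.pfx -CertStoreLocation Cert:\CurrentUser\My -Password $pfxPwd
```

Keep the .pfx somewhere other than the encrypted volume it protects, and treat it like the password itself: anyone holding the file and its password can decrypt every file encrypted for that certificate.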

If you have a simpler explanation of how the EFS file encryption system works, please share it in the comments.