Protecting Against Computer Theft In Vista Part III
Another technology designed to protect data is the Encrypting File System (EFS). Files that have been protected using EFS are encrypted at the file-system level. The benefit of this is that the files can only be opened by the user with the appropriate private key and certificate. Even if you were to reinstall the operating system, the files would still be inaccessible.
To encrypt a folder, right-click the folder and select Properties. On the General tab, click the Advanced button. Select the Encrypt contents to secure data option. Click OK.
Once you complete these steps, the contents of the folder are encrypted and any files you add to the folder will automatically be encrypted. When you access a file within the folder, the contents are automatically decrypted. Any encrypted folders and files will appear “green” within Windows Explorer. This lets you easily identify what is and is not encrypted.
Note: EFS should be used in conjunction with BitLocker Drive Encryption.
There are additional settings within the local computer policy that are used for further configuring EFS. Navigate to the following container:
Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Encrypting File System
Right-click the Encrypting File System folder and click Properties. You can choose to Allow or Disallow EFS. If Not defined is selected, EFS is still allowed. If you select Allow, you can configure the additional options.
Additional EFS-related settings within the local computer policy include:
- EFS recovery policy processing: Computer Configuration > Administrative Templates > System > Group Policy – This setting determines when encryption policies are updated.
- Do not automatically encrypt files moved to encrypted folders: Computer Configuration > Administrative Templates > System – This setting determines whether Windows Explorer encrypts files that are moved into an encrypted folder.
- Encrypt the offline files cache: Computer Configuration > Administrative Templates > Network > Offline Files – This setting determines whether files in the offline files cache are encrypted.
- Allow indexing of encrypted files: Computer Configuration > Administrative Templates > Windows Components > Search – This setting determines whether encrypted items can be indexed by Windows Search.
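Because the "Do not automatically encrypt files moved to encrypted folders" setting can leave plaintext files inside a folder that appears green in Windows Explorer, it is worth checking the Encrypted attribute directly. The PowerShell script below is an added example, not part of the original article; the folder path and the function names `Test-EfsEncrypted` and `Get-EfsGaps` are hypothetical.

```powershell
# Added example: audit an EFS-protected folder for items that are not encrypted.
# The path assigned to $Root is a hypothetical placeholder; use your own folder.

function Test-EfsEncrypted {
    param([System.IO.FileSystemInfo]$Item)
    # NTFS sets the Encrypted attribute bit on EFS-protected files and folders.
    return (($Item.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0)
}

function Get-EfsGaps {
    param([string]$Root)

    $rootItem = Get-Item -LiteralPath $Root -Force
    if (-not $rootItem.PSIsContainer) {
        throw "$Root is not a folder."
    }
    if (-not (Test-EfsEncrypted $rootItem)) {
        # Without the attribute on the folder, newly created files are not encrypted.
        Write-Warning "$Root itself is not marked for encryption."
    }

    # Walk the tree (including hidden items) and keep anything whose
    # Encrypted bit is clear, e.g. files moved in while auto-encryption was off.
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not (Test-EfsEncrypted $_) } |
        Select-Object FullName,
            @{ Name = 'Type'; Expression = { if ($_.PSIsContainer) { 'Folder' } else { 'File' } } },
            LastWriteTime
}

$Root = 'C:\Users\Public\Documents\Confidential'   # hypothetical folder
$gaps = @(Get-EfsGaps -Root $Root)

if ($gaps.Count -eq 0) {
    Write-Output "All items under $Root carry the Encrypted attribute."
} else {
    Write-Output "$($gaps.Count) item(s) under $Root are NOT encrypted:"
    $gaps | Format-Table -AutoSize
}
```

Any item the script lists can be encrypted by repeating the Properties > Advanced > Encrypt contents to secure data steps on it.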





