Encrypting and decrypting data with Encrypting File System

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2


You can use Encrypting File System (EFS) to:

  • Encrypt data

  • Access encrypted data

  • Copy, move or rename encrypted data

  • Decrypt data

Encrypting data

The default configuration of the Encrypting File System (EFS) requires no administrative effort--users can begin encrypting files immediately. EFS automatically generates an encryption key pair for a user if one does not exist.

EFS can use either the expanded Data Encryption Standard (DESX) or Triple-DES (3DES) as the encryption algorithm.

Encryption services are available from Windows Explorer. Users can also encrypt a file or folder using the command-line tool cipher. For more information about the cipher command, type cipher /? at a command prompt.

Users encrypt a file or folder by setting its encryption property, just as they set any other attribute, such as read-only, compressed, or hidden. If a user encrypts a folder, all files and subfolders created in or added to the encrypted folder are automatically encrypted. It is recommended that users encrypt at the folder level.

Files or folders that are compressed cannot also be encrypted. If the user marks a compressed file or folder for encryption, that file or folder will be uncompressed. Also, folders that are marked for encryption are not actually encrypted. Only the files within the folder are encrypted, as well as any new files created or moved into the folder.

Accessing encrypted data

Users access encrypted files just as they do unencrypted files. Thus, when a user accesses an encrypted file that is stored on disk, the user is able to read the contents of the file in the normal way. When the user stores the file on disk again, EFS transparently encrypts the file again.

Copying, moving or renaming encrypted data

Copying or moving unencrypted files into an encrypted folder will automatically encrypt those files in the new folder. However, the reverse operation will not automatically decrypt files. Files retain their encrypted property until explicitly decrypted or moved to a non-NTFS volume. Similarly, renaming an encrypted file does not alter its encrypted status.

Decrypting data

You can decrypt a file by clearing the Encryption check box in the file's Properties dialog box. Once decrypted, the file remains decrypted until you encrypt the file again. There is no automatic re-encryption of a file, even if it exists in a directory marked as encrypted.

Users can decrypt a file by either clearing the Encryption check box on the file's Properties dialog box, or using the cipher command.
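The behaviour described in the sections above (marking a folder, automatic encryption of new files, the encrypted property surviving a move, compression being cleared by encryption, and explicit decryption with cipher) can be checked from PowerShell by reading the NTFS Encrypted attribute. This is an added example, not part of the original article; it assumes an NTFS volume, a user able to use EFS, and uses a constructed folder under the temp directory.

```powershell
# Added example: exercises EFS with cipher.exe and reads back the NTFS attributes.
# Assumes an NTFS volume; all paths below are constructed for this demo.
$root   = Join-Path $env:TEMP 'efs-demo'
$secure = Join-Path $root 'secure'      # folder that will be marked for encryption
$plain  = Join-Path $root 'plain'       # ordinary, unencrypted folder
New-Item -ItemType Directory -Force -Path $secure, $plain | Out-Null

# True when the Encrypted attribute is set on a file or folder.
function Test-EfsEncrypted([string]$Path) {
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    return ($attrs -band [IO.FileAttributes]::Encrypted) -ne 0
}

# 1. Mark the folder (equivalent to ticking the Encryption check box).
#    The folder only carries the attribute; the files inside are what get encrypted.
cipher /E $secure | Out-Null
"folder marked for encryption: $(Test-EfsEncrypted $secure)"

# 2. A file created inside the marked folder is encrypted automatically.
$doc = Join-Path $secure 'notes.txt'
Set-Content -LiteralPath $doc -Value 'constructed sample text'
"new file encrypted: $(Test-EfsEncrypted $doc)"

# 3. Moving the file to an unencrypted NTFS folder does NOT decrypt it.
$moved = Join-Path $plain 'notes.txt'
Move-Item -LiteralPath $doc -Destination $moved
"still encrypted after move: $(Test-EfsEncrypted $moved)"

# 4. Compression and encryption are mutually exclusive: encrypting a compressed
#    file clears its Compressed attribute (/A makes cipher act on a file).
$zipped = Join-Path $plain 'report.txt'
Set-Content -LiteralPath $zipped -Value 'constructed sample text'
compact /C $zipped | Out-Null
cipher /E /A $zipped | Out-Null
$attrs = (Get-Item -LiteralPath $zipped).Attributes
"still compressed after encrypt: $(($attrs -band [IO.FileAttributes]::Compressed) -ne 0)"

# 5. Explicit decryption with cipher /D; the file stays decrypted until re-encrypted.
cipher /D /A $moved | Out-Null
"decrypted: $(-not (Test-EfsEncrypted $moved))"
```

Expected on a working EFS setup: steps 1 to 3 and 5 report True and step 4 reports False; a False in step 2 usually means the user has no usable EFS certificate or the volume is not NTFS.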