If you encrypt files and folders in Windows, your data will become unreadable to unauthorized parties. Only someone with the correct password, or decryption key, can make the data readable again. This article will explain several methods you can use to encrypt your data in Windows 11, 10, 8 or 7.
To encrypt files and folders in Windows, you can use the following:
- BitLocker is the preferred and most secure method, but it will not allow you to easily select and encrypt individual files and folders (you can do this by creating an encrypted file container using VHD.) Note that BitLocker encryption is not available for the Windows Home editions.
- Encrypting File System (EFS) is the alternative, but is not recommended for super-sensitive data. Again, this is only available on Professional, Enterprise and Education editions of Windows.
- The third option to encrypt files and folders in Windows is to use third-party software. This is the only option for users with the Windows Home edition.
Tip: Alternatively, if all you are concerned about is avoiding somebody snooping at home, you can encrypt or password-protect individual MS Word or MS Excel files quickly from within documents. ComputerHope shows you how.
See also: How to encrypt email
Research by Flashpoint found that 6.2 billion data records were stolen between January and September 2023. However, earlier research from Gemalto has shown that less than five percent of breaches involved encrypted data.
According to our own research into encryption statistics, some 60% of surveyed organizations transfer sensitive files to the cloud regardless of whether they are encrypted or otherwise made unreadable.
Before you start to encrypt files and folders in Windows
Keep the following information in mind before you encrypt your data in Windows:
Encrypted files are not completely resistant to hacks
Encrypted files are not 100 percent secure. Hackers can (albeit with difficulty) bypass encryption. You’re at risk if you store cryptographic keys and passwords in an unencrypted file or if a hacker has planted a keylogger on your system.
Keyloggers can be installed by malware on your computer. If you encrypt a single file with EFS, your computer will store an unencrypted version of that file in its temporary memory, so a hacker may still be able to access it. If your data is really valuable, consider a paid, expert, cloud encryption solution.
Always make unencrypted backups of your files in case you lose your passwords. Store them in a safe physical location. This will ensure you can easily retrieve them should your entire system become compromised.
Understand your encryption needs
Decide exactly what you want/need to encrypt. This will determine what encryption method you use. Scroll down to the “To encrypt or not to encrypt files and folders in Windows?” section for more on this.
Be aware of EFS limitations
An EFS encrypted file loses its encryption if you move it to a Fat 32 or exFAT drive, or transmit it via a network or email. EFS also does not protect files from being deleted unless you have used Windows permissions to protect it. You cannot encrypt a compressed file or folder with EFS; you need to extract the contents first.
How does Windows encrypt files and folders?
BitLocker encrypts an entire volume on your hard drive (or a removable device), no matter who is logged in. To unlock a drive that is protected with BitLocker, anyone wanting access must enter a password or use a USB drive that unlocks the PC when it is inserted.
BitLocker uses trusted platform module (TPM) hardware. A TPM chip enables your device to support advanced security features. For instance, when encryption is only at the software level, access may be vulnerable to dictionary attacks.
Because TPM is at the hardware level, it can protect against guessing or automated dictionary attacks. You can use BitLocker without a TPM chip by using software-based encryption, but it requires some extra steps for additional authentication.
To check if your device has a TPM chip:
- Press the Windows key + X on your keyboard and select Device Manager.
- Expand Security devices.
- If you have a TPM chip, one of the items should read Trusted Platform Module with the version number.
BitLocker is available on:
- Windows Vista and Windows 7: Enterprise and Ultimate editions
- Windows 8 and 8.1: Pro and Enterprise editions
- Windows 10: Pro, Enterprise, and Education editions
- Windows Server 2008 and later
- Windows 11: Pro, Enterprise and Education editions
Note: BitLocker is not available for Windows Home editions.
Encrypting File System (EFS)
EFS is the Windows built-in encryption tool used to encrypt files and folders on NTFS drives. Any individual or app that does not have the key cannot open encrypted files and folders.
Rather than encrypting your entire drive, EFS allows you manually to encrypt individual files and directories. It works by making encrypted files available only if the user who encrypted the files is logged in. Windows creates the encryption key, which is itself encrypted and saved locally. The encryption process is easy but not very secure (it is possible, although difficult, for an attacker to hack the key.) It is also advisable to use a strong login password that other users of your PC cannot guess.
- Only available on Professional, Enterprise and Education editions of Windows
Some experts advise to just use BitLocker as it is more secure. However, it does depend on your personal circumstances. For home users, EFS may well be sufficient protection from nosy family members.
Let’s take a look at how to encrypt files and folders in Windows 10, 8, or 7 step-by-step. Windows Home editions do not ship with EFS or BitLocker. You will have to upgrade or use a third-party app to encrypt your data. For other editors of Windows, the basic process is the same; it is just the look-and-feel of the interface that is a bit different.
Note: To encrypt your files and folders, you need to be comfortable navigating your OS, e.g. know how to access the Control Panel. You’ll also need to be using either the Professional, Enterprise or Education editions of Windows.
How to encrypt files and folders in Windows 11, 10, 8, or 7
To encrypt a file or folder:
- In Windows Explorer, right-click on the file or folder you wish to encrypt.
- From the context-menu, select Properties.
- Click on the Advanced button at the bottom of the dialogue box.
- In the Advanced Attributes dialogue box, under Compress or Encrypt Attributes, check Encrypt contents to secure data.
- Click OK.
- Click Apply.
- If you selected a folder to encrypt, a Confirm Attribute Change dialogue box will be displayed asking if you want to encrypt everything in the folder. Select Apply change to this folder only or Apply changes to this folder, subfolders and files, and click OK.
- Click on the Back up your file encryption key pop-up message. If the message disappears before you can click it, you can find it in the Notification Area for your OS.
- Ensure you have a USB flash drive plugged into your PC.
- Click Back up now (recommended).
- Click Next to continue.
- Click Next to create your certificate.
- Accept the default file format to export and click Next.
- Check the Password: box, enter your password twice, and click Next.
- Navigate to your USB drive, type a name for the certificate and key you want to export, and click Save. The file will be saved with a .pfx extension.
- Click Next, Finish, and then OK.
- Eject your USB drive and put it somewhere safe.
To decrypt a file or folder:
- Follow the first six steps above, but uncheck the Encrypt contents to secure data box in Step 4.
You can choose to unlock your drive during startup by inserting a USB flash drive or entering a password. The process to encrypt an entire hard drive is time-consuming. Depending on the amount of data you have stored, it can take a long time, so make sure your computer is connected to an uninterrupted power supply for the duration. You will need to reboot for changes to take effect but you can work while the drive is being encrypted.
To set up BitLocker:
- Go to the Control Panel.
- Click System and Security.
- Click BitLocker Drive Encryption.
- Under BitLocker Drive Encryption, click Turn on BitLocker.
- Select Enter a password or Insert a USB flash drive. If you have chosen to use a USB flash drive as a trigger to unlock your drive, you can choose to do this with a password or smart card. In this example, we will use a password.
- Enter a password and confirm it, and then click Next.
- Select how to save a recovery key to regain access to your drive in case you forget your password (e.g. on a USB flash drive or to your Microsoft account), and click Next.
- Select an encryption option: Encrypt used disk space only (faster) or Encrypt entire drive (slower), and click Next.
- Choose from two more encryption options: New encryption mode (best for fixed drives) or Compatible mode (best for removable devices), and click Next.
- Check Run BitLocker system check, which ensures that the recovery and encryption keys will work, and click Continue.
- Last, verify that BitLocker is turned on. To do this, go to My PC in Windows Explorer and check for a Lock icon displayed next to the drive.
To disable or suspend BitLocker:
- Press the Windows key + E to open Windows Explorer.
- Click This PC.
- Right-click the encrypted drive and select Manage BitLocker.
- For each drive or partition encrypted, you can select to suspend BitLocker or completely disable it. Select the option you want and follow the wizard.
Third-party software to encrypt files and folders in Windows
See the section on 5 free encryption apps for Windows you can use with Home editions below.
Troubleshooting: Encrypt contents to secure data option is grayed out [Solved]
The most common problem with some Windows editions is that sometimes when attempting EFS encryption, the Encrypt contents to secure data option is grayed out. This is typically because you’re using a Home edition of Windows. You’ll need to upgrade to the Pro or Enterprise edition to use the Encrypting File System. Alternatively, you can use third-party software to encrypt your files.
Here are some suggestions you can try to solve the problem in other versions:
- Scan for and fix any corrupted files on your computer, and ensure your user account has not been compromised.
- Windows 10: Enable EFS using Windows Registry or the Command Line.
- Windows 11: Enable EFS using Windows Registry or by restarting the service
- All versions: Enable the EFS service.
- If you have the Compress contents to save disk space option checked, the Encrypt contents to save data option will be automatically grayed out so you need to uncheck the former.
Note: Ensure you back up your files and registry before attempting these fixes.
5 free encryption apps for Windows you can use with Home editions
AxCrypt Free 2.1 for Windows is, as it’s name suggests, free. The software changes the file extension to a .AXX suffix, and the file can only be opened with AxCrypt if you provide the password used to encrypt it. The software is very intuitive to use and is invoked from its own sub-menu in Windows Explorer.
- Double-click to edit/view with any application
- Automatic re-encryption after modification
- Absolutely no user configuration necessary (or possible) before use
- Open source under GNU General Public License
- Extensive command-line interface for scripting and programming
Free file archiver with a high compression ratio and strong AES-256 encryption in 7z and ZIP formats.
Note: In Windows 7 and Windows Vista you must run 7-Zip File Manager in administrator mode. To do this, right-click the 7-Zip File Manager icon and then click Run as administrator.
- Self-extracting capability for 7z format
- Integration with Windows Shell
- Powerful File Manager
- Powerful command line version
Cannot encrypt single files but it can protect partitions or entire drives. Veracrypt is a fork of its popular predecessor, TrueCrypt which is no longer maintained but still widely used.
- Encrypts an entire partition or storage device such as a USB flash drive or hard drive
- Encrypts a partition or drive where Windows is installed (pre-boot authentication)
- Encryption is automatic, real-time (on-the-fly) and transparent
- Provides plausible deniability in case an attacker forces you to reveal the password: Hidden volume (steganography) and hidden operating system
GnuPG is a complete and free implementation of the OpenPGP standard that allows you to encrypt and sign your data.
- A versatile key management system
- Access modules for all kinds of public key directories
- Command line tool includes features for easy integration with other applications
- A wealth of frontend applications and libraries
- Provides support for S/MIME and Secure Shell (ssh)
If you do not want to use third-party software, an interesting alternative from Laptop Mag is to create a FolderLocker to password-protect Windows 10 folders. It is rather a drawn-out process initially but once you have set up a FolderLocker, you can easily drag and drop files into it. The writer warns, “…yes, the FolderLocker file can be reverse engineered by someone who understands the process, but this isn’t meant to keep tech-savvy folks out, just nosy family members who you don’t trust.”
To encrypt or not to encrypt files and folders in Windows?
If you have files and/or folders on your computer that contain sensitive information, it is a good idea to use encryption to keep this information from prying eyes. Encryption will also make it difficult, if not impossible, for hackers to access this data if it falls into the wrong hands.
No encryption is 100 percent un-crackable, but trying to do so is often just not worth the effort or within the means of criminals. However, if you use your computer for work or other people have their own accounts on your machine, your data is vulnerable. Good security and encryption practices can help safeguard it.
Encrypt files and folders in Windows that include the following data:
- Tax invoices
- Password lists – Store passwords and pins on a separate device or use a password manager like LastPass, DashLane, or TrueKey (only allows you to store up to 15 passwords)
- Bank information
- Personally Identifiable Information (PII)
- Privileged employer information
- Intellectual property
If you do not want certain information to appear on the internet or would shred it if it were a hard copy, chances are those files or folders should be encrypted.
Be warned: The FBI and NSA can require U.S. companies to hand over data or encryption keys with a court order. If you have encrypted files that may contain illegal data or provide information to help law enforcement agencies to investigate a crime, the law can legally compel you to decrypt them yourself. Whether you do so, of course, is up to you. In 2020, a man was released by the US Court of Appeals having spent the previous five years in custody for refusing to decrypt two of his hard drives.