If you encrypt files and folders in Windows, your data will become unreadable to unauthorized parties. Only someone with the correct password, or decryption key, can make the data readable again. This article will explain several methods Windows users can utilize to encrypt their devices and the data stored on them.
To encrypt files and folders in Windows, you can utilize two main built-in encryption capabilities. BitLocker is the preferred and most secure method, but it will not allow you easily to select and encrypt individual files and folders (you can do this by creating an encrypted file container using VHD.) Encrypting File System (EFS) is the alternative, but is not recommended for super-sensitive data. The third option to encrypt files and folders in Windows is to use third-party software; for Microsoft OS editions like Windows 10 Home, it is the only option.
Tip: Alternatively, if all you are concerned about is avoiding somebody snooping at home, you can encrypt or password-protect individual MS Word or MS Excel files quickly from within documents. ComputerHope shows you how.
Also see: How to encrypt email
Encryption trends for enterprises
Research by Gemalto found that 1,901,866,611 data records were breached in the first half of 2017, but less than 5 percent of breaches involved encrypted data.
The “2018 Global Encryption Trends Study” (paywall), sponsored by Thales, indicates that over the past 13 years there has been a steady increase in organizations with an encryption strategy applied consistently across the entire enterprise. In 2017, the figure was 43 percent.
Before you start to encrypt files and folders in Windows
- Encrypted files are not 100 percent secure. Hackers can, albeit with difficulty, bypass encryption. You’re at risk if you store cryptographic keys and passwords in an unencrypted file or if a hacker has planted a keylogger on your system. Keyloggers can be installed by malware on your computer. If you encrypt a single file with EFS, your computer will store an unencrypted version of that file in its temporary memory, so a hacker may still be able to access it. If your data is really valuable, consider a paid, expert, cloud encryption solution.
- Always make unencrypted backups of your files in case you lose your passwords. Store them in a safe physical location, preferably offline.
- Decide exactly what you want/need to encrypt. This will determine what encryption method you use. Read To encrypt or not to encrypt files and folders in Windows? below.
- An EFS encrypted file loses its encryption if you move it to a Fat 32 or exFAT drive, or transmit it via a network or email. EFS also does not protect files from being deleted unless you have used Windows permissions to protect it. You cannot encrypt a compressed file or folder with EFS; you need to extract the contents first.
How does Windows encrypt files and folders?
BitLocker encrypts an entire volume on your hard drive (or a removable device), no matter who is logged in. To unlock a drive that is protected with BitLocker, anyone wanting access must enter a password or use a USB drive that unlocks the PC when it is inserted.
BitLocker uses trusted platform module (TPM) hardware. A TPM chip enables your device to support advanced security features. For instance, when encryption is only at the software level, access may be vulnerable to dictionary attacks. Because TPM is at the hardware level, it can protect against guessing or automated dictionary attacks. (You can use BitLocker without a TPM chip by using software-based encryption, but it requires some extra steps for additional authentication.)
To check if your device has a TPM chip:
- Press the Windows key + X on your keyboard and select Device Manager.
- Expand Security devices.
- If you have a TPM chip, one of the items should read Trusted Platform Module with the version number.
BitLocker is available on:
- Windows Vista and Windows 7: Enterprise and Ultimate editions
- Windows 8 and 8.1: Pro and Enterprise editions
- Windows 10: Pro, Enterprise, and Education editions
- Windows Server 2008 and later
Note: BitLocker is not available for Windows Home editions.
Encrypting File System (EFS)
EFS is the Windows built-in encryption tool used to encrypt files and folders on NTFS drives. Any individual or app that does not have the key cannot open encrypted files and folders.
Rather than encrypting your entire drive, EFS allows you manually to encrypt individual files and directories. It works by making encrypted files available only if the user who encrypted the files is logged in. Windows creates the encryption key, which is itself encrypted and saved locally. The encryption process is easy but not very secure (it is possible, although difficult, for an attacker to hack the key.) It is also advisable to use a strong login password that other users of your PC cannot guess.
- Only available on Professional, Enterprise and Education editions of Windows
Some experts advise to just use BitLocker as it is more secure. However, it does depend on your personal circumstances. For home users, EFS may well be sufficient protection from nosy family members.
Let’s take a look at how to encrypt files and folders in Windows 10, 8, or 7 step-by-step. Windows Home editions do not ship with EFS or BitBlocker. You will have to upgrade or use a third-party app to encrypt your data. For other editors of Windows, the basic process is the same; it is just the look-and-feel of the interface that is a bit different.
Note: To encrypt your files and folders, you need to be comfortable navigating your OS, e.g. know how to access the Control Panel.
How to encrypt files and folders in Windows 10, 8, or 7
To encrypt a file or folder:
- In Windows Explorer, right-click on the file or folder you wish to encrypt.
- From the context-menu, select Properties.
- Click on the Advanced button at the bottom of the dialogue box.
- In the Advanced Attributes dialogue box, under Compress or Encrypt Attributes, check Encrypt contents to secure data.
- Click OK.
- Click Apply.
- If you selected a folder to encrypt, a Confirm Attribute Change dialogue box will be displayed asking if you want to encrypt everything in the folder. Select Apply change to this folder only or Apply changes to this folder, subfolders and files, and click OK.
- Click on the Back up your file encryption key pop-up message. If the message disappears before you can click it, you can find it in the Notification Area for your OS.
- Ensure you have a USB flash drive plugged into your PC.
- Click Back up now (recommended).
- Click Next to continue.
- Click Next to create your certificate.
- Accept the default file format to export and click Next.
- Check the Password: box, enter your password twice, and click Next.
- Navigate to your USB drive, type a name for the certificate and key you want to export, and click Save. The file will be saved with a .pfx extension.
- Click Next, Finish, and then OK.
- Eject your USB drive and put it somewhere safe.
To decrypt a file or folder:
- Follow the first six steps above, but uncheck the Encrypt contents to secure data box in Step 4.
You can choose to unlock your drive during startup by inserting a USB flash drive or entering a password. The process to encrypt an entire hard drive is time-consuming. Depending on the amount of data you have stored, it can take a long time, so make sure your computer is connected to an uninterrupted power supply for the duration. You will need to reboot for changes to take effect but you can work while the drive is being encrypted.
To set up Bitlocker:
- Go to the Control Panel.
- Click System and Security.
- Click BitLocker Drive Encryption.
- Under BitLocker Drive Encryption, click Turn on BitLocker.
- Select Enter a password or Insert a USB flash drive. If you have chosen to use a USB flash drive as a trigger to unlock your drive, you can choose to do this with a password or smart card. In this example, we will use a password.
- Enter a password and confirm it, and then click Next.
- Select how to save a recovery key to regain access to your drive in case you forget your password (e.g. on a USB flash drive or to your Microsoft account), and click Next.
- Select an encryption option: Encrypt used disk space only (faster) or Encrypt entire drive (slower), and click Next.
- Choose from two more encryption options: New encryption mode (best for fixed drives) or Compatible mode (best for removable devices), and click Next.
- Check Run BitLocker system check, which ensures that the recovery and encryption keys will work, and click Continue.
- Last, verify that BitLocker is turned on. To do this, go to My PC in Windows Explorer and check for a Lock icon displayed next to the drive.
To disable or suspend BitLocker:
- Press the Windows key + E to open Windows Explorer.
- Click This PC.
- Right-click the encrypted drive and select Manage BitLocker.
- For each drive or partition encrypted, you can select to suspend BitLocker or completely disable it. Select the option you want and follow the wizard.
Third-party software to encrypt files and folders in Windows
See the section on 5 free encryption apps for Windows you can use with Home editions below.
Troubleshooting: Encrypt contents to secure data option is grayed out [Solved]
The most common problem with some Windows editions is that sometimes when attempting EFS encryption, the Encrypt contents to secure data option is grayed out. If you are running a Windows OS Home edition, your only options are to upgrade to a Pro or Enterprise edition or use third-party software to encrypt your files.
Here are some suggestions you can try to solve the problem in other versions:
- Scan for and fix any corrupted files on your computer, and ensure your user account has not been compromised.
- Windows 10: Enable EFS using Windows Registry or the Command Line.
- Windows 8: Enable EFS using Windows Registry or by restarting the service
- All versions: Enable the EFS service.
- If you have the Compress contents to save disk space option checked, the Encrypt contents to save data option will be automatically grayed out so you need to uncheck the former.
Note: Ensure you back up your files and registry before attempting these fixes.
5 free encryption apps for Windows you can use with Home editions
Changes the file extension to a .AXX suffix, and the file can only be opened with AxCrypt if you provide the password used to encrypt it. The software is very intuitive to use and is invoked from its own sub-menu in Windows Explorer.
- Double-click to edit/view with any application
- Automatic re-encryption after modification
- Absolutely no user configuration necessary (or possible) before use
- Open source under GNU General Public License
- Extensive command-line interface for scripting and programming
Free file archiver with a high compression ratio and strong AES-256 encryption in 7z and ZIP formats.
Note: In Windows 7 and Windows Vista you must run 7-Zip File Manager in administrator mode. To do this, right-click the 7-Zip File Manager icon and then click Run as administrator.
- Self-extracting capability for 7z format
- Integration with Windows Shell
- Powerful File Manager
- Powerful command line version
Cannot encrypt single files but it can protect partitions or entire drives. Veracrypt is a fork of its popular predecessor, TrueCrypt which is no longer maintained but still widely used.
- Encrypts an entire partition or storage device such as a USB flash drive or hard drive
- Encrypts a partition or drive where Windows is installed (pre-boot authentication)
- Encryption is automatic, real-time(on-the-fly) and transparent
- Provides plausible deniability in case an attacker forces you to reveal the password: Hidden volume (steganography) and hidden operating system
GnuPG is a complete and free implementation of the OpenPGP standard that allows you to encrypt and sign your data.
- A versatile key management system
- Access modules for all kinds of public key directories
- Command line tool includes features for easy integration with other applications
- A wealth of frontend applications and libraries
- Provides support for S/MIME and Secure Shell (ssh)
If you do not want to use third-party software, an interesting alternative from Laptop Mag is to create a FolderLocker to password-protect Windows 10 folders. It is rather a drawn-out process initially but once you have set up a FolderLocker, you can easily drag and drop files into it. The writer warns, “…yes, the FolderLocker file can be reverse engineered by someone who understands the process, but this isn’t meant to keep tech-savvy folks out, just nosy family members who you don’t trust.”
To encrypt or not to encrypt files and folders in Windows?
If you have files and/or folders on your computer that contain sensitive information, it is a good idea to use encryption to keep this information from prying eyes. Encryption will also make it difficult, if not impossible, for hackers to access this data if it falls into the wrong hands. No encryption is 100 percent un-crackable, but unless you’re the Bank of America, trying to do so is often just not worth the effort or within the means of criminals. However, if you use your computer for work or other people have their own accounts on your machine, your data is vulnerable. Good security and encryption practices can help safeguard it.
Encrypt files and folders in Windows that include the following data:
- Tax invoices
- Password lists – Store passwords and pins on a separate device or use a password manager like LastPass, DashLane, or TrueKey (only allows you to store up to 15 passwords)
- Bank information
- Personally Identifiable Information (PII)
- Privileged employer information
- Intellectual property
If you do not want certain information to appear on the internet or would shred it if it were a hard copy, chances are those files or folders should be encrypted.
Be warned: The FBI and NSA can require U.S. companies to hand over data or encryption keys with a court order. If you have encrypted files that may contain illegal data or provide information to help law enforcement agencies to investigate a crime, the law can force you to decrypt them yourself. Reported by ITGS news, “(In 2016) a court ordered Paytsar Bkhchadzhyan from Los Angeles to unlock her iPhone device using her fingerprint. As iPhone storage is encrypted and the device was locked with Apple’s Touch ID, this was the only way for police to access the data […] Bkhchadzhyan’s defence claimed a 5th Amendment protection, but this was overruled by the court.“