Operating system security

Encrypted file system (EFS) in windows 10

Greg Belding
April 29, 2020 by
Greg Belding

Everybody is talking about information security these days because it literally impacts anyone who uses (relatively) modern electronic devices. Of the many ideas to bolster information security, encryption is a recommended measure according to any security expert. 

Encryption is a strong information privacy safeguard, supports information integrity, and can even help you avoid regulatory fines if you are in a heavily regulated industry. Windows has kept up with this trend and offers users a couple different options for information encryption. Among these options in Windows 10 is Encrypted File System (EFS). 

Learn Windows 10 Host Security

Learn Windows 10 Host Security

Build your Windows skills with 13 courses covering Windows registry, services, processes, toolset and more.

This article will detail EFS in Windows 10 and will explore what it is. We’ll look at the File Encryption Key, EFS versus BitLocker, as well as how to enable EFS, how to back up your File Encryption Key and how to decrypt files.

A little about EFS

EFS is a file encryption service offered in Windows 10 and all previous versions of Windows going back to Windows 2000. Referred to as a cousin to BitLocker, EFS offers some notable functionality over BitLocker, but more on this later. EFS is a quick way to encrypt files and folders and is especially useful when these files are stored on a Windows 10 system with multiple users. This is because EFS is connected to the user, not machine, so multiple users could have their files encrypted without risking the other users gaining access. 

EFS takes an incremental approach to encryption. This means that it has the ability to encrypt individual files and folders and is not performed at the drive level. This offers greater user choice than other encryption methods.

This encryption method is a fast, reliable way to encrypt on Windows 10 systems. Despite this fact, it is not without its security drawbacks. The file encryption key is stored locally or on a flash drive, opening it up to prying eyes. Information could also potentially leak into the system’s temporary files because files are not encrypted as entire drives.

File encryption key

Windows 10’s EFS uses symmetric key encryption with a symmetric algorithm called DESX. Symmetric encryption. This symmetric key encryption is made up of two components — the file encryption key (FEK) and public key technology. 

When a file or folder is encrypted, the FEK is stored in the encrypted file’s header and the public key is stored with the user. This symmetric encryption gives EFS a distinct time advantage over its asymmetric counterpart by encrypting files a thousand times faster. Backing up your key is strongly advised and can even give you access to your encrypted files should you ever lose access to the user account. 

EFS versus BitLocker

There are some notable differences between these two encryption features in Windows 10. EFS has the capability to perform a more granular encryption than BitLocker, where EFS can encrypt individual files and BitLocker can only encrypt entire drives.

EFS is not as security-minded as BitLocker, mainly because with EFS the public key is attached to the user and encrypted information may leak into the system’s temporary files. If you want to encrypt individual files and are short on time (remember, a thousand times faster), EFS is a smart choice.

How to use EFS

To encrypt files, you need to enable EFS on the files you want to encrypt. Interestingly, enabling EFS is all you have to do to encrypt the file. To do this:

  1. From File Explorer, click on the file or folder you want to encrypt
  2. Right-click on this file or folder
  3. Select Properties
  4. Click Advanced
  5. Click on the check box for Encrypt contents to secure data
  6. Click OK
  7. Click Apply
  8. You will now be faced with a window asking if you want to encrypt the selected folder or the folder, subfolder and its files
  9. Click on the selection of your choice and then click OK
  10. This file will be encrypted with EFS shortly

Backup file encryption key 

As mentioned earlier, backing up your FEK is a recommended. To back up your FEK, first plug your USB drive into your Windows 10 system. Then:

After enabling EFS, you will notice a padlock icon in your system tray. Double-click on this icon. The point of this icon is to be your reminder to back up your FEK.

  1. Click on Backup Now
  2. Click next
  3. Click next
  4. You will notice a checkbox next to “password.” Click this checkbox
  5. Enter your password in the first password field
  6. Enter this same password in the “Confirm password” field
  7. Click Next
  8. Click Browse and then click on the USB drive you plugged in
  9. Click in the “File name” field and enter the filename for the password
  10. Click Save
  11. Click Next
  12. Click Finish
  13. Click OK

Your File Encryption Key is now backed up.

How to decrypt

For many encryption solutions, decryption is a time-consuming process. Luckily, this process is as easy as unchecking a checkbox. 

To decrypt, simply right-click on the encrypted file and select properties and then click on Advanced. Click on the check box you checked to encrypt the file and you will see that the checkbox is unchecked. This is all you have to do to decrypt the file for the folder.


Encrypted File System is an option for file and folder encryption for Windows 10 users. This is a good option for those that want to encrypt individual files and folders and also for those who are looking for a quick solution for encryption. Those looking for the most security-minded encryption solution will likely want to choose another encryption option as EFS is not the best encryption option from a security perspective.

Learn Windows 10 Host Security

Learn Windows 10 Host Security

Build your Windows skills with 13 courses covering Windows registry, services, processes, toolset and more.


Greg Belding
Greg Belding

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.