File Level Encryption (Windows 10 Pro-only)


Why do I need to encrypt my data?

Many people and organizations unfortunately put protecting their data on the back-burner. Although you can put a password on your computer, Windows passwords are still infamously easy to access, especially if you share a PC with a co-worker or anyone else. There is often very little done to keep co-workers from accessing confidential information. One method of protecting confidential information is by encrypting data.

Encryption is the process of coding data into a different and undecipherable form. It is essentially translated into gibberish so that no human can look at encrypted data and figure out what it means just by reading it. There are a few different methods of encryption. For example, there is hardware-level encryption, or whole drive encryption. In this article, we will talk about encrypting individual files and directories, and the easiest way to do this is by utilizing an encrypting file system (EFS).

What is EFS?

When a user clicks ok, EFS uses standard public key cryptography to encrypt the file, generating a key called an SDK. This key itself is encrypted as well with a public key unique to the user. So when the user tries to access the file or folder, it is decrypted with users’ private key. This process is done automatically, and the user will not be prompted for keys/passwords if the user is logged into the account the encryption tied to. This will make it difficult for other users on the same computer to browse files.

On Windows 10 Pro Edition, EFS is easily achievable by simply right clicking on File > Properties > Advance > Encrypt.

Having EFS doesn’t mean there is no longer a need for strong passwords. If the user sets a weak password, it can still make it easier for an attacker to log into an unauthorized account. More importantly, a weak password can also weaken the encryption on the files. Cryptographic keys that Windows generates for encryption purposes are based on the user’s password. If your business does not want all of their data to be accessible with just a single login, then your business might need to look for a third-party encryption tool. Usually these tools do not work as passively as EFS, but they will provide your business with another layer of security. Though these encryption tools will not be tied to user logins, they still offer options such as stronger encryption algorithms or the ability to create hidden virtual drives. These steps make it even harder for attackers to uncover important data.

The best method to secure individual private files is to combine EFS with hardware-based whole disk encryption to ward off different types of cyberattacks. Additionally, if you plan to take important files on business trips, use an encrypted USB flash drive. Some USB flash drives erase their data contents after ten failed password attempts and automatically install antivirus upgrades. Encrypted USB flash drives are used in a wide variety of settings, from personal use to confidential government scenarios, so there is sure to be one that can meet your business needs.


Right click on the folder or file you wish to encrypt. Go to “Properties,” and click “Advanced.” Select the check mark next to “Encrypt contents to secure data.” In the new window, you will have two options.

  1. Apply changes to this folder only, which means ONLY the selected folder will be encrypted.
  2. Apply changes to this folder, subfolders, and files, which means everything within the selected file is encrypted.


If EFS is disabled, please take the following steps:

Step 1: Windows key + R to open run.program.

Step 2: Type in “ regedit” and click OK.

Step 3: The following window should display:

Step 4: Select HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem

Step 5: Press the > arrow to the left of Hkey_local_machine to expand and view the folder contents.

Step 6: Click on the SYSTEM folder.

Step 7: Click on CurrentControlSet.

Step 8: Click on Control.

Step 9: Click on FileSystem folder.

Step 10: Look for NTFSDISABLEENCRYPTION.  This is usually set to ‘1’ if the EFS is disabled. The value must be set to ‘0’ in order to work. Double-click and set value data to 0, then click OK.

Congratulations! EFS and the ability to encrypt your files is now enabled.