Encrypting File System (EFS) is a core file encryption technology used to store encrypted files on NTFS file system volumes. Encrypted files cannot be used unless the user has access to the keys required to decrypt the information.

You do not have to manually decrypt an encrypted file before you can use it. You can open and change the file as you normally do. Once you encrypt a file or folder, you work with the encrypted file or folder just as you do with any other file or folder.

Using EFS is similar to using permissions on files and folders. Both methods can be used to restrict access to data. However, an intruder who gains unauthorized physical access to your encrypted files or folders will be prevented from reading them. If the intruder tries to open or copy your encrypted file or folder, he or she receives an access denied message. Permissions on files and folders do not protect against unauthorized physical attacks.

You encrypt or decrypt a folder or file by setting the encryption property for folders and files just as you set any other attribute such as read-only, compressed, or hidden. If you encrypt a folder, all files and subfolders created in the encrypted folder are automatically encrypted. We recommend that you encrypt at the folder level.

You can also encrypt or decrypt a file or folder by using the Cipher command.
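As an added example, not taken from the original page, the following PowerShell walkthrough applies the folder-level recommendation with cipher.exe and then audits that every file under the folder actually carries the Encrypted attribute and which certificates can decrypt it. It assumes a Windows host with an NTFS volume and cipher.exe on the PATH; the folder path and the function name Get-EfsCoverage are placeholders.

```powershell
# Added example, not part of the original page. Assumes Windows, an NTFS
# volume, and cipher.exe on the PATH. $Folder is a placeholder path.

# Report every file under a folder with its EFS state, so you can verify that
# folder-level encryption covers pre-existing files, not only new ones.
function Get-EfsCoverage {
    param([Parameter(Mandatory)][string]$Folder)

    Get-ChildItem -LiteralPath $Folder -File -Recurse -Force | ForEach-Object {
        [pscustomobject]@{
            Path      = $_.FullName
            Encrypted = [bool]($_.Attributes -band [System.IO.FileAttributes]::Encrypted)
        }
    }
}

$Folder = 'C:\Users\Alice\Secrets'   # placeholder folder for the walkthrough

# 1. Set the encryption attribute on the folder (same effect as the
#    "Encrypt contents" check box). /e encrypts, /a includes files, and
#    /s: recurses into subfolders, so existing files are converted as well
#    as files created afterwards.
cipher.exe /e /a /s:$Folder | Out-Null

# 2. Audit: anything still unencrypted is listed, for example files that were
#    open or that the caller could not write to during the cipher run.
$unencrypted = Get-EfsCoverage -Folder $Folder | Where-Object { -not $_.Encrypted }
if ($unencrypted) {
    Write-Warning "Files not covered by EFS under $Folder"
    $unencrypted | Format-Table -AutoSize
} else {
    Write-Host "All files under $Folder are EFS-encrypted."
}

# 3. Show which certificates (user keys and recovery agents) can decrypt a
#    file; this is what to check before backing up keys or migrating accounts.
Get-ChildItem -LiteralPath $Folder -File -Recurse | Select-Object -First 1 |
    ForEach-Object { cipher.exe /c $_.FullName }
```

Run the audit again after adding or moving files into the folder, since a file moved from another volume or a different NTFS folder is not necessarily encrypted on arrival.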

When you work with encrypted files and folders, consider the following information:

EFS policy settings

You can use Group Policy to configure a number of EFS policy settings. These policy settings are located in Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypting File System.

Allow or disallow EFS

You can choose to allow or disallow the use of EFS altogether. If you do not configure any policy settings for EFS, it is allowed.

If you choose to allow EFS, you can also select a number of options, such as whether to automatically encrypt a user's Documents folder, to require a smart card for use with EFS, to cache keys created based on a smart card, to create a caching-capable user key from a smart card, or to notify users to make backup copies of their encryption keys.

Allow or disallow Elliptic Curve Cryptography encryption

You can choose to allow or disallow the use of Elliptic Curve Cryptography (ECC) encryption with EFS. If you do not configure any policy settings for EFS, ECC encryption is allowed. ECC encryption enables organizations to comply with Suite B encryption standards.

Suite B is a set of cryptographic algorithms. Suite B's components are: Advanced Encryption Standard (AES) with key sizes of 128 and 256 bits for symmetric encryption, Elliptic Curve Digital Signature Algorithm (ECDSA) for digital signatures, Elliptic Curve Diffie-Hellman (ECDH) for key agreement, and Secure Hash Algorithm (SHA-256 and SHA-384) for message digest.