Windows Desktop File Encryption with EFS
Note: encryption can result in irretrievable loss of data if the keys/passwords are misplaced or destroyed; consult a qualified system administrator if you feel you need assistance.
Is this for me?
If you:
- are using Windows 2000 or XP;
- log on to the Stanford Windows Domain; or
- want to secure files on your computer in case it is stolen
then you may be a good candidate for using Windows Encrypting File System (EFS). This is recommended especially for Restricted data stored on your computer.
What It Protects
EFS protects your files if your computer is lost or stolen. If someone tries to break into your system to retrieve files, they will not be able to open the file even if they can see that it exists (as long as they do not have your SUNet ID and password). This is most useful for:
- Laptop computers
- Desktop systems with Restricted Data
What It Doesn't Protect or Prevent
EFS is limited to protecting the files while they are on your computer. It does not provide encryption to files that are:
- sent via email;
- kept on a separate flash drive/thumb drive/USB drive/floppy disk; or
- moved over the network via shared folders.
When you are about to move an encrypted file, Windows will warn you that you will lose your EFS encryption. Keep in mind that whenever you move a file off of your computer, it is probably no longer protected by EFS.
- Submit a HelpSU request stating that you’re planning to use EFS to encrypt your files.
- A Data Recovery Agent (DRA) will be assigned to you. Usually this is your local tech support person. If you ever lose your encryption key, the DRA can recover your files for you if they have access to your computer.
- Choose the files or folders you want to encrypt.
  - We recommend you encrypt all Restricted Data that is stored on your computer.
  - You may create a special folder for encrypted files and encrypt that folder so that anything placed in that folder becomes encrypted.
- Encrypt your files using the instructions on the How to Encrypt a File page.
- Copy your key onto removable media using the instructions on the How to Back-up Your EFS Certificate and Keys page.
- To be extra safe, you have the option of deleting your key from your computer.
  - This means you’ll have to have the removable media with your key every time you want to access the file, but it does provide an extra layer of protection.
  - This is most useful for mobile users with laptops where the private key is initially removed before transit, and imported back to the laptop upon arrival.
  - If you lose the removable media, your DRA will be able to recover your files.
  - Use the instructions on the How to Remove EFS Key From My Computer page.
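Once the steps above are done, it is worth checking that no file in the encrypted folder was missed and that copies kept on removable media are not being mistaken for protected ones. The PowerShell script below is an added example, not part of the original instructions; the paths in $Targets are hypothetical, and it assumes local drives (not network shares).

```powershell
# Added example: list files that do NOT carry the EFS "Encrypted" attribute.
# The paths in $Targets are hypothetical; replace them with your own.
$Targets = @('C:\Restricted', 'E:\')   # encrypted folder, removable drive

function Get-EfsAudit {
    param([string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            Write-Warning "Skipping $p (not found)"
            continue
        }
        # File system of the volume, reported for context (e.g. NTFS, FAT32).
        $full = (Resolve-Path -LiteralPath $p).ProviderPath
        $root = [System.IO.Path]::GetPathRoot($full)
        $fs   = (New-Object System.IO.DriveInfo $root).DriveFormat

        Get-ChildItem -LiteralPath $p -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object {
                # Windows sets this attribute on files that EFS has encrypted.
                $flag = $_.Attributes -band [System.IO.FileAttributes]::Encrypted
                New-Object PSObject -Property @{
                    Path       = $_.FullName
                    FileSystem = $fs
                    Encrypted  = ($flag -ne 0)
                }
            }
    }
}

$report = @(Get-EfsAudit -Path $Targets)
$plain  = @($report | Where-Object { -not $_.Encrypted })

"{0} files checked, {1} not encrypted" -f $report.Count, $plain.Count
$plain | Sort-Object Path | Format-Table Path, FileSystem -AutoSize
```

Any file listed under the encrypted folder should be encrypted before Restricted Data is left there; any file listed on the removable drive is readable by whoever holds that drive.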
Limitations and Caveats
- The best way to protect Restricted Data is to avoid saving it at all on any desktop system. If you do not have a need to store Restricted Data on your workstation, please delete it.
- The use of encryption technologies always involves the risk of loss of data. For those who depend heavily on EFS for their day-to-day work, IT Services strongly recommends simulating loss of encryption keys and practicing file recovery using your DRA. Please submit a HelpSU request to schedule time for this practice session.
- Your DRA must have access to the computer on which the files are stored. There are serious limitations to recovering encrypted files from remotely connected machines.
- For those who travel or work remotely often and use EFS, IT Services recommends storing copies of encrypted files on Stanford local fileservers to reduce the likelihood of needing your DRA to recover them.
- EFS is an “encryption at rest” technology. Before an EFS file is transferred over a network link, including via email attachment, the file is decrypted. The file can be encrypted again at the destination with the proper settings and share permissions.
- There are some recovery situations where the DRA who recovers your documents will be able to view the file in a decrypted state. If this is an issue, please work with your DRA to set up a practice session where decryption is done without read access to the decrypted file.