The whole purpose of encrypting one’s files and folders on the Windows platform is to make sure that your data is unreadable to any and all unauthorized parties.
So if you are going to do something, why not do it properly?
Once you have encrypted your data, only a person with the right password and/or decryption key can make it readable again.
In this guide, we will explore ways in which Windows users can make use of the encryption technologies available to them on their devices and protect stored data.
So let’s get to it. VHD.
The second method for Windows users is the EFS or Encrypting File System.
This method does work but experts do not recommend it for users with super-sensitive stuff.
There is another option as well.
That option is to make use of some reputable third-party application.
You have to make sure that the third-party software that you use is actually compatible with various different Microsoft operating systems including Windows 10 Home.
Another alternative, which is pretty much an offline, real-world one, is to keep anyone from snooping through your things.
Modern machines even allow users to password-protect and/or encrypt individual MS Excel or MS Word files very quickly from within the application.
What about enterprise-level encryption products?
Gemalto presented a report a while back and found out that hackers breached around 2 billion data records in the first six months of 2017.
Moreover, the report also mentioned that of all those data records only 5 percent had encrypted data.
Another report sponsored by Thales called the 2018 Global Encryption Trends Study indicated that over the last 10+ years, the number of organizations engaging in encryption strategies had increased at a steady pace.
Most of such organizations had started to apply encryption technologies across all of their enterprises.
Back in 2013, the percentage of such organizations was around 43 percent.
Things you should understand before you go in there and start encrypting everything on your Windows machine
Firstly, just because you have encrypted your files and folders does not mean that no hacker will be able to get past your security.
It will be very hard for them, but don’t think encryption guarantees your security 100 percent.
Hackers with enough skill and resources can bypass strong encryption methods.
Users who store their cryptographic passwords and keys in an unencrypted file are especially at risk.
If a hacker is able to plant a keylogger on the user’s machine, then that hacker can get access to the user’s most sensitive passwords.
Hackers can install keyloggers by making use of malware on the victim’s machine.
Now, if you encrypt a given file with a technique like EFS, your machine automatically stores that file along with an unencrypted version of it.
It does that by keeping the information in its temporary memory.
That will still leave some doors open for the hacker.
And you can rest assured that the hacker will do anything and everything to bypass that encryption and get your key.
Now, if you feel that your machine data is very useful and sensitive then you should definitely consider signing up for a paid service.
We’re talking about an expensive but expert solution for cloud encryption.
The other thing you should keep in mind is that it is always a good idea to make several unencrypted backups of all your important files.
If you lose your passwords and do not have any backups then you are toast.
You don’t want that.
So make backups and then store them in a safe and private physical location.
Try to have an offline copy as well.
Thirdly, you need to decide carefully what and where you want to encrypt something.
The kind of things that you want to encrypt will decide the method and software that you should use for encryption.
We will talk more about this in another guide on encrypting files and folders on the Windows 10 platform.
Finally, you should know that if you make use of the EFS encryption method on a file then you will lose the encryption on that file if you move the file to an exFAT or FAT 32 drive.
Even if you transmit the file via email or network, you will lose the encryption on it.
Apart from that, you should know that the EFS method does nothing to protect files from a malicious actor deleting them.
To guard against that, you will have to use Windows permissions to protect the file.
Moreover, Windows users cannot perform encryption on a file that is compressed.
The same goes for a compressed folder that has EFS on it.
To solve this, you need to take the file or folder and then extract its contents.
And then encrypt the content.
How does my Windows machine encrypt my folders and files?
In the case of BitLocker
The way BitLocker works is that it encrypts the user’s entire volume which exists on the hard drive.
That also holds true for a removable device.
Hence it doesn’t really matter who has logged in to the machine.
In order to successfully unlock a given drive that BitLocker has protected, the user desiring access to it must provide a password.
There is also an option of using a USB drive in order to unlock the PC whenever the device is inserted in the PC.
Not only that, BitLocker also makes use of the TPM or Trusted Platform Module hardware.
What does TPM hardware do?
Of course, it (the TPM chip) allows the user’s device to have support for various different advanced security functions.
To take an example, if for a given user the encryption is only present at the software level, hackers could try and access the user’s data by exploiting the system’s vulnerability to dictionary attacks.
Now, because of the fact that TPM works at the hardware level instead of the software level, the chip has the ability to protect users against automated dictionary attacks and guessing.
Users have the option of using BitLocker without any kind of TPM chips by only utilizing software-based encryption methods.
However, such a system would require a number of extra steps in order to ensure proper authentication.
To check whether a given device has a TPM chip, the user should:
- First, press Windows key + X on the keyboard and then choose the option that says Device Manager.
- From there the user should click on Security devices.
- After that, if the user’s machine has a TPM chip, an item should appear in the list which should say Trusted Platform Module.
Just beside this text, there should be a version number.
Keep in mind that BitLocker comes as a built-in security feature on,
- Windows Server 2008 or newer
- Windows 10: Education, Enterprise and Pro editions
- Windows 8.1 and Windows 8: Enterprise and Pro editions
- Windows 7 and Windows Vista: Ultimate and Enterprise editions
Users should keep in mind that currently, the BitLocker feature is not available to Windows home users.
EFS or Encrypting File System
As mentioned before, the Encrypting File System comes as a built-in Windows encryption tool.
Users can make use of this tool in order to encrypt folders and files on NTFS drives.
A given app or an individual person can never gain enough permissions to open encrypted folders and files.
EFS is a good encryption method for the reason that it does not encrypt the whole of the user’s drive.
Encrypting File System works by encrypting files and then making them available only to that user who encrypted the folder or file provided that the same user has also logged in.
EFS leaves it to the Windows operating system to generate the encryption key.
The encryption key itself gets encrypted and then saved locally.
Everybody knows that for any encryption feature, encrypting the data is the easy part.
However, where most services fall short is in securing the process of encryption.
What we are trying to say here is that, even though it is very difficult, a hacker can possibly hack the encryption key.
Security experts also advise users to pick a long and strong login password so that no other user of the machine is able to guess it.
Again, the EFS feature is only available to users on Windows,
Again, there are security experts who recommend that users only make use of BitLocker, as it is often considered the more secure of the two above-mentioned options.
With that said, in the real world, it depends on the user’s own personal preferences and circumstances.
In other words, for users who regard themselves as home users or somewhat casual users, the EFS method can more than suffice as protection from spying family members.
With that out of the way, let’s talk a little bit about how Windows users should go about encrypting folders and files on the Windows 10 operating system.
Windows 7 and 8 users will also find this step by step guide pretty useful.
We have already mentioned that the official Windows Home versions do not offer either BitLocker or EFS.
In other words, if you want to use these features on your operating system then you will either have to upgrade your edition or purchase a third-party application to do the same job of encrypting your data.
People who are making use of other editions of Microsoft Windows should know that no matter what their version is, the basic process remains pretty much the same.
The only thing that changes from one Windows version to another is the look and feel of the user interface and arrangement of the shown options.
There is not much else going on in later versions of Windows.
The other thing users need to note here is that in order to encrypt your folders and files, you must be pretty comfortable digging deep into your operating system.
To put it in simpler terms, you should not have to think hard on how to access your machine’s Control Panel.
Step by step guide on how to encrypt your folders and files in Windows 10, 8 and 7.
If you want to encrypt a specific folder or file you need to follow the below-mentioned steps.
- First, you open up Windows Explorer.
Then you need to perform a right-click on the folder or file that you desire to encrypt.
- After that, from the shown context menu you need to choose the option that says Properties.
- When that is done, you need to click on the button that says Advanced which appears near the bottom of the screen or the dialogue box.
- Now, look at the Advanced Attributes section.
You need to go to Compress or Encrypt Attributes and then tick the option that says Encrypt contents to secure data.
- Then you click on the option that says OK.
- After that, you click on Apply.
- And then you select a file or a folder that you want to encrypt.
When that is done, you click the dialogue box that says Confirm Attribute Change.
Once you do so, the screen should ask you if you really want to encrypt each and everything that is inside the folder (or the file if you chose a file in the previous step).
You need to choose the option that says Apply change to this folder only.
You can also select the option that says Apply changes to this folder, files and subfolders.
Once done you need to click on the button that says OK.
- After that, you should click on the pop-up message that says Back up your file encryption key.
Now, if you see that your message has disappeared before you had the opportunity to click it then you can easily find it in your operating system’s Notification Area.
So go there.
- After that, you need to make sure that you have plugged a USB flash drive into your machine running the Windows operating system.
- Then you need to click on the option that says Back up now (recommended).
- With that out of the way, you need to click the button that says Next.
- After that, you should click the button that says Next again in order to finally create your own certificate.
- When that’s done, you need to accept the given default file format.
Once you do, your machine should export your data to it.
Then you should click the button that says Next.
- Now, check the box that says Password.
Then enter your desired password twice.
After doing that you need to click the box that says Next.
- Now you need to navigate directly to your newly-inserted USB drive.
From there you need to type any relevant name for your certificate.
Also, give the key that you want to export a name.
Then click on the button that says Save.
Once you are done with this step, your machine should save the new file with the extension .pfx.
- In this step, you need to click the button Next and then Finish and after that, OK.
- When you are finished with the previous step you need to finally eject your previously-inserted USB drive and then place it somewhere no one but you can see it. Keep it safe, in other words.
Now when you want to decrypt a given folder or file you need to follow the below-mentioned steps.
- All you really need to do here is to follow the above-mentioned six steps as they are mentioned except Step 4 where you need to uncheck the box that says Encrypt contents to secure data.
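The same EFS procedure from the command line, as an added example that is not part of the original guide. It also covers the earlier caveats about non-NTFS drives and compressed files: `Get-UnencryptedFile` can be pointed at a freshly encrypted folder or at a copy on another drive. The folder, copy and backup paths are hypothetical placeholders.

```powershell
# Added example, not from the original guide. All paths are hypothetical.

function Get-UnencryptedFile {
    # Lists files under $Path that do NOT carry the EFS "Encrypted" attribute.
    param([Parameter(Mandatory)][string]$Path)
    $full = (Resolve-Path -LiteralPath $Path).Path
    $root = [System.IO.Path]::GetPathRoot($full)
    $fs   = [System.IO.DriveInfo]::new($root).DriveFormat   # e.g. NTFS, FAT32, exFAT
    Get-ChildItem -LiteralPath $full -Recurse -File -Force |
        Where-Object { -not $_.Attributes.HasFlag([System.IO.FileAttributes]::Encrypted) } |
        ForEach-Object {
            [pscustomobject]@{
                File       = $_.FullName
                FileSystem = $fs
                Compressed = $_.Attributes.HasFlag([System.IO.FileAttributes]::Compressed)
            }
        }
}

function Protect-FolderWithEfs {
    # Encrypts a folder and its contents, then returns whatever was left unencrypted.
    param([Parameter(Mandatory)][string]$Path)
    $full = (Resolve-Path -LiteralPath $Path).Path
    $fs   = [System.IO.DriveInfo]::new([System.IO.Path]::GetPathRoot($full)).DriveFormat
    if ($fs -ne 'NTFS') { throw "EFS needs an NTFS drive; '$full' is on $fs." }
    # /e = encrypt, /s: = apply to the folder, its files and subfolders
    cipher.exe /e "/s:$full" | Out-Null
    Get-UnencryptedFile -Path $full
}

$folder = 'C:\Users\Public\Documents\Private'   # hypothetical folder to encrypt
$copy   = 'E:\Private'                          # hypothetical copy on a USB drive

if (Test-Path -LiteralPath $folder) {
    $missed = Protect-FolderWithEfs -Path $folder
    if ($missed) { $missed | Format-Table -AutoSize } else { 'All files are EFS-encrypted.' }
    # Key backup (interactive, asks for a password, writes a .pfx file):
    #   cipher.exe /x 'E:\efs-key-backup'
    # Decrypt again later:
    #   cipher.exe /d "/s:$folder"
}

# After copying the folder elsewhere, list copies that are stored without EFS.
if (Test-Path -LiteralPath $copy) {
    Get-UnencryptedFile -Path $copy | Format-Table -AutoSize
}
```

Any row returned for the copy is a file stored without EFS on that drive; the `FileSystem` column shows whether the destination is NTFS at all.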
As mentioned before, if you want to, you can choose to insert a USB flash drive to unlock your hard drive while your machine is starting up.
Or you can go the route of entering a difficult password.
The actual process of encrypting one’s entire hard disk is somewhat time-consuming.
Encryption can actually take a ton of time depending on the actual amount of files or data that you have on your drive.
Hence, you need to make sure that your machine has a solid connection to a quality uninterrupted power supply which can last the whole duration of the process.
Keep in mind that after everything is done, you will have to reboot your machine for all the changes to take full effect.
With that said, it is true that you can keep working while BitLocker does its thing in the background.
In order to set up BitLocker the proper way you need to take the following steps:
- First, click on the Windows icon in the bottom left corner of the screen and then search for the option that says Control Panel.
Click it once you have found it.
- After that click on the option System and Security
- Then perform another click on BitLocker Drive Encryption
- After that, you need to look under the heading BitLocker Drive Encryption.
From there you need to click the option that says Turn on BitLocker.
- Now you need to choose the option that says Enter a Password or select Insert a USB flash drive.
Now, if you finished this step by choosing the option of using a flash drive as the primary trigger to have access to your encrypted drive, you can actually select to do just that either with a smart card or a password.
For the rest of this section of the guide, we will make use of a password.
- Now, enter your password and then confirm it.
After that, you need to click the button that says Next.
- When that is done you need to choose an option on how you want to save a valid recovery key in order to regain full access to your encrypted drive in a situation where you have forgotten your password.
You can either save it to a USB flash drive or to your official Microsoft account.
After you have done that you need to click the option that says Next.
- With that out of the way, you should select one encryption option from Encrypt entire drive (which is a slow process) or Encrypt used disk space only (which is a significantly faster process).
Now you need to click on the button that says Next.
- You are still not done, as you have to choose between two more options related to encryption.
You can either choose New encryption mode (our research shows that this mode is best for fixed hard drives) or you can choose the Compatible mode (this mode is the best mode for removable storage devices).
Then you need to click the button Next.
- Now you need to check the box that says Run BitLocker system check.
Doing so will ensure that both your encryption key and recovery key will work as they are supposed to.
Once you are done you need to click on Continue.
- As a final step, you need to verify that you have turned on BitLocker.
In order to get started on that, you need to open Windows Explorer and then check for the Lock icon.
This icon is usually displayed right next to your machine’s hard drive.
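A scripted version of the TPM check and of the final verification step, as an added example that is not part of the original guide. It uses the built-in `Get-Tpm` and `Get-BitLockerVolume` cmdlets, must run in an elevated PowerShell session, and reports every volume rather than relying on the lock icon.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original guide.

function Get-BitLockerAudit {
    # Get-Tpm reports whether a TPM chip exists and is ready for use.
    $tpm = Get-Tpm
    Get-BitLockerVolume | ForEach-Object {
        # Collect the unlock methods configured on this volume
        # (for example Tpm, Password, ExternalKey, RecoveryPassword).
        $protectors = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        [pscustomobject]@{
            MountPoint          = $_.MountPoint
            VolumeStatus        = $_.VolumeStatus.ToString()
            ProtectionStatus    = $_.ProtectionStatus.ToString()
            EncryptionPercent   = $_.EncryptionPercentage
            # XtsAes* values correspond to "New encryption mode",
            # Aes* values to "Compatible mode".
            EncryptionMethod    = $_.EncryptionMethod.ToString()
            KeyProtectors       = $protectors -join ', '
            HasRecoveryPassword = $protectors -contains 'RecoveryPassword'
            TpmPresent          = $tpm.TpmPresent
            TpmReady            = $tpm.TpmReady
        }
    }
}

$report = Get-BitLockerAudit
$report | Format-Table -AutoSize

# Volumes that still need attention: protection off, encryption unfinished,
# or no recovery key to fall back on if the password is forgotten.
$needsAttention = $report | Where-Object {
    $_.ProtectionStatus -ne 'On' -or
    $_.VolumeStatus -ne 'FullyEncrypted' -or
    -not $_.HasRecoveryPassword
}
if ($needsAttention) {
    'Volumes needing attention:'
    $needsAttention | Format-Table MountPoint, VolumeStatus, ProtectionStatus, KeyProtectors -AutoSize
} else {
    'All volumes are fully encrypted, protected and have a recovery password.'
}
```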
For suspending or disabling BitLocker:
- Press Windows key + E.
- Hit This PC.
- Then perform a right-click on the drive that you have encrypted.
After that, choose the option Manage BitLocker.
- Remember that for each partition or hard drive that you have encrypted, you have the option of choosing whether to disable BitLocker on that specific drive or disable it completely.
Choose this option carefully and then follow the on-screen wizard.
Now that wasn’t too hard, was it?