Hack 26 Hiding Folders and Files with the Encrypting File System


Protect all the information on your PC from prying eyes, using XP Professional's built-in encryption scheme.

If you have Windows XP Pro, you can use the Encrypting File System (EFS) to encrypt your files so that no one else can read them.

Home Edition users won't be pleased to know that EFS isn't available for Windows XP home users.

EFS lets you encrypt only the files and folders of your choice; you can encrypt a single file or folder, or all of your files and folders. Encrypted files and folders show up in Windows Explorer as green, so you can tell at a glance which have been encrypted. You can work with encrypted files and folders transparently. In other words, after you encrypt them, you open them and close them as you normally would any other file. They're decrypted on the fly as you open them, and then decrypted as you close them. You're the only person who can read or use the files. Encryption is tied to your account name, so even other accounts on the same computer won't be able to read or use them, unless you specifically grant access to certain accounts.

Each time you encrypt a file, EFS generates a random number for that file called the file encryption key (FEK). EFS uses that FEK to encrypt the file's contents with variant of the Data Encryption Standard (DES) algorithm, called DESX. (DESX features more powerful encryption than DES.) The FEK itself is encrypted as well, using RSA public key-based encryption.

EFS does have a few minor limitations you should be aware of:

  • EFS works only on NTFS volumes. If you have a FAT or FAT32 volume, you'll have to convert it to NTFS if you want to use EFS [Hack #31].

  • EFS won't work on compressed files. [Hack #31]. You'll have to decompress them if you want to encrypt them. Similarly, if you want to compress an encrypted file, you'll have to decrypt it.

  • EFS can't compress files in the C:\Windows folder or any files marked with the System attribute.

When you work with encrypted files and folders, they seem to behave like any other files on your hard disk. In fact, though, their behavior is somewhat different, and you may notice files you thought were encrypted suddenly become decrypted for no apparent reason. So, before you turn on encryption, you should understand the common actions you can take with encrypted files and folders, and what the results will be. Table 3-5 lists what you need to know.

Table 3-5. How encrypted files and folders behave



Move or copy unencrypted files into an encrypted folder.

The files are automatically encrypted.

Move or copy encrypted files from an encrypted folder to an unencrypted folder.

The files remain encrypted.

Move or copy encrypted files from an encrypted folder to a non-NTFS volume.

The files are decrypted, though you are first given a warning and a chance to cancel the move or copy operation.

Back up files using XP's backup utility.

The backed-up files and folders remain encrypted.

Rename an encrypted file.

The file remains encrypted after it is renamed.

Delete an encrypted file.

The restorable file in the Recycle Bin remains encrypted.

3.7.1 Encrypting Files and Folders

To encrypt a file or folder, right-click on the folder or file and choose Properties General Advanced. The Advanced Attributes dialog box appears, as shown in Figure 3-12.

If no Advanced button appears on the Properties dialog box, it means that you aren't using NTFS, so you can't use encryption.

Figure 3-12. Encrypting files or folders using the Advanced Attributes dialog box

Check the box next to "Encrypt contents to secure data." Note that you can't check both this box and the "Compress contents to save disk space" box. You can either compress the item or encrypt it, but not both.

Click OK and then OK again. If you're encrypting a folder, the Confirm Attributes Changes dialog box appears, as shown in Figure 3-13. You have a choice of encrypting the folder only, or encrypting the folder plus all subfolders and all the files in the folder and subfolders. If you encrypt the folder only, none of the files currently in the folder will be encrypted, but any new files you create, move, or copy into the folder will be encrypted.

Figure 3-13. Encrypting the folder only, or all the subfolders and files as well

If you're encrypting a file in an unencrypted folder, the Encryption Warning box will appear, as shown in Figure 3-14. You have the choice of encrypting the file only, or the file and the parent folder. As a general rule, you should encrypt the folder as well as the file, because if you encrypt only the file, you may accidentally decrypt it without realizing it. Some applications save copies of your files and delete the original; in those instances, the files become decrypted simply by editing them. If you encrypt the folder as well, all files added to the folder are encrypted, so the saved file is automatically encrypted. Click OK after you make your choice.

Figure 3-14. Encrypting the parent folder as well as the file

Note that you won't be able to encrypt every file on your system. Files that have the System attribute, as well as files located in C:\Windows and its subfolders can't be encrypted.

3.7.2 Decrypting Files and Folders

You decrypt files and folders in the same way that you encrypted them. Right-click on the file or folder, choose Properties Advanced, clear the check from the box next to "Encrypt contents to secure data," and click OK and then OK again.

3.7.3 Letting Others Use Your Encrypted Files

When you encrypt files, you can still share them with others and let them use them as if they were not encrypted?what XP calls "transparently." You'll be able to share them this way only with others users on the same computer or with others on your network. You designate who can use the files and who can't. To allow specified people to use your encrypted files, right-click on an unencrypted file and choose Properties General Advanced. The Advanced Attributes dialog box appears. Click Details. The Encryption Details dialog box appears, as shown in Figure 3-15. It lists all the users who are allowed to use the file transparently. Click Add.

Figure 3-15. The Encryption Details dialog box

The Select User dialog box appears. Choose the user you want to be able to use your encrypted files, and click OK. Only users who have Encrypting File System certificates on the computer will show up on this list. The easiest way for someone to create a certificate is to encrypt any file; that automatically creates a certificate.

3.7.4 Encrypting and Decrypting from the Command Line

If you prefer the command line to a graphical interface, you can encrypt and decrypt using the cipher.exe command-line tool. To find out the current state of encryption of the directory you're in, type cipher without parameters at a command prompt. cipher tells you the state of the directory. For individual files, it lists a U next to files that are not encrypted, and an E next to those that are encrypted.

When used with parameters, cipher can encrypt and decrypt files and folders, show encryption information, create new encryption keys, and generate a recovery agent key and certificate.

To encrypt or decrypt a folder or file, use the complete path, filename (if you're acting on a file), and any appropriate switches, as outlined in Table 3-6. The /E switch encrypts folders or files, and the /D switch decrypts them. To perform the task on multiple folders or files, separate them with single spaces. For example, to encrypt the \Secret and \Topsecret folders, issue this command:

cipher /E \Secret \Topsecret

Note that you can use wildcards with the cipher command. Using the command line instead of the graphical interface is particularly useful for performing bulk or batch operations?for example, simultaneously encrypting or decrypting multiple folders or files, or types of files within folders. Let's say, for example, you want to encrypt every .doc file in the \Secret and \Topsecret folders, but not touch any other files in those folders. You issue this command:

cipher /E  /A \Secret\*.DOC  \Topsecret\*.DOC

Table 3-6 lists the most useful command-line switches for cipher. For more help, type cipher /? at the command line.

Table 3-6. Command-line switches for cipher


What it does


Acts on individual files within folders.


Decrypts the specified folder.


Encrypts the specified folder.


Forces encryption on all specified objects, including those that have already been encrypted.


Displays all files in a folder, including those that have hidden or system attributes. By default, hidden or system attributes are not displayed when using the cipher command.


Continues to perform the specified operation, even if errors are encountered. By default, cipher halts when errors are encountered.


Creates a new file encryption key for the user running cipher. If this option is chosen, all the other options will be ignored.


Generates an EFS recovery agent key and certificate, then writes them to a .pfx file (containing the certificate and a private key) and a .cer file (containing only the certificate).


Performs the operation on the folder and all its subfolders.


Updates the user's file encryption key or recovery agent's key on every encrypted file.

/U /N

Lists every encrypted file and does not update the user's file encryption key or recovery agent's key.


Lists only basic information about the file or folder.


Wipes data from available, unused disk space on the drive. Normally, when a file is deleted in XP, only the entry in the filesystem table is deleted; the data itself remains untouched until another file overwrites it. This switch deletes all the data in those previously deleted files. It does not harm existing data.