Encrypting Your Data

Encrypting Your Data
You'll want to encrypt any folders that contain confidential files. The most likely container for such files is your My Documents folder, although you might have documents stored in other folders, too.

To encrypt a folder, follow these steps:

Right-click the folder, choose Properties, click the General tab, and then click the Advanced button. (If the properties dialog box doesn't have an Advanced button, the folder is not on an NTFS-formatted volume and you can't use EFS.)

Select Encrypt Contents To Secure Data.
Click OK twice. If the folder contains any files or subfolders, Windows displays a confirmation message:

NOTE
--------------------------------------------------------------------------------

If you select Apply Changes To This Folder Only in the confirmation dialog box, Windows doesn't encrypt any of the files currently stored in the folder. But any new files that you create in the folder, including files that you copy or move to the folder, will be encrypted.
To encrypt one or more files, follow the same procedure. You'll see a different confirmation message, shown in Figure 18-1, reminding you that the file's folder is not encrypted and giving you an opportunity to encrypt it. It's generally better not to encrypt individual files because the information you intend to protect can too easily become decrypted without your knowledge. For example, with some applications that create a copy of a document you have open for editing, the application saves the copy—which is not encrypted—and deletes the original, encrypted document. Static files that you use for reference only—but that you never edit—can safely be encrypted without encrypting the parent folder. Even in that situation, however, you'll probably find it simpler to encrypt the whole folder.


Figure 18-1. If you encrypt individual files, Windows prods you to encrypt the parent folder as well.
NOTE
--------------------------------------------------------------------------------

Some files can't be encrypted. For example, you can't encrypt any files that have the System attribute. Those files are usually system files, and the system might be rendered unusable if some of its essential files were encrypted. For the same reason, you can't encrypt any files in the %SystemRoot% folder or any of its subfolders. Files in roaming user profiles also can't be encrypted. And files can't be both compressed and encrypted; if you encrypt a compressed file, Windows uncompresses it.
Troubleshooting
--------------------------------------------------------------------------------

Windows reports an "error applying attributes."

If you see a message box similar to the one shown here when you attempt to encrypt a file, EFS has been disabled on your computer. (The text of the message can vary, depending on whether encryption is disabled for a particular folder or for the computer.) Although the four buttons might lead you to believe that you have a choice in the matter, you don't. Regardless of which button you click, Windows refuses to encrypt your files—just as if you had clicked Cancel.


To solve this problem, you need to enable the Encrypting File System. For instructions, see Disabling or Reenabling EFS.

INSIDEOUT
--------------------------------------------------------------------------------

Add encryption commands to shortcut menus

If you frequently encrypt and decrypt files and folders (for most users, it's a one-time "set it and forget it" operation), you'll find that it's rather tedious to right-click, choose Properties, click Advanced, select or clear a check box, and click OK twice every time you want to change encryption status. If you're comfortable using a command-line interface, you can use the Cipher command to perform these tasks. (For details, see Using the Cipher Command.) But if you'd prefer to work with Windows Explorer, you can use an easier way: Add encryption commands to the shortcut menu that appears when you right-click a folder or file.

To do that, follow these steps:

Use Registry Editor to open the HKLM\Software\Microsoft\Windows\ CurrentVersion\Explorer\Advanced key.
Open the Edit menu, and choose New, DWORD Value.
Name the new value EncryptionContextMenu.
Double-click the EncryptionContextMenu value and set its data to 1.
This change takes effect the next time you start Windows Explorer. When you right-click a folder or file that's not encrypted, the shortcut menu includes an Encrypt command; a Decrypt command appears if the target is already encrypted.