Encrypt Content to secure data doesn't encrypt new files (but it should)

  • Question

  • Hello everybody!

    Suddenly I found out that the marvelous feature that lets me keep my files secure doesn't work as expected. This is true for two of my PCs running Win10 Pro N x64.

    The case is very simple. I create a folder or select an existing one (NTFS, of course). I right-click it and select Properties of the folder. Then I go to Advanced and select "Encrypt contents to secure data". Next comes the confirmation that it should encrypt this folder and all subfolders and files inside.

    After a couple of minutes I have a fresh encrypted folder with subfolders and files. But...

    If I add some new files to this folder, for example by just creating a new file or by using OneDrive to sync the content with other computers, these new files are not encrypted.

    Could someone help me with that trouble? Why doesn't EFS encrypt my new files?

    PS. Both cases are with SSD drives...

    Thursday, February 16, 2017 4:38 PM
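The symptom above (a folder marked encrypted, but some files inside it in the clear) can be checked from PowerShell instead of the Properties dialog. The script below is an added example, not code from the original thread: it reports the two machine settings that can suppress EFS for new or moved files (the NTFS-wide `NtfsDisableEncryption` switch and the "Do not automatically encrypt files moved to encrypted folders" policy, which Explorer reads from the `NoEncryptOnMove` value), checks that the folder itself carries the Encrypted attribute, lists every file under it that does not, and with `-Fix` encrypts those stragglers in place. The folder path is a placeholder; run it as the user who owns the EFS certificate.

```powershell
# Added example (not from the original thread): audit an EFS-encrypted folder
# for files that did not pick up encryption and optionally re-encrypt them.
# Assumptions: run as the user who owns the EFS key; $Path is a placeholder.
param(
    [string]$Path = "$env:USERPROFILE\OneDrive\Secure",   # hypothetical folder
    [switch]$Fix
)

$enc = [System.IO.FileAttributes]::Encrypted

function Test-EfsPrerequisites {
    # 1. EFS can be switched off for all NTFS volumes; 1 means disabled
    #    (same value that "fsutil behavior query disableencryption" reports).
    $fs = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem' -ErrorAction SilentlyContinue
    $efsDisabled = ($fs.NtfsDisableEncryption -eq 1)

    # 2. Policy "Do not automatically encrypt files moved to encrypted folders"
    #    (Computer Configuration\Administrative Templates\System); 1 = enabled.
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' -ErrorAction SilentlyContinue
    $noEncryptOnMove = ($pol.NoEncryptOnMove -eq 1)

    [pscustomobject]@{
        EfsDisabledOnNtfs     = $efsDisabled
        NoEncryptOnMovePolicy = $noEncryptOnMove
    }
}

function Get-UnencryptedItems([string]$Root) {
    # The folder itself must carry the Encrypted attribute; that attribute is
    # what makes files created inside it inherit encryption.
    $rootItem = Get-Item -LiteralPath $Root -Force
    if (-not ($rootItem.Attributes -band $enc)) {
        Write-Warning "$Root is NOT marked encrypted; new files here will never be encrypted."
    }
    Get-ChildItem -LiteralPath $Root -Recurse -Force -File |
        Where-Object { -not ($_.Attributes -band $enc) }
}

Test-EfsPrerequisites | Format-List

$plain = @(Get-UnencryptedItems -Root $Path)
if ($plain.Count -eq 0) {
    "All files under $Path are encrypted."
    return
}

"{0} unencrypted file(s) under {1}:" -f $plain.Count, $Path
$plain | ForEach-Object { "  " + $_.FullName }

if ($Fix) {
    foreach ($f in $plain) {
        try {
            # Same operation as the Advanced attributes dialog or "cipher /e",
            # applied to a single file.
            [System.IO.File]::Encrypt($f.FullName)
            "encrypted: $($f.FullName)"
        } catch {
            # Typical causes: the file is still open by another process (for
            # example the sync client), or it has the System attribute set.
            Write-Warning "could not encrypt $($f.FullName): $($_.Exception.Message)"
        }
    }
}
```

Run it once without `-Fix` to see which files are affected and whether either setting is in play; if the file list is non-empty but both settings are off and the folder is marked encrypted, the files were written by something that bypassed Explorer's inheritance, which is the situation the rest of this thread is about.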

All replies

  • Can it be because of the "Index files content..." attribute enabled by OneDrive?
    Thursday, February 16, 2017 4:43 PM
  • Hi,

    Please open group policy editor and go to this path:

    Computer Configuration\Administrative Templates\System

    Select GPO: Do not automatically encrypt files moved to encrypted folders and disable it.

    Description

    Prevents Windows Explorer from encrypting files that are moved to an encrypted folder.

    If you disable this policy, Windows Explorer automatically encrypts files that are moved to an encrypted folder.

    This policy applies only to files moved within a volume. When files are moved to other volumes, or if you create a new file in an encrypted folder, Windows Explorer encrypts those files automatically.

    Besides, there is a similar case that can be regarded as a reference.

    http://superuser.com/questions/1088696/efs-and-encrypting-new-files-automatically

    Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    As a workaround, you can create a VHD as a specific encrypted folder, then use BitLocker to encrypt it; when you add new files into this VHD, everything will be encrypted.

    Regards


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, February 17, 2017 6:14 AM
    Moderator
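The VHD-plus-BitLocker workaround from the reply above, scripted, as an added example that is not part of the original thread: `diskpart` creates, attaches and formats an expanding VHDX, then `Enable-BitLocker` protects the new volume with a password. The path, size and drive letter are placeholders; it needs an elevated prompt and the BitLocker PowerShell module (present on Pro editions).

```powershell
# Added example (not from the original thread): BitLocker-protected VHDX
# container as a substitute for an EFS folder.
# Assumptions: run as Administrator; BitLocker module available;
# $VhdPath, $SizeMB and $Letter are placeholders.
#Requires -RunAsAdministrator
$VhdPath = 'C:\Secure\secure.vhdx'   # hypothetical location
$SizeMB  = 4096
$Letter  = 'S'

New-Item -ItemType Directory -Path (Split-Path $VhdPath) -Force | Out-Null

# diskpart is driven through stdin; the here-string expands the variables.
@"
create vdisk file="$VhdPath" maximum=$SizeMB type=expandable
select vdisk file="$VhdPath"
attach vdisk
create partition primary
format fs=ntfs label="Secure" quick
assign letter=$Letter
"@ | diskpart | Out-Null

# Password is read interactively so it never lands in the script or history.
$pw = Read-Host -Prompt "BitLocker password for ${Letter}:" -AsSecureString

# Encrypt the fresh volume; UsedSpaceOnly keeps the initial pass short.
Enable-BitLocker -MountPoint "${Letter}:" -EncryptionMethod XtsAes256 `
    -PasswordProtector -Password $pw -UsedSpaceOnly | Out-Null

# Anything written to S:\ from now on is encrypted at rest, whichever program
# or sync client wrote it; there is no per-file attribute to inherit.
Get-BitLockerVolume -MountPoint "${Letter}:" |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus

# When finished, lock and detach (data stays encrypted inside the container):
#   Lock-BitLocker -MountPoint "${Letter}:" -ForceDismount
#   Dismount-DiskImage -ImagePath $VhdPath
# To use it again later:
#   Mount-DiskImage -ImagePath $VhdPath
#   Unlock-BitLocker -MountPoint "${Letter}:" -Password $pw
```

The trade-off against EFS: a sync client sees only the single .vhdx file, and only while it is detached, so the container is protected everywhere it is copied but cannot be synced file by file while in use.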
  • >

    Prevents Windows Explorer from encrypting files that are moved to an encrypted folder.

    If you disable this policy, Windows Explorer automatically encrypts files that are moved to an encrypted folder.

    This policy applies only to files moved within a volume. When files are moved to other volumes, or if you create a new file in an encrypted folder, Windows Explorer encrypts those files automatically.

    I've just tested this suggestion and unfortunately it doesn't work. I create a new file in OneDrive on one computer and it is encrypted there. Then it is passed to another one. But there it is not encrypted.

    Creation of VHD is a good workaround but it would be better to find a solution without it.

    Sunday, February 19, 2017 4:38 PM
  • In my opinion, the OneDrive directory should be a shared place. The files here will be synced to the OneDrive server, but on the OneDrive server these files are just copies (content only), not the original files. Then, when your friend downloads your shared files from another place, he just downloads the copy on the server; he does not get the files directly from your computer's local directory.

    Therefore, these files are not encrypted.

    Regards



    Tuesday, February 21, 2017 9:35 AM
    Moderator
  • >

    In my opinion, the OneDrive directory should be a shared place. The files here will be synced to the OneDrive server, but on the OneDrive server these files are just copies (content only), not the original files. Then, when your friend downloads your shared files from another place, he just downloads the copy on the server; he does not get the files directly from your computer's local directory.

    Therefore, these files are not encrypted.

    ----------

    I don't agree with such a description of the OneDrive folder. The OneDrive app syncs documents between the computers of one user and with the OneDrive cloud. So the files are stored on the computers of one user and in the cloud. The security in the cloud is OK and we can trust it. But ordinary computers can be stolen and a third party can get access to the files.

    So there are two options to protect the files:

    1. Use BitLocker for the entire drive (if your computer supports TPM) or for a virtual drive.

    2. Use the Encrypting File System (EFS) in order to protect particular directories or files.

    For me, using BitLocker for the entire drive is obviously not a good option. Not even for a VHD. But EFS is a good answer to security breaches. Here, however, I faced a problem:

    I have two PCs (actually more) with my account under Win10, with the OneDrive app installed and EFS set up for the OneDrive folder on the local HDD. When I create a file on one PC in the OneDrive folder, it is encrypted with EFS. Then the file is synced by the OneDrive app. It is synced without any kind of encryption (this is the way EFS works). And it appears on the second PC in the OneDrive folder (local, not cloud). The folder is encrypted but the new file isn't.

    The change of the group policy didn't help (but it should). So I think that is an issue.


    • Edited by kvv213 Tuesday, February 21, 2017 10:16 AM
    Tuesday, February 21, 2017 10:15 AM