Win 10 Pro - File Encryption (EFS) Not Working As Expected

  • Question

  • Followed the process below to encrypt a file using EFS. The file icon shows a lock, so it appears that the file was successfully encrypted. To test, I sent the file to a colleague and he was able to open it, so obviously encryption didn't work. Why? Thanks in advance.

    Right-click (or press and hold) a file or folder and select Properties.

    Select the Advanced button and select the Encrypt contents to secure data check box.

    Select OK to close the Advanced Attributes window, select Apply.

    A new window will ask if you want to encrypt the selected folder or the folder, subfolder and its files. Select folder, subfolder and its files, and then click OK.
    Wednesday, June 24, 2020 6:01 PM

All replies

  • EFS is a property of the NTFS file system.
    When you send a file via mail it is no longer on the file system and thus not encrypted.


    Wednesday, June 24, 2020 6:35 PM
  • Thank you. That makes sense. Are you aware of a way to prevent Windows/NTFS from decrypting the file before it is attached to an email?
    Wednesday, June 24, 2020 8:43 PM
  • I don't understand your question.
    How could the file system prevent the file from having to be decrypted before its content is attached to an email?
    Wednesday, June 24, 2020 8:52 PM
  • Perhaps I don't understand the process. When a file is stored in NTFS, and EFS has been enabled, I assume it is in an encrypted state. When the email app copies the file from the file system to the application, I assume it is decrypted before it is attached to the message. Assuming this describes the process - and it may not - then my question is whether there would be a way to stop the file system from decrypting the file when it is copied from NTFS.
    Wednesday, June 24, 2020 9:07 PM
  • Hello DEG55,

    NTFS supports a more complex notion of a "file" than just an uninterpreted sequence of bytes. An NTFS file can have several independent "streams" of data and EFS makes use of this feature. If a file is accessed in a way which ignores this complexity then some default processing takes place. In the case of EFS, this will result in the "main" file data being accessed in its unencrypted form (if the requesting user possesses the necessary asymmetric key data to decrypt the symmetric key to decrypt the encrypted data) or access being denied.

    An e-mail client could be written to be EFS "aware" and to package the multiple NTFS EFS data streams in an e-mail message, but this would be of very limited utility. I don't know of any standard for packaging the multiple EFS data streams or e-mail client that attempts packaging/unpackaging; also the asymmetric key material used by EFS is normally only accessible/usable within a Windows "domain" (i.e. not suitable for exchange/sharing of data outside of a domain).

    Gary

    Sunday, June 28, 2020 7:54 PM
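The behaviour the replies describe can be checked directly. The following PowerShell session is an added example, not code from the thread or from Microsoft; it assumes a Windows 10 machine with an NTFS volume, a user who already holds an EFS certificate, and the placeholder directory C:\Temp\efs-demo. It encrypts a file the way the Explorer checkbox in the question does, confirms the Encrypted attribute behind the padlock icon, lists which certificates can decrypt the file, and then shows that an ordinary read by the owner returns plaintext. That plaintext is what a mail client attaches, which is why the colleague could open it. The last step uses robocopy's /EFSRAW switch, the only stock tool that moves the ciphertext and the EFS metadata streams together (it exists for backup, and the copy is only usable on another NTFS volume by a user who holds a matching key).

```powershell
# Added example: EFS protects a file at rest on an NTFS volume, not a copy of its bytes.
# Paths below are constructed placeholders; cipher.exe and robocopy.exe ship with Windows.
$dir  = 'C:\Temp\efs-demo'
$file = Join-Path $dir 'secret.txt'
$raw  = 'C:\Temp\efs-raw'                      # destination for the raw (still encrypted) copy
New-Item -ItemType Directory -Path $dir, $raw -Force | Out-Null
Set-Content -Path $file -Value 'constructed sample content - not real data'

# Step 1: encrypt the file; this is what "Encrypt contents to secure data" does.
cipher.exe /e $file | Out-Null

# Step 2: the padlock icon only reflects this attribute bit; verify it is set.
$attrs = (Get-Item $file).Attributes
if (($attrs -band [System.IO.FileAttributes]::Encrypted) -ne 0) {
    "Encrypted attribute set on $file"
} else {
    "NOT encrypted: $file"
}

# Step 3: show who can decrypt it. Only users whose certificate is listed here
# (plus any data recovery agent) can open the file on this volume; anyone else
# gets "Access is denied". A colleague on another machine is never on this list.
cipher.exe /c $file

# Step 4: the owner reading the file gets plaintext. A mail client does exactly
# this read when it builds an attachment, so the attachment carries no encryption.
Get-Content -Path $file

# Step 5: the only way to copy the ciphertext plus the EFS key streams intact is
# EFS raw mode (the backup API). The result is not a shareable package: it can be
# restored only on NTFS and opened only by a holder of one of the keys listed above.
robocopy.exe $dir $raw 'secret.txt' /EFSRAW | Out-Null
"Raw copy Encrypted attribute: " +
    ((((Get-Item (Join-Path $raw 'secret.txt')).Attributes) -band [System.IO.FileAttributes]::Encrypted) -ne 0)
```

If the goal is to send the file to someone outside the machine or domain, EFS is the wrong layer: it decides who on this volume may read the file, and any read it permits produces plaintext. Protecting the attachment itself requires encrypting the bytes with a key the recipient holds (for example S/MIME or a password-protected archive), independent of the NTFS attribute.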
  • Very helpful. Thank you.
    Tuesday, July 14, 2020 6:11 PM