Windows Security · File Encryption

How to Encrypt Files and Folders with EFS in Windows
Windows 10 · Windows 11 · EFS Certificate Backup

A practical guide to using Encrypting File System (EFS) to protect selected files and folders on NTFS drives, including certificate backup, decryption, command-line options, and troubleshooting.


What Is EFS in Windows and When Should You Use It?

Encrypting File System (EFS) is a built-in Windows feature that encrypts individual files and folders on NTFS-formatted drives. Unlike BitLocker, which protects an entire drive, EFS is designed for selective file-level encryption: you choose exactly which documents, folders, or project files should be protected.

EFS is tied to your Windows user account and its encryption certificate. When you are signed in as the correct user, encrypted files open normally. Other users on the same PC, users who boot another operating system, or people who copy the encrypted files without the certificate cannot read the original contents.

ℹ️
EFS vs BitLocker

Use EFS when you want to encrypt specific files or folders. Use BitLocker when you want full-drive protection, especially for a laptop that could be lost or stolen.

Best use cases for EFS encryption

When EFS is not the best choice

Before You Encrypt Files with EFS in Windows 10 or Windows 11

EFS is simple to enable, but there are several important requirements and risks. The most important rule is this: back up your EFS certificate and private key immediately after encrypting your first file. Without that certificate, you may lose access to your encrypted data after reinstalling Windows, resetting the PC, deleting the user profile, or moving the files to another computer.

| Requirement | Details |
| --- | --- |
| Drive format | The file or folder must be stored on an NTFS drive. EFS is not intended for FAT32 or exFAT drives. |
| Windows edition | EFS is normally available in professional and business editions of Windows, such as Pro, Enterprise, and Education. |
| User account | Encryption is linked to the current Windows user account and its certificate. |
| Certificate backup | You should export the certificate to a password-protected .PFX file and store it safely. |
| Compression | A file or folder cannot be both NTFS-compressed and EFS-encrypted at the same time. |

⚠️
Important warning

Do not reinstall Windows, reset the PC, delete the user profile, or format the drive before backing up the EFS certificate. The files may remain encrypted, but you may no longer have the private key required to decrypt them.

Check whether the drive uses NTFS

  1. Open File Explorer.
  2. Right-click the drive where the files are stored.
  3. Select Properties.
  4. Look at File system. It should show NTFS.

How to Encrypt a Folder with EFS in Windows File Explorer

The easiest way to use EFS is through the folder properties window. This method works well when you want all new files inside a folder to be encrypted automatically.

  1. Open File Explorer.
  2. Right-click the folder you want to protect.
  3. Choose Properties.
  4. On the General tab, click Advanced.
  5. Enable Encrypt contents to secure data.
  6. Click OK, then click Apply.
  7. When Windows asks how to apply the change, choose Apply changes to this folder, subfolders and files if you want to encrypt everything already inside the folder.
  8. Click OK and wait for Windows to finish encrypting the data.

After encryption is enabled, Windows may display file and folder names in green in File Explorer. This indicates that the items are encrypted with EFS.

✅
Recommended workflow

Create a dedicated folder such as Private Documents, enable EFS encryption for that folder, and then move sensitive files into it. New files created inside the folder will be encrypted automatically.

How to Encrypt a Single File with EFS in Windows

You can also encrypt one file without encrypting the whole folder. However, Windows may recommend encrypting the parent folder as well. That recommendation exists because some applications create temporary copies while editing files. If the folder is not encrypted, temporary data may be written unencrypted.

  1. Right-click the file you want to encrypt.
  2. Select Properties.
  3. On the General tab, click Advanced.
  4. Check Encrypt contents to secure data.
  5. Click OK.
  6. Click Apply.
  7. If prompted, choose whether to encrypt only the file or the file and its parent folder.

Should you encrypt the parent folder too?

In most cases, yes. Encrypting the whole folder gives better protection because temporary files, newly saved versions, and copied files inside that folder can remain protected automatically. Encrypting only one file is useful for quick protection, but it is less reliable as a long-term workflow.

How to Back Up Your EFS Encryption Certificate and Private Key

The EFS certificate is the key to your encrypted data. If Windows asks you to back up your file encryption certificate, do it immediately. You can also start the export manually from Certificate Manager.

Method 1: Back up the EFS certificate from the Windows notification

  1. After encrypting your first file or folder, look for the Back up your file encryption certificate and key notification.
  2. Click the notification.
  3. Select Back up now.
  4. Follow the Certificate Export Wizard.
  5. Choose to export the private key.
  6. Select the Personal Information Exchange (.PFX) format.
  7. Set a strong password for the exported certificate file.
  8. Save the .PFX file to a secure location, such as an encrypted external drive.

Method 2: Export the EFS certificate manually

  1. Press Win + R.
  2. Type certmgr.msc and press Enter.
  3. Go to Personal → Certificates.
  4. Find the certificate that lists Encrypting File System under its intended purposes.
  5. Right-click the certificate and choose All Tasks → Export.
  6. In the wizard, select Yes, export the private key.
  7. Choose .PFX, set a password, and save the file.
🔑
Store the backup carefully

Anyone who has the encrypted files, the exported .PFX file, and its password may be able to decrypt the files. Store the certificate separately from the encrypted data and keep the password in a secure password manager.
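A backup is only useful if it really contains the private key for the certificate your files are encrypted with. The following PowerShell sketch is an added example, not part of the original guide: it loads a .PFX backup in memory and compares it with the EFS certificates in the current user's Personal store. The function names and the backup path are assumptions; 1.3.6.1.4.1.311.10.3.4 is the object identifier of the "Encrypting File System" purpose shown in Certificate Manager.

```powershell
# Added example. Get-EfsCertificate and Test-EfsBackup are hypothetical helper names.
$EfsOid = '1.3.6.1.4.1.311.10.3.4'   # "Encrypting File System" enhanced key usage

function Get-EfsCertificate {
    # EFS-capable certificates in the current user's Personal store
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $EfsOid }
}

function Test-EfsBackup {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$Password
    )
    # Open the backup without importing it into a certificate store.
    # A wrong password or a damaged file throws here, which is itself a useful result.
    $pfx = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        (Resolve-Path -LiteralPath $PfxPath).Path, $Password)
    try {
        $efsCerts = @(Get-EfsCertificate)
        if ($efsCerts.Count -eq 0) {
            Write-Warning 'No EFS certificate found in Cert:\CurrentUser\My.'
        }
        foreach ($cert in $efsCerts) {
            [pscustomobject]@{
                Thumbprint      = $cert.Thumbprint
                Expires         = $cert.NotAfter
                KeyInProfile    = $cert.HasPrivateKey
                # True only if the backup holds this certificate together with its private key
                CoveredByBackup = ($pfx.Thumbprint -eq $cert.Thumbprint) -and $pfx.HasPrivateKey
            }
        }
    }
    finally {
        $pfx.Dispose()
    }
}

# Sample call; the path is a placeholder for wherever the backup is stored.
$pw = Read-Host 'PFX password' -AsSecureString
Test-EfsBackup -PfxPath 'E:\Backup\EFS-Backup.pfx' -Password $pw | Format-Table -AutoSize
```

A row with CoveredByBackup set to False means that certificate still needs its own export.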

How to Use the Cipher Command to Encrypt Files with EFS

Advanced users can manage EFS from Command Prompt or Windows Terminal with the cipher command. This is useful for scripting, checking encryption status, or encrypting many files at once.

Encrypt a folder and its existing files

Command Prompt
cipher /e /s:"C:\Users\YourName\Documents\Private"

This command enables EFS encryption for the selected folder and processes files in subfolders.

Decrypt a folder and its files

Command Prompt
cipher /d /s:"C:\Users\YourName\Documents\Private"

Show encryption status

Command Prompt
cipher "C:\Users\YourName\Documents\Private"

Back up the current EFS certificate from the command line

Command Prompt
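cipher /x "%USERPROFILE%\Desktop\EFS-Backup"

Give the file name without an extension: cipher adds .PFX itself, so this command creates EFS-Backup.PFX on the desktop. Windows will prompt you to protect the exported certificate with a password. Move the .PFX file from the desktop to a secure backup location after export.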

How to Decrypt EFS Files and Folders in Windows

Decryption is done from the same Advanced Attributes window used for encryption. You must be signed in as a user who has access to the EFS private key.

  1. Right-click the encrypted file or folder.
  2. Select Properties.
  3. Click Advanced on the General tab.
  4. Clear Encrypt contents to secure data.
  5. Click OK, then Apply.
  6. If you are decrypting a folder, choose whether to apply the change to the folder only or to all subfolders and files.

Decrypt using Command Prompt

Command Prompt
cipher /d "C:\Users\YourName\Documents\Private\file.docx"

For a whole folder tree, use the /s option:

Command Prompt
cipher /d /s:"C:\Users\YourName\Documents\Private"

How to Share Access to EFS-Encrypted Files with Another User

EFS can allow additional Windows users to access an encrypted file, but this is not the same as normal folder sharing. The other user must have a suitable EFS certificate, and access must be added to the encrypted file.

  1. Right-click the encrypted file.
  2. Open Properties.
  3. Click Advanced.
  4. Click Details next to the encryption option.
  5. Click Add.
  6. Select the user certificate that should be allowed to access the file.
  7. Apply the changes.
👥
Folder sharing and EFS are different

Sharing a folder over the network does not automatically give another person the ability to decrypt EFS-protected data. File permissions and EFS certificates are separate layers of access control.

EFS Troubleshooting: Common Problems and Solutions

The "Encrypt contents to secure data" option is grayed out

This usually happens because the file is not on an NTFS drive, the Windows edition does not support EFS encryption, the file is marked as compressed, or encryption has been disabled by policy.
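The causes listed above can be checked in one pass. This PowerShell sketch is an added example, not part of the original guide; Test-EfsPrerequisite is a hypothetical name and the sample path is a placeholder. It assumes a local path with a drive letter and checks only one of the ways encryption can be disabled, the machine-wide NtfsDisableEncryption value.

```powershell
# Added example. Test-EfsPrerequisite is a hypothetical helper name.
function Test-EfsPrerequisite {
    param([Parameter(Mandatory)][string]$Path)

    $item  = Get-Item -LiteralPath $Path -Force -ErrorAction Stop
    # Assumes a local drive letter; DriveInfo does not accept UNC paths.
    $drive = [System.IO.DriveInfo]::new([System.IO.Path]::GetPathRoot($item.FullName))
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem

    # NtfsDisableEncryption = 1 switches EFS off for every NTFS volume on the machine.
    # Other policy settings that disable EFS are not inspected here.
    $fsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
    $value   = Get-ItemProperty -Path $fsKey -Name NtfsDisableEncryption -ErrorAction SilentlyContinue
    $ntfsOff = $value.NtfsDisableEncryption -eq 1

    $result = [pscustomobject]@{
        Path                   = $item.FullName
        FileSystem             = $drive.DriveFormat
        Compressed             = $item.Attributes.HasFlag([System.IO.FileAttributes]::Compressed)
        Edition                = $os.Caption
        NtfsEncryptionDisabled = $ntfsOff
        Blockers               = @()
    }

    if ($result.FileSystem -ne 'NTFS') {
        $result.Blockers += "Drive is $($result.FileSystem), not NTFS"
    }
    if ($result.Compressed) {
        $result.Blockers += 'Item is NTFS-compressed; clear compression first'
    }
    if ($result.Edition -match 'Home') {
        $result.Blockers += 'Edition looks like Home, which normally lacks EFS'
    }
    if ($ntfsOff) {
        $result.Blockers += 'NtfsDisableEncryption is set to 1'
    }
    $result
}

# Sample call with a placeholder path
Test-EfsPrerequisite -Path "$env:USERPROFILE\Documents\Private" | Format-List
```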

You cannot open encrypted files after reinstalling Windows

Import the previously exported .PFX certificate into the current user account:

  1. Double-click the .PFX backup file.
  2. Use the Certificate Import Wizard.
  3. Import it into the Current User certificate store.
  4. Enter the password you used when exporting the certificate.
  5. Try opening the encrypted files again.
❌
No certificate backup?

If the original Windows profile and private key are gone and no EFS certificate backup exists, recovering the encrypted file contents is usually not possible. EFS is designed to prevent access without the private key.

Encrypted files lose encryption after copying

EFS behavior depends on the destination. Copying files to a non-NTFS drive, uploading them through some apps, or saving them inside an archive may remove EFS protection. If you need portable encryption, use a password-protected encrypted container or archive instead.

Files are encrypted but the folder name is not green

File Explorer color display can be disabled. To check the real status, open the file properties or run the cipher command against the folder.
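To check the real status of a whole folder tree rather than one item at a time, the NTFS Encrypted attribute can be read directly. This PowerShell sketch is an added example, not part of the original guide; Get-EfsCoverage is a hypothetical name and the sample path is a placeholder. It reports every file and subfolder that is not encrypted, which also catches temporary files that applications left behind in plaintext.

```powershell
# Added example. Get-EfsCoverage is a hypothetical helper name.
function Get-EfsCoverage {
    param([Parameter(Mandatory)][string]$Path)

    $encrypted = [System.IO.FileAttributes]::Encrypted
    $root = Get-Item -LiteralPath $Path -Force -ErrorAction Stop

    # -Force includes hidden and system items, where editors often place temporary files.
    $children = Get-ChildItem -LiteralPath $root.FullName -Recurse -Force -ErrorAction SilentlyContinue
    $items    = @($root) + @($children)

    # Everything in the tree that does not carry the EFS attribute
    $plain = @($items | Where-Object { -not $_.Attributes.HasFlag($encrypted) })

    [pscustomobject]@{
        Root           = $root.FullName
        ItemsChecked   = $items.Count
        EncryptedItems = $items.Count - $plain.Count
        # A folder without the attribute does not encrypt new files created inside it.
        PlainFolders   = @($plain | Where-Object { $_.PSIsContainer } | ForEach-Object FullName)
        PlainFiles     = @($plain | Where-Object { -not $_.PSIsContainer } | ForEach-Object FullName)
    }
}

# Sample call with a placeholder path
$report = Get-EfsCoverage -Path "$env:USERPROFILE\Documents\Private"
$report | Format-List Root, ItemsChecked, EncryptedItems
$report.PlainFolders
$report.PlainFiles
```

Empty PlainFolders and PlainFiles lists mean every item in the tree carries the EFS attribute, regardless of the color File Explorer shows.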

Frequently Asked Questions About EFS Encryption in Windows

Q: Is EFS the same as BitLocker?
No. EFS encrypts selected files and folders. BitLocker encrypts entire drives or volumes. For best protection on laptops, BitLocker is often the better first layer, while EFS can be used for specific sensitive files.

Q: Can I use EFS on a USB flash drive?
Only if the drive uses NTFS and the computer has the required EFS certificate. For removable drives that must open on different PCs, BitLocker To Go or another portable encryption method is usually easier to manage.

Q: Will EFS protect files if someone knows my Windows password?
If someone can sign in as your Windows user, they can usually open your EFS-encrypted files because the private key is available in that user profile. EFS mainly protects data from other accounts, offline access, and unauthorized copying without the certificate.

Q: What happens if I copy an EFS-encrypted file to another computer?
The file may remain encrypted, but it will not open unless the target computer has the correct EFS certificate and private key imported for the user who needs access.

Q: Can an administrator decrypt my EFS files?
A local administrator cannot automatically decrypt your files without the needed certificate or a configured recovery agent. In managed business environments, an organization may configure EFS recovery policies.

Q: Should I encrypt system folders with EFS?
No. Do not encrypt Windows system folders, program folders, browser profile directories, or other application folders unless you fully understand the consequences. EFS is best used for personal documents and dedicated data folders.

Conclusion: The Safe Way to Use EFS in Windows

EFS is a convenient built-in way to encrypt selected files and folders in Windows 10 and Windows 11. The safest approach is to encrypt a dedicated folder, keep sensitive files inside it, and immediately back up the EFS certificate with the private key to a password-protected .PFX file.

Remember that EFS depends on your Windows user profile and certificate. If you plan to reinstall Windows, move data to another PC, or reset your account, export the certificate first. Without that backup, encrypted files may become permanently inaccessible.