
Encrypting File System


aliases:

  • EFS

A Windows feature of NTFS, not a file system of its own, that transparently encrypts individual files and folders at rest. It is little used compared with BitLocker, but it is still present on every NTFS volume.

EFS encrypts individual files with a hybrid scheme: a symmetric key encrypts the file contents, and the user's asymmetric key pair protects that symmetric key. Access is therefore tied to key material, not only to NTFS permissions: the owner of an encrypted file can add other users (by their certificates) so that they can decrypt it as well, and normal NTFS permissions still apply on top. If an EFS-encrypted file is copied or moved to a volume that is not NTFS (FAT32 or exFAT, a typical USB stick), Windows decrypts it on the way out and the copy lands in plaintext, provided the copying user holds a key for the file; a user without a key cannot copy it at all. If instead the whole NTFS drive is moved to another computer or read from another OS, the files stay encrypted and unreadable there, because the private key needed to unwrap the file's key is stored in the original user's profile under DPAPI protection derived from that user's logon credentials, so it cannot be used without logging on as that user (or without a configured recovery agent's key).
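The behaviour described above can be exercised from PowerShell. The block below is an added example, not code from the original page: it encrypts a scratch file, confirms the Encrypted attribute, and checks the file system of a destination before copying, so a plaintext copy onto a FAT-formatted stick does not happen by accident. It assumes Windows with an NTFS %TEMP%; $ScratchDir and $Dest are assumed paths.

```powershell
# Added example, not code from the original page. Assumes Windows, an NTFS %TEMP%
# and an interactive user profile; $ScratchDir and $Dest are assumed paths.
$ScratchDir = Join-Path $env:TEMP 'efs-demo'
New-Item -ItemType Directory -Path $ScratchDir -Force | Out-Null
$File = Join-Path $ScratchDir 'secret.txt'
Set-Content -Path $File -Value 'constructed sample content' -Encoding ASCII

function Get-VolumeFileSystem {
    # File system name ("NTFS", "FAT32", "exFAT", ...) of the volume holding $Path.
    # DriveInfo only understands drive letters, so UNC paths are reported as UNKNOWN.
    param([Parameter(Mandatory)][string]$Path)
    $root = [System.IO.Path]::GetPathRoot([System.IO.Path]::GetFullPath($Path))
    if ($root -match '^\\\\') { return 'UNKNOWN' }
    [System.IO.DriveInfo]::new($root).DriveFormat
}

function Test-EfsDestination {
    # True when a file written to $Path keeps EFS protection, i.e. the volume is NTFS.
    param([Parameter(Mandatory)][string]$Path)
    (Get-VolumeFileSystem -Path $Path) -eq 'NTFS'
}

# Encrypt the file; equivalent to `cipher /e /a secret.txt` or the Explorer checkbox.
# Encrypt() throws on a non-NTFS volume, so check first and give a clearer message.
if (-not (Test-EfsDestination -Path $File)) {
    throw "EFS requires NTFS; $File is on $(Get-VolumeFileSystem -Path $File)"
}
[System.IO.File]::Encrypt($File)

# The Encrypted attribute is the visible sign that the file now carries an $EFS attribute.
$isEncrypted = (Get-Item -Path $File).Attributes.HasFlag([System.IO.FileAttributes]::Encrypted)
"Encrypted attribute set: $isEncrypted"

# Reads remain transparent for the user who encrypted the file.
Get-Content -Path $File

# Before copying anywhere, check where the copy will land: a FAT32/exFAT target
# receives plaintext. The drive letter is only probed if it actually exists.
$Dest = 'E:\backup\secret.txt'   # assumed target, e.g. a removable drive
if (Test-Path -Path ((Split-Path -Qualifier $Dest) + '\')) {
    if (Test-EfsDestination -Path $Dest) {
        Copy-Item -Path $File -Destination $Dest
    } else {
        Write-Warning "$Dest is on $(Get-VolumeFileSystem -Path $Dest); the copy would be plaintext. Not copying."
    }
}

# Undo for cleanup; `cipher /d secret.txt` does the same.
[System.IO.File]::Decrypt($File)
```

The volume check is deliberately separate from the copy so it can be reused before any backup or sync job; a UNC target is reported as UNKNOWN rather than NTFS because whether EFS survives a network copy depends on the server, which a client-side DriveInfo lookup cannot tell you.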

Symmetric Encryption

For each file, EFS generates a random File Encryption Key (FEK), a symmetric key (AES-256 on current Windows versions; early versions used DESX, with 3DES as an option). The FEK is what actually encrypts and decrypts the file contents. It is stored with the file in the NTFS $EFS attribute, but never in the clear: only wrapped copies of it are written there, as described next.

Asymmetric Encryption

EFS does not create a second FEK; it uses the user's asymmetric key pair (an RSA key from the user's EFS certificate) to protect the single FEK. The FEK is encrypted with the user's public key and stored next to the file in a Data Decryption Field (DDF). If a data recovery agent is configured, a second copy of the FEK is wrapped with the agent's public key and stored in a Data Recovery Field (DRF), so an administrator can recover the file if the user's key is lost. On every later access the system uses the user's private key to unwrap the FEK from the DDF, then uses the FEK to decrypt the contents. Each additional user the owner grants access gets a DDF entry of their own, which is how files are shared without ever sharing a private key.

If the user has no suitable certificate the first time they encrypt a file, Windows generates a self-signed RSA key pair and certificate with the Encrypting File System purpose (the "EFS certificate") and uses that; in a domain with an enrolling CA the certificate can be issued by the CA instead. The private key is kept in the user's profile under DPAPI, so a lost profile, or an administrator-forced password reset of a local account (which invalidates the DPAPI master keys), makes every file unrecoverable unless the certificate and key were backed up (cipher /x) or a recovery agent holds a DRF entry.
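The following added example (not code from the original page) shows the key material described in the two sections above on a live system: it lists the EFS certificates in the current user's store by their EKU, checks that a private key is present, and prints the DDF and DRF entries of a freshly encrypted file with cipher /c. It assumes Windows and an NTFS %TEMP%; $File is an assumed path that the block creates and encrypts itself.

```powershell
# Added example, not code from the original page. Assumes Windows and an NTFS %TEMP%;
# $File is an assumed path. Encrypting it is what triggers creation of the EFS
# certificate if the user has none yet.
$File = Join-Path $env:TEMP 'efs-demo-keys.txt'
Set-Content -Path $File -Value 'constructed sample content' -Encoding ASCII
[System.IO.File]::Encrypt($File)

function Get-EfsCertificate {
    # Certificates in the current user's personal store carrying the Encrypting File
    # System enhanced key usage (OID 1.3.6.1.4.1.311.10.3.4). The self-signed one
    # Windows makes on first use appears here alongside any CA-issued EFS certificate.
    $efsOid = '1.3.6.1.4.1.311.10.3.4'
    Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $eku -and (@($eku.EnhancedKeyUsages).Value -contains $efsOid)
    }
}

function Test-EfsKeyPresent {
    # Whether the current user holds a private key for at least one EFS certificate.
    # Without one, nothing this user encrypted can be decrypted, whatever the DDF says.
    [bool](Get-EfsCertificate | Where-Object HasPrivateKey)
}

# Subject is normally the user name; HasPrivateKey must be True.
Get-EfsCertificate | Format-Table Subject, Thumbprint, NotAfter, HasPrivateKey -AutoSize
"Can decrypt own EFS files: $(Test-EfsKeyPresent)"

# cipher /c prints, for the file, the users who can decrypt it (the DDF entries) and
# the recovery agents (the DRF entries), each identified by certificate thumbprint.
# The thumbprint under "Users who can decrypt" should match one listed above. The FEK
# itself is never printed; on disk it exists only wrapped under these public keys.
cipher.exe /c $File

# Back up the certificate and private key to a password-protected PFX before relying
# on EFS; without it (or a recovery agent) a lost profile means lost files. The
# command prompts for a password, so it is left commented out here:
#   cipher.exe /x "$env:USERPROFILE\efs-backup"

[System.IO.File]::Decrypt($File)
```

If Get-EfsCertificate returns a certificate whose thumbprint does not appear in the cipher /c output, the file was encrypted under a different (typically older or expired) certificate; cipher /u /n lists such files, and cipher /u rewraps them under the current certificate.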