The encrypted file attribute specifies whether a file or folder is encrypted to protect its data from unauthorized access. EFS (Encrypting File System) adds an additional security layer by encrypting files and folders at the file system level. Files are encrypted and decrypted automatically with the user's encryption keys. The Administrator account holds a global key that can decrypt user files; however, this key can be exported and stored in a PFX file on a floppy disk or other storage medium so that even the administrator cannot access user data. Normally only the user who encrypted a file can decrypt it, although group policy can be configured so that any member of a preconfigured group may access encrypted files.
Because the operating system performs encryption and decryption automatically, the user does not need to know much about keys or other such details. If a file or folder has the encrypted attribute, encryption and decryption are done at the file system level, which means the file appears to applications as a regular (unencrypted) file.
For maximum security, encryption should be set on every folder by default; the My Documents and Temp folders in particular must be encrypted. Files opened over the network must be additionally protected with network protocols such as SSL or IPSec. If encryption keys are changed, the old keys must be kept until all encrypted files have been updated.
- The FAT file system does not support encryption.
- Windows Explorer can be configured to display encrypted files in green.
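As an added example (not code from the original page), the following PowerShell script checks which files under a folder carry the Encrypted attribute, refuses to proceed on a non-NTFS volume (FAT cannot hold the attribute), and marks the folder and its existing files as encrypted with the built-in cipher.exe tool. It assumes a Windows host with the Storage module (Get-Volume) available; the folder path is a placeholder.

```powershell
# Added example (not from the original page): check and apply the EFS encrypted attribute.
# Assumes a Windows host with NTFS, cipher.exe, and the Storage module (Get-Volume).
# The path used at the bottom is a placeholder, not a value from the page.

function Get-EfsStatus {
    # Reports, for each file under $Path, whether the Encrypted attribute is set.
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            Path      = $_.FullName
            Encrypted = (($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0)
        }
    }
}

function Enable-EfsFolder {
    # Marks the folder and its existing files as encrypted so new files inherit the attribute.
    param([Parameter(Mandatory)][string]$Path)
    $driveLetter = (Get-Item -LiteralPath $Path).PSDrive.Name
    $fs = (Get-Volume -DriveLetter $driveLetter).FileSystem
    if ($fs -ne 'NTFS') {
        # FAT volumes cannot carry the attribute; stop rather than silently leave data in clear text.
        throw "Volume ${driveLetter}: is $fs; EFS requires NTFS."
    }
    # /E encrypts, /S: recurses into subdirectories, /A also operates on existing files.
    & cipher.exe /E "/S:$Path" /A | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "cipher.exe failed with exit code $LASTEXITCODE" }
}

# Usage with a placeholder path: encrypt the folder, then report anything left unencrypted.
$target = "$env:USERPROFILE\Documents\Private"
Enable-EfsFolder -Path $target
Get-EfsStatus -Path $target |
    Where-Object { -not $_.Encrypted } |
    ForEach-Object { Write-Warning "Not encrypted: $($_.Path)" }
```

Run it in the account that owns the files; files encrypted this way are readable only by that account (and any configured recovery or group access), so verify the output before relying on it.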