Windows Server Cookbook for Windows Server 2003 and Windows 2000
Recipe 4.15. Encrypting a File or Folder
Problem
You want to encrypt a file or folder so that other users cannot read its contents.
Solution
Using a graphical user interface
Using a command-line interface
With the cipher.exe command, you can encrypt and decrypt files and folders. Running it without any options lists the files in the current directory with a flag indicating which ones are encrypted (U = unencrypted, E = encrypted):
> cipher
The following command encrypts a single file:
> cipher /e /a <FileName>
Here is an example:
> cipher /e /a mysecretfile.doc
The following command causes any new file added to the scripts directory to be encrypted. Existing files are not encrypted:
> cipher /e d:\scripts
The following command encrypts all files in a directory and any subdirectories:
> cipher /e /f /a /s:d:\scripts
This is the same command with /e replaced by /d, which causes everything within the d:\scripts directory to become unencrypted:
> cipher /d /f /a /s:d:\scripts
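Because cipher /e on a directory only affects files added later, it is worth checking what is still stored unencrypted afterwards. The following is an added example, not from the book: Get-EfsState is a hypothetical helper name, and the script assumes Windows PowerShell 3.0 or later is available on the machine.

```powershell
# Added example, not from the book. Get-EfsState is a hypothetical helper name.
# It reads the NTFS Encrypted attribute that cipher.exe reports as E or U.
function Get-EfsState {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    $encryptedFlag = [System.IO.FileAttributes]::Encrypted

    # Include the root directory itself: its flag decides whether new files
    # created directly inside it are encrypted.
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force)

    foreach ($item in $items) {
        $flag = 'U'
        if (($item.Attributes -band $encryptedFlag) -ne 0) { $flag = 'E' }

        $type = 'File'
        if ($item.PSIsContainer) { $type = 'Directory' }

        [pscustomobject]@{
            Flag     = $flag
            Type     = $type
            FullName = $item.FullName
        }
    }
}

# d:\scripts is the directory used in the recipe above.
$state = Get-EfsState -Path 'd:\scripts'

# Existing files left unencrypted after "cipher /e d:\scripts".
$state | Where-Object { $_.Type -eq 'File' -and $_.Flag -eq 'U' } |
    Select-Object -ExpandProperty FullName

# Subdirectories not marked for encryption; new files there stay unencrypted.
$state | Where-Object { $_.Type -eq 'Directory' -and $_.Flag -eq 'U' } |
    Select-Object -ExpandProperty FullName
```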
Discussion
NTFS supports the Encrypting File System (EFS) for encrypting the contents of files. Similar to compression, EFS is built into the file system, so encryption and decryption of EFS-enabled files and folders is seamless to the end user. And just like compression, enabling EFS should only be done after much thought about its impact. EFS can significantly affect the performance of a server and the access times for files. For more on how to use EFS, including the recovery mechanisms built into EFS, see MS KB 324897.
See Also
MS KB 230520 (HOW TO: Encrypt Data Using EFS in Windows 2000), MS KB 298009 (Cipher.exe Security Tool for the Encrypting File System), and MS KB 324897 (HOW TO: Manage the Encrypting File System in Windows Server 2003 Enterprise Server)