If you have important personal or business content such as Intellectual Property on your Windows PC, you may wonder how to ensure that data is secure. If a laptop is lost or stolen, it is possible that thieves could access the contents of the hard drive. The solution is to encrypt your files and folders in Windows 10.
Encrypting files on your computer ensures that it will be much more difficult to steal your valuable information, even if your computer is hacked. In this guide, we will explain how to encrypt files in Windows using native features and third-party apps.
What should I encrypt?
This is your choice, but most people use encryption to protect the following kinds of data assets:
- Personally Identifiable Information
- Passwords
- Tax invoices
- Banking information and documents
- Scans of ID documents such as passports or drivers’ licenses
- Privileged employer information
- Intellectual Property
How can I encrypt files and folders in Windows?
There are two main ways to encrypt files on a Windows machine: Windows’ built-in Encrypting File System (EFS) or BitLocker. Alternatively, you could use a third-party encryption application.
If you are looking for a way to encrypt text files such as Word documents and PDFs, you can also encrypt those files inside Microsoft Office. And, if you want to encrypt Excel databases, you can do that too. Below we will walk you through some of the most popular methods for encrypting on your computer.
Encrypting in Windows using the built-in Encrypting File System
The easiest and fastest way to encrypt files securely on your hard drive is to use Windows’ native encryption tool. Windows’ Encrypting File System (EFS) uses secure symmetric encryption with a File Encryption Key (FEK). This kind of encryption is secure and fast, which means it can be used to encrypt any individual files you need to secure, no matter their size.
Windows 10 Home Edition users
EFS is only available in Windows 10 Pro, Enterprise, and Education. If you are a Home Edition user, you will need to encrypt files using a third-party encryption app instead, which we cover later in this guide.
How to enable Windows Encrypting File System (EFS)
If you have a compatible version of Windows 10, you can encrypt files almost right away. Before you get to this, however, you will need to do two things:
- Ensure that your Windows user account has been set up with a password that is strong and hard to crack. Using EFS requires your user account to have a password, and unless that password is strong, it might be brute-forced by someone with physical access to the computer. Your file encryption will only be as strong as your user password, so make sure it is robust.
- Get a USB thumb drive so you can save the backup key. This will allow you to access your encrypted files if you lose access to your user account.
Password managers are very useful if you plan on password protecting your documents as they can generate long complex passwords and save them securely. Check out our article on the best password managers for a list of the best services and the pros and cons of using one.
Now that you have done the preliminary preparation steps, you are ready to enable EFS for specific files or folders. To do so, follow these simple steps:
- Right-click on your Start button and open File Explorer.
- Locate the file or folder that you wish to encrypt in your file manager.
- Right-click the file or folder and click Properties.
- In the General tab, click Advanced.
- Tick the checkbox next to Encrypt contents to secure data. Click OK.
- Click Apply. A window will pop up asking you whether you want to encrypt the selected folder, or the folder, sub-folders, and files.
- Choose either Apply changes to this folder only or Apply changes to this folder, sub-folders, and files.
- Click OK.
A small padlock symbol should appear in the top-right of the file or folder you've encrypted.
Back up your Key
Now that you have encrypted your first file, Windows EFS will display an icon in the system tray at the bottom right-hand side of your screen. Click on it to back up your key.
- Plug your USB thumb drive into your Windows computer.
- Click the EFS icon in the system tray.
- Click Back up now (recommended).
- On the Certificate Export Wizard click Next.
- Leave the default settings on the Export File Format screen and click Next.
- On the security screen, tick the box next to Password and type in a password. You will need to enter it twice to confirm it is the right password.
- Click Next.
- On the next screen click Browse and select your USB thumb drive.
- Now click the filename field and type in EFSKey. (Or call the file whatever you prefer).
- Click Save.
- Click Next.
- Click Finish.
- Click OK.
Remember
Once the backup key has been exported, keep the USB drive safe. If you ever find yourself locked out of your Windows user account, you can use the key to recover the encrypted files on your PC.
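The two procedures above (enabling EFS on a folder and backing up the key) can also be done and checked from PowerShell. The script below is an added example, not part of the original guide; the folder path and the `E:` drive letter are assumptions to adjust for your system.

```powershell
# Added example, not from the original article. Run as the user who owns the files.
$Target     = "$env:USERPROFILE\Documents\Private"  # assumed folder to protect
$BackupFile = 'E:\EFSKey'                            # assumed USB drive letter; cipher adds .PFX

# Same effect as "Apply changes to this folder, sub-folders, and files".
cipher /e "/s:$Target" | Out-Null

# Audit the result: return every item under $Path that is still not EFS-encrypted.
function Get-UnencryptedItem {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.Attributes.HasFlag([IO.FileAttributes]::Encrypted) }
}

$leftovers = @(Get-UnencryptedItem -Path $Target)
if ($leftovers.Count -gt 0) {
    Write-Warning "$($leftovers.Count) item(s) are still stored in plaintext:"
    $leftovers | Select-Object -ExpandProperty FullName
} else {
    Write-Output "Everything under $Target carries the Encrypted attribute."
}

# Find the EFS certificate(s) whose private key unlocks the File Encryption Keys.
$efsOid   = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage: Encrypting File System
$efsCerts = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $efsOid)
})
$efsCerts | Select-Object Subject, Thumbprint, NotAfter | Format-Table -AutoSize

# "Back up your Key": export certificate and private key to a password-protected
# .PFX file. cipher asks for confirmation and for the export password interactively.
if ($efsCerts.Count -eq 0) {
    Write-Warning 'No EFS certificate with a private key found; nothing to back up.'
} elseif (Test-Path -LiteralPath (Split-Path $BackupFile -Parent)) {
    cipher /x $BackupFile
} else {
    Write-Warning 'Backup drive not found; plug in the USB drive and re-run.'
}
```

Any path the audit step lists is still readable without your key, so re-run the script after copying new files into the folder from elsewhere.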
Encrypting files in Windows using BitLocker
BitLocker is a proprietary full volume encryption tool for Windows that lets users encrypt their entire hard drive securely. BitLocker is different to EFS because it does not allow users to encrypt single files and folders when their operating system is running. For this kind of encryption, users will require either EFS or a third-party encryption tool.
Windows Home Edition Users
As with EFS, BitLocker is not available for Windows Home Edition. It is only available for Windows Pro and Enterprise users.
BitLocker is suitable for anybody who wants to ensure that their entire hard drive is encrypted every time they log out of Windows and close their computer down.
But, typically, people require Full Disk Encryption (FDE) because:
- Some users require FDE to comply with regulations that could lead to fines if consumer data stored on their system is exposed when a machine is stolen.
- It protects valuable and sensitive company data from being accessed if a laptop is stolen or lost.
- Using BitLocker minimizes the potential for useful data to be recovered from old or lost hard drives.
BitLocker uses Advanced Encryption Standard (AES) as its cipher with user configurable key lengths of 128 or 256 bits. This is a secure encryption standard, meaning that hard drives protected with BitLocker are safe against hackers for the foreseeable future.
How to encrypt a hard drive using BitLocker - Step by Step
If you have Windows 10 Pro or Enterprise edition, you can use BitLocker to encrypt your hard drive. Once set up, BitLocker lets you unlock your hard drive either by using a USB dongle or by entering a password. You can opt for either method, but if you prefer a physical key, you will need to get a USB thumb drive before setting BitLocker up.
Check for a Trusted Platform Module chip
Before setting up BitLocker, check that your PC has a Trusted Platform Module (TPM) chip. This is a special microchip that enables your device to support advanced security features. You can use BitLocker if your computer doesn't have TPM by using software-based encryption instead, but it requires a longer setup and it isn’t as secure. To check if you have one simply:
- Press the Windows key + X (at the same time) and click on Device Manager.
- Expand Security Devices and check whether a TPM chip is listed. Your PC must have TPM chip version 1.2 or later to support BitLocker.
Set up BitLocker
Now that you have checked for a TPM chip, you can set up BitLocker:
- Navigate to your Control Panel.
- Select System and Security.
- Find BitLocker Drive Encryption and click Manage BitLocker.
- Select Turn on BitLocker.
- Choose either Enter a password or Insert a USB flash drive.
- If you use a USB dongle, you will still need to enter a password. Enter it and click Next.
- You will be given options to save a recovery key. This key lets you regain access to your encrypted hard drive if you forget your password. Options include:
  - Save to your Microsoft account
  - Save to a USB flash drive
  - Save to a file
  - Print the recovery key
- Choose your preferred option and click Next.
- Select an encryption option. You can opt to encrypt either the entire disk or the used portion. Click Next.
- Choose between New encryption mode (better for internal, fixed hard drives) or Compatible mode (best for removable devices), and click Next.
- Tick the Run BitLocker system check box and click Continue.
- Now, restart your computer to complete the setup.
- When the computer launches, BitLocker will ask you to either insert your USB flash drive and enter a password, or enter the password you set up to unlock your hard drive.
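To confirm the result of the TPM check and the BitLocker setup above, the state can be read back from an elevated PowerShell prompt. This script is an added example, not part of the original guide; the `C:` drive letter and the function name `Get-BitLockerPosture` are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. 'C:' is an assumed drive letter.
function Get-BitLockerPosture {
    param([string]$MountPoint = 'C:')

    $tpm  = Get-Tpm   # TPM presence and readiness (TrustedPlatformModule module)
    # SpecVersion looks like "2.0, 0, 1.38"; the first field is the TPM version.
    $spec = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                -ClassName Win32_Tpm -ErrorAction SilentlyContinue).SpecVersion
    $tpmVersion = 'none'
    if ($spec) { $tpmVersion = ($spec -split ',')[0].Trim() }

    $vol        = Get-BitLockerVolume -MountPoint $MountPoint
    $protectors = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    $method     = [string]$vol.EncryptionMethod

    # XTS-AES methods are the wizard's "New encryption mode"; plain AES is "Compatible mode".
    $mode = 'Not encrypted'
    if ($method -like 'Xts*')     { $mode = 'New encryption mode' }
    elseif ($method -like 'Aes*') { $mode = 'Compatible mode' }

    [pscustomobject]@{
        TpmPresent       = $tpm.TpmPresent
        TpmReady         = $tpm.TpmReady
        TpmVersion       = $tpmVersion
        VolumeStatus     = [string]$vol.VolumeStatus
        PercentEncrypted = $vol.EncryptionPercentage
        ProtectionOn     = ([string]$vol.ProtectionStatus) -eq 'On'
        Method           = $method
        Mode             = $mode
        Protectors       = $protectors -join ', '
        # The wizard's "recovery key" is stored as a RecoveryPassword protector.
        HasRecoveryKey   = $protectors -contains 'RecoveryPassword'
    }
}

$p = Get-BitLockerPosture -MountPoint 'C:'
$p | Format-List

# Flag the states that leave data on the drive readable or unrecoverable.
if (-not $p.ProtectionOn) { Write-Warning 'BitLocker protection is off or suspended.' }
if ($p.VolumeStatus -ne 'FullyEncrypted') {
    Write-Warning "Volume is $($p.VolumeStatus) ($($p.PercentEncrypted)% encrypted)."
}
if (-not $p.HasRecoveryKey) { Write-Warning 'No recovery key protector; a forgotten password locks you out.' }
if (-not $p.TpmPresent) { Write-Warning 'No TPM detected; unlocking relies on the password or USB key alone.' }
```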
Use an encryption app to encrypt files or folders in Windows
If you are a Windows 10 Home Edition user, you cannot use EFS or BitLocker. This is because they are only available on Windows 10 Pro, Enterprise or Education.
The good news is that you can still encrypt files and folders using a third-party tool, and you don’t have to pay a fortune to get the job done. In fact, using open source third-party tools with strong encryption is an effective way of ensuring you secure your personal data.
If you need to encrypt files and folders on your machine, we recommend using one of the following apps:
- VeraCrypt. This is a free open source encryption tool that uses a strong AES-256 cipher and robust SHA-512 for the handshake algorithm. It is available for Windows, Linux, and Mac OS X. VeraCrypt will let you encrypt single files inside an encrypted container secured with a passphrase. It will also let you encrypt partitions, and on Windows it supports full disk encryption.
- AxCrypt. This is an open source encryption tool that is available either for free or via its paid premium plan.
- Folder Lock. This is a popular program that lets you encrypt files and folders on the fly. You can use it to encrypt drives, as well as shred and permanently delete files.
- GNU Privacy Guard. This program helps you encrypt files or folders into an archive using the secure OpenPGP standard. It is both free and open source.
- 7-Zip. This is another free open source program that lets you use password protection, alongside encrypting files and folders into compressed archives. This allows you to store data securely and make better use of space on a hard drive.
The programs we have listed above all function slightly differently. However, they all have walkthroughs and guides on their websites to help you encrypt your data. Thus, you will need to do a little research into each program to use that specific encryption system to secure your data.
On the whole, however, once installed you should be able to locate the files and folders that you want to secure in Windows file manager, and then right click on those files to select the program you wish to encrypt the files with.
Is encryption foolproof?
Encrypted files and folders are much more secure because a password is needed to access their contents. However, they are not 100% secure for several reasons:
- If you store your cryptographic key or encryption password in an unencrypted file on your computer, a hacker could potentially steal it.
- If a hacker installs a keylogger on your device, they could steal your password when you enter it to decrypt a file.
- When you use EFS to encrypt a file, your computer may still store an unencrypted version of that file in its temporary memory. The solution is to delete your temporary files to ensure that the unencrypted version is not still lying around.
- Depending on where you live, legislation may exist that forces you to hand over your encryption key to the government. If you are served a warrant, it may compel you to hand over access to your encrypted documents in order to comply with an investigation.
How to encrypt an external hard drive
If you have an external hard drive, you can encrypt the files on it too. Check out our how to encrypt an external hard drive page for information about how to do this.
Do I need a VPN to encrypt my internet data?
The software we have recommended in this article lets you encrypt the data on your local hard drive. However, you may also want to encrypt your internet traffic to gain digital privacy online. When you use the internet, all your traffic must pass through your ISP’s servers. This allows your ISP to keep records of all the websites you visit. It also allows your ISP to gather your metadata.
Local network administrators can also analyze and track your internet traffic when you use public WiFi hotspots, and both ISPs and WiFi providers may collect data about you and share it with the government. A VPN encrypts your data before it leaves your devices, which stops your ISP or WiFi providers from being able to snoop on your traffic.
FAQs