How to encrypt files and folders in Windows 10

By Praharsha Anand
last updated

Here’s how to make your sensitive data unreadable to prying eyes

A padlock on a motherboard
(Image credit: Shutterstock)

No machine is 100% secure. That's partly because the human element of cyber security will always be somewhat fallible, but also because hackers are innovative.

It's therefore safe to assume that you will, at some point, be hacked. However, that doesn't mean you can't protect your data and render it useless to anyone that does get hold of it. By using encryption, users can convert their sensitive data into a code of jumbled numbers, which can lower the risk of infiltration, theft and subsequent fraud.

Intel joins forces with DARPA to help build encryption ‘holy grail’ Invoice ZLoader campaign hides within encrypted Excel docs EU inches closer to ban on end-to-end encryption Five Eyes nations demand encryption 'backdoors' by-design

Some hackers may try using decryption keys to translate stolen information back into its original form, but because the data will appear scrambled to unauthorized users, it will largely remain undeterred.

Microsoft offers a built-in tool for file and folder encryption in Windows. These files will show a padlock sign when you've encrypted them and they will also be password-protected. There are a few points to remember here; an encrypted file can lose its encryption when transmitted via a network or email. You need to extract the contents of a compressed file or folder before you encrypt it. It doesn't necessarily protect files from being deleted and you should always backup encrypted data and store it offline.

With those warnings heeded, we explain how you can encrypt your data on Windows.

How to encrypt files and folders in Windows 10

There are two simple ways to encrypt files and folders on Windows 10, via Microsoft’s encrypted file system (EFS) or BitLocker.

Encrypting files and folders using Windows encrypted file system

Microsoft’s EFS service offers support for encrypting individual files, folders, and directories in Windows 10 or any other Windows version since XP. To enable EFS encryption, follow these steps:

The "properties" box on Windows where folder encryption can be found

  1. Right-click on the file or folder you want to encrypt and select “Properties”
  2. In the “General” tab of “Properties,” click on the “Advanced” button
  3. In the “Advanced Attributes” dialogue box, under “Compress or Encrypt Attributes” section, checkmark on “Encrypt contents to secure data”
  4. Click “OK”
  5. Click “Apply”
  6. If encrypting a folder, a window will pop up asking you to choose between “Apply change to this folder only” and “Apply changes to this folder, subfolders and files.” Select your preference and click “OK” to save the change(s)

The encryption process is now complete, and Windows will automatically create an encryption key and save it locally to your PC. Files and folders you've encrypted with EFS will feature a small padlock icon in the top-right corner of the thumbnail. Only you can access the encrypted files or folders. But there’s more to it.

To avoid file loss if the key gets corrupted, Windows will prompt you to backup the encryption key immediately after encryption. Backup your EFS encryption key with the following steps:

  1. In the “Backup your file encryption certificate and key” prompt, choose “Backup now”
  2. Ensure you have a USB flash drive plugged into your PC
  3. Click “Next” to create your encryption certificate
  4. Check on “.PFX” file format to export your certificate file and click “Next”
  5. Check the “Password” box to enter a new password
  6. Navigate to your USB drive
  7. Name to your encryption backup file and click “Save”
  8. Click “Next”
  9. Click “Finish”

Decrypting the encrypted file/folder is just as easy with the following steps:

  1. Right-click on the file or folder you want to decrypt and select “Properties”
  2. In the “General” tab of “Properties,” click on the “Advanced” button
  3. In the “Advanced Attributes” dialogue box, under “Compress or Encrypt Attributes” section, uncheck “Encrypt contents to secure data” option
  4. Click “OK”
  5. Click “Apply”

Your file is readable again.

Note: The PC owner can access an EFS-encrypted file locally, but the files will remain inaccessible for all other user accounts. You may also use a DVD or portable hard disk to backup your encryption key.

Encrypting files and folders using BitLocker

BitLocker is a full-disk encryption solution that enables you to encrypt an entire hard drive at once. When combined with a PC’s trusted platform module (TPM), BitLocker can provide advanced security features, including hardware-level encryption.

To check if your computer has a TPM chip, use Windows key + X combination to open the Power User menu and select “Device Manager.” Now, click on “Security Devices.” If your PC has a TPM chip, one of the subfolders will read “Trusted Platform Module” with a version number.

Your computer must have a TPM chip version 1.2 or later to support BitLocker.

Set up BitLocker on your Windows 10 PC, using the following steps:

  1. Press Windows key + X keyboard shortcut to open the “Power User” menu
  2. Go to “Control Panel” > “System and Security” > “BitLocker Drive Encryption”
  3. Under the “BitLocker Drive Encryption” section, click on “Turn on BitLocker”
  4. Set a password and click “Next”

The encryption process is now complete. Like EFS-based encryption, you’ll have options to save a recovery key to regain access to your files if you lose or forget your password.

Here’s is a list of options available:

  • Save to your Microsoft account
  • Save to a USB flash drive
  • Save to a file
  • Print the recovery

Select one of the four options and click “Next.” Next, choose how much of the drive you want to encrypt – the entire drive or only the used disk space. It’ll also prompt you to choose between two encryption modes: new encryption mode (best for fixed drives on your device) and compatible mode (best for detached drives you can remove from your device). Select one of the two options and click “Next.” In the next pop-up, check the “Run BitLocker system check” option and click “Continue.”

Finally, restart your computer. Upon reboot, BitLocker will prompt you to enter your encryption password to unlock the drive. Type the password and press “Enter.” You can verify BitLocker is turned on by looking for a padlock icon on your encrypted drive’s thumbnail.

To disable BitLocker, open File Explorer, right-click the encrypted drive and select “Manage BitLocker.” You can suspend or altogether disable BitLocker for each drive or partition encrypted.

Note: BitLocker doesn’t support dynamic disc encryption. Decryption may take a while, depending on the size of your encrypted drive. However, you can continue using your computer during the encryption.

Wrapping up

A security system is only as strong as its weakest point, which is why it helps to take small but decisive steps toward data encryption.

BitLocker can protect PCs’ operating systems against offline attacks, and EFS offers additional file-level encryption for security separation between multiple users of the same computer. You can also combine protections by choosing to use EFS to encrypt files on a BitLocker-protected drive.

Praharsha Anand