Saturday, September 21, 2013

Encrypted File System on Windows 7 Home Premium

While Windows 7 Home Premium edition doesn't support EFS, you can get it working in a roundabout way - given you have temporary access to a copy of Windows that does have support for EFS. I found this out while using an external hard drive when passing files between my desktop (Windows Vista Ultimate) and my laptop (Windows 7 Home Premium).

  1. On the machine which does support EFS, go ahead and set up an encryption certificate.
  2. Export the encryption certificate, copy it over to the Windows 7 machine and install it.
  3. Create a folder and mark it as encrypted on the first machine.
  4. Copy the folder onto a USB drive formatted with NTFS.
  5. Finally, copy the folder from the USB drive onto the Windows 7 machine.

Any files created under (or copied to) the encrypted folder will themselves be encrypted. In addition, this folder can be used as a template for creating additional encrypted folders, so keeping an empty copy of it lying around can be useful.

There are a couple of caveats to deal with, though.

  • The hard drives on both machines and the USB drive must be formatted with NTFS.
  • New folders on the Windows 7 machine cannot be marked as encrypted, unless they are children of folders already encrypted.
  • Once a folder or file has been encrypted, it cannot be marked as decrypted on the Home Premium machine.
  • Folders shared on the network cannot be decrypted - regardless of whether the certificate & key are installed on the client machine. This is why a USB drive is required.

I realize this seems a long way to go just to get EFS onto a weaker copy of Windows 7. To be honest, I don't use EFS on my laptop extensively; but the files I keep encrypted, I want them to stay encrypted, regardless of which machine they are stored on.
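
Because the Home Premium machine offers no way to mark or unmark encryption, it is worth confirming that the copied folder and everything placed in it really carry the EFS attribute. The script below is an added example, not part of the original post; the `$Path` parameter is a hypothetical name, and it assumes a local or USB drive letter rather than a network path.

```powershell
# Added example: audit a folder tree for items that are NOT EFS-encrypted.
# $Path is a hypothetical parameter; point it at the copied encrypted folder.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path
)

$root = (Resolve-Path -LiteralPath $Path).ProviderPath

# EFS exists only on NTFS; on any other file system the copy is stored unencrypted.
$driveRoot = [System.IO.Path]::GetPathRoot($root)
$drive = New-Object System.IO.DriveInfo -ArgumentList $driveRoot
if ($drive.DriveFormat -ne 'NTFS') {
    Write-Warning "$driveRoot is $($drive.DriveFormat), not NTFS: files here cannot be EFS-encrypted."
}

# Numeric value of FILE_ATTRIBUTE_ENCRYPTED, used for the bit test below.
$encrypted = [int][System.IO.FileAttributes]::Encrypted

# The folder itself must carry the attribute for new children to inherit it.
$top = Get-Item -LiteralPath $root -Force
if (([int]$top.Attributes -band $encrypted) -eq 0) {
    Write-Warning "$root is not marked as encrypted; new files in it will not be encrypted."
}

# Collect every file or subfolder below the root that lacks the attribute.
$plain = @(Get-ChildItem -LiteralPath $root -Recurse -Force |
    Where-Object { ([int]$_.Attributes -band $encrypted) -eq 0 })

if ($plain.Count -eq 0) {
    Write-Output "All items under $root carry the Encrypted attribute."
} else {
    Write-Output "$($plain.Count) item(s) under $root are not encrypted:"
    $plain | ForEach-Object { $_.FullName }
}
```

Run it once after copying the template folder from the USB drive, and again after adding files, to catch anything that arrived without encryption.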