
How to Enable or Disable NTFS File Encryption in Windows

by Angelo Salandanan, IT Technical Writer

Key Points

How to Enable or Disable NTFS File Encryption

  • NTFS supports file-level encryption via EFS (Encrypting File System).
  • Enable:
    • Group Policy → System > Filesystem > NTFS → set “Do not allow encryption…” to Disabled.
    • Command: fsutil behavior set disableencryption 0 → restart.
    • Services: set “Encrypting File System (EFS)” to Automatic.
  • Disable:
    • Group Policy → set “Do not allow encryption…” to Enabled.
    • Command: fsutil behavior set disableencryption 1 → restart.
    • Services: set EFS to Disabled.
  • Encrypt files: Right-click → Properties → Advanced → “Encrypt contents to secure data” or use cipher /e <path>.

The built-in Encrypting File System (EFS) is one of Windows’ best and most accessible NTFS file encryption tools. As the administrator, you can turn the program on or off using the Local Group Policy Editor (GPO), Command Prompt, PowerShell, or Services. If it’s your first time looking to run EFS, check out our guide below to see how and when you should use the NTFS file encryption system.

Understanding NTFS file encryption (EFS)

NTFS, or New Technology File System, is the file system used on hard drives and solid-state drives (SSDs). EFS is an integrated utility that can encrypt files and folders on NTFS drives. When enabled, EFS prevents users or applications from accessing the encrypted files without a key.

Unlike BitLocker, which can lock access to an entire drive or volume, EFS provides file-level encryption. As such, EFS often adds a layer of security in computers shared by multiple users. To further solidify your understanding of EFS operations, you may view this short visual walkthrough: ‘IT Guide: What Is Encrypting File System (EFS)?’.

How to enable NTFS file encryption in Windows

We have several ways to enable or disable EFS. Let’s go through the steps below.

Enable NTFS encryption using the Group Policy Editor (GPO)

  1. Open the Local Group Policy Editor.
  2. Navigate to Computer Configuration\Administrative Templates\System\Filesystem\NTFS.
  3. In the right pane, double-click the Do not allow encryption on all NTFS volumes policy to modify it.
  4. Select Disabled, or leave it as Not Configured (default), to allow NTFS File Encryption.
  5. Click Apply, then OK.

Enable NTFS encryption using Command Prompt or PowerShell

  1. Open Command Prompt or PowerShell with Administrator privileges.
  2. Type fsutil behavior set disableencryption 0. Press Enter.
  3. Restart the computer to apply changes.

Enable NTFS encryption using Services

  1. Press Windows+R and type services.msc. Press Enter.
  2. Find and double-click on Encrypting File System (EFS) to open Properties.
  3. Click the Startup type drop-down menu to select Automatic.
  4. Click Apply and then click OK to save these changes.

How to disable NTFS file encryption in Windows

We can also disable EFS using the GPO, Command Prompt, PowerShell, or Services.

Disable NTFS encryption using the Group Policy Editor (GPO)

  1. Open the Local Group Policy Editor.
  2. Navigate to Computer Configuration\Administrative Templates\System\Filesystem\NTFS.
  3. In the right pane, double-click on the Do not allow encryption on all NTFS volumes policy to modify it.
  4. Select Enabled to prevent NTFS File Encryption.
  5. Click Apply, then OK.

Disable NTFS encryption using Command Prompt or PowerShell

  1. Open Command Prompt or PowerShell with Administrator privileges.
  2. Type fsutil behavior set disableencryption 1. Press Enter.
  3. Restart the computer to apply changes.

Disable NTFS encryption using Services

  1. Press Windows+R and type “services.msc”. Press Enter.
  2. Find and double-click on Encrypting File System (EFS) to open Properties.
  3. Click the Startup type drop-down menu to select Disabled.
  4. Click Apply and then click OK to save these changes.
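Because the policy, the fsutil setting and the service can each be changed independently, it helps to read all three before assuming EFS is on or off. The following is an added example, not part of the original guide; the function name Get-EfsState and the policy registry location are assumptions, flagged in the comments.

```powershell
# Added example: read-only check of the three EFS switches covered above.
# Run from an elevated PowerShell prompt, as in the fsutil steps.
function Get-EfsState {
    # 1. NTFS flag set by "fsutil behavior set disableencryption <0|1>".
    #    Only the digit is parsed, so localized output text does not matter.
    $raw  = (& fsutil.exe behavior query disableencryption) -join ' '
    $flag = if ($raw -match '=\s*(\d+)') { [int]$Matches[1] } else { $null }

    # 2. Group Policy value. Assumption: the "Do not allow encryption on all
    #    NTFS volumes" policy is stored as NtfsDisableEncryption under this key;
    #    confirm against the policy template on your Windows build.
    $polKey = 'HKLM:\SYSTEM\CurrentControlSet\Policies'
    $policy = (Get-ItemProperty -Path $polKey -Name NtfsDisableEncryption `
                   -ErrorAction SilentlyContinue).NtfsDisableEncryption

    # 3. Startup type and state of the "Encrypting File System (EFS)" service.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='EFS'"

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        FsutilDisableFlag = $flag             # 0 = encryption allowed, 1 = disabled
        PolicyValue       = $policy           # empty = Not Configured
        ServiceStartMode  = $svc.StartMode    # Auto, Manual or Disabled
        ServiceState      = $svc.State
        # Any single switch in the "disable" position is enough to block EFS.
        EncryptionBlocked = ($flag -eq 1) -or ($policy -eq 1) -or
                            ($svc.StartMode -eq 'Disabled')
    }
}

Get-EfsState | Format-List
```

The fsutil value shown is the configured one; as the steps above note, a restart is needed before a change takes effect.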

How to encrypt individual files or folders in Windows

Once you enable NTFS file encryption, you can now manually encrypt a file or folder using these methods:

Using File Explorer to encrypt a file or folder

  1. Right-click on the file or folder you’d like to modify.
  2. Select Properties.
  3. Under Attributes, select Advanced.
  4. Tick the box beside Encrypt contents to secure data and click OK to confirm.
  5. Select Apply.

The system will also prompt you to decide whether to extend the encryption to related files and folders. Follow the prompts to proceed. The encrypted files or folders will now have a lock icon. To unlock them, follow the same steps.

Using Command Prompt or PowerShell to encrypt a file or folder

  1. Use Windows Search and type cmd or PowerShell. Run as an Administrator.
  2. Use the cipher command to encrypt a file or folder: cipher /e <full path of file or folder>. Include the extension name of the file.

If used without parameters, the cipher command will show the encryption state of the current directory. Here’s the complete list of cipher parameters.

Managing encrypted files

Windows EFS encryption is a powerful tool for IT administrators and content managers. However, data protection at this level is incomplete without an excellent backup system. Here’s how you can back up and export security certificates for recovery:

  1. Press Windows + R, type certmgr.msc, and press Enter.
  2. Expand Personal > Certificates.
  3. Right-click the EFS certificate and select All Tasks > Export.
  4. In the Certificate Export Wizard, select Yes, export the private key.
  5. Choose Personal Information Exchange (.PFX) and include all certificates in the certification path.

To access encrypted files on another NTFS-formatted computer, you need to import the EFS certificate and private key. Go to the Certificate Manager to import the certificate.
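The export steps above can also be scripted, which makes the backup repeatable. This is an added example, not part of the original guide; the function name Export-EfsCertificate and the path E:\efs-backup are placeholders chosen for illustration.

```powershell
# Added example: scripted form of the Certificate Export Wizard steps above.
# Run as the user who owns the encrypted files (their Personal store is read).
function Export-EfsCertificate {
    param(
        [Parameter(Mandatory)][string]$OutputDirectory,
        [Parameter(Mandatory)][securestring]$Password
    )
    $efsOid = '1.3.6.1.4.1.311.10.3.4'   # "Encrypting File System" enhanced key usage

    # Personal > Certificates, limited to EFS certificates with a private key.
    $certs = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $efsOid)
    }
    if (-not $certs) {
        Write-Warning 'No EFS certificate with a private key found for this user.'
        return
    }

    foreach ($cert in $certs) {
        $file = Join-Path $OutputDirectory ("efs-{0}.pfx" -f $cert.Thumbprint)
        try {
            # BuildChain = "include all certificates in the certification path".
            Export-PfxCertificate -Cert $cert -FilePath $file -Password $Password `
                -ChainOption BuildChain -ErrorAction Stop | Out-Null
            [pscustomobject]@{
                Thumbprint = $cert.Thumbprint
                Expires    = $cert.NotAfter
                File       = $file
            }
        }
        catch {
            # Typical cause: the private key was created as non-exportable.
            Write-Warning ("Export failed for {0}: {1}" -f
                $cert.Thumbprint, $_.Exception.Message)
        }
    }
}

# Constructed usage; E:\efs-backup is a placeholder for your backup location.
$pw = Read-Host -AsSecureString -Prompt 'Password to protect the PFX files'
Export-EfsCertificate -OutputDirectory 'E:\efs-backup' -Password $pw
```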

Security implications and best practices

EFS provides reliable encryption, especially on the most recent versions of Windows. However, it’s still crucial for admins to enforce a strong group policy and maintain a reliable backup system. On that note, here are some security considerations and recommended practices in managing NTFS File Encryption.

Control access to private keys

Unauthorized users can use the key to decrypt data. Hence, it’s imperative to store the private key in a secure location. It might also help to limit its access to IT admins or security personnel. It’s also common practice for organizations to regularly replace their keys. This is to keep the integrity of the overall data security policy.

Maintain backups of recovery certificates

It’s essential to maintain a secure backup of private keys and recovery certificates. Preferably, assign at least two security agents to prevent complete data loss, especially when one of the keys or certificates is lost. If you are part of a managed environment, these actions can be automated and monitored remotely.

Be careful when transferring files

EFS-encrypted files lose encryption when moved into non-NTFS storage since EFS isn’t designed to protect data when it’s transferred. When transferring files, consider cloud storage or another NTFS-formatted storage. Additionally, ensure the receiving device observes a strong password and data security policy.
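A pre-transfer check can list which files are affected before anything is copied. This is an added example, not part of the original guide; the function name Test-EfsTransfer and the sample paths are hypothetical, and the destination is assumed to be an existing folder on a lettered local drive.

```powershell
# Added example: list EFS-encrypted files under a source folder and flag
# whether the destination drive is NTFS, per the rule described above.
function Test-EfsTransfer {
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Destination   # existing path on a lettered drive
    )
    # Resolve the destination to its drive root (for example "E:\") and
    # read the file system that drive is formatted with.
    $resolved = (Resolve-Path -LiteralPath $Destination).ProviderPath
    $root     = [System.IO.Path]::GetPathRoot($resolved)
    $drive    = New-Object System.IO.DriveInfo $root
    $isNtfs   = $drive.DriveFormat -eq 'NTFS'

    # -Force includes hidden files; unreadable folders are skipped quietly.
    Get-ChildItem -LiteralPath $Source -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted } |
        ForEach-Object {
            [pscustomobject]@{
                File                  = $_.FullName
                DestinationFileSystem = $drive.DriveFormat
                LosesEncryption       = -not $isNtfs
            }
        }
}

# Constructed usage; both paths are placeholders.
Test-EfsTransfer -Source 'C:\Users\Public\Documents' -Destination 'E:\' |
    Format-Table -AutoSize
```

An empty result means no EFS-encrypted files were found under the source folder.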

In addition to Windows BitLocker and EFS, you can use third-party encryption key management software. This can strengthen your backups, improve monitoring, and raise organizational compliance.


Manage NTFS file encryption status in real-time

NTFS file encryption can help organizations control sensitive data on an individual level. However, without a centralized solution and monitoring system, this can take significant resources to maintain. To manage devices with ease, consider adopting a cross-platform IT solution. Alternatively, endpoint management software can help monitor encryption status in real-time and automate the management of recovery keys.

Check out NinjaOne Endpoint Management FAQ to learn how NinjaOne helps IT teams automate encryption policies and ensure compliance across all devices.

FAQs

NTFS encryption uses Windows’ Encrypting File System (EFS) to secure individual files and folders on NTFS drives, restricting unauthorized access without a valid encryption key.

Open Group Policy Editor → System > Filesystem > NTFS → set “Do not allow encryption…” to Disabled, or use fsutil behavior set disableencryption 0 in Command Prompt and restart.

Use the same Group Policy path and set “Do not allow encryption…” to Enabled, or run fsutil behavior set disableencryption 1 in Command Prompt, then restart.

EFS encrypts specific files or folders, while BitLocker encrypts entire drives—EFS offers flexible file-level protection, BitLocker provides full-volume security.

No, EFS must be enabled first. Once active, right-click any file → Properties > Advanced → check “Encrypt contents to secure data.”
