Encrypt/Decrypt Files with EFS

Microsoft Windows allows the Encrypting File System (EFS) feature to use smart card certificates for file and folder encryption.

Depending on your smart card content and your platform configuration, you can seamlessly encrypt and decrypt files.

Prerequisites:
  • Your platform is configured for EFS.

  • Your platform is configured to require the use of a smart card for EFS.

  • Your smart card contains a certificate configured for EFS.

Configure Your Workstation for EFS and Select/Generate a Smart Card Encryption Certificate

In order to encrypt and decrypt files on your workstation, you might need to configure EFS during your first file encryption (depending on your platform configuration).

  1. Start Microsoft Explorer.

  2. Insert your smart card.

  3. Select the file or folder to encrypt.

  4. Update your file or folder properties to enable encryption (via the Advanced button and then the Encrypt contents to secure data option).

  5. When prompted to choose an existing encryption certificate or create a new one on your smart card, either:

    • Select your existing smart card EFS certificate in the certificate list.

    • Choose to create either a smart card self-signed certificate or a certificate issued by your domain's certification authority.

  6. Enter your smart card PIN and click OK.

    The selected or new certificate will be used for all file encryption and decryption operations. The selected file or folder is encrypted and appears in green in Microsoft Explorer.

Encrypt a File or Folder with EFS

  1. Start Microsoft Explorer.

  2. Insert your smart card.

  3. Select the file or the folder to encrypt.

  4. Update your file or folder properties to enable encryption (click Advanced and then select the Encrypt contents to secure data option).

  5. Enter your smart card PIN and click OK.

    The file or the folder is then encrypted and appears in green in Microsoft Explorer.

Decrypt a File or Folder with EFS

  1. Start Microsoft Explorer.

  2. Insert your smart card.

  3. Open the file or the folder to decrypt.

    A window is displayed at the lower right corner of your desktop prompting you to enter your smart card PIN.

  4. Click on the notification (or link).

  5. Enter your smart card PIN and click OK.

    The file or folder is opened in clear text.

Update EFS Certificates and Re-Encrypt Files

If you have already encrypted some files with a certificate and you want to update the encryption certificate (for example, because it expired), Windows allows you to re-encrypt the encrypted files with a new or existing encryption certificate.

If your old certificate is on a different smart card than the new certificate, then both smart cards need to be available / inserted during this process.

Prerequisites:
  • Your platform is configured to allow EFS.

  • Your platform is configured to require a smart card for EFS.

  • You have the smart card containing the EFS certificate currently configured for EFS on this platform.

  • You have a smart card containing a new certificate.

  • You have files encrypted with your current EFS certificate.

Note: The old EFS certificate and the new one will co-exist on the same card.
  1. In the Windows Control Panel, select User Accounts.

  2. Click User Accounts and then, from the left pane, select Manage your file encryption certificates.

    The Manage your file encryption certificates wizard is displayed.

  3. When prompted to select an existing encryption certificate or create a new one on your smart card, either:

    • Choose to create either a new smart card self-signed certificate or a certificate issued by your domain's certification authority:

      1. Insert your smart card.

      2. Click Next.

      3. Back up your key (optional) and click Next.

    • Choose to select an existing smart card EFS certificate from the certificate list.

      A tree representing your file system is displayed.

  4. Select the folders to re-encrypt. Make sure all folders containing your encrypted files are selected.

  5. Enter your smart card PIN when prompted and click OK.

    The wizard completes successfully.
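
To check that no folder was missed in the selection step, the following PowerShell script (an added example, not part of the original documentation or of any vendor tooling) lists encrypted files that are not yet bound to the current EFS certificate, using the built-in `cipher.exe /y` and `cipher.exe /c` commands. It assumes `cipher.exe` prints SHA-1 thumbprints as ten space-separated groups of four hex digits; the default `$Root` path and the function name are illustrative.

```powershell
# Added example: audit EFS re-encryption after a certificate update.
param(
    [string]$Root = "$env:USERPROFILE\Documents"   # assumed location of the encrypted files
)

# Extract SHA-1 thumbprints (ten groups of four hex digits) from cipher.exe output.
# Matching the hex pattern rather than the label keeps this independent of the UI language.
function Get-ThumbprintsFromText {
    param([string]$Text)
    $pattern = '(?i)\b(?:[0-9a-f]{4} ){9}[0-9a-f]{4}\b'
    [regex]::Matches($Text, $pattern) |
        ForEach-Object { ($_.Value -replace ' ', '').ToUpperInvariant() } |
        Select-Object -Unique
}

# Constructed sample line (not real output) used to sanity-check the parser.
$sample = '    Certificate thumbprint: 0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567'
if ((Get-ThumbprintsFromText $sample) -ne '0123456789ABCDEF0123456789ABCDEF01234567') {
    throw 'Thumbprint parser self-check failed.'
}

# Thumbprint of the certificate Windows currently uses for EFS (cipher /y).
$current = Get-ThumbprintsFromText (cipher.exe /y | Out-String) | Select-Object -First 1
if (-not $current) { throw 'No current EFS certificate found for this user.' }

# Every file under $Root that carries the Encrypted attribute.
$files = @(Get-ChildItem -LiteralPath $Root -Recurse -File -Force `
             -Attributes Encrypted -ErrorAction SilentlyContinue)

$report = foreach ($f in $files) {
    # cipher /c lists the certificates that are able to decrypt this file.
    $prints = @(Get-ThumbprintsFromText (cipher.exe /c $f.FullName | Out-String))
    [pscustomobject]@{
        File        = $f.FullName
        UsesCurrent = $prints -contains $current
        Thumbprints = $prints -join ', '
    }
}

# Files not bound to the current certificate were missed and need another pass.
$stale = @($report | Where-Object { -not $_.UsesCurrent })
"Current EFS thumbprint : $current"
"Encrypted files found  : $($files.Count)"
"Not yet re-encrypted   : $($stale.Count)"
$stale | Format-Table File, Thumbprints -AutoSize
```

Run it once per location that holds encrypted data, passing the folder with `-Root`; a non-zero "Not yet re-encrypted" count means the old certificate is still required to open those files.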

Recover Encrypted Files

When you lose or damage your smart card, you need to recover the content of your encrypted files.

Prerequisites:
  • Your platform is configured to allow EFS.

  • Your platform is configured to require a smart card for EFS.

  • You have backed up your EFS certificate in a certificate file in a secure location.

  • You have a new smart card.

  • You have files encrypted with your lost or damaged EFS certificate smart card.

Note: Depending on your configuration, a recovery agent might be configured to help you recover your data. For more information on file/folder recovery, see the Microsoft Windows Help on your Windows platform.
  1. Import the backup EFS certificate in your new smart card using the ActivClient User Console.

  2. In Microsoft Explorer, select one of the encrypted files you need to recover.

  3. When prompted, insert your smart card containing the new EFS certificate.

  4. Enter your smart card PIN and click OK.

    You can access your file in clear text.