Disk and folder encryption under Windows

To encrypt a drive, or to make an encrypted image of a folder, using strong encryption, Mac users have Disk Utility. What do we have under Windows?

  • BitLocker. Like Disk Utility, BitLocker uses strong encryption to encrypt internal or external drives, including thumb drives and so on. Unlike Disk Utility, it can’t encrypt individual folders. Also, BitLocker is available for Windows Pro or higher only, not for Windows Home users.
  • Windows EFS will take care of folder encryption. It’s easy to use, but it’s not the most secure. See the other solution I suggest at the end.

Encrypting a drive with BitLocker

Right-click on the drive or thumb drive you want to encrypt, choose Turn on BitLocker, and follow the instructions.

Define a password and decide where to save the recovery key. This recovery key is the only safeguard if you should ever forget your password, so store it somewhere safe.

Depending on the drive’s type (SSDs are much faster than hard drives or flash drives), its size, and the volume of data it contains, the encryption can take a long time. You can still use your drive while BitLocker is encrypting it, but until it has finished its job, always remember to hit the Pause button before unplugging the drive, to avoid damaging your data.

Unlocking a drive

In the File Explorer, encrypted drives are displayed with a yellow lock icon. Right-click the drive and choose Unlock Drive…:

You’ll need to type the password to unlock it.

Locking a drive

Oops. It looks like Microsoft forgot this part of the job, as there is no easy way to re-lock an unlocked drive, no contextual menu, no nothing. I have no idea why.

The only way I’ve found, besides rebooting the PC, is to use the command line. It’s not that bad, but it’s surprising.

  1. Hit the Windows key and type “CMD”. When Command Prompt appears, click Run as administrator:

  2. Type manage-bde -lock e: -forcedismount (where “e:” is the encrypted drive’s letter), and press Enter. Wait a second or two, and you should see a confirmation that the drive is now locked.
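The same lock operation can be scripted with the BitLocker PowerShell cmdlets (Get-BitLockerVolume and Lock-BitLocker), which do the job of manage-bde -lock. The following is an added example, not part of the original post: it locks every unlocked BitLocker data drive in one pass. The function name and its Exclude parameter are hypothetical, and skipping drives that are still encrypting is a cautious choice made for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: lock all unlocked BitLocker data volumes from an elevated session.

function Lock-UnlockedDataVolume {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Drive letters to leave unlocked, e.g. 'D:' (hypothetical parameter)
        [string[]]$Exclude = @()
    )

    foreach ($vol in Get-BitLockerVolume) {
        # The operating system volume cannot be locked while Windows runs from it.
        if ($vol.VolumeType -ne 'Data') { continue }
        # A volume that was never encrypted has nothing to lock.
        if ($vol.VolumeStatus -eq 'FullyDecrypted') { continue }
        # Already locked, or explicitly excluded by the caller.
        if ($vol.LockStatus -ne 'Unlocked') { continue }
        if ($Exclude -contains $vol.MountPoint) { continue }

        # Cautious choice of this example: leave drives that are still being
        # encrypted alone instead of force-dismounting them mid-operation.
        if ($vol.VolumeStatus -eq 'EncryptionInProgress') {
            Write-Warning "$($vol.MountPoint) is still encrypting ($($vol.EncryptionPercentage)%); skipped."
            continue
        }

        # -ForceDismount closes open handles on the drive, so unsaved work in
        # files opened from it is lost. Save and close those files first.
        if ($PSCmdlet.ShouldProcess($vol.MountPoint, 'Lock-BitLocker -ForceDismount')) {
            Lock-BitLocker -MountPoint $vol.MountPoint -ForceDismount | Out-Null
        }
    }

    # Report the resulting state so a failed lock is visible.
    Get-BitLockerVolume | Select-Object MountPoint, VolumeType, VolumeStatus, LockStatus
}

# Dry run: shows which drives would be locked without touching them.
Lock-UnlockedDataVolume -WhatIf
```

Remove -WhatIf to actually lock the drives; the table printed at the end should then show LockStatus as Locked for each data drive.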

Encrypting a folder, with Windows EFS

EFS is a simple way to protect files inside a folder from prying eyes, but only as long as those people don’t know your user login and password and you don’t let them use your own session, because EFS ties all encrypted folders to your Windows login.

Not knowing my user password, and not being logged into my session, here is what someone would see trying to access my encrypted folder:

We can see there is a file, but we can’t open it, and the file has no preview. Instead of what I’d see:

Encrypt a folder

Right-click on the folder and choose Properties. In the General tab, click Advanced. There, check the option Encrypt contents to secure data, and validate:

Done. Every single file you’ll add in this folder will be encrypted.

That’s great, but…

… Not only does EFS let anyone see the names of all your files, even when they’re encrypted (which can be a problem if you’re seeking privacy), but you also can’t define a different password for your encrypted folders. EFS uses your user/Microsoft account credentials. That makes it a great solution because of its simplicity (as soon as you log in, all your folders are unlocked), but a poor solution too: anybody who knows your login, or uses your own session, has full access to all your EFS-encrypted folders.

And even if you don’t share your password, EFS remains pretty weak, imo, not letting you choose a more secure password for each folder. My encrypted folders all have a different, and much more complex, password than the one I use to log in to Windows.

So, what’s the solution?

7-Zip

7-Zip is a free and open source archive utility that comes with full support for encryption for its own (and excellent) 7z format, and for the traditional ZIP. It can read and write many other archive formats too, btw.

Right-click on a folder and choose 7-Zip -> Add to archive… 7-Zip doesn’t sport the most user-friendly interface, but we only need to focus our attention on the Archive format drop-down list, and on the bottom right corner of the window, judiciously labeled Encryption:

By default, Encrypt file names is unchecked, which means that people won’t be able to open the files in our encrypted archive but they’ll still be able to see their names. For better privacy, check this option (only available with the 7z format, not with ZIP).
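The Encrypt file names checkbox corresponds to the -mhe=on switch of the 7-Zip command line. The following is an added example, not part of the original post: it creates such an archive and then checks that the file names really are hidden. The function names and sample paths are hypothetical, and the 7z.exe location is the assumed default install path.

```powershell
# Added example. Assumed default install location; adjust if 7-Zip lives elsewhere.
$SevenZip = Join-Path $env:ProgramFiles '7-Zip\7z.exe'

function New-EncryptedArchive {
    param(
        [Parameter(Mandatory)][string]$Folder,
        [Parameter(Mandatory)][string]$ArchivePath
    )
    # -t7z    : 7z format (file-name encryption is not available for ZIP)
    # -mhe=on : encrypt the archive headers, i.e. the list of file names
    # -p      : no value given, so 7-Zip prompts for the password and it never
    #           appears on the command line or in the shell history
    & $SevenZip a -t7z -mhe=on -p -- $ArchivePath $Folder
    if ($LASTEXITCODE -ne 0) { throw "7-Zip failed with exit code $LASTEXITCODE" }
}

function Test-ArchiveNamesHidden {
    param([Parameter(Mandatory)][string]$ArchivePath)
    if (-not (Test-Path -LiteralPath $ArchivePath)) { throw "Not found: $ArchivePath" }

    # List the archive with a deliberately wrong password. If the headers are
    # not encrypted, listing needs no password and succeeds, which means the
    # file names are readable by anyone who gets hold of the archive.
    & $SevenZip l '-pdeliberately-wrong' -- $ArchivePath *> $null

    # Non-zero exit: the listing was refused. A damaged or non-archive file
    # also ends up here, so run this only on archives you have just created.
    return ($LASTEXITCODE -ne 0)
}

# Constructed sample paths, for illustration only.
New-EncryptedArchive -Folder 'C:\Users\me\Private' -ArchivePath 'C:\Users\me\private.7z'
if (-not (Test-ArchiveNamesHidden -ArchivePath 'C:\Users\me\private.7z')) {
    Write-Warning 'File names are visible without the password; recreate the archive with -mhe=on.'
}
```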

Using a 7-Zip encrypted archive is not as well integrated in the File Explorer as using an encrypted DMG is on macOS, but it gets the job done: restricting access to whatever we want to protect.

Using DMG on Windows?

By default, support for DMG is nonexistent under Windows, like the support for BitLocker is nonexistent under macOS.

That said, 7-Zip can open DMG archives (unencrypted only) to extract their content, but it won’t be able to add or remove files from an archive. It can’t create new DMGs, either. And it doesn’t support sparsebundle disk images at all, as far as I can tell.

An unencrypted DMG opened in 7-Zip. Theoretically it contains a single file, the PNG; all the rest, hidden under macOS, is the cruft macOS needs to work properly and the DMG’s own stuff.
