Wednesday, 29 October 2008

Windows Encryption on USB drives

If you are lucky enough to have a version of Windows XP or Vista that supports Encrypting File System (EFS), you might reasonably expect it to provide protection to files you copy to a USB drive. It won't, though. Probably. If you want to know the details, read on...

The encryption built into some versions of Windows is a handy way to add extra protection to your sensitive files. It is incredibly easy to use and all you need to do is right-click a file, choose Properties, click the Advanced button and tick the 'Encrypt contents to secure data' option.

You can also encrypt folders, which will save you from repeating the above instructions every time you want to encrypt a file. Move a file into an encrypted folder and it will become encrypted automatically.

Using this system will protect your files from unwanted attention should your computer be stolen. You might assume that copying these files to a USB flash drive will result in a secure archive of portable files. However, when you copy an encrypted file from your PC's hard disk to an external drive the encryption might be removed. The (slightly) good news is that Windows will warn you that the encryption is being stripped (see below).


EFS relies on the NTFS file system. If you move or copy encrypted files to a hard disk, floppy drive or USB flash drive that is formatted using a different file system then the encryption will be removed. If you format your USB flash drive with NTFS, instead of using the usual default of FAT or FAT32, then Windows encryption will work.

If you lose your drive and it is found and accessed by someone else, they will see an 'Access is denied' message when trying to open encrypted documents (see below). If the drive was formatted with a FAT file system they would be able to read the files without any problems.



If you want to store encrypted data on a USB flash drive that uses FAT or FAT32, you might consider using encryption software such as Pretty Good Privacy, which can encrypt individual files or create an encrypted virtual drive. Once mounted using a passphrase and/or key, it behaves like another local hard disk. When you unmount it, the data contained inside is secure. PGP is commercial software.

GnuPG is a compatible free alternative, although it does have a similar encrypted hard disk feature. For that you could use TrueCrypt, which will let you create encrypted virtual disks or even encrypt an entire drive.

The following versions of Windows support EFS:

  • Windows XP Professional

  • Windows Vista Business

  • Windows Vista Ultimate

  • Windows Vista Enterprise

Alternative encryption software includes: