/ˌiː ɛf ˈɛs/

noun — "encrypted file storage system."

EFS, short for Encrypting File System, is a filesystem-level encryption technology that allows individual files or directories to be transparently encrypted on storage volumes. It integrates directly with the operating system’s file management layer, providing confidentiality for sensitive data while maintaining standard access semantics for authorized users.

Technically, EFS encrypts each file’s contents with a symmetric key, the File Encryption Key (FEK), and stores that FEK with the file in encrypted form. The FEK is protected with the user’s public key, so only accounts holding the corresponding private key can recover it and decrypt the file. Metadata such as filenames and timestamps may remain unencrypted to support standard file operations. Encryption and decryption are performed automatically by the operating system kernel, so applications read and write files normally without performing cryptographic operations themselves.

Each EFS-protected file reserves a portion of its storage for encryption metadata: key information, recovery certificates, and algorithm identifiers. Multiple users can be authorized for a single encrypted file by encrypting the FEK with each user’s public key. Recovery agents can decrypt files without the original user’s private key, providing administrative control over encrypted data.

Operationally, when a user writes to an EFS-protected file, the system generates a random FEK, encrypts the file contents, and stores the FEK encrypted under the user’s public key. Reading the file requires the operating system to retrieve the encrypted FEK, decrypt it using the user’s private key, and then decrypt the file data. This process is transparent to applications and ensures that unauthorized users cannot access the contents even if they have raw disk access.

Conceptual workflow for encrypting a file:

1. Initialize the EFS context.
2. Generate a random symmetric FEK.
3. Encrypt the file data with the FEK.
4. Encrypt the FEK with the user’s public key.
5. Store the encrypted file and the encrypted FEK on disk.
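
The workflow above as a working envelope scheme in Go, added here as an example and not the entry’s own code: a random per-file FEK encrypts the data, the FEK is wrapped once for every authorized public key (a user and a recovery agent, per the entry), and decryption succeeds only for a private key that holds a wrapped copy. AES-256-GCM, RSA-OAEP and 2048-bit keys are this example’s assumptions; the entry does not name the algorithms EFS uses.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// EncryptedFile models the on-disk layout: ciphertext plus a metadata region with one wrapped FEK per authorized key.
type EncryptedFile struct {
	Nonce, Ciphertext []byte
	WrappedFEK        [][]byte // the FEK encrypted under each user's or recovery agent's public key
}
// NewUserKey stands in for a user's EFS key pair (RSA-2048 is this example's assumption).
func NewUserKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }
func gcmFor(fek []byte) cipher.AEAD { // AES-256-GCM: this example's choice, not stated by the entry
	block, _ := aes.NewCipher(fek) // a 32-byte key cannot fail here
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Encrypt: a fresh random FEK encrypts the data; the FEK is then wrapped (RSA-OAEP) for every authorized key.
func Encrypt(plaintext []byte, authorized []*rsa.PublicKey) (*EncryptedFile, error) {
	buf := make([]byte, 32+12) // 256-bit FEK followed by a 96-bit GCM nonce
	rand.Read(buf)             // crypto/rand; cannot fail on Go 1.24+ (older versions return an error this example ignores)
	fek, nonce := buf[:32], buf[32:]
	ef := &EncryptedFile{Nonce: nonce, Ciphertext: gcmFor(fek).Seal(nil, nonce, plaintext, nil)}
	for _, pub := range authorized {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fek, nil)
		if err != nil {
			return nil, err
		}
		ef.WrappedFEK = append(ef.WrappedFEK, w)
	}
	return ef, nil
}

// Decrypt tries each stored FEK copy; only a key authorized at write time (user or recovery agent) unwraps one.
func Decrypt(ef *EncryptedFile, priv *rsa.PrivateKey) ([]byte, error) {
	for _, w := range ef.WrappedFEK {
		fek, err := rsa.DecryptOAEP(sha256.New(), nil, priv, w, nil)
		if err != nil {
			continue // this copy was wrapped for someone else; try the next
		}
		return gcmFor(fek).Open(nil, ef.Nonce, ef.Ciphertext, nil)
	}
	return nil, rsa.ErrDecryption // raw disk access alone yields nothing usable
}
```

Because GCM authenticates the ciphertext, a file altered on disk is rejected on read rather than silently decrypted to garbage.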

EFS is particularly useful in enterprise environments, removable storage, and laptops, where physical theft or unauthorized access could compromise sensitive information. It complements other security mechanisms such as access control lists, disk-level encryption, and backup policies.

Conceptually, EFS acts like a secure envelope for individual files: each envelope contains both the protected content and a lock that only authorized users can open, while the operating system manages the envelope seamlessly in everyday use.

See FileSystem, Encryption, FEK, Access Control.