Storage Encryption and Microsoft

Three Microsoft encryption technologies can help protect data at rest on local volumes or removable storage on client computers. Most organizations will find the most secure option is deploying two or more of the technologies and may want to consider the possible future roadmap for some of them. Each of the three options, Windows Encrypting File System, Rights Management Services, and BitLocker, comes with a cost burden in terms of user education and software licenses.

Encrypting File System Protects Data

The Windows Encrypting File System (EFS) encrypts user data at the file or folder level and is ideal for encrypting documents or data for individual users on a single-user system, such as the user’s laptop. For example, it could secure a spreadsheet or database used for storing medical records or other privileged information that should be secured in the event of system loss or theft.

With EFS, users or administrative scripts can encrypt individual files or entire folders. When any new content is added to a protected folder, it is encrypted automatically, using the key of the logged-on user. On a shared computer, EFS could also prove useful, for example, when two users should not be able to see each other’s data. Conversely, this tends to be a limitation of the feature if two users need to access the same data, as it is difficult to configure EFS so that multiple users are able to decrypt a file.