Windows Tip: Read encrypted files after hard disk upgrade
Recently a friend called, and I could sense the panic in his voice. A few days earlier, he had got his laptop running Windows 10 back from service. The PC was slow, so he had purchased a hardware upgrade, from a (magnetic) hard drive to an SSD (Solid State Drive), at the official service centre. Moving to a new SSD is a cost-effective way to improve the performance of old Windows or Mac computers. Last year, I gave new life to a decade-old Core i3 laptop by putting a new 128GB SSD & 8GB RAM in the PC, at a nominal cost of INR 3000 (USD 38) – after the upgrade, the Core i3 machine was so fast that I was able to use it as my primary machine for a week while my PC was in for repair.
The service centre had fitted a brand new SSD, installed a fresh copy of Windows 10 and the default apps (Microsoft Office Student and Home that came with the machine) on it, and told him to manually copy his data from the old hard drive. My friend was handed the old hard drive fitted inside a USB enclosure. When he got home and connected the drive, he was unable to open many of the files on the old drive. Windows displayed (paraphrasing) that the files were encrypted and the original EFS certificates were needed to decrypt them. A web search had sent my friend down a rabbit hole of EFS certificates, private keys and so on. That’s when he called me. I told him the system was working as advertised and that a simple fix was available that should (hopefully) get him out of the pickle. What I told him is what I am sharing here as a tip.
Windows Encrypting File System (EFS)
EFS has been a feature of Windows since the days of Windows 2000. Every drive formatted as NTFS supports this feature, even in modern Windows versions including Windows 11. Using this feature, users can easily encrypt files or folders on their drive. Only the same user on the same machine (corporate setup or Active Directory is out of scope in this discussion) will be able to open the file, with the decryption being transparent to the user. Any other user on the same machine, or someone removing the drive and using it on a different machine (my friend's scenario), will not be able to open the file, as they won’t have access to the key needed to decrypt it. The steps to encrypt a file are to right-click on a file (or folder) in File Explorer, select Advanced, and then select “Encrypt contents to secure data”; that’s all. The first time you do this, you will see a notification reminding you to take a backup of the private key (EFS certificate), which is required later to decrypt the files if you move the drive to a different machine or delete the user who encrypted the file. The reason the decryption works transparently for the same user is that Windows securely associates the private key with that user.
EFS is an older technology and Wikipedia says it is not that secure. Today, there are better alternatives to secure your files – I hope to cover the options in a future article. To secure a drive against physical attacks or theft, it is better to use BitLocker.
Tip to recover the encrypted files
The solution, which luckily worked, was very simple. I asked my friend to restore the machine to the last known good state, when he was able to access the files without any issues. In his case, this meant going back to the old hard drive. He did that, that is, he had the service centre remove the new SSD and put back the old hard drive. The PC booted fine, and my friend was able to log in with the username and password he had used earlier and access all the files transparently. He then copied all the files from the old drive to cloud storage (it can be OneDrive, Google Drive or Dropbox) – Windows automatically decrypts the files whenever you copy them out to a drive which is not NTFS (like a USB pen drive formatted as FAT32 or exFAT) or to cloud storage. EFS encryption works only in the context of NTFS-formatted drives and in Windows – no other operating system like Linux or Mac supports EFS. I asked my friend, once he had copied the (previously encrypted) files to the cloud, to open a few of them from a web browser (Google Chrome) to check that they opened fine. After all the data had been copied from the old drive, the drive could be removed and the new SSD fitted again. The files could then be restored from the cloud storage to the SSD.
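The recovery steps above, sketched as a PowerShell script; this is an added example, not part of the original tip. The `$Source` and `$Destination` paths are assumptions, and the script must be run as the original user while booted from the old drive.

```powershell
# Added example: rescue EFS-encrypted files as plaintext copies and verify them.
param(
    [string]$Source      = "$env:USERPROFILE\Documents",  # assumed folder to rescue
    [string]$Destination = 'E:\efs-rescue'                 # assumed USB drive path
)

$srcRoot = (Resolve-Path -LiteralPath $Source).Path.TrimEnd('\')
$destFs  = ([System.IO.DriveInfo]::new([System.IO.Path]::GetPathRoot($Destination))).DriveFormat
Write-Host "Destination file system: $destFs"

# Inventory every file that carries the NTFS 'Encrypted' (EFS) attribute.
$encrypted = Get-ChildItem -LiteralPath $srcRoot -Recurse -File -Force `
    -Attributes Encrypted -ErrorAction SilentlyContinue

$report = foreach ($f in $encrypted) {
    $target = Join-Path $Destination $f.FullName.Substring($srcRoot.Length).TrimStart('\')
    New-Item -ItemType Directory -Path (Split-Path $target -Parent) -Force | Out-Null
    $copied = $true
    try {
        # Reading through the file system decrypts transparently for this user;
        # writing a plain stream gives a copy that no longer depends on the EFS key.
        $in = [System.IO.File]::OpenRead($f.FullName)
        try {
            $out = [System.IO.File]::Create($target)
            try { $in.CopyTo($out) } finally { $out.Dispose() }
        } finally { $in.Dispose() }
    } catch { $copied = $false }   # e.g. access denied: wrong user or missing key

    $stillEncrypted = $false; $hashOk = $false
    if ($copied) {
        $copy = Get-Item -LiteralPath $target
        $stillEncrypted = [bool]($copy.Attributes -band [System.IO.FileAttributes]::Encrypted)
        $hashOk = (Get-FileHash -LiteralPath $f.FullName).Hash -eq (Get-FileHash -LiteralPath $target).Hash
    }
    [pscustomobject]@{ File = $f.FullName; Copied = $copied
                       CopyEncrypted = $stillEncrypted; HashMatches = $hashOk }
}

# Anything listed here still needs attention before the old drive is removed.
$bad = @($report | Where-Object { -not $_.Copied -or $_.CopyEncrypted -or -not $_.HashMatches })
Write-Host ("{0} encrypted files found, {1} problem copies" -f @($report).Count, $bad.Count)
$bad | Format-Table -AutoSize

# Back up the EFS certificate and private key to a password-protected .PFX
# (cipher prompts for confirmation and a password; keep the file away from the data).
cipher.exe /x (Join-Path $Destination 'efs-key-backup')
```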
It is always a good idea to have backups of your data in the cloud and in external storage, which you need to periodically restore and test on a different machine.