1385 Microsoft Encrypting File System FAQ

Why don't I just use Microsoft Encrypting File System (EFS) to protect my sensitive data? EFS is included in the Professional editions of Windows at no charge.

Microsoft Encrypting File System (EFS) is file-level encryption for NTFS volumes: a user marks the individual files or folders he or she wants protected, and EFS encrypts each file under its own file encryption key (FEK) so that other users of the machine cannot read it. It applies the same idea as encrypting a document before sending it by e-mail or across the Internet, only to files at rest. Everything the user does not explicitly mark stays in clear text, and an EFS-encrypted file is decrypted on the way out when it is copied to a FAT volume or a removable drive, or attached to an e-mail message.

Encrypting files one at a time is slow when large amounts of data are involved, as with spreadsheets or databases, and it has a more serious limitation as a data-security method for most organizations: it encrypts only the original file. Temporary files, the paging file and the other copies the system makes on its own are not covered, and they remain in clear text.

EFS therefore protects a file only while it sits, closed, on the NTFS volume where it was encrypted. It does not protect the file in transit (an e-mail attachment or a copy on a USB stick leaves the volume in clear text), and it does not protect the data on the disk efficiently or completely.

Any user of encrypted files should recognize the potential weaknesses and avenues of attack. Just as it is not enough to lock the front door of a house without considering the back door and the windows as a burglar's way in, encrypting files alone is not enough to ensure confidentiality.

  • Seek out and manage the areas where clear-text copies of encrypted files, or parts of them, may exist. An attacker who has possession of, or access to, the computer on which the encrypted files reside may be able to recover sensitive data from the following:
    • Data shreds (remnants) left on disk after encrypting a previously unencrypted file (see the "Special Operations" section of the resource-kit paper for information about using cipher.exe to remove them)
    • The paging file (see "Increasing Security for Open Encrypted Files", an article from the Windows XP Professional Resource Kit reproduced below, for instructions on clearing the paging file at shutdown)
    • Hibernation files (see "Increasing Security for Open Encrypted Files")
    • Temporary files (determine where applications store temporary files and encrypt those folders as well)
    • Printer spool files (see the "Special Operations" section)

Increasing Security for Open Encrypted Files

Before file data can be handed to an application it must be decrypted, which means the file encryption key (FEK) is decrypted first. The FEK itself is not exposed, but the file data might be.

Because the EFS File System Run-Time Library (FSRTL) runs in the Windows kernel and stores FEKs in the non-paged pool, FEKs cannot be leaked to the paging file. The paging file is not encrypted, however, so the clear-text contents of an encrypted file that is open for an application's use may temporarily be copied into it. Once copied, the clear text stays in the paging file until those pages are overwritten by new data, which can be a considerable time after the application has closed the file.

The paging file (Pagefile.sys by default) is a system file, and on Windows XP, which this article describes, it cannot be encrypted. While Windows is running, the file is held open by the system and its ACL prevents any user from reading it; the security settings cannot be changed. That protection is bypassed entirely if someone other than the authorized user starts the computer under a different operating system and reads the paging file from there. On Windows Vista and later the paging file can be EFS-encrypted with the command fsutil behavior set EncryptPagingFile 1; that setting does not cover the hibernation file.

To prevent others from reading the contents of paging files that might contain plain text of encrypted files, you should complete the following tasks:

  • Disable hibernation mode on your computer.
  • Configure security settings to clear the paging files every time the computer shuts down.

Disabling Hibernation Mode

When a computer hibernates, the contents of physical memory, including the decrypted data of any open files, are written to a file on the hard drive (Hiberfil.sys) and the system is powered off. This saves energy and lets the computer resume with the same applications and files open. It is also a security risk, because files are decrypted for use in applications: if an encrypted file is open when the system hibernates, its contents are stored in the hibernation file as plain text, and an attacker who gets hold of the disk can read that file. EFS users may therefore want to disable hibernation. If you do use hibernation, close every open encrypted file before letting the system hibernate.

To disable hibernation

  1. In Control Panel, double-click Performance and Maintenance, and then click Power Options.
  2. On the Hibernate tab, clear the Enable hibernate check box.
  3. Click Apply.

Clearing the Paging File at Shutdown

When a file is encrypted or decrypted, plaintext data can be paged. This can be a security problem if an attacker boots the system by using another operating system and opens the paging file. The paging file can be cleared at shutdown by means of Group Policy.

To clear the paging file at shutdown

  1. In the Group Policy snap-in, select a Group Policy object to edit.
  2. Expand Computer Configuration and Windows Settings, Security Settings, Local Policies, and then expand Security Options.
  3. Double-click Shutdown: Clear virtual memory pagefile.
  4. Click Enabled, and then click OK.
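The three mitigations above (disable hibernation, clear the paging file at shutdown, wipe the remnants that cipher.exe is mentioned for) can be applied and checked from an elevated PowerShell prompt. The script below is an added example, not part of the FAQ or of Microsoft's resource-kit text. It assumes a Windows Vista-or-later host on which powercfg, cipher.exe and the Memory Management registry value behave as documented; the $SystemDrive value and the Get-EfsRemnantExposure helper are the example's own.

```powershell
# Added example (not from the original page). Run from an elevated prompt.
# Assumes Windows Vista or later; $SystemDrive is an assumption, adjust it.
$SystemDrive = $env:SystemDrive            # e.g. "C:"
$mm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-EfsRemnantExposure {
    # Reports the state of the three exposures the article discusses.
    $clear = (Get-ItemProperty -Path $mm -Name ClearPageFileAtShutdown -ErrorAction SilentlyContinue).ClearPageFileAtShutdown
    [pscustomobject]@{
        HiberfilPresent         = Test-Path (Join-Path $SystemDrive 'hiberfil.sys')
        PagefilePresent         = Test-Path (Join-Path $SystemDrive 'pagefile.sys')
        ClearPageFileAtShutdown = ($clear -eq 1)
    }
}

Write-Host 'Before:'; Get-EfsRemnantExposure | Format-List

# 1. Disable hibernation. powercfg also deletes hiberfil.sys, so the clear-text
#    memory image of the last hibernation goes with it. Its sectors are only
#    freed, not overwritten, hence the free-space wipe in step 3.
powercfg /hibernate off

# 2. Clear the paging file at shutdown. This DWORD is what the security option
#    "Shutdown: Clear virtual memory pagefile" sets; writing it directly is
#    equivalent on a standalone machine (Group Policy overrides it on a domain).
Set-ItemProperty -Path $mm -Name ClearPageFileAtShutdown -Value 1 -Type DWord

# 3. Overwrite unallocated space so remnants of files that were later encrypted
#    or deleted, and the freed hiberfil.sys sectors, are gone. cipher /w makes
#    three passes (0x00, 0xFF, random) over free space only; it never touches
#    allocated files, so it is safe, but it is slow on a large volume.
cipher.exe "/w:$SystemDrive\"

# 4. Vista and later only: let EFS encrypt the paging file itself. Takes effect
#    after a reboot and does not cover the hibernation file.
fsutil behavior set EncryptPagingFile 1

Write-Host 'After:'; Get-EfsRemnantExposure | Format-List
```

Step 2 makes every shutdown take longer, in proportion to the paging file's size, and none of the steps helps while the machine is merely in standby; both points are taken up in the list that follows.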

Leaving aside other characteristics of EFS such as transparency and key recovery, we focus here on one topic: security.

As discussed in the article, sensitive data can still exist in clear text in several places on disk, most notably the Paging files and temporary files.

  1. The paging file can be cleared at shutdown, but the time it takes to overwrite it will take its toll on the user's patience and productivity. Paging files are normally set somewhat larger than installed memory (RAM), e.g. 256 MB, or 1000 MB and more on above-average machines.
  2. If the computer is not shut down cleanly, e.g. it goes into standby or loses power, the paging file is still on the disk with its contents intact.
  3. Clearing overwrites the paging file once. Laboratory recovery of overwritten data from magnetic media has been claimed, which is why multi-pass wiping standards exist for highly sensitive data, although whether that is practical against modern high-density drives is disputed. More importantly, clearing the paging file does nothing for clear-text copies that were never in it: temporary files, spool files and remnants in free space can still be recovered. (See our White Paper for detailed information.)
  4. The recommendation "to determine where applications store temporary files and encrypt these folders as well" is most likely an impossible task for most users, enterprises or governments.

SecureDoc's first and foremost job is to protect disk data. If a product does not protect disk data properly, it should not be used for that purpose, unless you consider it "good enough".

If your attacker does not know how to use a disk editor, and cannot hire someone who does, EFS is probably "good enough". If your attacker does know how to use a disk editor, or has access to a forensic facility to scan your disk, they will probably find some sensitive data.
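What "using a disk editor" amounts to in practice is a string search over the paging file, the hibernation file or unallocated space for words from the document. The PowerShell below is an added example, not code from the FAQ or from WinMagic: it carves printable ASCII and UTF-16LE strings from a byte buffer and reports the ones containing known markers. The function names, the marker words and the $image buffer are the example's own; the buffer is constructed in the script to stand in for a pagefile image, because Windows holds the real file locked while running and an attacker would read it from another operating system or a disk image.

```powershell
# Added example (not from the original page). Carves printable strings from a
# raw byte buffer the way a forensic string search over pagefile.sys,
# hiberfil.sys or unallocated space does, then reports hits for known markers.

function Get-CarvedStrings {
    param([byte[]]$Bytes, [int]$MinLength = 8)
    $hits = New-Object System.Collections.Generic.List[object]

    # Pass 1: runs of printable ASCII (0x20-0x7E).
    $start = -1
    for ($i = 0; $i -le $Bytes.Length; $i++) {
        $printable = ($i -lt $Bytes.Length) -and ($Bytes[$i] -ge 0x20) -and ($Bytes[$i] -le 0x7E)
        if ($printable) {
            if ($start -lt 0) { $start = $i }
        } elseif ($start -ge 0) {
            if (($i - $start) -ge $MinLength) {
                $hits.Add([pscustomobject]@{
                    Offset = $start; Encoding = 'ASCII'
                    Text   = [System.Text.Encoding]::ASCII.GetString($Bytes, $start, $i - $start)
                })
            }
            $start = -1
        }
    }

    # Pass 2: runs of UTF-16LE (printable byte followed by 0x00). Windows
    # applications hold most text in memory this way, so this is what the
    # pagefile and hiberfil mostly contain; an ASCII-only search misses it.
    $start = -1
    $i = 0
    while ($i -le $Bytes.Length) {
        $pair = (($i + 1) -lt $Bytes.Length) -and ($Bytes[$i] -ge 0x20) -and ($Bytes[$i] -le 0x7E) -and ($Bytes[$i + 1] -eq 0)
        if ($pair) {
            if ($start -lt 0) { $start = $i }
            $i += 2
            continue
        }
        if ($start -ge 0) {
            $len = $i - $start
            if (($len / 2) -ge $MinLength) {
                $hits.Add([pscustomobject]@{
                    Offset = $start; Encoding = 'UTF-16LE'
                    Text   = [System.Text.Encoding]::Unicode.GetString($Bytes, $start, $len)
                })
            }
            $start = -1
        }
        $i++
    }
    return $hits
}

function Find-SensitiveRemnants {
    param([byte[]]$Bytes, [string[]]$Markers)
    Get-CarvedStrings -Bytes $Bytes | Where-Object {
        $text = $_.Text
        @($Markers | Where-Object { $text -like "*$_*" }).Count -gt 0
    }
}

# Constructed stand-in for a pagefile image: 64 KiB of pseudo-random filler
# (fixed seed, so the run is reproducible) with the kind of fragments a
# spreadsheet and a word processor leave behind when their open, EFS-encrypted
# documents are paged out. The text and offsets are made up for the demo.
$rng   = New-Object System.Random 7
$image = New-Object byte[] 65536
$rng.NextBytes($image)
$ascii   = [System.Text.Encoding]::ASCII.GetBytes('Q3 bonus pool: 1250000 CONFIDENTIAL')
$unicode = [System.Text.Encoding]::Unicode.GetBytes('Project Falcon merger memo - CONFIDENTIAL')
[Array]::Copy($ascii,   0, $image, 4096,  $ascii.Length)
[Array]::Copy($unicode, 0, $image, 30000, $unicode.Length)

# Against a real target, replace $image with the bytes of the locked file read
# from another OS or a disk image, e.g. [IO.File]::ReadAllBytes('D:\pagefile.sys').
Find-SensitiveRemnants -Bytes $image -Markers 'CONFIDENTIAL', 'bonus' |
    Format-Table Offset, Encoding, Text -AutoSize
```

Both planted fragments come back with their offsets, the spreadsheet line as ASCII at 4096 and the memo title as UTF-16LE at 30000, while the random filler produces only short or unmatched runs. Note that the UTF-16LE pass is what finds the memo; a search that only looks for ASCII, which is what a naive disk-editor search does, would report the volume clean.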