0

It would be nice if there was an area on my computer where I could work with temp files that may contain sensitive information that could be encrypted with bitlocker or something similar when the files are at rest.

It would be even nicer if these encrypted directories could remain with their projects, and maybe be decrypted as needed at the OS level, but then locked out of again.

Is there a way to accomplish such a thing?

leeand00
  • 1,297
  • 1
  • 13
  • 21

1 Answer

3

All NT-based versions of Windows since 2000 have a feature called Encrypting File System (EFS), although "Home" and similarly low-end editions can't use it. You can look up more information about this feature from Microsoft as well, but here are some relevant ones:

  • Encryption and decryption are transparent; keys are managed by the OS and used automatically when reading or writing. There's no "locking" or "unlocking" the files; any process running in an authenticated session for any allowed user will be able to decrypt the files.
  • You cannot actually encrypt directories, but if you set the Encrypt flag on a directory it will encrypt all files placed in the directory.
  • All file data is encrypted, though file metadata (name, size, permissions, etc.) is not.
  • Encryption uses user-specific keys. If you want multiple users to have access to the file, you have to have given each user access before encrypting the file.
  • The encryption keys are protected by the user's password. If a user forgets their password and needs to have an Administrator reset it, the user loses access to EFS-encrypted files unless the user had previously backed up their EFS key. Changing passwords (where the old password is used) doesn't cause any problems, though.
  • By default, even local or domain administrators cannot decrypt EFS-encrypted files. However, there's a setting in Windows to automatically grant administrators access.
  • EFS requires NTFS. Moving a file or directory within an NTFS volume, or across NTFS volumes, will not decrypt it. However, moving it to a volume using any other file system (such as FAT32/exFAT as typically used on flash drives and SD cards) will decrypt the file if possible, or fail the move if not; these file systems do not support the metadata used by EFS.

BitLocker or some other full-volume encryption (FVE) is usually preferred over EFS these days, although they are suitable in slightly different scenarios. FVE will encrypt the file system metadata, such that an attacker wouldn't be able to read file names. FVE uses newer, more secure ciphers than EFS. FVE is sometimes easier to use offline (if, say, the computer dies and you connect its drive to another machine) so long as you have the recovery key. FVE is machine-wide instead of user-specific. You can combine FVE and EFS if you want to, although it's mostly redundant.

CBHacking
  • 40,303
  • 3
  • 74
  • 98
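The per-project scratch directory the question asks for, set up the way the answer describes, as an added example that is not part of the original answer: it checks that the volume is NTFS, sets the Encrypt flag on the directory so that files created inside it are encrypted automatically, verifies the Encrypted attribute on the directory and a constructed sample file, shows that reading back in the same session is transparent, and backs up the EFS certificate and key so a forced password reset does not lose access. The `$ProjectRoot` and `$KeyBackup` paths are assumptions; `cipher.exe` and its `/e` and `/x` switches are the built-in Windows tool.

```powershell
# Added example (not from the original answer): an EFS-encrypted scratch
# directory inside a project, verified, plus an EFS key backup.
param(
    [string]$ProjectRoot = "$env:USERPROFILE\projects\demo",  # assumed location
    [string]$KeyBackup   = "$env:USERPROFILE\efs-key-backup"  # assumed; cipher adds .pfx
)

$scratch = Join-Path $ProjectRoot 'scratch'

# EFS needs NTFS. On FAT32/exFAT the Encrypt flag cannot be set, and moving an
# encrypted file onto such a volume decrypts it (or fails), as the answer notes.
$drive = [System.IO.DriveInfo]::new((Split-Path -Qualifier $ProjectRoot))
if ($drive.DriveFormat -ne 'NTFS') {
    throw "EFS requires NTFS; volume $($drive.Name) is $($drive.DriveFormat)"
}

New-Item -ItemType Directory -Path $scratch -Force | Out-Null

# Setting the Encrypt flag on the directory does not encrypt the directory
# itself (it holds no file data) but makes every file placed in it encrypted.
# On editions without EFS (e.g. Home) cipher reports an error and a non-zero exit.
cipher.exe /e "$scratch" | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw 'cipher /e failed; EFS is probably not available on this Windows edition.'
}

# A file written afterwards inherits encryption without any explicit call.
$sample = Join-Path $scratch 'notes.txt'
Set-Content -Path $sample -Value 'constructed sample data'   # constructed input

# Verify: the directory and the new file both carry the Encrypted attribute.
function Test-EfsEncrypted([string]$Path) {
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    return (($attrs -band [System.IO.FileAttributes]::Encrypted) -ne 0)
}
foreach ($p in @($scratch, $sample)) {
    $state = if (Test-EfsEncrypted $p) { 'encrypted' } else { 'PLAIN' }
    '{0,-9} {1}' -f $state, $p
}

# Reading is transparent in this user's authenticated session: no unlock step,
# the OS applies the user's key and the plaintext comes back.
Get-Content -LiteralPath $sample

# Back up the EFS certificate and private key (prompts for a PFX password).
# Without this, an administrator-forced password reset loses access to the files.
cipher.exe /x "$KeyBackup"
```

Run it in a normal (non-elevated) PowerShell session on Windows as the user who will own the files, since EFS keys are per user; anyone who needs access later must be granted it on each file before it is encrypted, exactly as the answer says. Keep the exported `.pfx` somewhere outside the encrypted directory, otherwise the backup is protected by the very key it is meant to recover.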