2

I am looking for a solution to encrypt directories/files on a Windows 2012 server.

Several Excel files will be stored in a share, and I am looking for a solution to encrypt them independently. From what I can tell, BitLocker is not what I am looking for, but EFS might work for me.

Is there a way to use EFS using only domain credentials for access, or are certificates necessary?

Acerbity
  • If you are using the xlsx format and allow more than one user access to the files, it becomes a pain because after editing, the file is only encrypted for the current user and loses the information about any other users. – Peter Hahndorf Mar 10 '15 at 19:40

1 Answer

5

BitLocker only protects data at rest.

EFS only uses public/private key encryption - certificates. The certificates may be self-signed and created automatically by Windows (sub-optimal), or you can have your AD CA auto-enroll users for EFS certificates (preferred). CA-issued certificates may be required, unless your usage scenario is very simple. Certificates may also be associated with AD accounts/published in AD. Sharing EFS encrypted data between users is a bit convoluted.

There are also separate Data Recovery Agent (DRA) account/certificates that are not required for EFS to work, but are a good idea to have/configure if you need to decrypt the data in the event you lose access to the account that encrypted the files. By default, the builtin Administrator account may be designated as the DRA.

EFS is very complicated to configure and manage correctly. If you only have a few spreadsheets, you may want to evaluate whether the Excel password protection is an option (should be xlsx, because the older format's password scheme was woefully insecure).


Find some useful links on microsoft.com as follows:

The Encrypting File System

Best practices for the Encrypting File System

Enabling File Encryption

Chaminda Bandara
Greg Askew
  • Unfortunately there is nothing simple about my situation. Thanks for the info, this is on par with what I had found already. – Acerbity Mar 10 '15 at 18:52
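
To check the two problems raised above (files left decryptable by a single user after an edit, and files with no Data Recovery Agent), the following added example, which is not part of the original answer, audits the spreadsheets in a folder with `cipher /c`. The path `D:\Shares\Finance` and the function name `Get-EfsFileReport` are hypothetical; it assumes it is run locally on the server that holds the files and that `cipher.exe` prints its section headings in English.

```powershell
# Added example: report EFS state, user certificates and DRA certificates per .xlsx file.
# $SharePath is a hypothetical location; adjust to the folder behind the share.
param([string]$SharePath = 'D:\Shares\Finance')

function Get-EfsFileReport {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -LiteralPath $Path -Recurse -File -Filter *.xlsx | ForEach-Object {
        $file      = $_
        $encrypted = [bool]($file.Attributes -band [IO.FileAttributes]::Encrypted)
        $users = @(); $recovery = @(); $section = $null

        if ($encrypted) {
            # cipher /c lists the certificates that can decrypt the file.
            # Headings are matched in English (assumption: English-language Windows).
            foreach ($line in (& cipher.exe /c $file.FullName)) {
                $text = $line.Trim()
                if     ($text -like 'Users who can decrypt:*')  { $section = 'users' }
                elseif ($text -like 'Recovery Certificates:*')  { $section = 'dra' }
                elseif ($text -like 'No recovery certificate*') { $section = $null }
                elseif ($text -like 'Key information*')         { $section = $null }
                elseif ($text -like 'Certificate thumbprint:*') {
                    # Normalise "AB12 CD34 ..." to a compact thumbprint string.
                    $thumb = ($text -replace '^Certificate thumbprint:\s*', '') -replace '\s', ''
                    if     ($section -eq 'users') { $users    += $thumb }
                    elseif ($section -eq 'dra')   { $recovery += $thumb }
                }
            }
        }

        [pscustomobject]@{
            File            = $file.FullName
            Encrypted       = $encrypted
            UserCertCount   = $users.Count
            DraCertCount    = $recovery.Count
            UserThumbprints = $users -join ','
            DraThumbprints  = $recovery -join ','
        }
    }
}

# Show files that need attention: not encrypted, only one user key, or no DRA key.
Get-EfsFileReport -Path $SharePath |
    Where-Object { -not $_.Encrypted -or $_.UserCertCount -lt 2 -or $_.DraCertCount -eq 0 } |
    Format-Table File, Encrypted, UserCertCount, DraCertCount -AutoSize
```

Running it after users have edited and saved workbooks shows which files have dropped back to a single user certificate and need the other users added again.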