How to Encrypt Files on Windows

This guide encrypts files on Windows so the data stays unreadable to anyone without the password or recovery key. Encryption converts files into ciphertext that only the correct key can decode, protecting data if a drive is lost, stolen, or accessed by another account. This article explains the encryption options on Windows, walks through turning on BitLocker full-drive encryption and saving the recovery key, encrypts a folder with the Encrypting File System, creates an encrypted container with VeraCrypt, password-protects a ZIP archive with 7-Zip using AES-256, and backs up the recovery keys each method depends on.

Each section names the tool and standard involved, including BitLocker, the Encrypting File System, VeraCrypt, 7-Zip, the AES-256 cipher, and the Trusted Platform Module. BitLocker requires Windows Pro or Enterprise and benefits from a TPM chip, while the other methods work on any edition.

The result is data protected at the level each situation needs, with recovery keys saved so encrypted data is never lost. Start by matching an encryption option to the goal.

Understand the Encryption Options

Windows offers three levels of file encryption: full-drive, per-file, and container-based. The options below match a method to each goal.

  • BitLocker encrypts an entire drive. The built-in tool protects every file on a disk and unlocks it at startup, which suits a whole system or removable drive.
  • The Encrypting File System encrypts per file or folder. EFS ties encryption to a Windows user account, so files stay readable only to that account on that system.
  • VeraCrypt creates an encrypted container. The container is a file that mounts as a virtual drive, holding selected files behind a password on any edition of Windows.
  • 7-Zip encrypts a single archive. A ZIP or 7z archive with AES-256 protects a small set of files or folders for sharing or storage.

AES-256 is the Advanced Encryption Standard with a 256-bit key, the cipher BitLocker, VeraCrypt, and 7-Zip all use. The right option depends on whether a whole drive, a single folder, or a portable archive needs protection.

Does BitLocker Need Pro or a TPM?

BitLocker requires Windows Pro, Enterprise, or Education, and works best with a Trusted Platform Module chip. The requirements below set expectations.

  • Windows edition matters. BitLocker is absent from Windows Home, which includes only the more limited Device Encryption on supported hardware.
  • A TPM stores the key in hardware. The Trusted Platform Module holds the encryption key and unlocks the drive automatically at a trusted startup.
  • BitLocker runs without a TPM. A Group Policy setting allows BitLocker with a startup password or USB key on systems lacking a TPM.
  • The recovery key is mandatory. BitLocker generates a 48-digit recovery key that unlocks the drive if the normal method fails.

The Trusted Platform Module, abbreviated TPM, is a chip that stores cryptographic keys separate from the main storage. Windows 11 requires TPM 2.0, so most current systems can run BitLocker with hardware key protection.

Enable BitLocker on a Drive

Turning on BitLocker encrypts an entire drive and protects every file on it behind a startup key or password. The steps below enable it and save the recovery key.

  1. Open Control Panel, then System and Security, then BitLocker Drive Encryption.
  2. Select Turn on BitLocker next to the drive to protect.
  3. Choose how to save the recovery key, such as to a Microsoft account, a file on another drive, or a printout.
  4. Select whether to encrypt the used space only or the entire drive, then continue.
  5. Choose the new encryption mode for a fixed drive, then click Start encrypting.
  6. Wait for encryption to finish, which can run in the background while the PC is used.

The recovery key is the only way back in if the password is forgotten or the TPM changes. Saving it to a separate location, not the encrypted drive itself, keeps it accessible when needed.

Encrypt a Folder With EFS

The Encrypting File System encrypts a folder so its contents stay readable only to the current Windows account. The steps below apply EFS.

  1. Right-click the folder, select Properties, and click Advanced on the General tab.
  2. Check Encrypt contents to secure data and click OK.
  3. Apply the change to the folder and all its files and subfolders when prompted.
  4. Back up the EFS certificate when Windows prompts, since it is the key to the encrypted files.
  5. Confirm the folder name shows in a different color, which marks it as EFS-encrypted.

EFS encryption is tied to the user account and its certificate. A backup of the EFS certificate and key is required, because losing it makes the encrypted files unreadable even to the same account after a reinstall. EFS is available on Windows Pro and higher.
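The folder color in step 5 does not show whether every file inside was actually encrypted. The PowerShell function below is an added example, not part of the original guide, that lists any files under an EFS folder still stored in plaintext; the function name and the folder path are hypothetical.

```powershell
# Added example: reports files under an EFS folder that do not carry the Encrypted attribute.
function Test-EfsCoverage {
    param([Parameter(Mandatory)][string]$Folder)

    $flag = [System.IO.FileAttributes]::Encrypted
    $root = Get-Item -LiteralPath $Folder -Force

    # Files skipped by step 3, for example when the change was applied to the folder only.
    $plain = @(Get-ChildItem -LiteralPath $Folder -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.Attributes.HasFlag($flag) })

    [pscustomobject]@{
        Folder                = $root.FullName
        # When the folder itself is marked, new files created inside it are encrypted automatically.
        FolderMarkedEncrypted = $root.Attributes.HasFlag($flag)
        UnencryptedFileCount  = $plain.Count
        UnencryptedFiles      = $plain.FullName
    }
}

# Hypothetical path: replace with the folder encrypted in the steps above.
Test-EfsCoverage -Folder "$env:USERPROFILE\Documents\Private" | Format-List

# Step 4 from the command line: `cipher /x <filename>` exports the current EFS
# certificate and private key to a password-protected .pfx file. Write it to
# storage that is separate from the encrypted data.
```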

Create an Encrypted Container With VeraCrypt

VeraCrypt creates an encrypted container file that mounts as a virtual drive, holding selected files behind a password on any Windows edition. The steps below create one.

  1. Download and install VeraCrypt from the official site.
  2. Open VeraCrypt, click Create Volume, and select Create an encrypted file container.
  3. Choose a standard volume, set a file name and location, and select AES as the encryption algorithm.
  4. Set the container size and a strong volume password.
  5. Move the mouse randomly to generate entropy, then click Format to build the container.
  6. Mount the container in VeraCrypt with its password to use it as a drive letter, then copy files into it.

A VeraCrypt container appears as a normal file until it is mounted with the password. Dismounting the volume locks the files again, so the container protects data on any edition of Windows, including Home.

Password-Protect a ZIP With 7-Zip

7-Zip password-protects an archive with AES-256, encrypting a small set of files for storage or sharing. The steps below create an encrypted archive.

  1. Download and install 7-Zip from the official site.
  2. Select the files or folder, right-click, and choose 7-Zip, then Add to archive.
  3. Set the archive format to zip or 7z.
  4. Enter and confirm a strong password in the Encryption section.
  5. Set the encryption method to AES-256.
  6. Check Encrypt file names for the 7z format, then click OK to build the archive.

AES-256 in 7-Zip protects both the file contents and, for the 7z format, the file names. The archive password is required to extract the files, so a forgotten password makes the contents unrecoverable. A strong password follows the method in the guide to creating a strong password.
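The same archive can be built from the 7-Zip command line. The PowerShell function below is an added example, not part of the original guide; the function name, the sample paths, and the default install location of 7z.exe are assumptions.

```powershell
# Added example: create an AES-256 archive with 7z.exe, then test it.
function New-EncryptedArchive {
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Archive,
        [ValidateSet('7z', 'zip')][string]$Format = '7z',
        [string]$SevenZip = "$env:ProgramFiles\7-Zip\7z.exe"   # assumed default install path
    )
    if (-not (Test-Path -LiteralPath $SevenZip)) { throw "7z.exe not found at $SevenZip" }

    # -p with no value makes 7-Zip prompt for the password, so it never
    # appears in command history or in the process command line.
    $switches = if ($Format -eq '7z') {
        @('-t7z', '-mhe=on', '-p')         # -mhe=on encrypts file names (7z format only)
    } else {
        @('-tzip', '-mem=AES256', '-p')    # request AES-256 instead of the legacy ZipCrypto default
    }

    & $SevenZip a @switches $Archive $Source
    if ($LASTEXITCODE -ne 0) { throw "7-Zip could not create the archive (exit code $LASTEXITCODE)" }

    # 't' prompts for the password again and decrypts every entry as an integrity check.
    & $SevenZip t $Archive
    if ($LASTEXITCODE -ne 0) { throw "Archive failed verification (exit code $LASTEXITCODE)" }

    Get-Item -LiteralPath $Archive
}

# Hypothetical paths: a folder named reports archived next to it.
New-EncryptedArchive -Source '.\reports' -Archive '.\reports.7z' -Format 7z
```

A zip archive built this way still exposes its file names, because header encryption exists only in the 7z format.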

Back Up Recovery Keys

Backing up recovery keys ensures encrypted data stays accessible if a password is forgotten or hardware changes. The items below need a backup.

  • The BitLocker recovery key. Save the 48-digit key to a Microsoft account, a printout, or a file on separate storage, never on the encrypted drive.
  • The EFS certificate. Export the EFS certificate and private key to a password-protected file and store it offline.
  • The VeraCrypt password. Record the volume password in a password manager secure note, since VeraCrypt has no recovery key.
  • The 7-Zip archive password. Store the archive password in a manager, because the archive cannot be opened without it.

Encryption keeps data unreadable without the key, which means a lost key makes the data unrecoverable. A password manager secure note, described in the guide to using a password manager, holds these keys in an encrypted vault.

Use Device Encryption on Windows Home

Device Encryption protects the system drive on Windows Home when the hardware supports it, providing full-drive encryption without the full BitLocker controls. The steps below check and enable it.

  1. Open Settings, then Privacy and security, and look for Device encryption.
  2. Confirm the device meets the requirement of TPM 2.0 and Modern Standby, which Device Encryption needs to appear.
  3. Sign in with a Microsoft account, since Device Encryption saves the recovery key to that account automatically.
  4. Turn the Device encryption switch on if it is off.
  5. Confirm the recovery key is saved by checking the Microsoft account device page.

Device Encryption uses AES-256, the same cipher as BitLocker, but exposes fewer options and requires a Microsoft account for recovery key storage. A system that lacks TPM 2.0 or Modern Standby does not show the Device Encryption option, in which case VeraCrypt or a 7-Zip archive protects selected files instead.

Verify Encryption Status

Verifying encryption status confirms a drive or file is actually protected before sensitive data is trusted to it. The checks below confirm each method.

  • Check BitLocker in Control Panel. The BitLocker Drive Encryption page lists each drive as BitLocker on or off.
  • Run manage-bde from the command line. The command manage-bde -status reports the protection status and encryption percentage of each drive.
  • Confirm EFS by file color. An EFS-encrypted file or folder name shows in a different color, and the Advanced properties show the encryption checkbox.
  • Confirm a VeraCrypt or 7-Zip item by its prompt. A mounted container and an encrypted archive both request the password before opening.

The manage-bde -status command, run in an elevated Command Prompt, reports whether encryption is fully applied or still in progress. A drive that reads Protection On with 100 percent encrypted is fully protected, while a lower percentage means encryption is still running in the background.
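The BitLocker checks above can be scripted with the Get-BitLockerVolume cmdlet, which returns the same fields as manage-bde -status as objects. The function below is an added example, not part of the original guide; the function name and the backup path parameter are hypothetical, and it assumes an elevated PowerShell session on an edition that includes BitLocker.

```powershell
# Added example: flag volumes that are unprotected, partially encrypted,
# missing a recovery password, or holding their own recovery key backup.
function Get-BitLockerAudit {
    param([string]$RecoveryKeyBackupPath)   # optional: full path of the saved recovery key file

    $backupDrive = if ($RecoveryKeyBackupPath) { Split-Path -Path $RecoveryKeyBackupPath -Qualifier }

    foreach ($vol in Get-BitLockerVolume) {
        $protectors = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $findings = @()

        if ($vol.LockStatus -eq 'Locked') {
            $findings += 'Volume is locked, status cannot be read'
        } else {
            if ($vol.ProtectionStatus -ne 'On') { $findings += 'Protection is off' }
            if ($vol.EncryptionPercentage -lt 100) {
                $findings += "Only $($vol.EncryptionPercentage)% encrypted"
            }
            if ($protectors -notcontains 'RecoveryPassword') {
                $findings += 'No 48-digit recovery password protector'
            }
        }
        # A key file stored on the drive it unlocks is unreachable once that drive locks.
        if ($backupDrive -and $backupDrive -eq $vol.MountPoint) {
            $findings += 'Recovery key backup is stored on this encrypted drive'
        }

        [pscustomobject]@{
            MountPoint = $vol.MountPoint
            Status     = $vol.VolumeStatus
            Method     = $vol.EncryptionMethod
            Protectors = $protectors -join ', '
            Findings   = if ($findings) { $findings -join '; ' } else { 'OK' }
        }
    }
}

# Hypothetical backup location on a separate drive.
Get-BitLockerAudit -RecoveryKeyBackupPath 'E:\keys\bitlocker-recovery.txt' | Format-Table -AutoSize -Wrap
```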

Windows Encryption Method Comparison

| Method | Scope | Edition Requirement | Cipher |
| --- | --- | --- | --- |
| BitLocker | Entire drive | Pro, Enterprise, Education | AES-128 or AES-256 |
| Device Encryption | Entire drive | Home on supported hardware | AES-256 |
| EFS | Per file or folder | Pro and higher | AES-256 |
| VeraCrypt | Container or drive | Any edition | AES-256 and others |
| 7-Zip | Single archive | Any edition | AES-256 |

Common Mistakes to Avoid

Several errors lead to lost data or weak protection. The mistakes below recur when encrypting files on Windows.

  • Saving the recovery key on the encrypted drive. A locked drive hides its own recovery key, leaving no way back in.
  • Skipping the EFS certificate backup. Losing the certificate makes EFS files unreadable even to the same account after a reinstall.
  • Using a weak container or archive password. Encryption only holds when the password resists guessing.
  • Confusing EFS with a portable method. EFS ties files to one account, so EFS files do not open on another PC.
  • Assuming Home edition has BitLocker. Windows Home offers only Device Encryption, not full BitLocker controls.

Key Takeaways

  • Match the method to the goal. BitLocker covers a whole drive, EFS covers a folder, and VeraCrypt or 7-Zip cover portable files.
  • BitLocker needs Pro and benefits from a TPM. Windows Home offers only the limited Device Encryption.
  • Save the BitLocker recovery key elsewhere. The 48-digit key unlocks the drive when the normal method fails.
  • Use AES-256 for archives. 7-Zip with AES-256 protects a small set of files for sharing.
  • Back up every key. A lost key makes encrypted data unrecoverable.

How do I encrypt files on Windows?

Encrypt an entire drive with BitLocker, a folder with the Encrypting File System, a set of files in a VeraCrypt container, or an archive with 7-Zip using AES-256. Save the recovery key for each method.

Does BitLocker require Windows Pro?

Yes. BitLocker requires Windows Pro, Enterprise, or Education. Windows Home includes only the more limited Device Encryption on supported hardware. BitLocker works best with a Trusted Platform Module chip storing the key.

What is the difference between BitLocker and EFS?

BitLocker encrypts an entire drive and unlocks at startup. The Encrypting File System encrypts individual files or folders and ties them to one Windows account, so the files stay readable only to that account.

Can I encrypt files on Windows Home?

Yes. Windows Home lacks full BitLocker but offers Device Encryption on supported hardware. VeraCrypt and 7-Zip also run on any edition, so a container or AES-256 archive protects files on Home.

What happens if I lose my BitLocker recovery key?

Without the recovery key and the normal password or TPM, the drive stays locked and its data is unrecoverable. Save the 48-digit key to a Microsoft account, a printout, or separate storage before encrypting.

Is 7-Zip encryption secure?

Yes. 7-Zip uses AES-256, a strong cipher, to encrypt archive contents and, in the 7z format, file names. Security depends on a strong password, since the archive cannot be opened without it.

Last Thoughts on Encrypting Files on Windows

Encrypting files on Windows matches a method to the goal: BitLocker protects a whole drive, the Encrypting File System protects a folder tied to one account, VeraCrypt builds a portable encrypted container, and 7-Zip secures an archive with AES-256. Every method depends on its key or password, so backing up the BitLocker recovery key, the EFS certificate, and each password keeps encrypted data recoverable. Because encryption is one layer of wider data protection, the overview of computer security basics connects it to passwords and account defenses, and a password manager secure note stores the recovery keys these methods rely on.

Nizam Ud Deen

Nizam Ud Deen is the founder of theCoreiTech, a tech-focused platform dedicated to simplifying the world of computers, hardware, and digital innovation. With nearly a decade of experience in digital marketing and IT, Nizam combines strategic marketing insight with deep technical understanding. As a passionate entrepreneur, he has built multiple successful digital products and online ventures, helping bridge the gap between technology and everyday users. His mission through theCoreiTech is to empower readers to make informed decisions about computers, hardware, and emerging tech trends through clear, data-driven, and actionable content.
