There’s a new, more secure way to encrypt files in Windows 11, but it’s only an option for building secure applications, not a replacement for BitLocker.
Windows 10 already has two flavours of encryption — BitLocker and Windows Device Encryption — and as of the 22H2 release, Windows 11 Enterprise and Education add a third: Personal Data Encryption.
BitLocker and Device Encryption are effectively the same full disk encryption technology, but there are management tools for BitLocker (which is only available in Windows Pro, Enterprise and Education) that let admins control whether one or more drives on a system are encrypted, as well as backing up and recovering the keys. Device Encryption is included in Windows Home and encrypts all the drives on the PC, with no option to exclude secondary drives. The name is different because calling it BitLocker would make people think they were getting the same management tools and options.
Personal Data Encryption doesn’t replace either of them because it doesn’t encrypt a whole drive; instead, it protects individual files and folders using 256-bit AES-CBC encryption keys that are protected by Windows Hello for Business, but only through applications that are built to use it.
File encryption in Windows
You could already encrypt a selection of files in Windows by:
- Selecting them in File Explorer.
- Right-clicking and choosing Properties.
- Clicking the Advanced button in the Attributes section of the General tab.
- Checking the ‘Encrypt contents to secure data’ checkbox.
That uses the Encrypting File System built into Windows, but it has several drawbacks.
Complications from encrypting via EFS
EFS dates back to Windows 2000, long before TPMs were common in PCs, so it doesn’t use hardware security to protect the encryption keys. They’re stored in Windows, and an attacker could potentially extract them — or they could just try to hack into your Windows account.
Files encrypted with EFS can also be accessed only by the user account that encrypted them. That’s seamless: As soon as you log in with that user account you can access encrypted files without doing anything extra, but if you log in with a different account, you can’t open them at all.
PDE uses Windows Hello for more secure keys
BitLocker unlocks the encrypted drive as soon as you boot Windows: PDE only unlocks encrypted files when the user logs in — and logs in using Windows Hello.
By using Windows Hello for Business, Personal Data Encryption puts the encryption keys into secure hardware, where they’re only released when you authenticate either biometrically or with a PIN. The PIN is also protected by hardware security and, unlike a password, doesn’t roam to other devices you use that account with.
That’s more secure, but also more transparent for users — although you do have to get used to not seeing Personal Data Encryption-protected files if you decide to sign in to your account using your password instead.
Turning on Personal Data Encryption
There are some limitations for using Personal Data Encryption. The PC has to be joined to Azure AD and not be a hybrid device (i.e., one that’s joined to your organization’s Active Directory but also registered with Azure AD). Remote Desktop connections aren’t supported, you can’t see Personal Data Encryption-protected files through a network share, and you can’t use a FIDO key instead of Windows Hello for Business or automatic restart sign-on to Windows.
To make sure the Personal Data Encryption keys aren’t accidentally exposed, you will want to disable hibernation, crash dumps and Windows Error Reporting: You can do that through the same MDM solution you use to enable Personal Data Encryption (whether that’s Intune or through Group Policy with a CSP).
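The three settings above are policy decisions you push through MDM, but it is worth verifying on a device that they actually took effect. The following is an added example, not code from the article or from Microsoft: it reads the well-known registry values that reflect the effective hibernation, crash-dump and Windows Error Reporting state on the local machine and reports which of them would still let unlocked PDE key material reach disk. The registry paths are the standard Windows locations for these settings; treating an absent value as “not verified” is my own conservative choice.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.Win32;

// Added example: audit the three leak paths the PDE guidance says to close.
public static class PdeHygieneAudit
{
    public sealed record Finding(string Setting, bool Compliant, string Detail);

    // Read a REG_DWORD under HKLM; null when the key or value is absent.
    private static int? ReadDword(string keyPath, string valueName)
    {
        using RegistryKey key = Registry.LocalMachine.OpenSubKey(keyPath);
        return key?.GetValue(valueName) as int?;
    }

    public static IReadOnlyList<Finding> Run()
    {
        var findings = new List<Finding>();

        // Hibernation writes RAM, including any released PDE keys, into hiberfil.sys.
        // HibernateEnabled=0 is what "powercfg /hibernate off" (or the equivalent policy) sets.
        int? hib = ReadDword(@"SYSTEM\CurrentControlSet\Control\Power", "HibernateEnabled");
        findings.Add(new Finding("Hibernation", hib == 0,
            $"HibernateEnabled={hib?.ToString() ?? "(absent, not verified)"}"));

        // CrashDumpEnabled: 0 = no dump; any other value writes kernel or full memory on a bugcheck.
        int? dump = ReadDword(@"SYSTEM\CurrentControlSet\Control\CrashControl", "CrashDumpEnabled");
        findings.Add(new Finding("Crash dumps", dump == 0,
            $"CrashDumpEnabled={dump?.ToString() ?? "(absent, not verified)"}"));

        // WER is off when Disabled=1 under the Group Policy key or the product key.
        int? werPolicy = ReadDword(@"SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting", "Disabled");
        int? werLocal = ReadDword(@"SOFTWARE\Microsoft\Windows\Windows Error Reporting", "Disabled");
        findings.Add(new Finding("Windows Error Reporting", werPolicy == 1 || werLocal == 1,
            $"Policy Disabled={werPolicy?.ToString() ?? "(absent)"}, Local Disabled={werLocal?.ToString() ?? "(absent)"}"));

        return findings;
    }

    public static int Main()
    {
        int failures = 0;
        foreach (Finding f in Run())
        {
            Console.WriteLine($"{(f.Compliant ? "OK  " : "FAIL")} {f.Setting}: {f.Detail}");
            if (!f.Compliant) failures++;
        }
        return failures; // non-zero exit code makes this usable from a compliance script
    }
}
```

Run it as the local machine's own check after the MDM policy has applied; a non-zero exit code means at least one of the three paths is still open and the policy assignment should be revisited.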
You can also decide whether you want encrypted files to be available when Windows is locked or not. If you choose level two protection, encrypted files will be accessible for one minute after the Windows lock screen appears but then the decryption keys will be discarded. You don’t have to use OneDrive for it, but you will want to make sure that you have backups in case the Personal Data Encryption keys are lost.
Unlike EFS, once you’ve enabled Personal Data Encryption, you don’t encrypt files through File Explorer: In fact, there’s no user interface for Personal Data Encryption at all. That’s because it’s controlled through APIs that developers use in applications; the first to enable PDE is the built-in Mail app, which can encrypt both email messages and attachments.
PDE is a partner to BitLocker
Again, Personal Data Encryption doesn’t replace BitLocker: It’s designed to be used alongside it for files that organizations decide need the extra protection.
If you have a line of business application that handles particularly sensitive information, you can use the PDE APIs to make sure the files can only be accessed by employees who are supposed to have access and only on managed devices that are Azure AD joined. You want that to be driven by your compliance policies rather than by giving individual employees a tool for encrypting files — which could be used by malicious insiders to hide data they shouldn’t have on their devices and might be trying to take outside the organization.
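To show what “using the PDE APIs” looks like in practice for the kind of line-of-business app described above, and how the protection levels from the earlier section appear to a developer, here is an added example that is not code from the article, from Microsoft or from the Mail app. It uses the WinRT Windows.Security.DataProtection API that shipped with the Windows 11 22H2 SDK; the type and member names (UserDataProtectionManager, ProtectStorageItemAsync, UserDataAvailability and the buffer calls) are as I know them from that SDK. The mapping of the article’s “level two” to UserDataAvailability.WhileUnlocked, and the use of UserDataAvailability.Always to remove protection, are my reading of that API rather than something the article states, and the file path is a placeholder.

```csharp
using System;
using System.Threading.Tasks;
using Windows.Security.Cryptography;      // CryptographicBuffer
using Windows.Security.DataProtection;    // UserDataProtectionManager and related types (SDK 22621+)
using Windows.Storage;
using Windows.Storage.Streams;

// Added example: a thin wrapper a line-of-business app could use to keep
// sensitive files and in-memory data under Personal Data Encryption.
public static class PdeFileProtection
{
    // PDE is per-user. TryGetForCurrentUser returns null when the user is not covered:
    // device not Azure AD joined, PDE policy not enabled, or no Windows Hello for Business.
    private static UserDataProtectionManager RequireManager()
    {
        UserDataProtectionManager manager = UserDataProtectionManager.TryGetForCurrentUser();
        if (manager == null)
            throw new InvalidOperationException("Personal Data Encryption is not available for this user.");
        return manager;
    }

    // The article's "level two": readable only while the session is unlocked; the keys are
    // discarded shortly after the lock screen appears. (Assumed mapping to WhileUnlocked.)
    public static async Task<UserDataStorageItemProtectionStatus> ProtectWhileUnlockedAsync(string path)
    {
        UserDataProtectionManager manager = RequireManager();
        StorageFile file = await StorageFile.GetFileFromPathAsync(path);
        return await manager.ProtectStorageItemAsync(file, UserDataAvailability.WhileUnlocked);
    }

    // Check a file's current level before attempting to open it.
    public static async Task<UserDataAvailability> GetAvailabilityAsync(string path)
    {
        UserDataProtectionManager manager = RequireManager();
        StorageFile file = await StorageFile.GetFileFromPathAsync(path);
        UserDataStorageItemProtectionInfo info = await manager.GetStorageItemProtectionInfoAsync(file);
        return info.Availability;
    }

    // There is no separate "unprotect file" call; re-protecting with Always makes the file
    // readable at any time, which is how an app removes PDE protection (assumed semantics).
    public static async Task<UserDataStorageItemProtectionStatus> RemoveProtectionAsync(string path)
    {
        UserDataProtectionManager manager = RequireManager();
        StorageFile file = await StorageFile.GetFileFromPathAsync(path);
        return await manager.ProtectStorageItemAsync(file, UserDataAvailability.Always);
    }

    // Data held in memory (for example an attachment before it is written out) can be
    // protected directly; AfterFirstUnlock corresponds to the less strict "level one".
    public static async Task<IBuffer> ProtectBytesAsync(byte[] plaintext, UserDataAvailability level)
    {
        UserDataProtectionManager manager = RequireManager();
        IBuffer input = CryptographicBuffer.CreateFromByteArray(plaintext);
        return await manager.ProtectBufferAsync(input, level);
    }

    // Returns null when the data is currently unavailable: the user signed in with a password
    // instead of Windows Hello, or the session locked and the keys were discarded.
    public static async Task<byte[]> UnprotectBytesAsync(IBuffer protectedBuffer)
    {
        UserDataProtectionManager manager = RequireManager();
        UserDataBufferUnprotectResult result = await manager.UnprotectBufferAsync(protectedBuffer);
        if (result.Status != UserDataBufferUnprotectStatus.Succeeded)
            return null;
        CryptographicBuffer.CopyToByteArray(result.UnprotectedBuffer, out byte[] bytes);
        return bytes;
    }

    // An app should react to lock/unlock transitions rather than failing mid-read:
    // the callback receives whether WhileUnlocked data is expected to stay readable.
    public static void WatchAvailability(Action<bool> onChange)
    {
        UserDataProtectionManager manager = RequireManager();
        manager.DataAvailabilityStateChanged += (sender, args) =>
            onChange(sender.IsContinuedDataAvailabilityExpected(UserDataAvailability.WhileUnlocked));
    }

    public static async Task Main()
    {
        const string path = @"C:\Placeholder\report.docx"; // placeholder path, not from the article
        Console.WriteLine(await ProtectWhileUnlockedAsync(path));
        Console.WriteLine(await GetAvailabilityAsync(path));
    }
}
```

Two design points follow from the article's description: the app decides the protection level, not the user, so the level belongs in configuration driven by compliance policy; and every read path has to tolerate the “unavailable” state, because a password sign-in or a locked session makes the same file legitimately unreadable for a while.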
Unlike files that are protected by tools like Azure Information Protection or Purview Information Protection where sensitivity labels and encryption are enforced on files permanently, users can decrypt files protected with Personal Data Encryption manually in File Explorer. Here’s how:
- Right-click on the file.
- Choose Properties.
- Click the Advanced button on the General tab — the same place you apply EFS encryption.
- Uncheck the option Encrypt contents to secure data.
Remember, you can’t encrypt the file again the same way; that can only be done by an application.
If you have a lot of encrypted files, you can use the CIPHER command to decrypt one or more files in a folder. You can only do that when you’ve logged in with Windows Hello for Business and already have access. This is not a security flaw, because if you had access, you could just copy and paste the contents of the file elsewhere anyway.
The Personal Data Encryption name is rather confusing: It’s personal because it’s tied to the way a person logs in with Windows Hello for Business, but it’s not something an individual can choose to use and it’s not for protecting personal files. Instead, it’s another building block for making Windows a more secure way to handle information — but only once there are more applications that make use of it.