Windows EFS encryption but (somehow) with password?
I imported the EFS certificate into my default user account to regain access.
It's not enough to import just the certificate; you have to import the corresponding private key as well. Make sure that you've selected "Export private key" and received a .pfx (or .p12) file, not just a .cer or .crt file.
Your certmgr.msc should show "You have a private key" after importing.
Note that EFS supports encrypting the same file with multiple users' certificates at once. The "guardian" user can add your certificate to some files either through the Properties dialog, or through cipher /adduser, and then you'll become able to read the files using your own keypair.
When trying to export/import the certificate I saw an option like "Very secure — prompt for password when opening", but it just didn't work
These options will not work for EFS, because the certificates are accessed by the filesystem driver, which is unable to prompt for confirmation. Only regular apps which use certificates for authentication or encryption (e.g. browsers) can make use of these security prompts.
And possibly in an easier way than I described, e.g. like transferring access to another (administrator?) user of mine which subsequently requires other users to enter a password to open if that's possible way to go?
You could do this by launching the specific application – text editor or file manager – as the guardian user, while still being logged in to your main account. This can be done using runas (or the "Run as different user" option that appears after Shift+rightclick).
For example, if you use runas /user:guardian notepad and input the password, then that Notepad instance will be able to access the protected files but the rest of your desktop will not.
This method works with EFS, but it doesn't strictly require EFS – as long as your main account is not an Administrator, you can just rely on the file permissions denying you access.
Downside: Some programs cannot be started with runas, e.g. the Windows Explorer file manager (use a third-party one instead, such as Total Commander) or modern UWP applications.
Or anything else, please? If not Windows-native, then at least available from the File Explorer context menu?
Most file archivers, such as WinRAR or 7-zip, support archiving files through the context menu and encrypting them using AES.
Is there a way to prevent unauthorized users from deleting files? I mean I know related permissions can be set in the Windows file properties, but afterwards it only took me (using my default user without read access) to "take ownership" of the file again.
Don't make your main account an administrator. Only administrators are allowed to take ownership of objects. (Removing yourself from the admin group should be mostly painless thanks to UAC.)
If you start with the assumption that an unauthorized user has system administrator rights, you will not go far at all. Administrator rights allow destroying data in many different ways.
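As an added example (not part of the answer above), this PowerShell script checks the two things the certificate/private-key and cipher /adduser parts of the answer rely on: whether the EFS certificates in the current user's store actually carry a private key, and whether any of them is on the list of keys allowed to decrypt a given file. It assumes the "Certificate thumbprint:" line format printed by cipher /c, and the file path is a placeholder.

```powershell
# Added example, not from the original answer. Requires Windows with EFS.
# Enhanced Key Usage OID that marks a certificate as usable for EFS.
$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'

function Get-EfsCertificate {
    # Certificates in the personal store whose EKU extension includes EFS.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $EfsEkuOid })
    }
}

function Test-EfsAccess {
    param([Parameter(Mandatory)][string]$Path)

    # Thumbprints of keys allowed to decrypt the file, as reported by "cipher /c".
    # Assumption: lines look like "Certificate thumbprint: XXXX XXXX ..." (spaces stripped).
    $allowed = & cipher.exe /c $Path | ForEach-Object {
        if ($_ -match 'Certificate thumbprint:\s*([0-9A-Fa-f ]+)\s*$') {
            ($Matches[1] -replace '\s', '').ToUpperInvariant()
        }
    }

    foreach ($cert in Get-EfsCertificate) {
        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            # $false here means only the .cer/.crt was imported, not the .pfx with the key.
            HasPrivateKey = $cert.HasPrivateKey
            # Decryption works only if the key is present AND the file lists this certificate.
            CanDecrypt    = $cert.HasPrivateKey -and ($allowed -contains $cert.Thumbprint)
        }
    }
}

# Placeholder path: replace with a file the guardian user encrypted.
Test-EfsAccess -Path 'C:\path\to\protected\file.txt' | Format-Table -AutoSize
```

If HasPrivateKey is false, re-export from the guardian account with "Export private key" selected; if it is true but CanDecrypt is false, the guardian still needs to run cipher /adduser for that file.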