Encrypting File System

EFS (Encrypting File System) uses public-key encryption to encrypt and protect files.
A user encrypts a file, EFS automatically generates a bulk symmetric encryption key and then encrypts the file by using the key. EFS then utilizes the user’s public key to encrypt the bulk encryption key. (The user’s key is called a File Encryption Key, or FEK.) EFS stores the FEK for an encrypted file within an attribute called the Data Decryption Field (DDF) in the file itself. Additionally, EFS also encrypts the bulk encryption key by using the recovery agent’s public key.

This FEK is stored in the Data Recovery Field (DRF) of the file. The DRF can include data for multiple recovery agents. Each time EFS saves the file, it generates a new DRF by using the current recovery-agent list, which is based on the recovery policy.

Here is the document how to encrypt.

Encrypting File System