File encryption and file decryption can be a bit of work. However, using a PowerShell extension, you can slim down the process to a one-line command. To do this, we need to install Gpg4win and a PowerShell module. Using scripts, we can automate the file encryption and decryption process.

Let's take a look at how to encrypt files in Windows 10 automatically with a script.

The Prerequisites: Installs, Modules, and Certs

You'll want to have the GPG4Win tools installed and configured before you begin. Head over to the project page and download the latest version. (If you need some guidance installing and configuring the tool, use this PDF guide.) You are going to use the symmetric cipher function of GPG4Win in this module.

This PowerShell module handles file encryption using a passphrase rather than a keypair. The strength of your encryption depends on the strength of your passphrase. You should make sure to choose something complex. Generate it using LastPass or another password manager. Finally, complete the installation and move on to the PowerShell module.

PowerShell modules are packaged collections of functions. They use the PSM1 file format. You save these files in your profile's Modules directory. Then, add the module to your session or script using Import-Module.

All the module's cmdlets are then available. As you advance your PowerShell skills, you can even create your own modules. To install the file encryption module, download it from TechNet.

Next, you need to copy it into one of the Modules directories. If you want to install it for just yourself, copy it into the WindowsPowerShell\Modules folder in your user folder. Paste this into Explorer for a shortcut:

        %UserProfile%\Documents\WindowsPowerShell\Modules
    

If you want to install the module for all users, use the Program Files\Windows PowerShell\Modules folder. Paste this into Explorer for a shortcut:

        %ProgramFiles%\Windows PowerShell\Modules
    

Create a new folder named GNUPG in the Modules directory and paste the PSM1 file into it.

You'll need to import the module each time using: Import-Module GnuPG. However, you may first need to change your execution policy to RemoteSigned so that the module is allowed to load. Do this by running the cmdlet Set-ExecutionPolicy RemoteSigned.

Since you downloaded this module, you still need to mark it as a local file. Right-click the file and select Properties. Next, in the dialog, click Unblock. Confirm your action in the UAC dialog, and you're set to use the module.

Working With the Cmdlets

Skip the first Cmdlet, which is used to install GPG4Win. You should have already completed this step. If not, you can use this cmdlet to install and configure the program. The cmdlet downloads it to a folder you choose and runs the installer. The other two are complementary: Add-Encryption and Remove-Encryption. Both of these take three parameters.

The first is a directory, passed as -FolderPath. The module will step through every file in a directory to apply or remove file encryption. You wouldn't want to point it at your Documents folder. You would want to create a couple of subfolders for working with this script. If you look at the source code for the Module, it's using Get-ChildItem to get everything in the directory. The decryption function limits the search to files ending in .GPG.

The next parameter is the passphrase used for the file encryption: -Password. Make sure that this is complex, as it is the protection for your file. The function steps through each of the files with a ForEach loop. The file and passphrase combine as arguments in Start-Process for GPG4Win.

The final parameter, -GPGPath, is not mandatory. It is set to the default install location for GPG4Win. If you have it on another drive, you can update it using this parameter. It changes the target for the Start-Process.

Writing the Script

Now it's time to automate the process. This script will encrypt the files in a directory. It then moves the encrypted files to a new directory and deletes the original files.

You start your script with some prep. First, import the module using Import-Module GnuPG. You need to set up a couple of variables. The first variable $EncryptionTarget is your target folder. (In the example, an environment variable is used to point to the current user's document folder.) Set the second variable as your passphrase. This step makes it easier to change it later.

        Import-Module GnuPG
        # Folder whose contents will be encrypted, and the symmetric passphrase
        $EncryptionTarget = "$($env:USERPROFILE)\Documents\Files-ToEncrypt"
        $Passphrase = "MakeAVeryLongSecurePhrase"
        Add-Encryption -FolderPath $EncryptionTarget -Password $Passphrase
        # Give GPG time to finish writing the .gpg files
        Start-Sleep -Seconds 60
        # Move the encrypted files out of the working folder
        $EncryptedFiles = Get-ChildItem $EncryptionTarget | Where-Object { $_.Name -like "*.gpg" }
        foreach ($gpg in $EncryptedFiles) {
          Move-Item -Path $gpg.FullName -Destination "$($env:USERPROFILE)\Documents\$($gpg.Name)"
        }
        # Delete the unencrypted originals without prompting
        $UnEncryptedFiles = Get-ChildItem $EncryptionTarget | Where-Object { $_.Name -notlike "*.gpg" }
        foreach ($nongpg in $UnEncryptedFiles) {
          Remove-Item -Path $nongpg.FullName -Confirm:$false
        }

Those variables go to Add-Encryption as parameters. You use a Start-Sleep to give the file encryption time to complete. The example uses three minutes. You can alter it based on the size and number of files you are working with.

You get the .GPG files by combining Get-ChildItem with Where-Object. Using a ForEach loop, each one of those files is moved to a new directory. The same steps are then repeated with -notlike in place of -like, and a second ForEach loop cleans up the original files.
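
A fixed Start-Sleep followed by deletion loses data if GPG has not finished when the cleanup runs. The variant below is an added example, not part of the original script or the module: it deletes an original only after its encrypted counterpart exists, is non-empty and has stopped growing. It assumes GPG writes "name.ext.gpg" next to "name.ext"; $Destination and $TimeoutSeconds are names introduced here.

```powershell
Import-Module GnuPG

$EncryptionTarget = "$($env:USERPROFILE)\Documents\Files-ToEncrypt"
$Destination      = "$($env:USERPROFILE)\Documents"
$Passphrase       = "MakeAVeryLongSecurePhrase"
$TimeoutSeconds   = 180   # upper bound to wait for each file (assumed value)

# Snapshot the plaintext files first, so files dropped into the folder
# while GPG is running are not deleted unencrypted.
$Originals = Get-ChildItem $EncryptionTarget -File |
    Where-Object { $_.Extension -ne ".gpg" }
if (-not $Originals) { return }

Add-Encryption -FolderPath $EncryptionTarget -Password $Passphrase

foreach ($file in $Originals) {
    # Assumption: GPG names its output "<original name>.gpg" in the same folder.
    $gpgPath  = "$($file.FullName).gpg"
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    $lastSize = -1
    $ready    = $false

    # Poll until the output exists, is non-empty and its size is stable.
    # A stable size is a heuristic for "GPG has finished writing".
    while ((Get-Date) -lt $deadline) {
        if (Test-Path -LiteralPath $gpgPath) {
            $size = (Get-Item -LiteralPath $gpgPath).Length
            if ($size -gt 0 -and $size -eq $lastSize) { $ready = $true; break }
            $lastSize = $size
        }
        Start-Sleep -Seconds 2
    }

    if ($ready) {
        # -ErrorAction Stop halts the script if the move fails,
        # so the plaintext is never removed after a failed move.
        Move-Item   -LiteralPath $gpgPath -Destination $Destination -ErrorAction Stop
        Remove-Item -LiteralPath $file.FullName -Confirm:$false
    }
    else {
        # Keep the plaintext: deleting it now could destroy the only copy.
        Write-Warning "No complete .gpg for $($file.Name); original left in place."
    }
}
```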

Setting the Recurring Task

You have the script, now you need to create a scheduled task. Open Task Scheduler and click Create Task.

Name it something like AutoEncrypt. If you only want the task to run when you are logged in, just leave the default. If you set it to run regardless, it can only access local directories. However, if your destination is on a remote machine, you need to store your password for the job to run. You may want to set up a secondary account to protect the security of your main account.

Click on the Triggers tab to set up the conditions. Next, click on New to pull up the scheduling window. You can leave the trigger settings set to the default. Click the checkbox next to Repeat Task Every and set it to 5 Minutes. You can choose to run this less often if your need isn't urgent. In the dropdown next to for the duration of: select Indefinitely. Click OK to go back to the Create Task window.

On the Actions tab, click New. In the popup, put the path to PowerShell in the Program box:

        %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe
    

In the arguments box put ./ and the path to your script. Click OK twice and your script is set to run as a Scheduled task.
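
The same task can be registered from PowerShell with the built-in ScheduledTasks cmdlets. This is an added example, not part of the original article: the script path is a placeholder, and it passes the script through powershell.exe's -File parameter.

```powershell
# Assumption: the script above was saved to this placeholder path.
$ScriptPath = 'C:\Scripts\AutoEncrypt.ps1'
if (-not (Test-Path -LiteralPath $ScriptPath)) {
    throw "Script not found: $ScriptPath"
}

# Action: run the script with Windows PowerShell, skipping profile scripts.
$Action = New-ScheduledTaskAction `
    -Execute "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" `
    -Argument "-NoProfile -File `"$ScriptPath`""

# Trigger: start now and repeat every 5 minutes. Leaving out
# -RepetitionDuration repeats indefinitely on Windows 10.
$Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) `
    -RepetitionInterval (New-TimeSpan -Minutes 5)

# Principal: run only while the current user is logged on, without elevation.
# No password is stored for the task in this mode.
$Principal = New-ScheduledTaskPrincipal `
    -UserId "$env:USERDOMAIN\$env:USERNAME" `
    -LogonType Interactive -RunLevel Limited

Register-ScheduledTask -TaskName 'AutoEncrypt' `
    -Action $Action -Trigger $Trigger -Principal $Principal

# Read the task back to confirm what was registered and who it runs as.
Get-ScheduledTask -TaskName 'AutoEncrypt' |
    Select-Object TaskName, State, @{ n = 'RunAs'; e = { $_.Principal.UserId } }
```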

Some Security Concerns and Other Ideas

Be aware that the passphrase needed to decrypt the files sits on the same machine where you are storing them. This type of file encryption is better suited to encrypting a file before you send it or store it on another machine. (If you want a locked down file system, use Full Disk Encryption.) You can set up a similar task to do the same with decryption.

Do you have a project that needs a quick and dirty file encryption script? Let us know in the comments.