Automate File Encryption in Windows With This Powershell Script

File encryption and file decryption can be a bit of work. However, using a PowerShell module, you can slim down the process to a one-line command. To do this, we need to install Gpg4win and a PowerShell module. Using scripts, we can automate the file encryption and decryption process.

Let’s take a look at how to encrypt files in Windows 10 automatically with a script.

The Prerequisites: Installs, Modules, and Certs

You’ll want to have the GPG4Win tools installed and configured before you begin. Head over to the project page and download the latest version. (If you need some guidance installing and configuring the tool, use this PDF guide.) You are going to use the symmetric cipher function of GPG4Win in this module.

This PowerShell module handles file encryption using a passphrase rather than a keypair. The strength of your encryption depends on the strength of your passphrase, so choose something complex; generate it using LastPass or another password manager. Finally, complete the installation and move on to the PowerShell module.


PowerShell modules are packaged collections of functions. They use the PSM1 file format. You save these files in your profile's Modules directory, then add the module to your session or script using Import-Module.

All the module's cmdlets are then available. As you advance your PowerShell skills, you can even create your own modules. To install the file encryption module, download it from TechNet.

Next, you need to copy it into one of the Modules directories. If you want to install it for just yourself, copy it into the WindowsPowerShell\Modules folder under Documents in your user folder. Paste this into Explorer for a shortcut:

%UserProfile%\Documents\WindowsPowerShell\Modules

If you want to install the module for all users, use the Program Files\WindowsPowerShell\Modules folder. Paste this into Explorer for a shortcut:

%ProgramFiles%\WindowsPowerShell\Modules

Create a new folder named GNUPG in the Modules directory and paste the PSM1 file into it.


You'll need to import the module each time using Import-Module GnuPG. However, you may first need to relax your execution policy so that local scripts are allowed to run. Do this by running the cmdlet Set-ExecutionPolicy RemoteSigned.


Since you downloaded this module, you still need to mark it as a local file. Right-click the file and select Properties. Next, in the dialog, click Unblock. Confirm your action in the UAC dialog, and you're set to use the module.

Working With the Cmdlets

Skip the first cmdlet, which is used to install GPG4Win. You should have already completed this step. If not, you can use this cmdlet to install and configure the program: it downloads the installer to a folder you choose and runs it. The other two are complementary: Add-Encryption and Remove-Encryption. Both of these take three parameters.


The first is a directory, passed as -FolderPath. The module steps through every file in that directory to apply or remove file encryption, so you wouldn't want to point it at your Documents folder; create a couple of subfolders for working with this script instead. If you look at the source code for the module, it uses Get-ChildItem to get everything in the directory. The decryption function limits the search to files ending in .GPG.


The next parameter is the passphrase used for the file encryption: -Password. Make sure that this is complex, as it is the protection for your file. The function steps through each of the files with a ForEach loop. The file and passphrase combine as arguments in Start-Process for GPG4Win.

The final parameter, -GPGPath, is not mandatory. It is set to the default install location for GPG4Win. If you have it on another drive, you can update it using this parameter. It changes the target for Start-Process.

Writing the Script

Now it's time to automate the process. This script encrypts the files in a directory, moves the encrypted files to a new directory, and deletes the original files.

You start your script with some prep. First, import the module using Import-Module GnuPG. Then set up a couple of variables. The first, $EncryptionTarget, is your target folder. (In the example, an environment variable is used to point to the current user's Documents folder.) Set the second variable to your passphrase. This makes it easier to change later.

Import-Module GnuPG
$EncryptionTarget = "$($env:USERPROFILE)\Documents\Files-ToEncrypt"
$Passphrase = "MakeAVeryLongSecurePhrase"
Add-Encryption -FolderPath $EncryptionTarget -Password $Passphrase
# Add-Encryption launches gpg with Start-Process, so give it time to finish (three minutes here)
Start-Sleep -Seconds 180
# Collect the newly written .gpg files and move them out of the working folder
$EncryptedFiles = Get-ChildItem $EncryptionTarget | Where-Object { $_.Name -like "*.gpg" }
foreach ($gpg in $EncryptedFiles) {
  Move-Item -Path $gpg.FullName -Destination "$($env:USERPROFILE)\Documents\$($gpg.Name)"
}
# Clean up the plaintext originals left behind in the working folder
$UnEncryptedFiles = Get-ChildItem $EncryptionTarget | Where-Object { $_.Name -notlike "*.gpg" }
foreach ($nongpg in $UnEncryptedFiles) {
  Remove-Item -Path $nongpg.FullName -Confirm:$false
}

Those variables go to Add-Encryption as parameters. You use a Start-Sleep to give the file encryption time to complete; the example uses three minutes. You can alter it based on the size and number of files you are working with.

You get the .GPG files by combining Get-ChildItem with Where-Object. Using a ForEach loop, each of those files is moved to a new directory. You then repeat these steps, switching -like for -notlike, and a second ForEach loop cleans up the original files.
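The fixed Start-Sleep above is a guess: if gpg is still running, or failed, when the cleanup loop reaches a file, the plaintext is deleted with no encrypted copy to show for it. The following is an added example, not code from the article or the GnuPG module, that keeps the same workflow but only discards an original once its .gpg counterpart is present and non-empty. It assumes, as the article's own script does, that Add-Encryption writes <name>.gpg beside each file it processes.

```powershell
# Added example: the article's workflow with a safety check before deleting plaintext.
# Assumption (matches the article's script): Add-Encryption writes <name>.gpg next to each file.
Import-Module GnuPG

$EncryptionTarget = "$($env:USERPROFILE)\Documents\Files-ToEncrypt"
$Destination      = "$($env:USERPROFILE)\Documents"
$Passphrase       = "MakeAVeryLongSecurePhrase"   # still stored in the script; see Security Concerns
$TimeoutSeconds   = 180

# Nothing to do? Exit quietly so a frequently scheduled task stays cheap.
$Originals = Get-ChildItem -Path $EncryptionTarget -File | Where-Object { $_.Extension -ne '.gpg' }
if (-not $Originals) { return }

Add-Encryption -FolderPath $EncryptionTarget -Password $Passphrase

# Poll instead of a fixed sleep: wait until every original has a non-empty
# .gpg counterpart, or give up after the timeout.
$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
do {
    Start-Sleep -Seconds 5
    $Pending = $Originals | Where-Object {
        $gpg = "$($_.FullName).gpg"
        -not (Test-Path $gpg) -or (Get-Item $gpg).Length -eq 0
    }
} while ($Pending -and (Get-Date) -lt $deadline)

foreach ($file in $Originals) {
    if ($file -in $Pending) {
        # No usable ciphertext: keep the plaintext rather than losing the data.
        Write-Warning "No encrypted output for $($file.Name); leaving the original in place"
        continue
    }
    $gpg = "$($file.FullName).gpg"
    Move-Item -Path $gpg -Destination (Join-Path $Destination "$($file.Name).gpg")
    # Only now is it safe to discard the plaintext copy.
    Remove-Item -Path $file.FullName -Confirm:$false
}
```

Files that time out are reported with Write-Warning and left untouched, so the next scheduled run simply picks them up again.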

Setting the Recurring Task

You have the script; now you need to create a scheduled task. Open Task Scheduler and click Create Task.


Name it something like AutoEncrypt. If you only want the task to run when you are logged in, leave the default. If you set it to run whether you are logged in or not, it can only access local directories, and if your destination is on a remote machine you need to store your password for the job to run. You may want to set up a secondary account to protect the security of your main account.


Click on the Triggers tab to set up the conditions. Next, click New to pull up the scheduling window. You can leave the trigger settings at the default. Tick the checkbox next to Repeat task every and set it to 5 minutes; you can run it less often if your need isn't urgent. In the dropdown next to for a duration of, select Indefinitely. Click OK to go back to the Create Task window.


On the Actions tab, click New. In the popup, put the path to PowerShell in the Program box:

%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe

In the Arguments box, put ./ followed by the path to your script. Click OK twice, and your script is set to run as a scheduled task.

Some Security Concerns and Other Ideas

Be aware that the passphrase needed to decrypt the files lives on the same machine where you are storing them. This type of file encryption is better suited to encrypting a file before you send it, or before you store it on another machine. (If you want a locked-down file system, use full disk encryption.) You can set up a similar task to do the same with decryption.
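One way to build the decryption counterpart without leaving the passphrase in a script file is to run it interactively and read the passphrase at a masked prompt. This is an added example, not code from the article or the module; it assumes Remove-Encryption takes -FolderPath and -Password as described above and writes each decrypted file beside the .gpg with the extension stripped (an assumption about the module's output location).

```powershell
# Added example: interactive decryption; the passphrase is typed, never stored on disk.
# Assumption: Remove-Encryption writes <name> next to <name>.gpg for each file it decrypts.
Import-Module GnuPG

$DecryptionTarget = "$($env:USERPROFILE)\Documents\Files-ToDecrypt"

$Ciphertexts = Get-ChildItem -Path $DecryptionTarget -File -Filter '*.gpg'
if (-not $Ciphertexts) { Write-Host 'No .gpg files to decrypt'; return }

# Read the passphrase masked. The module wants a plain string, so it is
# unwrapped only for the duration of the call and the BSTR is zeroed afterwards.
$Secure = Read-Host -Prompt 'Passphrase' -AsSecureString
$Bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
try {
    $Plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($Bstr)
    Remove-Encryption -FolderPath $DecryptionTarget -Password $Plain
}
finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($Bstr)
    Remove-Variable -Name Plain -ErrorAction SilentlyContinue
}

# Wait (with a timeout) for the decrypted files to appear. The .gpg copies are
# deliberately left in place: a wrong passphrase or a gpg failure then loses nothing.
$deadline = (Get-Date).AddSeconds(180)
do {
    Start-Sleep -Seconds 5
    $Missing = $Ciphertexts | Where-Object { -not (Test-Path ($_.FullName -replace '\.gpg$', '')) }
} while ($Missing -and (Get-Date) -lt $deadline)

if ($Missing) { Write-Warning "Not decrypted: $($Missing.Name -join ', ')" }
else          { Write-Host "Decrypted $($Ciphertexts.Count) file(s) into $DecryptionTarget" }
```

Either way, the module hands the passphrase to gpg as a Start-Process argument, so it is visible in process listings on the machine for as long as gpg runs.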

Do you have a project that needs a quick and dirty file encryption script? Let us know in the comments.


  1. Kamel
    December 5, 2018 at 4:17 pm

    Nice trick! There is a third-party program (Lock My Folders) that can also do it.

  2. Ot
    January 23, 2018 at 6:45 am

    Thanks for your detailed article.
    You didn't mention how / where my password is kept (if at all).

    If I do it as a service, the password needs to be in clear somewhere, right?

    • Michael
      January 23, 2018 at 3:19 pm

      Yeah, you will need to keep it in the script. Though what you could do is have it prompt you to enter an encryption password. To make this a little easier on yourself, what you could do is set the script to only run if Get-ChildItem returns files. You would only be able to run it when you're logged in, but that wouldn't be bad. (If you're talking about your Windows password, that is stored as part of the Scheduled Task. AFAIK having this saved as part of the task makes your account vulnerable to Pass the Hash. Though this is a larger issue in the enterprise.)