In my 10 years supporting Toronto users at a downtown MSP, “How do I encrypt this folder?” is the question I get most often after a laptop walks out of a coffee shop on King Street. Encryption isn’t optional for anyone carrying client data, tax records, or passwords – and Windows 11 24H2 finally makes it accessible without third-party software, even on Home edition.
I tested every method below on a fresh Windows 11 24H2 install (build 26100.2605) on a Lenovo ThinkPad X1 Carbon in January 2026. Here’s what actually works, what’s free, and what to skip.

What’s the difference between BitLocker, EFS, and VeraCrypt?
Quick decoder before we dive in. BitLocker encrypts an entire drive at the volume level – think of it as a vault door on the whole hard drive. EFS (Encrypting File System) encrypts individual files or folders inside NTFS, tied to your Windows user account. VeraCrypt creates encrypted container files (or full drives) that work across Windows, macOS, and Linux. 7-Zip bundles files into a password-protected .7z archive using AES-256.
If you only remember one rule: BitLocker for the drive, VeraCrypt for portable encrypted vaults, 7-Zip for a single archive you’re about to email.
How do I enable BitLocker on Windows 11 Pro?
BitLocker is the gold standard, but it’s officially Pro, Enterprise, and Education only. If you’re on Home, jump to the Device Encryption section below.
- Open Settings. Press Win + I, go to Privacy & security, then Device encryption (or search “Manage BitLocker” in Start).
- Pick your drive. Click “Turn on BitLocker” next to C: (or any data drive).
- Choose how to unlock. On a TPM 2.0 machine (any PC built after 2018), pick TPM + PIN for the strongest setup. A 6-20 digit PIN at boot stops casual thieves cold.
- Back up the recovery key. Save to your Microsoft account, a USB drive, AND print a paper copy. I have lost count of how many techs have bricked drives because they skipped this step.
- Choose encryption scope. “Encrypt used disk space only” is fast on a new drive. “Encrypt entire drive” is mandatory on a used one.
- Start encrypting. A 512GB SSD takes about 20-40 minutes on my ThinkPad. You can keep working.
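
Once encryption finishes, the choices made in the steps above can be checked from an elevated PowerShell window. This is an added example, not part of the original walkthrough; the function name `Test-BitLockerSetup` and the default drive letter are assumptions, and the check is read-only.

```powershell
# Added example (not from the original article). Read-only audit of the
# BitLocker choices above. Run in an elevated PowerShell window.
function Test-BitLockerSetup {
    param([string]$MountPoint = 'C:')   # assumption: drive being checked

    $vol      = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $types    = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    $findings = @()

    if ($vol.EncryptionPercentage -lt 100) {
        $findings += "Encryption incomplete: $($vol.VolumeStatus), $($vol.EncryptionPercentage)%"
    }
    if ("$($vol.ProtectionStatus)" -ne 'On') {
        $findings += 'Protection is off or suspended'
    }
    if ($types -notcontains 'TpmPin') {
        $findings += "No TPM + PIN protector (found: $($types -join ', '))"
    }
    if ($types -notcontains 'RecoveryPassword') {
        $findings += 'No recovery password protector, so there is no recovery key to back up'
    }

    # Report protector IDs only. Compare them with the identifier on the
    # printed or saved recovery key; the 48-digit password is not shown.
    $recoveryIds = $vol.KeyProtector |
        Where-Object { "$($_.KeyProtectorType)" -eq 'RecoveryPassword' } |
        ForEach-Object { $_.KeyProtectorId }

    [pscustomobject]@{
        MountPoint  = $vol.MountPoint
        Method      = $vol.EncryptionMethod
        Status      = $vol.VolumeStatus
        RecoveryIds = $recoveryIds
        Findings    = $findings
        Pass        = ($findings.Count -eq 0)
    }
}

Test-BitLockerSetup -MountPoint 'C:' | Format-List
```

If the identifier on your printed recovery key does not match any entry in `RecoveryIds`, the backup belongs to an older protector and will not unlock this drive.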

What about Windows 11 Home – is there free encryption?
Yes. Microsoft quietly enables Device Encryption on Home edition if your hardware meets the modern standby + TPM 2.0 requirements (almost all 2020+ laptops do). Open Settings, Privacy & security, Device encryption. If the toggle is there, flip it on. The recovery key auto-syncs to your Microsoft account at account.microsoft.com/devices/recoverykey.
Honest caveat: Device Encryption only protects the system drive, and it activates only when you sign in with a Microsoft account (not local accounts). It also lacks the PIN-at-boot option Pro users get. If you need stronger control on Home, use VeraCrypt instead.
How do I use EFS to encrypt individual folders?
EFS is the forgotten Windows feature. Works on Pro and above, NTFS drives only. Right-click any folder, Properties, Advanced, check “Encrypt contents to secure data.” Done – the folder turns green in Explorer.
The catch: EFS is tied to your Windows user account. If you reinstall Windows or your profile corrupts and you didn’t export your EFS certificate (certmgr.msc), those files are gone. Back up the certificate the moment you turn EFS on.
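The certificate backup can also be scripted instead of clicking through certmgr.msc. This is an added example, not the author's procedure; the scan folder and the backup path on `E:` are assumptions, and it runs as the user who owns the encrypted files.

```powershell
# Added example (not from the original article). Paths are assumptions.
$Root      = "$env:USERPROFILE\Documents"   # assumed folder to scan
$BackupDir = 'E:\efs-backup'                # assumed removable drive
$EfsOid    = '1.3.6.1.4.1.311.10.3.4'       # Encrypting File System EKU

# 1. How much data depends on the EFS key?
$encrypted = @(Get-ChildItem -Path $Root -Recurse -File -Attributes Encrypted `
                 -ErrorAction SilentlyContinue)
"{0} EFS-encrypted file(s) under {1}" -f $encrypted.Count, $Root

# 2. Find EFS certificates in the user store that still have a private key.
$certs = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $EfsOid)
})
if ($certs.Count -eq 0) {
    Write-Warning 'No EFS certificate with a private key in CurrentUser\My.'
    return
}

# 3. Export each one to a password-protected PFX, then re-open the file to
#    confirm the backup is readable before trusting it.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$pw = Read-Host -AsSecureString 'Password to protect the PFX files'
foreach ($c in $certs) {
    $file = Join-Path $BackupDir "efs-$($c.Thumbprint).pfx"
    Export-PfxCertificate -Cert $c -FilePath $file -Password $pw | Out-Null
    $check = Get-PfxData -FilePath $file -Password $pw
    if ($check.EndEntityCertificates.Thumbprint -contains $c.Thumbprint) {
        "OK   $file (expires $($c.NotAfter.ToString('yyyy-MM-dd')))"
    } else {
        Write-Warning "Backup $file did not verify"
    }
}
```

Keep the PFX and its password off the machine that holds the encrypted files; a backup stored on the same drive disappears with the profile it was meant to protect.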
Is VeraCrypt still safe to use in 2026?
Yes – VeraCrypt 1.26.20 (released October 2025) remains the gold-standard free option. It’s the open-source successor to TrueCrypt, audited multiple times, and supports AES, Serpent, Twofish, and cascaded combinations.
To create a 5GB encrypted vault:
- Install VeraCrypt from the official site (verify the GPG signature if you’re paranoid).
- Click Create Volume, pick “Create an encrypted file container.”
- Standard volume, save it as C:\Vault\my-vault.hc.
- Encryption: AES, Hash: SHA-512. AES is hardware-accelerated on every modern CPU.
- Size: 5 GB. Pick a passphrase 20+ characters – a Diceware sentence works great.
- Mount it as drive V: whenever you need it. Dismount when done.

VeraCrypt containers work cross-platform, which is why I keep client tax files in one on my OneDrive. Even Microsoft can’t read them.
When should I just use 7-Zip AES-256 instead?
For a single folder you’re about to email, attach to Slack, or upload to a sharing site, 7-Zip is faster than spinning up VeraCrypt. Install 7-Zip 24.09 (the current 2025 release), right-click your folder, 7-Zip, Add to archive. Pick .7z format, AES-256 encryption, check “Encrypt file names,” set a strong password.
The receiver needs 7-Zip too (or Keka on Mac), but that’s a one-minute install. I send sensitive PDFs this way constantly – far safer than emailing a plain attachment.
What encryption mistakes have I seen burn people?
Three from real Toronto support tickets:
- No recovery key backup. A client’s TPM chip failed; without the key, the 1TB drive was scrap.
- EFS without certificate export. User reinstalled Windows “to clean things up.” 8 years of photos: encrypted, unrecoverable.
- Weak VeraCrypt passwords. “Summer2024!” is not a passphrase. Use 20+ characters minimum.

For password storage, I cover Bitwarden and 1Password in my free password manager comparison. For full-system backups before you encrypt, see my backup software roundup. And if you’re new to Windows 11, my bloatware removal guide is the first thing to run on a fresh PC.
Frequently Asked Questions
Does BitLocker slow down my SSD?
On any CPU from the last decade with AES-NI instructions, the performance hit is under 2-3%. You won’t feel it. The exception is cheap budget SSDs without hardware encryption support – those can lose 10-15% on heavy writes.
Can the FBI break BitLocker?
Not the encryption itself – AES-256 with a strong password is mathematically infeasible to brute-force in 2026. They’d attack the recovery key (often stored in your Microsoft account, which is subpoena-able) or wait for you to unlock the drive.
Is Windows 11 Home encryption good enough?
Device Encryption is solid against laptop theft. It’s weaker than full BitLocker (no boot PIN, ties to MS account) but better than nothing – which is what most Home users have today.
What happens if I forget my VeraCrypt password?
There is no recovery. None. That’s the whole point. Write the passphrase down and store it in a physical safe, or use a password manager backed up separately.
Should I encrypt my external USB drives?
Absolutely. BitLocker To Go (Pro) or VeraCrypt for cross-platform drives. I lost a 2TB external in a taxi in 2022 – unencrypted – and spent six months sweating over client data. Never again.