Windows 7 provides the following encryption tools for preventing the loss of confidential data:

- Encrypting File System (EFS) encodes your files so that even if someone is able to obtain the files, he or she won't be able to read them. The files are readable only when you log on to the computer using your user account (which, presumably, you have protected with a strong password). In fact, even someone else logging on to your computer won't have access to your encrypted files, a feature that provides protection on systems that are shared by more than one user.

- BitLocker Drive Encryption, introduced with Windows Vista, provides another layer of protection by encrypting entire hard-disk volumes. By linking this encryption to a key stored in a Trusted Platform Module (TPM) or USB flash drive, BitLocker reduces the risk of data being lost when a computer is stolen, or when a hard drive is stolen and placed in another computer. A thief's standard approach in these situations is to boot into an alternate operating system and then try to retrieve data from the stolen computer or drive. With BitLocker Drive Encryption, that type of offline attack is effectively neutered.

- BitLocker To Go, new in Windows 7, extends BitLocker encryption to removable media, such as USB flash drives.

EFS is available on systems running Windows 7 Professional or Ultimate/Enterprise. Encrypting a drive using BitLocker or BitLocker To Go requires Ultimate/Enterprise edition. You can use a flash drive encrypted with BitLocker To Go in any edition of Windows 7.
1. Using the Encrypting File System
The Encrypting File System
(EFS) provides a secure way to store your sensitive data. Windows
creates a randomly generated file encryption key (FEK) and then
transparently encrypts the data, using this FEK, as it is being written
to disk. Windows then encrypts the FEK using your public key. (Windows
creates a personal encryption certificate with a public/private key pair
for you the first
time you use EFS.) The FEK, and therefore the data it encrypts, can be decrypted
only with your certificate and its associated private key, which are
available only when you log on with your user name and password.
(Designated data recovery agents can also decrypt your data.) Other
users who attempt to use your encrypted files receive an "access denied"
message. Even administrators and others who have permission to take
ownership of files are unable to open your encrypted files. EFS, which
uses Advanced
Encryption Standard (AES) with a 256-bit key as its default encryption
algorithm, provides extremely strong protection against attackers.
You can encrypt
individual files, folders,
or entire drives. (You cannot encrypt the boot volume—the one with the
Windows operating system files—using EFS, however. For that, you must use BitLocker Drive
Encryption.) We recommend that you encrypt folders or drives instead of
individual files. When you encrypt a folder or drive, the existing files
it contains are encrypted, and new files that you create in that folder
or drive are also encrypted automatically. This includes temporary
files that your applications create in the folder or drive. (For
example, Microsoft Office Word creates a copy of a document when you
open it for editing. If the document's folder isn't encrypted, the
temporary copy isn't encrypted—giving prying eyes a potential
opportunity to view your data.) For this reason, you should consider
encrypting your %Temp% and %Tmp% folders, which many applications use to
store temporary copies of documents that are open for editing, in
addition to encrypting the folders where your sensitive documents are
stored.
To encrypt a folder, follow these steps:

1. In Windows Explorer, right-click the folder, choose Properties, click the General tab, and then click Advanced, which displays the dialog box shown next. (If the properties dialog box doesn't have an Advanced button, the folder is not on an NTFS-formatted volume and you can't use EFS.)

2. Select Encrypt Contents To Secure Data. (Note that you can't encrypt compressed files. If the files are already compressed, Windows clears the Compressed attribute.)

3. Click OK twice. If the folder contains any files or subfolders, Windows then displays a confirmation message.
Note:
If you select Apply
Changes To This Folder Only, Windows doesn't encrypt any of the files
currently in the folder. Any new files that you create in the folder,
however, including files that you copy or move to the folder, will be
encrypted.
After a file or folder has
been encrypted, Windows Explorer displays its name in green. This minor
cosmetic detail is the only change you are likely to notice. Windows
will decrypt your files
on the fly as you use them and re-encrypt them when you save.
Warning:
Before you encrypt anything important, you should back
up your file recovery
certificate and your personal encryption certificate (with their
associated private keys), as well as the data recovery agent
certificate, to a USB flash drive (UFD). Store the UFD in a secure
location. If you ever lose the certificate stored on your hard drive
(because of a disk
failure, for example), you can restore the backup copy and regain access
to your files. If you lose all copies of your certificate (and no data
recovery agent certificates exist), you won't be able to use your encrypted files.
No back door exists, nor is there any practical way to hack these files.
(If there were, it wouldn't be very good encryption.)
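The folder-encryption procedure above and the certificate backup the warning calls for can both be scripted. The following PowerShell is an added example, not code from the book: it uses the built-in cipher.exe to encrypt a folder tree (including the %Temp% and %Tmp% folders the text recommends), verifies which files actually carry the NTFS Encrypted attribute, and exports the user's EFS certificate and private key to a .pfx on a flash drive. The folder names and the E: drive letter are assumptions; a Professional/Ultimate/Enterprise edition and an NTFS volume are required.

```powershell
# Added example, not from the book. Assumes Windows 7 with cipher.exe on the
# PATH (it ships with Windows) and that E: is the USB flash drive for backups.

function Test-EfsEncrypted {
    # True when the file or folder carries the NTFS Encrypted attribute.
    param([Parameter(Mandatory=$true)][string]$Path)
    $item = Get-Item -LiteralPath $Path -Force
    return (($item.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0)
}

function Get-UnencryptedFiles {
    # Files under a folder that are still in the clear. Compressed files show
    # up here because EFS cannot encrypt a file that is NTFS-compressed.
    param([Parameter(Mandatory=$true)][string]$Folder)
    Get-ChildItem -LiteralPath $Folder -Recurse -Force |
        Where-Object { -not $_.PSIsContainer } |
        Where-Object { -not (Test-EfsEncrypted $_.FullName) }
}

function Protect-FolderWithEfs {
    # Equivalent of Properties > Advanced > "Encrypt contents to secure data"
    # applied to the folder, its subfolders and files: /e marks directories,
    # /a also encrypts existing files, /s: recurses into subdirectories.
    param([Parameter(Mandatory=$true)][string]$Folder)
    & cipher.exe /e /a "/s:$Folder" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "cipher.exe failed on $Folder (is the volume NTFS?)" }
}

function Backup-EfsCertificate {
    # Exports the current user's EFS certificate and private key. cipher /x
    # prompts for a password that protects the .pfx; .pfx is appended for you.
    param([Parameter(Mandatory=$true)][string]$PfxPathWithoutExtension)
    & cipher.exe /x $PfxPathWithoutExtension
}

# Assumed target folders: a documents folder plus the per-user temp folders.
$targets = @("$env:USERPROFILE\Documents\Sensitive", $env:TEMP, $env:TMP) |
    Select-Object -Unique
foreach ($t in $targets) {
    if (Test-Path -LiteralPath $t) {
        Protect-FolderWithEfs $t
        $left = @(Get-UnencryptedFiles $t)
        "{0}: folder encrypted={1}, files still unencrypted={2}" -f $t, (Test-EfsEncrypted $t), $left.Count
        $left | ForEach-Object { "  cleartext: " + $_.FullName }
    }
}
Backup-EfsCertificate "E:\efs-backup\$env:USERNAME-efs"
```

Run it from the account whose files are being protected, because EFS keys are per user; any file reported as cleartext after the run is either compressed or on a non-NTFS volume.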
To encrypt one or more
files, follow the same procedure as for folders. You'll see a different
confirmation message to remind you that the file's folder is not
encrypted and to give you an opportunity to encrypt it. You generally
don't want to encrypt individual files, because the information you
intend to protect can too easily become decrypted without your
knowledge. For example, with some applications, when you open a document
for editing, the application creates a copy of the original document.
When you save the document after editing, the application saves the
copy—which is not encrypted—and deletes the original, encrypted
document. Static files that you use for reference only—but never for
editing—can safely be encrypted without encrypting the parent folder.
Even in that situation, however, you'll probably find it simpler to
encrypt the whole folder.