2. Protect Your Files with Encryption
Encryption effectively adds another layer of protection for your especially sensitive data, ensuring that a file can only be viewed by its creator (well, sort of). If any other user—even someone with administrator privileges—attempts to view the file, she will see only gibberish.
When a file is marked for encryption, the encryption and decryption of the file are handled by Windows invisibly in the background when its creator writes and views the file, respectively. The problem is that Windows Vista's on-the-fly encryption can be somewhat unpredictable, and security is one place where you don't want there to be any guesswork.
Encryption is a feature of the NTFS filesystem and is not available with any other filesystem. This means that if you copy an encrypted file onto, say, a memory card, USB key, or CD, the file will become unencrypted, since none of those drives support NTFS.
Here's how to encrypt a file:
Right-click one or more files in Windows Explorer and select Properties.
Under the General tab, click the Advanced button.
Turn on the Encrypt contents to secure data option, click OK, and click OK again.
If you encrypt a folder that contains files or other folders, Windows will ask you whether or not you want those contents to be encrypted as well. In most cases, you'll want to answer Yes. If you decline, the folder's current contents will remain unencrypted, and only newly created files will be encrypted.
After a file has been encrypted, you can continue to use it normally. You'll never have to manually decrypt an encrypted file in order to view it.
Encrypting a file may not guarantee that it remains encrypted forever. For example, some applications, when editing and saving files, will delete the original file and then recreate it in the same place. If the application is unaware of encryption, the protection will be lost. The workaround is to encrypt the folder containing the file rather than the file itself.
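To check for both gaps described above (contents left unencrypted inside an encrypted folder, and individually encrypted files that an application could recreate without protection), this added example, which is not part of the original text, walks a folder tree and compares each file's Encrypted attribute with that of its parent folder. It assumes PowerShell 2.0 or later is installed; Get-EfsCoverage is a hypothetical helper name and the Documents path is a placeholder.

```powershell
# Added example (not from the original text). Assumes PowerShell 2.0 or later.
# Get-EfsCoverage is a hypothetical helper name.
function Get-EfsCoverage {
    param([Parameter(Mandatory = $true)][string]$Root)

    $encrypted = [System.IO.FileAttributes]::Encrypted

    # -Force includes hidden and system files; unreadable folders are skipped.
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $fileEnc   = [bool]($_.Attributes -band $encrypted)
            $folderEnc = [bool]($_.Directory.Attributes -band $encrypted)

            # Two mismatches matter:
            #  - a plain file inside an encrypted folder (for example, contents
            #    left unencrypted when the folder itself was encrypted)
            #  - an encrypted file inside a plain folder (protection is lost if
            #    an application deletes and recreates the file)
            $finding = $null
            if ($folderEnc -and -not $fileEnc) {
                $finding = 'UnencryptedInEncryptedFolder'
            }
            elseif ($fileEnc -and -not $folderEnc) {
                $finding = 'EncryptedFileInPlainFolder'
            }

            if ($finding) {
                New-Object PSObject -Property @{
                    Finding       = $finding
                    Path          = $_.FullName
                    LastWriteTime = $_.LastWriteTime
                }
            }
        } | Select-Object Finding, LastWriteTime, Path
}

# Usage: audit a folder tree (placeholder path) and list mismatches, newest first.
Get-EfsCoverage -Root "$env:USERPROFILE\Documents" |
    Sort-Object LastWriteTime -Descending |
    Format-Table -AutoSize
```

Reading the attribute does not require the ability to decrypt the file, so the audit also works on folders shared with other users.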
If you change the ownership of a file and the file is encrypted, the encryption will remain active for the original owner and creator of the file, even though that user no longer technically "owns" the file.
Since all users need to access files in certain folders, such as the \Windows and \Windows\System folders, Windows won't let you encrypt system files and folders or the root directories of any drives.
Compression, another feature of the NTFS filesystem, reduces the amount of space consumed by a file or folder. The rules that apply to compression are more or less the same as those that apply to encryption. But you cannot simultaneously use encryption and compression on any object; turn on one option in the Properties window, and Windows will turn the other off.
2.1. Highlight encrypted files in Windows Explorer
By default, Windows Explorer visually differentiates encrypted files, which can be a very handy way to keep track of the scope of your encryption. In Control Panel, open Folder Options, choose the View tab, and turn on the Show encrypted or compressed NTFS files in color option to use this feature, or turn it off if you want all your filenames to be printed in black text. Click OK when you're done.
By default, the names of encrypted files appear in green, while those of compressed files appear in blue (except for icons on the desktop). Note that files can't be simultaneously compressed and encrypted (as mentioned in the previous section), so you'll never see any turquoise, teal, or aquamarine filenames.
Actually, that's not entirely true. You can customize the color Windows uses to highlight encrypted filenames by editing the Registry:
Open the Registry Editor.
Expand the branches to: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer.
Create a new binary value by going to Edit → New → Binary Value, and type AltEncryptionColor for the name of the new value.
Double-click the new AltEncryptionColor value, and then type a code to indicate the color you'd like to use, following this pattern:
RR GG BB 00
The RGB hex code used here follows the same scheme as
RGB codes in HTML web pages (except for the two trailing zeros), which
means you can use any common color mixer to generate the hex codes for
you. For an excellent, free web-based color mixer, go to http://colormixers.com/mixers/cmr. Or, if you have Adobe Photoshop, you can match an existing color with the eyedropper tool and grab the code from the # field in the color mixer window.
For example, to get a nice aquamarine color, you'd type this:
00 B4 C5 00
Here, the first 00 indicates no red, the B4 is the hex code for 180 (out of 255; roughly 70% green), the C5 is the hex code for 197 (about 77% blue), and then the last two zeros are for good measure. Or, to get the default green color, type:
00 80 40 00
By the way, don't type the spaces; Registry Editor will do it for you.
Likewise, you can customize the color used for compressed filenames by creating a new binary value named AltColor in this same key, and filling its value data with whatever RGB code you like.
Close the Registry Editor when you're done. The change will take effect the next time you log in.
2.2. Allow others to access your encrypted files
By default, only you can read your own encrypted files. But what if you want someone else to have access to a file, yet keep your password to yourself and maintain the file's encrypted state?
Right-click a file or folder you've already encrypted, select Properties, and under the General tab, click the Advanced button. Click the Details button to open the User Access window shown in Figure 5.
If the Details button is grayed out (disabled) in the Advanced Attributes window, it means that encryption isn't yet active for the selected file or folder. If you just turned on the Encrypt contents to secure data option, you need to click OK here and in the main Properties window, then come back here before you can click Details.
To permit another user to access your files, click Add to show the Encrypting File System window.
Now, you won't necessarily see all the user accounts on your PC here, only those that already have security certificates. If you don't see the account you want to include here, you'll need to log in to that account and encrypt at least one file or folder.
If the user doesn't have an account on your PC, you can either create one, or you can install the user's own certificate on your PC by hand. To do this, ask the user to send you the certificate from her PC. Then, open the Start menu on your PC, type certmgr.msc, and press Enter to fire up the Certificate Manager. Expand the Personal branch and then select the Certificates folder. From the Action menu, select All Tasks → Import, and then complete the Certificate Import Wizard by following the prompts.
Note that the Expiration Date shown here represents the date the user's security certificate expires, and has nothing to do with the permissions you're setting up. No hurry, though; you've got at least 100 years.
2.3. View someone else's encrypted files
So, how do you access someone else's encrypted files without
that person's permission? (This is an important question to ask if you
care about the security of your own data.) If you try to view someone's
encrypted files, you'll get an "Access is Denied" error message, as
shown in Figure 6.
Not even administrators can view files encrypted by other users. However, any administrator can change any other user's password, and then subsequently log in to that user's account and view (or unencrypt) any of his protected files. This means that your files won't be totally secure unless you're the only administrator on the machine.
There is a little-known side effect to this fact: if the owner of encrypted files deletes his or her encryption keys, neither the user nor any administrator will be able to read the encrypted files until the key is reinstalled.
2.4. The ins and outs of folder encryption
You can also encrypt a folder and all of its contents using the procedure for files shown earlier. It gets a little more complicated, though, when you mix and match encrypted and unencrypted files and folders, and it can be difficult to predict what happens to the folders' contents.
Now, if a file in an encrypted folder is moved into an unencrypted
folder, the file becomes unencrypted. The exception is when you've
specifically encrypted the file itself; in this case, the file remains
encrypted, no matter where you put it. Whenever you try to encrypt a
file located in an unencrypted folder, Windows warns you and gives you
the option to encrypt the folder as well (shown in Figure 7).
Be especially careful here, as the default is to encrypt the containing (parent) folder in addition to the selected file, which can be counterintuitive if you're accustomed to warnings that only deal with child objects. Check the Always encrypt only the file option if you never want to see this warning again. If you ever inadvertently encrypt your desktop (by encrypting an item on your desktop, and then accepting the default in this box), the only way to unencrypt it is to open Windows Explorer, and unencrypt the source desktop folder (usually \Users\{your username}\Desktop).
If an unencrypted file is placed in an encrypted folder, the file will become encrypted, too. The catch is when one user encrypts a folder and another user places a file in that folder; in this case, the file is encrypted for the creator of the file, which means that the owner of the folder, the one who originally implemented the encryption, will not be able to read the file.
On the other hand, if the user places a file in a folder, and a different user comes along and encrypts the folder thereafter, only the user who implemented the encryption will be able to read the file, even though the file is officially "owned" by that first user.
2.5. Add Encrypt/Decrypt commands to context menus
If you find yourself frequently encrypting and decrypting files, having to repeatedly open the Properties window can be a pain. Instead, follow these steps to add Encrypt and Decrypt commands to the context menus for every file and folder:
Open the Registry Editor.
Expand the branches to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced.
Create a new DWORD value by going to Edit → New → DWORD (32-bit) Value, and type EncryptionContextMenu for the name of the new value.
Double-click the new EncryptionContextMenu value, enter 1 for the Value data, and click OK.
Close the Registry Editor when you're done. The change will take effect immediately.
To use this new trick, right-click any unencrypted file in Explorer or on your desktop, and select Encrypt. Or, right-click an already encrypted file, and select Decrypt.
If at least one of the selected items is a folder, you'll have the option of encrypting only the folder or all the folders contained therein. If encrypting any individual files, you'll also be asked if you wish to encrypt only the file or the parent folder as well.
2.6. Back up your encryption certificates
Think of your encryption certificate as the combination to a safe. Forget the combination, and you can't open the safe. Likewise, lose your certificate, and you won't be able to open your encrypted files.
Windows Vista's encryption system employs symmetric key cryptography, which uses the same key to encrypt and decrypt data. Windows generates a unique key for each user, so that no user can decrypt another user's data.
The first time you use encryption on your PC, Vista creates a new encryption certificate for you (if you don't already have one) and prompts you to back up your certificate with the window shown in Figure 8.
Whether or not you take Windows up on its offer, you can use one of the two included tools to manage your encryption certificates:
Certificate Manager
Open your Start menu, type certmgr.msc, and press Enter to fire up the Certificate Manager. Expand the Personal branch and select the Certificates folder to view the certificates installed on your PC. The one used for NTFS encryption is labeled Encrypting File System in the Intended Purposes column. View any certificate by double-clicking it.
You can back up a certificate by highlighting it and then selecting All Tasks → Export from the Action menu. Just save the file to a USB memory key or CD so it's safe in the event that your hard disk crashes and you need to install a second copy of Windows to access your data.
NTFS Encryption Utility
The NTFS Encryption Utility (cipher.exe) lets you encrypt or decrypt files and manage certificates from the Command Prompt, but it's not included with all editions of Windows. It does have the added benefit of being able to perform some tricks that the Certificate Manager, just discussed, cannot.
Open a Command Prompt window (cmd.exe) and type cipher without any arguments to display the encryption status for all the files in the current folder. Encrypted files will be marked with an E; all others will be marked with a U.
To encrypt a file, type cipher /e filename, where filename is the name of the file or folder (include the full path if it's in a different folder). Likewise, type cipher /d filename to turn off encryption for the item.
To back up your certificate, type cipher /r:filename at the prompt, where filename is the prefix of the output filename (without an extension). Cipher asks for a password, and then generates two separate files based on the specified filename. For example, if you type cipher /r:julius, you'll end up with two files: julius.pfx, which contains the Encrypting File System (EFS) recovery agent key and certificate, and julius.cer, which contains the EFS recovery agent certificate only (without the key). Double-click either file in Windows Explorer to import the certificate or key, or use the Certificate Manager.
Worried that your key got in the wrong hands? You can generate a new key at any time by typing cipher /k (without any other options). Then, type cipher /u to update the encrypted files on your system with the new key.
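A scripted version of the Certificate Manager check and export described above, as an added example that is not part of the original text: it finds certificates in your Personal store whose intended purpose is Encrypting File System, flags any that are expired or lack a private key, and exports the rest to password-protected .pfx files. It assumes PowerShell 2.0 or later and an exportable private key; the function names and the E:\ backup path are hypothetical.

```powershell
# Added example (not from the original text). Assumes PowerShell 2.0 or later.
# Function names and the backup directory are hypothetical.
function Get-EfsCertificate {
    $efsOid = '1.3.6.1.4.1.311.10.3.4'   # EKU OID for "Encrypting File System"
    # Certificates without an Enhanced Key Usage extension are skipped.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            Where-Object { $_.Value -eq $efsOid }
    }
}

function Backup-EfsCertificate {
    # $Directory must be a full path, because .NET resolves relative paths
    # against the process directory rather than the PowerShell location.
    param([Parameter(Mandatory = $true)][string]$Directory)

    $certs = @(Get-EfsCertificate)
    if ($certs.Count -eq 0) {
        Write-Warning 'No EFS certificate found in the Personal store.'
        return
    }

    $password = Read-Host -Prompt 'Password to protect the exported .pfx files' -AsSecureString
    foreach ($cert in $certs) {
        if (-not $cert.HasPrivateKey) {
            Write-Warning "$($cert.Thumbprint): no private key in this profile, nothing to back up."
            continue
        }
        if ($cert.NotAfter -lt (Get-Date)) {
            Write-Warning "$($cert.Thumbprint): certificate expired on $($cert.NotAfter)."
        }
        # Export() throws if the private key was marked non-exportable.
        $pfx  = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $password)
        $path = Join-Path $Directory "efs-$($cert.Thumbprint).pfx"
        [System.IO.File]::WriteAllBytes($path, $pfx)
        New-Object PSObject -Property @{
            Thumbprint = $cert.Thumbprint; NotAfter = $cert.NotAfter; File = $path
        }
    }
}

# Usage: write the backups to removable media (placeholder drive letter).
Backup-EfsCertificate -Directory 'E:\' | Format-List
```

The exported .pfx contains the private key, so keep it off the encrypted PC and protect it with a strong password.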
2.7. Secure your drive's free space
Normally, when you delete a file, only the file's entry in the filesystem table is deleted; the actual data contained in the file remains in the folder until it is overwritten with another file.
Cipher, discussed in the previous section, allows you to wipe a folder, which only means that it goes back and cleans out any recently deleted files, overwriting the leftover data with random bits. This effectively makes it impossible to subsequently recover deleted data with an "undelete" utility. Think of the wipe feature as a virtual paper shredder.
To wipe a folder, open a Command Prompt window and type cipher /w:foldername, where foldername is the full path of any folder on the drive to wipe. Although Cipher requires the path of a folder, it actually wipes all the free space on the drive. This means that the commands cipher /w:c:\Romulus and cipher /w:c:\Remus have exactly the same result.
Set up Cipher to wipe folders containing sensitive data at regular intervals (or when Windows starts) to automatically protect deleted data.
Note that Cipher's /w option does not harm existing data, nor does it affect any files currently stored in the Recycle Bin. It also works on unencrypted folders and encrypted folders alike.