
Windows 7 : Using Compression and Encryption (part 3) - Encrypting Files and Folders

2/15/2011 9:27:44 AM

3. Encrypting Files and Folders

You can use encryption to protect your files and folders so that only you can access them regardless of the NTFS permissions assigned to those files or folders. The first time you encrypt a file or folder, Windows 7 creates a personal certificate containing your encryption key. A personal certificate is similar to other types of certificates used by computers in that it contains both private key and public key encryption data. The certificate is extremely important. If it is damaged or removed from your computer, you won’t be able to access your encrypted data.

Unlike NTFS compression, you can’t encrypt entire drives. You can’t encrypt compressed files, system files, or read-only files, either. If you try to encrypt compressed files, they are automatically uncompressed and then encrypted. If you try to encrypt system files, you’ll get an error message.

The Windows 7 component that handles encryption is called the Encrypting File System (EFS). EFS encrypts files and folders using an encryption key that is automatically generated and unique for each person that uses encryption on your computer. When you encrypt a file or folder, the associated data is converted to an encrypted format so that only you can access the file or folder.

By default, you are the only person who can access your encrypted files and folders. However, as you might expect there are some caveats. If your computer has any assigned recovery agents, those recovery agents have the authority to decrypt any encrypted files and folders on your computer. You can think of a recovery agent as having a master key. Additionally, you can grant another user the right to access your encrypted files and folders. When you do this, this person’s encryption key is added to the file or folder’s encryption data, allowing the person to access the file or folder just like you can.

3.1. Encrypting a file or folder

You can encrypt a file or folder by completing these steps:

  1. In Windows Explorer, right-click the file or folder that you want to encrypt and then select Properties.

  2. On the General tab of the related property dialog box, click Advanced.

  3. In the Advanced Attributes dialog box, select the “Encrypt contents to secure data” checkbox and then click OK.

  4. For an individual file, Windows 7 marks the file as encrypted and then encrypts it. If the file is in a folder that is not encrypted, Windows 7 displays the Confirm Attribute Changes dialog box:

    • To encrypt the file and its parent folder, select “Encrypt the file and its parent folder” and then click OK.

    • To encrypt the file only, select “Encrypt the file only” and then click OK.

  5. For a folder, Windows 7 marks the folder as encrypted. If the folder contains subfolders or files, Windows 7 displays the Confirm Attribute Changes dialog box:

    • To encrypt only the folder, select “Apply changes to this folder only” and then click OK. Newly created files in this folder will be encrypted.

    • To encrypt the folder, subfolders, and all related files, select “Apply changes to this folder, subfolders and files” and then click OK. Newly created files in this folder will be encrypted, along with existing folders and files.

Before other people can access your encrypted data, you must decrypt the file or you must grant special access permission. Once you encrypt a file or folder, you can work with it just like any other file or folder. You can copy, move, and rename an encrypted file or folder just like any other files or folders. However, if you move an encrypted file to a disk or device formatted using FAT, the file is decrypted automatically.
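Two points above are easy to miss in practice: "Apply changes to this folder only" leaves existing files in the folder unencrypted, and a copy to a FAT volume is stored decrypted. The following PowerShell check is an added example, not part of the original article; the function names are hypothetical and the paths are placeholders.

```powershell
# Added example, not from the original page. Function names are hypothetical.
function Test-EfsEncrypted {
    param([System.IO.FileSystemInfo]$Item)
    # The Encrypted attribute is what "Encrypt contents to secure data" sets.
    [bool]($Item.Attributes -band [System.IO.FileAttributes]::Encrypted)
}

function Get-EfsPlaintextGap {
    # Lists files that sit directly in a folder marked encrypted but are not
    # encrypted themselves, e.g. after "Apply changes to this folder only".
    param([Parameter(Mandatory = $true)][string]$Root)
    $folders = @(Get-Item -LiteralPath $Root -Force) +
               @(Get-ChildItem -LiteralPath $Root -Recurse -Force |
                   Where-Object { $_.PSIsContainer })
    foreach ($folder in $folders) {
        if (-not (Test-EfsEncrypted $folder)) { continue }
        Get-ChildItem -LiteralPath $folder.FullName -Force |
            Where-Object { -not $_.PSIsContainer -and -not (Test-EfsEncrypted $_) } |
            Select-Object FullName, Length, LastWriteTime
    }
}

function Test-EfsSafeDestination {
    # True only when the target volume is NTFS. Assumes a local drive-letter
    # path; FAT targets (typical for USB sticks) receive a decrypted copy.
    param([Parameter(Mandatory = $true)][string]$Path)
    $full  = (Resolve-Path -LiteralPath $Path).ProviderPath
    $drive = New-Object System.IO.DriveInfo ([System.IO.Path]::GetPathRoot($full))
    $drive.DriveFormat -eq 'NTFS'
}

# Usage: audit the profile's Documents folder, then check a copy target.
Get-EfsPlaintextGap -Root (Join-Path $env:USERPROFILE 'Documents')
$target = $env:TEMP   # placeholder: replace with the real destination folder
if (-not (Test-EfsSafeDestination $target)) {
    Write-Warning "$target is not NTFS: encrypted files copied there are stored decrypted."
}
```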

3.2. Removing encryption from files and folders

If you later decide that you no longer want to encrypt a folder or file, you can remove encryption by completing the following steps:

  1. In Windows Explorer, right-click the file or folder you want to decrypt and then select Properties.

  2. On the General tab of the related property dialog box, click Advanced.

  3. In the Advanced Attributes dialog box, clear the “Encrypt contents to secure data” checkbox and then click OK twice.

  4. For a file, Windows 7 decrypts the file and restores it to its original format. For a folder, Windows 7 turns off encryption for that folder. If the folder contains subfolders or files, Windows 7 displays the Confirm Attribute Changes dialog box:

    • To decrypt only the folder, select “Apply changes to this folder only” and then click OK. Newly created files in this folder will not be encrypted.

    • To decrypt the folder, subfolders, and all related files, select “Apply changes to this folder, subfolders and files” and then click OK. All existing files in this folder are decrypted, and newly created files will not be encrypted.

3.3. Sharing encrypted files

If you want other people to be able to access an encrypted file, you must either remove encryption or grant the person special access to the file. When you grant a person special access to the file, this person’s encryption key is added to the file encryption data, allowing the person to access the file just like you can.

The person to whom you are granting access must have an encryption key on your computer. The easiest way to get an encryption key is to have the person log on and then encrypt a file. Because Windows 7 generates an encryption key automatically the first time a person encrypts a file, this person will then have an encryption key.

You can grant access to an encrypted file by completing the following procedure:

  1. In Windows Explorer, right-click the file for which you are granting access and then select Properties.

  2. On the General tab of the file’s property dialog box, click Advanced. The Advanced Attributes dialog box appears.

  3. Click Details. In the User Access dialog box, shown in Figure 6, users who have access to the encrypted file are listed by name.

  4. To allow another user access to the file, click Add.

  5. In the Encrypting File System dialog box, shown in Figure 7, you’ll see a list of every user who has an encryption key on your computer.

  6. Select the user’s name in the list provided and then click OK three times.

Figure 6. Viewing users who can access the encrypted file


3.4. Backing up your encryption keys

As discussed previously, the first time you encrypt a file or folder, Windows 7 creates an encryption key for you. This key is critically important because if it becomes damaged or is removed, you won’t be able to access your encrypted files or folders ever again. Several safeguards are put in place to prevent catastrophic data loss. The first is a feature called the recovery agent. A recovery agent is a person who is issued a master key for all encrypted data on a computer. Although recovery agents cannot use their master keys to open and read files and folders, they can use their master keys to decrypt files and folders. Once decrypted, the files and folders can be accessed according to their NTFS permissions. If you are using encryption at work, your IT administrators will create and manage recovery agents for you. At home (and at the office as a supplement to recovery agents), you can back up your encryption key to a USB flash drive or memory card.

Figure 7. Sharing file access with another person


The first time you create an encryption key, Windows 7 will display a notification icon in the System Tray telling you to back up your encryption key. If you click this icon and then click “Back up now,” you’ll start the Certificate Export Wizard. You can use this wizard to back up your encryption key by completing the following steps:

  1. In the Certificate Export Wizard, shown in Figure 8, read the introductory message and then click Next twice.

  2. To help safeguard your encryption key, you must protect it with a password. This password should not be the same one you use to log on to your computer, but it should be one you can easily remember. On the Password page, type a password and then confirm it by typing it again. Click Next.

  3. As necessary, connect a USB flash device or memory card to your computer.

  4. On the File to Export page, click Browse.

  5. Use the Save As dialog box to select the USB flash device or memory card as the save location.

  6. Type a name for the encryption key file and then click Save.

  7. Click Next and then click Finish. If the export was successful, you’ll see a dialog box confirming this. Click OK.

Figure 8. Backing up your encryption key by exporting it
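A backup is only useful if the exported file really contains the private key for the certificate EFS is using. The following PowerShell check is an added example, not part of the original article: it lists the EFS-capable certificates in the Personal store and compares an exported key file against them. The function names are hypothetical and the .pfx path is a placeholder.

```powershell
# Added example, not from the original page. Function names are hypothetical.
$EfsOid = '1.3.6.1.4.1.311.10.3.4'   # "Encrypting File System" enhanced key usage

function Get-EfsCertificate {
    # EFS-capable certificates in the current user's Personal store.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $usages = $_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value }
        $usages -contains $EfsOid
    }
}

function Test-EfsKeyBackup {
    # Opens the exported .pfx and confirms it holds the private key for an
    # EFS certificate that is currently in the store. Pass a full path.
    param([Parameter(Mandatory = $true)][string]$PfxPath,
          [Parameter(Mandatory = $true)][System.Security.SecureString]$Password)
    $pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 ($PfxPath, $Password)
    try {
        $match = Get-EfsCertificate | Where-Object { $_.Thumbprint -eq $pfx.Thumbprint }
        New-Object PSObject -Property @{
            Thumbprint       = $pfx.Thumbprint
            NotAfter         = $pfx.NotAfter
            BackupHasKey     = $pfx.HasPrivateKey
            MatchesStoreCert = [bool]$match
        }
    } finally { $pfx.Reset() }   # release the key material loaded from the file
}

# Inventory: a certificate without HasPrivateKey cannot decrypt your files.
Get-EfsCertificate | Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey

# Backup check (placeholder path; run after the export has completed):
# $pw = Read-Host 'Password for the key file' -AsSecureString
# Test-EfsKeyBackup -PfxPath 'E:\efs-key-backup.pfx' -Password $pw
```

Both BackupHasKey and MatchesStoreCert should be True before you rely on the backup.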


If your encryption key is damaged or you need to recover encrypted files moved to a new computer, you can do so by completing the following steps:

  1. Connect the USB flash device or memory card containing the encryption key file.

  2. Click Start. On the Start menu, type MMC in the search box and then press Enter.

  3. In the Console window, click Add/Remove Snap-in on the File menu. In Add or Remove Snap-ins, select Certificates under Available Snap-ins and then click Add. When prompted, click OK to accept the default value of “My user account” and add the Certificates snap-in to the console.

  4. In the left pane, double-click Certificates→Current User, right-click Personal, point to All Tasks, and then select Import. This starts the Certificate Import Wizard. Click Next.

  5. On the File to Import page, shown in Figure 9, click Browse. Use the Open dialog box to select the location where you previously saved the key file.

Figure 9. Selecting the encryption file to import


  6. Your key file is saved as a Personal Information Exchange file. You won’t see this file type until you use the “File type” list to the right of the “File name” text box to select Personal Information Exchange as the file type.

  7. Click your key file and then click Open.

  8. Click Next. Type the password you assigned to the key file.

  9. Click Next twice and then click Finish.

You can now decrypt any files that were encrypted using this encryption key.
