Restoring a System Image
You should restore a system image only in drastic circumstances, such as a complete system
failure. Basically, if Windows won’t start and you’ve already tried
everything else and
you’ve made a system image, it’s time to restore it. A complete PC
restore (or system image) sets your system to its exact condition at the
time of backup. Unlike System Restore, which leaves current data files
behind although it resets the Windows Registry to the specified earlier
time, a complete PC restore formats your hard disk, wiping out any
remaining information and replacing it with whatever you backed up. It’s
not called a “bare metal” restore for nothing!
Note
After you restore a system image, restore all the file and folder backups
available to bring your system as close to its prefailure condition as
possible.
To restore a system image from within Windows Backup and Restore, click
the Recover System Settings link, and then click the Open System Restore
button from the Recovery control panel applet.
This will launch the System Restore Wizard. However, if you need to
restore your system from outside the Windows GUI, use the Windows
Recovery Environment, which is accessed by booting from the Windows DVD
and selecting Repair Your Computer.
Encrypted File System (EFS)
If you need to protect files
on your system from being read by unauthorized users, you can use the
Encrypted File System (EFS) feature that works independently of the NTFS
permissions. Note that Windows 7 Home Basic, Home Premium, and Starter
Edition do not fully support EFS (search Windows Help and Support for
information on using EFS data with these versions). When a file is
encrypted, the data stored on the hard disk is scrambled in a very
secure way. Encryption is transparent to the user who encrypted the
file; you do not have to “decrypt” an encrypted file before you can use
it. You can work with an encrypted file just as you would any other
file; you can open and change the file as necessary. However, any other
user or an intruder who tries to access your encrypted files is
prevented from doing so. Only the original owner and the computer’s
designated recovery agent can get into encrypted files. Anyone else
receives an “Access Denied” message when trying to open or copy your
encrypted file.
Folders can be marked as
encrypted, too. This means that any file created in or copied to an
encrypted folder is automatically encrypted. The folder itself isn’t
encrypted, though; anyone with the proper file access permissions can
see the names of the files in it.
EFS encryption protects
the files only while they reside on the NTFS volume. When they are
accessed for use by an application, they are decrypted by the file
system drivers. This means that files that are encrypted on the drive
are not encrypted in memory while being used by an application. This
also means that transferring files over the network is done without
encryption. Any file action that performs a copy (which includes moves
across partitions or volumes) inherits the settings of its new
container. In other words, if the new container is not encrypted, the
new file will not be encrypted, either, even if it was encrypted in its
previous location. If you back up EFS-protected files, they are stored
on the backup media in their normal form, not encrypted. EFS protects
files only on the hard drive, nowhere else. Use EFS only when expressly
needed. EFS causes a significant performance reduction if a large
number of commonly accessed files are encrypted, due to the CPU
processing required to decrypt them for use.
You encrypt or decrypt a
folder or file by setting the encryption property for the folder or file
just as you set any other attribute (such as read-only, compressed, or
hidden), through a file or folder’s Advanced Attributes dialog box (see Figure 1).
Right-click the desired file or folder, choose Properties, and from the
General tab click the Advanced button to open the Advanced Attributes
dialog box.
Note
EFS is not supported in Home versions of Windows 7, so this option will be grayed out in the Advanced Attributes dialog box.
After you set the option to encrypt a folder and click OK in a folder’s
Properties dialog box, you are prompted to confirm the attribute change.
From this dialog box, you can set the option to encrypt all the
subfolders and files within the folder you are encrypting. Once all
folders, subfolders, and files are encrypted, an Encrypted File System
dialog box appears, reminding you to back up your file encryption
certificate and key. You’re given three options: Back Up Now
(Recommended), Back Up Later, or Never Back Up. We suggest you take care
of this now so you never have to worry about it later. Back Up Now
takes you to the Certificate Export Wizard, which gives you step-by-step
instructions.
If you are unable to use EFS on a particular drive, make sure that it is
not compressed and that the drive uses the NTFS file system. Compressed
files and folders are displayed in blue; encrypted (EFS) files and
folders are displayed in green in Windows Explorer. A file on an NTFS
drive can be encrypted or compressed (or neither), but not both. To
check the file system used by a drive, right-click the drive in
Computer, select Properties, and view the General tab. A FAT or FAT32
drive must be converted to NTFS to support encryption or compression.
Keep in mind that Home editions (and Starter) of Windows 7 do not
support EFS, although they do use NTFS as their native file system.
It is recommended that you
encrypt at the folder level rather than mark individual files, so that
new files added to the folder will also be encrypted. This point is
crucial because most editing programs write a new copy of the file each
time you save changes and then delete the original. If the folder
containing an encrypted file isn’t marked for encryption, too, editing
an encrypted file results in your saving an unencrypted version.
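A check for the failure mode just described, as an added example that is not from the original text: it walks a folder tree and reports folders that lack the NTFS encrypted attribute (files created or re-saved there stay unencrypted) and files that are stored unencrypted right now. The function names are hypothetical; the attribute comes from os.stat, which exposes st_file_attributes only on Windows.

```python
import os
import stat

EFS_FLAG = stat.FILE_ATTRIBUTE_ENCRYPTED  # 0x4000, the NTFS "encrypted" attribute

def windows_attrs(path):
    """Read NTFS attributes; st_file_attributes exists only on Windows."""
    return getattr(os.stat(path), "st_file_attributes", 0)

def audit_efs_tree(root, get_attrs=windows_attrs):
    """Return (unmarked_dirs, plaintext_files) found under root.

    unmarked_dirs: folders without the encrypted attribute, where a newly
    created or re-saved file will NOT be encrypted automatically.
    plaintext_files: files that are stored unencrypted right now.
    """
    unmarked_dirs, plaintext_files = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        if not get_attrs(dirpath) & EFS_FLAG:
            unmarked_dirs.append(dirpath)
        for name in filenames:
            full = os.path.join(dirpath, name)
            if not get_attrs(full) & EFS_FLAG:
                plaintext_files.append(full)
    return sorted(unmarked_dirs), sorted(plaintext_files)

if __name__ == "__main__":
    import sys
    # Usage (hypothetical script name): python efs_audit.py C:\Users\me\Private
    dirs, files = audit_efs_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for d in dirs:
        print("folder not marked for encryption:", d)
    for f in files:
        print("file stored unencrypted:", f)
```

Run it against the top of the tree you intended to protect; any folder it lists should be marked for encryption through the Advanced Attributes dialog box or with CIPHER /E.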
As a kid, you probably played around with simple codes and ciphers in which you exchanged the letters of a message: D for A, E for B,
and so on. You might look at this as the process of “adding three” to
each letter in your message: Each letter gets bumped to the third-next
letter in the alphabet. To decode a message, you subtracted three from
every letter to get the original message. In this code, you could say
that the “key” is the number 3. Anyone who knew the technique and
possessed the key could read and write these secret messages.
Although this
example is very simplistic, it illustrates the basic idea of numeric
encryption. The cryptographic system used by Windows for EFS also uses a
numeric technique, but it’s extremely complex and uses a key that is
128 digits long. Such a large number means many possible choices, and
that means it would take someone a very long time to guess a key and
read an encrypted file.
When you mark a file for
encryption, Windows randomly generates such a large number, called a
unique file encryption key (FEK), which is used to scramble the contents
of just that one file. This unique key is itself scrambled with your
own personal file encryption key, an even longer number stored in the
Windows Certificate database. The encrypted unique key is then stored
along with the file.
When you’re logged
in and try to open an encrypted file, Windows retrieves your personal
key, decodes the unique key, and uses that key to decode the contents of
the file as it’s read off the hard disk.
The reason for the two-step
process is to let Windows use a different and unique key for each file.
Using different keys provides added security. Even if an attacker
managed to guess the key to one file, he or she would have to start
fresh to find the key to other files. Yet your personal key can
unscramble the unique key to any file you’ve encrypted. It’s a valuable
thing, this key, and I’ll tell you how to back it up in a certificate
file for safekeeping.
As a backup in case your
personal key gets lost, Windows lets each computer or domain
administrator designate recovery agents, users who are allowed to decode
other people’s encrypted files. Windows also encrypts the unique FEK
for each of the recovery agents. It, too, is stored along with the file,
and anyone who possesses a recovery key can also read your encrypted
files.
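The two-step key arrangement described above, as an added example that is not from the original text: each file gets its own random FEK, and one scrambled copy of that FEK is stored with the file for the owner and for each recovery agent. Assumptions: a toy HMAC-SHA256 keystream stands in for the real Windows ciphers, random symmetric keys stand in for the certificate-based personal keys, and all function names are hypothetical.

```python
import hashlib
import hmac
import os

def keystream_xor(key, nonce, data):
    """Toy stream cipher (stand-in for the real file cipher): XOR with HMAC-SHA256 blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def wrap_fek(personal_key, fek):
    """Scramble the per-file key under one holder's personal key, with an integrity tag."""
    nonce = os.urandom(16)
    sealed = keystream_xor(personal_key, nonce, fek)
    tag = hmac.new(personal_key, b"wrap-tag" + nonce + sealed, hashlib.sha256).digest()
    return nonce + sealed + tag

def unwrap_fek(personal_key, blob):
    nonce, sealed, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(personal_key, b"wrap-tag" + nonce + sealed, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise PermissionError("Access Denied")  # wrong personal key
    return keystream_xor(personal_key, nonce, sealed)

def encrypt_file(plaintext, holders):
    """holders maps a name (owner, recovery agent) to that holder's personal key."""
    fek = os.urandom(16)    # unique random key, used for this one file only
    nonce = os.urandom(16)
    return {
        "nonce": nonce,
        "data": keystream_xor(fek, nonce, plaintext),
        # one wrapped copy of the FEK per holder, stored along with the file
        "wrapped_fek": {name: wrap_fek(key, fek) for name, key in holders.items()},
    }

def decrypt_file(record, name, personal_key):
    if name not in record["wrapped_fek"]:
        raise PermissionError("Access Denied")  # no key entry for this user
    fek = unwrap_fek(personal_key, record["wrapped_fek"][name])
    return keystream_xor(fek, record["nonce"], record["data"])

if __name__ == "__main__":
    owner, agent = os.urandom(32), os.urandom(32)   # constructed sample keys
    rec = encrypt_file(b"Q3 payroll draft", {"owner": owner, "recovery_agent": agent})
    print(decrypt_file(rec, "owner", owner))
    print(decrypt_file(rec, "recovery_agent", agent))
```

Because every holder's entry unwraps to the same FEK, losing the owner's personal key is survivable only while a recovery agent's entry exists, which is why the certificate backup matters.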
You can use EFS to keep
your documents safe from intruders who might gain unauthorized physical
access to your sensitive stored data (by stealing your laptop, for
example).
Encrypting Offline Files
Offline files are
stored local copies of network files provided so that you may work with
certain types of information when you’re offline or disconnected from
the network. These files are not encrypted by default, but you can
enable a new feature in Windows 7 that provides this added safety
measure.
File encryption provides another level of access protection that—like
EFS—operates independently of NTFS permissions. This safeguards your
files in the event your drive is removed or the entire system is stolen.
You should especially encrypt offline files if you suspect they will
contain confidential, private, or sensitive information.
You can enable
encryption of offline files by clicking the Encrypt button on the
Encryption tab of the Offline Files dialog box, shown in Figure 1.
To encrypt offline files, you must first enable offline files on the
General tab of a given folder or launch Manage Offline Files from the
Start menu using the Search box.
When encryption is enabled, the Encrypt button will be grayed out and only the Unencrypt button will be active.
Using CIPHER
You also can encrypt or decrypt a file or folder using the command-line program CIPHER and the following syntax. If you’ve previously used CIPHER on a Windows XP system, keep in mind that the syntax that CIPHER uses in both Windows Vista and Windows 7 is almost entirely new. Several existing parameters have been removed (/F, /I, and /Q), many new parameters have been added (/B, /C, /W, /X, /Y, /ADDUSER, /REKEY, and /REMOVEUSER), and, by default, CIPHER runs even if an error is encountered, unless you use the new /B parameter. In Windows XP, CIPHER stopped on error.
The following is not an exhaustive list of the CIPHER syntax; execute CIPHER /? at a command prompt for the complete list of parameters and syntax.
CIPHER [/E | /D | /C]
       [/S:directory] [/B] [/H] [pathname [...]]
CIPHER /K
CIPHER /R:filename [/SMARTCARD]
CIPHER /U [/N]
CIPHER /W:directory
CIPHER /X[:efsfile] [filename]
CIPHER /Y
CIPHER /ADDUSER [/CERTHASH:hash | /CERTFILE:filename]
       [/S:directory] [/B] [/H] [pathname [...]]
CIPHER /REMOVEUSER /CERTHASH:hash
       [/S:directory] [/B] [/H] [pathname [...]]
CIPHER /REKEY [pathname [...]]
The arguments (parameters) are as follows:
/B—Aborts if an error is encountered. By default, CIPHER continues executing even if errors are encountered (new option).
/C—Displays information on the encrypted file (new option).
/D—Decrypts the folder and halts any further encryption on that folder until reactivated.
/E—Encrypts the specified directories. Directories are marked so that files added afterward will be encrypted.
/H—Displays files with the hidden or system attributes. These files are omitted by default (new option).
/K—Creates a new certificate and key for use with EFS. If this option is chosen, all other options are ignored (new option).
/N—Works only with /U. Prevents keys from being updated. This is used to find all the encrypted files on the local drives (new option).
/R—Generates an EFS recovery agent key and certificate, and then writes them to a
PFX file (containing the certificate and private key) and a CER file
(containing only the certificate). An administrator can add the contents
of the CER file to the EFS recovery policy to create the recovery agent
for users and can import the PFX file to recover individual files. If SMARTCARD
is specified, it writes the recovery key and certificate to a smart
card. A CER file is generated (containing only the certificate). No PFX
file is generated.
/S—Performs the specified operation on directories in the given directory and all subdirectories.
/U—Tries to touch all the encrypted files on local drives. This updates the
user’s file encryption key or recovery agent’s key to the current ones
if they are changed. This option does not work with other options except
/N.
/W—Removes data from available unused disk space on the entire volume. If this
option is chosen, all other options are ignored. The directory specified
can be anywhere in a local volume. If it is a mount point or points to a
directory in another volume, the data on that volume will be removed
(new option).
/X—Backs up the EFS certificate and keys into file filename. If efsfile
is provided, the current user’s certificate(s) used to encrypt the file
will be backed up. Otherwise, the user’s current EFS certificate and
keys will be backed up (new option).
/Y—Displays your current EFS certificate thumbnail on the local PC (new option).
/ADDUSER—Adds a user to the specified encrypted file(s). If CERTHASH is provided, CIPHER will search for a certificate with this SHA1 hash. If CERTFILE is provided, CIPHER will extract the certificate from the file (new option).
/REKEY—Updates the specified encrypted file(s) to use the configured EFS current key (new option).
/REMOVEUSER—Removes a user from the specified file(s). CERTHASH must be the SHA1 hash of the certificate to remove (new option).
directory—A directory path.
filename—A filename without extensions.
pathname—Specifies a pattern, file, or directory.
efsfile—An encrypted file path.
Used without parameters, CIPHER
displays the encryption state of the current directory and any files it
contains. You can use multiple directory names and wildcards. You must
put spaces between multiple parameters.
Although using encryption (EFS) via the right-click menu works the same way as
in previous NT-based versions of Windows, changes in the CIPHER command-line encryption tool can cause problems, particularly for users who are accustomed to how CIPHER worked in Windows XP. As with wbadmin, some practice time with noncritical files is a good idea.