Windows 7 : Protecting Your Data from Loss and Theft - Encrypted File System (part 1) - Encrypting Offline Files, Using CIPHER

9/24/2012 1:18:27 AM

Restoring a System Image

You should restore a system image only in drastic circumstances, such as a complete system failure. Basically, if Windows won’t start and you’ve already tried everything else and you’ve made a system image, it’s time to restore it. A complete PC restore (or system image) sets your system to its exact condition at the time of backup. Unlike System Restore, which leaves current data files behind although it resets the Windows Registry to the specified earlier time, a complete PC restore formats your hard disk, wiping out any remaining information and replacing it with whatever you backed up. It’s not called a “bare metal” restore for nothing!


After you restore a system image, restore all the file and folder backups available to bring your system as close to its prefailure condition as possible.

To restore a system image from within Windows Backup and Restore, click the Recover System Settings link, and then click the Open System Restore button from the Recovery control panel applet. This will launch the System Restore Wizard. However, if you need to restore your system from outside the Windows GUI, use the Windows Recovery Environment, which is accessed by booting from the Windows DVD and selecting Repair Your Computer.

Encrypted File System (EFS)

If you need to protect files on your system from being read by unauthorized users, you can use the Encrypted File System (EFS) feature that works independently of the NTFS permissions. Note that Windows 7 Home Basic, Home Premium, and Starter Edition do not fully support EFS (search Windows Help and Support for information on using EFS data with these versions). When a file is encrypted, the data stored on the hard disk is scrambled in a very secure way. Encryption is transparent to the user who encrypted the file; you do not have to “decrypt” an encrypted file before you can use it. You can work with an encrypted file just as you would any other file; you can open and change the file as necessary. However, any other user or an intruder who tries to access your encrypted files is prevented from doing so. Only the original owner and the computer’s designated recovery agent can get into encrypted files. Anyone else receives an “Access Denied” message when trying to open or copy your encrypted file.

Folders can be marked as encrypted, too. This means that any file created in or copied to an encrypted folder is automatically encrypted. The folder itself isn’t encrypted, though; anyone with the proper file access permissions can see the names of the files in it.

EFS Encryption for NTFS Volumes Only

EFS encryption protects the files only while they reside on the NTFS volume. When they are accessed for use by an application, they are decrypted by the file system drivers. This means that files that are encrypted on the drive are not encrypted in memory while being used by an application. This also means that transferring files over the network is done without encryption. Any file action that performs a copy (which includes moves across partitions or volumes) inherits the settings of its new container. In other words, if the new container is not encrypted, the new file will not be encrypted, either, even if it was encrypted in its previous location. If you back up EFS-protected files, they are stored on the backup media in their normal form, not as encrypted. EFS protects files only on the hard drive, nowhere else. Use EFS only when expressly needed. EFS can noticeably reduce performance if a large number of commonly accessed files are encrypted, because of the CPU processing required to decrypt them for use.

You encrypt or decrypt a folder or file by setting the encryption property for the folder or file just as you set any other attribute (such as read-only, compressed, or hidden), through a file or folder’s Advanced Attributes dialog box (see Figure 1). Right-click the desired file or folder, choose Properties, and from the General tab click the Advanced button to open the Advanced Attributes dialog box.

Figure 1. Setting encryption for a specific folder.


EFS is not supported in Home versions of Windows 7, so this option will be grayed out in the Advanced Attributes dialog box.

After you set the option to encrypt a folder and click OK in a folder’s Properties dialog box, you are prompted to confirm the attribute change. From this dialog box, you can set the option to encrypt all the subfolders and files within the folder you are encrypting. Once all folders, subfolders, and files are encrypted an Encrypted File System dialog box appears reminding you to back up your file encryption certificate and key. You’re given three options: Back Up Now (Recommended), Back Up Later, or Never Back Up. We suggest you take care of this now so you never have to worry about it later. Back Up Now takes you to the Certificate Export Wizard, which gives you step-by-step instructions.

Unable to Encrypt Files or Folders

If you are unable to use EFS on a particular drive, make sure that it is not compressed and that the drive uses the NTFS file system. Compressed files and folders are displayed in blue; encrypted (EFS) files and folders are displayed in green in Windows Explorer. A file on an NTFS drive can be encrypted or compressed (or neither), but not both. To check the file system used by a drive, right-click the drive in Computer, select Properties, and view the General tab. A FAT or FAT32 drive must be converted to NTFS to support encryption or compression. Keep in mind that Home editions (and Starter) of Windows 7 do not support EFS, although they do use NTFS as their native file system.

It is recommended that you encrypt at the folder level rather than mark individual files, so that new files added to the folder will also be encrypted. This point is crucial because most editing programs write a new copy of the file each time you save changes and then delete the original. If the folder containing an encrypted file isn’t marked for encryption, too, editing an encrypted file results in your saving an unencrypted version.

How File Encryption Works

As a kid, you probably played around with simple codes and ciphers in which you exchanged the letters of a message: D for A, E for B, and so on. You might look at this as the process of “adding three” to each letter in your message: Each letter gets bumped to the third-next letter in the alphabet. To decode a message, you subtract three from every letter to get the original message. In this code, you could say that the “key” is the number 3. Anyone who knew the technique and possessed the key could read and write these secret messages.

Although this example is very simplistic, it illustrates the basic idea of numeric encryption. The cryptographic system used by Windows for EFS also uses a numeric technique, but it’s extremely complex and uses a key that is 128 digits long. Such a large number means many possible choices, and that means it would take someone a very long time to guess a key and read an encrypted file.

When you mark a file for encryption, Windows randomly generates such a large number, called a unique file encryption key (FEK), which is used to scramble the contents of just that one file. This unique key is itself scrambled with your own personal file encryption key, an even longer number stored in the Windows Certificate database. The encrypted unique key is then stored along with the file.

When you’re logged in and try to open an encrypted file, Windows retrieves your personal key, decodes the unique key, and uses that key to decode the contents of the file as it’s read off the hard disk.

The reason for the two-step process is to let Windows use a different and unique key for each file. Using different keys provides added security. Even if an attacker managed to guess the key to one file, he or she would have to start fresh to find the key to other files. Yet your personal key can unscramble the unique key to any file you’ve encrypted. It’s a valuable thing, this key, and I’ll tell you how to back it up in a certificate file for safekeeping.

As a backup in case your personal key gets lost, Windows lets each computer or domain administrator designate recovery agents, users who are allowed to decode other people’s encrypted files. Windows also encrypts the unique FEK for each of the recovery agents. It, too, is stored along with the file, and anyone who possesses a recovery key can also read your encrypted files. 

You can use EFS to keep your documents safe from intruders who might gain unauthorized physical access to your sensitive stored data (by stealing your laptop, for example).

Encrypting Offline Files

Offline files are locally stored copies of network files, provided so that you can work with certain types of information while you’re offline or disconnected from the network. These files are not encrypted by default, but you can enable a new feature in Windows 7 that provides this added safety measure.

File encryption provides another level of access protection that—like EFS—operates independently of NTFS permissions. This safeguards your files in the event your drive is removed or the entire system is stolen. You should especially encrypt offline files if you suspect they will contain confidential, private, or sensitive information.

You can enable encryption of offline files by clicking the Encrypt button on the Encryption tab of the Offline Files dialog box, shown in Figure 1. To encrypt offline files, you must first enable offline files on the General tab of a given folder or launch Manage Offline Files from the Start menu using the Search box.

Figure 1. Setting encryption for offline files and data.

When encryption is enabled, the Encrypt button will be grayed out and only the Unencrypt button will be active.


You also can encrypt or decrypt a file or folder using the command-line program CIPHER and the following syntax. If you’ve previously used CIPHER on a Windows XP system, keep in mind that the syntax that CIPHER uses in both Windows Vista and Windows 7 is almost entirely new. Several existing parameters have been removed (/F, /I, and /Q), many new parameters have been added (/B, /C, /W, /X, /Y, /ADDUSER, /REKEY, and /REMOVEUSER), and, by default, CIPHER runs even if an error is encountered, unless you use the new /B parameter. In Windows XP, CIPHER stopped on error.

The following is not an exhaustive list of the CIPHER syntax; execute CIPHER /? at a command prompt for the complete list of parameters and syntax.

CIPHER [/E | /D | /C]
         [/S:directory] [/B] [/H] [pathname [...]]
CIPHER /W:directory
CIPHER /X[:efsfile] [filename]
CIPHER /ADDUSER [/CERTHASH:hash | /CERTFILE:filename]
         [/S:directory] [/B] [/H] [pathname [...]]
CIPHER /REMOVEUSER /CERTHASH:hash
         [/S:directory] [/B] [/H] [pathname [...]]
CIPHER /REKEY [pathname [...]]

The arguments (parameters) are as follows:

  • /B—Aborts if an error is encountered. By default, CIPHER continues executing even if errors are encountered (new option).

  • /C—Displays information on the encrypted file (new option).

  • /D—Decrypts the folder and halts any further encryption on that folder until reactivated.

  • /E—Encrypts the specified directories. Directories are marked so that files added afterward will be encrypted.

  • /H—Displays files with the hidden or system attributes. These files are omitted by default (new option).

  • /K—Creates a new certificate and key for use with EFS. If this option is chosen, all other options are ignored (new option).

  • /N—Works only with /U. Prevents keys from being updated. This is used to find all the encrypted files on the local drives (new option).

  • /R—Generates an EFS recovery agent key and certificate, and then writes them to a PFX file (containing the certificate and private key) and a CER file (containing only the certificate). An administrator can add the contents of the CER file to the EFS recovery policy to create the recovery agent for users and can import the PFX file to recover individual files. If SMARTCARD is specified, it writes the recovery key and certificate to a smart card. A CER file is generated (containing only the certificate). No PFX file is generated.

  • /S—Performs the specified operation on directories in the given directory and all subdirectories.

  • /U—Tries to touch all the encrypted files on local drives. This updates the user’s file encryption key or recovery agent’s key to the current ones if they are changed. This option cannot be combined with any other option except /N.

  • /W—Removes data from available unused disk space on the entire volume. If this option is chosen, all other options are ignored. The directory specified can be anywhere in a local volume. If it is a mount point or points to a directory in another volume, the data on that volume will be removed (new option).

  • /X—Backs up the EFS certificate and keys into file filename. If efsfile is provided, the current user’s certificate(s) used to encrypt the file will be backed up. Otherwise, the user’s current EFS certificate and keys will be backed up (new option).

  • /Y—Displays your current EFS certificate thumbnail on the local PC (new option).

  • /ADDUSER—Adds a user to the specified encrypted file(s). If CERTHASH is provided, CIPHER will search for a certificate with this SHA1 hash. If CERTFILE is provided, CIPHER will extract the certificate from the file (new option).

  • /REKEY—Updates the specified encrypted file(s) to use the configured EFS current key (new option).

  • /REMOVEUSER—Removes a user from the specified file(s). CERTHASH must be the SHA1 hash of the certificate to remove (new option).

  • directory—A directory path.

  • filename—A filename without extensions.

  • pathname—Specifies a pattern, file, or directory.

  • efsfile—An encrypted file path.

Used without parameters, CIPHER displays the encryption state of the current directory and any files it contains. You can use multiple directory names and wildcards. You must put spaces between multiple parameters.
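The two-step key scheme described under How File Encryption Works, together with what /ADDUSER, /REMOVEUSER and /REKEY change on an encrypted file, modelled in Python as an added example (this is not Windows code). It assumes an HMAC-SHA256 counter-mode keystream plus a tag as a stand-in for the block cipher and public-key wrapping that real EFS uses, and a single `ddf` dictionary holding the wrapped copies of the FEK for the owner and recovery agents alike.

```python
import hashlib
import hmac
import secrets

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream (stand-in for EFS's block cipher)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def add_user(record: dict, fek: bytes, name: str, key: bytes) -> None:
    """/ADDUSER analogue: store one more wrapped copy of the FEK; the file body is untouched."""
    nonce = secrets.token_bytes(16)
    tag = hmac.new(key, nonce + fek, hashlib.sha256).digest()[:16]  # lets a wrong key be rejected
    record["ddf"][name] = (nonce, keystream_xor(key, nonce, fek), tag)

def encrypt_file(plaintext: bytes, principals: dict) -> dict:
    """Encrypt under a fresh per-file key, then wrap that key for the owner and each recovery agent."""
    fek, nonce = secrets.token_bytes(16), secrets.token_bytes(16)  # FEK is unique to this one file
    record = {"nonce": nonce, "body": keystream_xor(fek, nonce, plaintext), "ddf": {}}
    for name, key in principals.items():
        add_user(record, fek, name, key)
    return record

def unwrap_fek(record: dict, name: str, key: bytes) -> bytes:
    """Recover the FEK from this principal's wrapped copy, or refuse with Access Denied."""
    entry = record["ddf"].get(name)
    if entry is None:
        raise PermissionError("Access Denied: no wrapped key for " + name)
    nonce, wrapped, tag = entry
    fek = keystream_xor(key, nonce, wrapped)
    if not hmac.compare_digest(tag, hmac.new(key, nonce + fek, hashlib.sha256).digest()[:16]):
        raise PermissionError("Access Denied: this key does not unwrap the FEK")
    return fek

def open_file(record: dict, name: str, key: bytes) -> bytes:
    """Transparent read: unwrap the FEK with the caller's personal key, then decrypt the body."""
    return keystream_xor(unwrap_fek(record, name, key), record["nonce"], record["body"])

def remove_user(record: dict, name: str) -> None:
    """/REMOVEUSER analogue: drop that principal's wrapped copy; nothing else changes."""
    record["ddf"].pop(name, None)

def rekey(record: dict, name: str, old_key: bytes, new_key: bytes) -> None:
    """/REKEY analogue: re-wrap the FEK under a new personal key without touching the body."""
    add_user(record, unwrap_fek(record, name, old_key), name, new_key)
```

Because every principal holds an independently wrapped copy of the same FEK, a recovery agent can open the file without the owner's key, and losing the owner's key matters only if no recovery agent copy was ever written.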

CIPHER Produces Unexpected Results

Although using encryption (EFS) via the right-click menu works the same way as in previous NT-based versions of Windows, changes in the CIPHER command-line encryption tool can cause problems, particularly for users who are accustomed to how CIPHER worked in Windows XP. As with wbadmin, some practice time with noncritical files is a good idea.
