Windows 7 : Protecting Your Data from Loss and Theft - Encrypted File System (part 2) - Securing the Recovery Certificate

9/24/2012 1:19:41 AM

Rules for Using Encrypted Files

When you work with encrypted files and folders, keep in mind the following points:

  • Only files and folders on NTFS volumes can be encrypted.

  • You cannot encrypt files or folders that are compressed. Compression and encryption are mutually exclusive file attributes. If you want to encrypt a compressed file or folder, you must decompress it first.

  • Only the user who encrypted the file and the designated recovery agent(s) can open it. (You’ll learn more about recovery agents shortly.)

  • If you encrypt a file in a shared directory, it is inaccessible to others.

  • Windows 7 displays encrypted files and folders in green (compressed files and folders are displayed in blue).

  • Encrypted files become decrypted if you copy or move the file to a volume or partition that is not formatted with NTFS.

  • You should use Cut and Paste to move files into an encrypted folder. If you use the drag-and-drop method to move files, they are not automatically encrypted in the new folder.

  • System files cannot be encrypted.

  • Encrypting folders or files does not protect them against being deleted, moved, or renamed. Anyone with the appropriate permission level can manipulate encrypted folders or files. (These users just can’t open them.)

  • Temporary files, which are created by some programs when documents are edited, are also encrypted as long as all the files are on an NTFS volume and in an encrypted folder. I recommend that you encrypt the Temp folder on your hard disk for this reason. Encrypting your original files keeps them safe from prying eyes, but programs often leave behind temp files—usually in the Temp folder—and these files remain vulnerable.

  • The page file (used for virtual memory) can be encrypted in Windows 7 through Group Policy settings. You can also configure the Local Security Policy to clear the page file when you shut down the system. Just enable the Shutdown: Clear Virtual Memory Pagefile policy under the Local Policies, Security Options section.

  • On a domain network, you can encrypt or decrypt files and folders located on a remote computer that has been enabled for remote encryption. Check with your system administrator to see whether your company’s servers support this capability. Keep in mind, however, that opening an encrypted file over a network still exposes the contents of that file while it is being transmitted. A network administrator should implement a security protocol such as IPSec to safeguard data during transmission.

  • You should encrypt folders instead of individual files so that if a program creates temporary files and/or saves new copies during editing, they will be encrypted as well.

  • Encrypted files, like compressed folders, perform more slowly than unencrypted ones. If you want maximum performance when folders or files in the folders are being used extensively (for example, by database programs), think twice before encrypting them. You might want to perform benchmark tests using encrypted and unencrypted folders with similar data to determine whether your system can handle the performance hit.
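The rules above are easy to break silently (a file dragged into an encrypted folder, a compressed file that EFS refuses, a folder that turns out to sit on a FAT volume). The script below is an added example, not part of the original article, that audits a folder tree against those rules and reads back the two page-file settings just described. It assumes Windows 7 or later with PowerShell 2.0 or newer; the folder path is a placeholder, and the final fsutil query needs an elevated prompt.

```powershell
# Added example, not from the original article: audit a folder tree against
# the EFS rules listed above. Assumes Windows 7+ with PowerShell 2.0+; the
# page-file checks at the end need an elevated prompt for fsutil.
# Usage: .\Test-EfsFolder.ps1 -Path 'C:\Users\Me\Documents\Private'   (path is a placeholder)
param(
    [Parameter(Mandatory = $true)][string]$Path
)

$encrypted  = [System.IO.FileAttributes]::Encrypted
$compressed = [System.IO.FileAttributes]::Compressed

# Rule: only NTFS volumes can hold encrypted files (a copy to FAT decrypts).
$root  = [System.IO.Path]::GetPathRoot((Resolve-Path $Path).ProviderPath)
$drive = New-Object System.IO.DriveInfo($root)
if ($drive.DriveFormat -ne 'NTFS') {
    Write-Warning "$root is $($drive.DriveFormat), not NTFS; EFS cannot encrypt files on it."
}

$folder = Get-Item -Path $Path -Force
$folderEncrypted = ($folder.Attributes -band $encrypted) -ne 0
"Folder '$($folder.FullName)' encrypted: $folderEncrypted"

# Rules: a file dragged into an encrypted folder can stay in the clear, and a
# compressed file cannot be encrypted until it is decompressed. Flag both.
$report = Get-ChildItem -Path $Path -Recurse -Force |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        $isEnc     = ($_.Attributes -band $encrypted)  -ne 0
        $isComp    = ($_.Attributes -band $compressed) -ne 0
        $parentEnc = ((Get-Item -Path $_.DirectoryName -Force).Attributes -band $encrypted) -ne 0
        $status = if ($isEnc)         { 'encrypted' }
                  elseif ($isComp)    { 'compressed: decompress before encrypting' }
                  elseif ($parentEnc) { 'plaintext inside an encrypted folder' }
                  else                { 'plaintext' }
        New-Object PSObject -Property @{
            File      = $_.FullName
            Status    = $status
            Attention = ($isComp -or (-not $isEnc -and $parentEnc))
        }
    }
$report | Format-Table -Property Attention, Status, File -AutoSize
"Files needing attention: $(@($report | Where-Object { $_.Attention }).Count)"

# Page-file rules: the Clear Virtual Memory Pagefile policy is stored in the
# registry value below; the encrypt-pagefile setting is read with fsutil.
$mm    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$clear = (Get-ItemProperty -Path $mm -Name ClearPageFileAtShutdown -ErrorAction SilentlyContinue).ClearPageFileAtShutdown
"Shutdown: Clear Virtual Memory Pagefile = $(if ($clear -eq 1) { 'Enabled' } else { 'Disabled' })"
fsutil behavior query EncryptPagingFile
```

Run it against the Documents subfolder or the Temp folder you have encrypted; any line with Attention set to True is a file that the folder's green colour in Explorer would lead you to assume is protected when it is not.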

Suggested Folders to Encrypt

I recommend that you encrypt the following folders:

  • Encrypt the Documents library if you save most of your documents there. Encrypting this folder ensures that any personal documents saved there are automatically encrypted. However, a better alternative would be to create a subfolder under Documents library for personal files and encrypt just this folder. This approach relieves you from having to track which files are encrypted and which are not.

  • Encrypt your Temp folder so that any temporary files created by programs are automatically encrypted.


If someone steals your laptop computer or gains physical access to your desktop computer, it’s possible that even with all of Windows 7’s file access security and file encryption, that person can gain access to your files. How? A trick allows this to happen, and you should guard against it. Here’s how it works: By reinstalling the OS from a DVD drive, a thief can set up himself or herself as the system administrator. If the default file recovery certificate is still on the computer at this point, the intruder can view encrypted files. To guard against this situation, you should export the file recovery certificate to a floppy disk or other drive and remove it from the computer.

Protecting and Recovering Encrypted Files

Encrypted files are supposed to be very secure; only the user who creates an encrypted file can unscramble it. But this security hangs on your own personal file encryption key, which is stored in the Windows Certificate database. Where would you be if you accidentally deleted your file encryption certificate, or if your user account was deleted from the system? Could the secret recipe for Aunt Dottie’s zucchini fritters be lost forever this way? Probably not. EFS has a “back door” that lets designated recovery agents open any encrypted file.

The availability of this back door is both good news and bad news. The good news is that encrypted files can be recovered when necessary. The bad news is that this capability opens a potential security risk, and you need to be sure you take measures to protect yourself against it.

Securing the Recovery Certificate

Your capability to recover encrypted files hinges on two factors:

  • Being listed by the Windows Local or Group Security Policy as a designated recovery agent

  • Possessing the file recovery certificate that holds the recovery key data

With a few dirty tricks, it’s possible for someone who steals your computer to get himself or herself in as an administrator and pose as the recovery agent. If you really want to ensure the privacy of your files with EFS, you have to save the file recovery certificate on a floppy disk or other removable medium and remove the certificate from your computer.

To back up and remove the recovery certificate, do the following:

Click the Start button and type mmc in the Search box.


Unless User Account Control (UAC) has been disabled, you must be an Administrator or provide Administrator-level credentials to back up the recovery certificate.

When the Console appears, select File, Add/Remove Snap-In.

When the Add or Remove Snap-Ins dialog box appears, double-click Certificates, select My User Account, then click Finish.

Click OK.

In the left pane, expand Certificates – Current User, Personal, Certificates.

In the middle pane, you should see a certificate listed with its Intended Purposes shown as Encrypting File System, as shown in Figure 3. If this certificate is not present and you’re on a domain network, your domain administrator has done this job for you and you don’t need to proceed any further.

Figure 3. The EFS certificate manager stores keys and certificates to an external location for safekeeping.

Right-click the EFS certificate entry and select All Tasks, Export to launch the Certificate Export Wizard.

Click Next and then select Yes, Export the Private Key, and click Next.

Select Personal Information Exchange and click Next.

Enter a password twice to protect this key. (You must remember this password!)

Specify a path and filename to be used to save the key. If your system has a floppy drive, insert a blank, formatted floppy disk and type the path and filename, such as a:\recovery.pfx (not case sensitive). Otherwise, you can insert a writeable CD or DVD (recommended) or a USB flash memory drive (not recommended for permanent storage) and type the path and filename. If you use CD or DVD media, click Next and then Finish. A dialog box appears stating that the export was successful; click OK.


You should back up and delete the Administrator’s recovery certificate (that’s the procedure you just performed), but don’t delete Administrator as the recovery agent from the Local Security Policy. Leave the Local Security Policy alone. If you delete the entries there, you’ll disable EFS.

Click Finish.
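The same export can be scripted, which is useful when you want to do it on several machines or for both the Administrator's recovery certificate and your own EFS certificate (the next section asks you to repeat the wizard for that). The script below is an added example, not part of the original article. It assumes Windows 7 or later with PowerShell 2.0 or newer, run as the account that holds the certificate (Administrator for the recovery certificate, yourself for your own), and the output path is a placeholder for your floppy, CD/DVD or USB drive. It selects certificates by their Enhanced Key Usage, which is the Intended Purposes column shown in Figure 3, exports them as a password-protected PFX with the private key, and only with -RemoveFromStore deletes them from the store, which is the step the text tells you to take so that no recovery key remains on the computer.

```powershell
# Added example, not from the original article: export the EFS recovery (or
# personal EFS) certificate with its private key to a password-protected PFX,
# then optionally remove it from the Personal store, mirroring the wizard.
# Assumes Windows 7+ with PowerShell 2.0+, run as the account that holds the
# certificate. $OutFile is a placeholder for your removable-media path.
param(
    [string]$OutFile = 'E:\recovery.pfx',   # placeholder: floppy, CD/DVD or USB path
    [switch]$RemoveFromStore
)

$efsOid      = '1.3.6.1.4.1.311.10.3.4'    # Enhanced Key Usage: Encrypting File System
$recoveryOid = '1.3.6.1.4.1.311.10.3.4.1'  # Enhanced Key Usage: File Recovery

# Return the Enhanced Key Usage OIDs of a certificate (the MMC "Intended
# Purposes" column).
function Get-EkuOid([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $oid.Value }
        }
    }
}

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)

# Only a certificate that has its private key and an EFS or File Recovery
# purpose can decrypt anything; ignore everything else in the store.
$candidates = @($store.Certificates | Where-Object {
    $ekus = @(Get-EkuOid $_)
    $_.HasPrivateKey -and (($ekus -contains $efsOid) -or ($ekus -contains $recoveryOid))
})
if ($candidates.Count -eq 0) {
    $store.Close()
    throw 'No EFS or File Recovery certificate with a private key in the Personal store.'
}

# The password protects the PFX on the disk; without it the file is useless.
$password = Read-Host -Prompt 'PFX password (you must remember this)' -AsSecureString

$n = 0
foreach ($cert in $candidates) {
    $purpose = if ((Get-EkuOid $cert) -contains $recoveryOid) { 'File Recovery' } else { 'Encrypting File System' }
    $path    = if ($candidates.Count -eq 1) { $OutFile } else { $OutFile -replace '\.pfx$', "-$n.pfx" }

    # "Yes, export the private key" + "Personal Information Exchange" = a PFX
    # carrying the key. Export throws if the key was created non-exportable.
    $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $password)
    [System.IO.File]::WriteAllBytes($path, $bytes)
    if ((Get-Item -LiteralPath $path).Length -ne $bytes.Length) {
        throw "Write to $path is incomplete; certificate left in place."
    }
    "Exported $purpose certificate $($cert.Thumbprint) to $path ($($bytes.Length) bytes)"

    if ($RemoveFromStore) {
        # Remove the certificate and, for a CAPI RSA key, its key container, so
        # that nothing usable for recovery stays on the computer.
        $rsa = $cert.PrivateKey
        $store.Remove($cert)
        if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $rsa.PersistKeyInCsp = $false
            $rsa.Clear()
        }
        "Removed $($cert.Thumbprint) from the Personal store."
    }
    $n++
}
$store.Close()
```

Run it once without -RemoveFromStore, test the PFX on another account or machine with the import procedure later in this article, and only then run it again with -RemoveFromStore. As the caution above says, this touches only the certificate store; it leaves the recovery agent entry in the Local Security Policy alone.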

Protecting Your Own File Encryption Certificate

If your user account is lost or you accidentally delete your own file encryption certificate some day, you might lose access to your own files. The recovery agent could still help, but you can protect yourself by exporting your own personal EFS certificate. Basically, follow the same procedure as for the local administrator while logged in as a user. Just be sure to have at least one encrypted file before starting the process. Once complete, label the disk EFS for UUU on XXX, where UUU is your user account name and XXX is your computer name. Store it in a safe place.

Recovering Encrypted Files on Your Own Computer

If your user account is deleted or you end up reinstalling Windows from scratch, you’ll lose access to your encrypted files because the Encryption database will be lost. You can log on as Administrator and reinstall the encrypted file recovery certificate, or you can log on as yourself and reinstall your file encryption certificate to get the files back with the following procedure:

Open the Microsoft Management Console (MMC), select File, and select Add/Remove Snap-In. Next, highlight the Certificates snap-in and click Add. Select My User Account and click Finish. Finally, click Close and then click OK.

In the left pane, expand Certificates – Current User, Personal, Certificates.

In the Actions pane, click More Actions and select All Tasks, Import to start the Certificate Import Wizard.

Click Next.

Enter the name of the certificate file—for example, a:\recovery.pfx. Otherwise, you can click Browse and navigate to the drive and folder containing the certificate. To see it, select Personal Information Exchange (*.pfx, *.p12) as the certificate type. Select it and click Open. Click Next.


If you use a migration utility to move EFS-encrypted files and folders from a Windows XP system to a Windows 7 system, be sure to export your EFS certificate from the Windows XP system and import it to the Windows 7 system as described here. Otherwise, you will not be able to access your files.

Enter the password for the certificate, and check Mark the Private Key as Exportable. Click Next twice, and then click Finish.

Click OK on the status box.

You should now be able to access the encrypted files. I suggest that you remove the Encrypted check mark from these files. Log on again as the Normal user of these files, and re-encrypt them if you want.
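The import side of the procedure, scripted as an added example that is not part of the original article. It assumes Windows 7 or later with PowerShell 2.0 or newer, run as the user who needs access (Administrator for the recovery certificate, or yourself for your own certificate); both paths are placeholders. The key storage flags reproduce the wizard's Mark the Private Key as Exportable check box, and the optional check at the end uses cipher.exe /c, which lists the users and recovery agents whose certificate can open each encrypted file, to confirm that the restored key is actually one of them.

```powershell
# Added example, not from the original article: import the PFX saved by the
# export procedure into the current user's Personal store with the private
# key marked exportable, then confirm with cipher.exe /c which encrypted
# files the restored key can open. Assumes Windows 7+ with PowerShell 2.0+;
# $PfxFile and $CheckFolder are placeholders.
param(
    [string]$PfxFile = 'E:\recovery.pfx',   # placeholder: where the PFX was saved
    [string]$CheckFolder                     # optional placeholder: folder holding encrypted files
)

if (-not (Test-Path -LiteralPath $PfxFile)) { throw "PFX not found: $PfxFile" }
$password = Read-Host -Prompt 'PFX password' -AsSecureString

# Exportable = the wizard check box; PersistKeySet keeps the key after import;
# UserKeySet stores it under this user profile rather than the machine.
$ksf   = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]
$flags = $ksf::Exportable -bor $ksf::PersistKeySet -bor $ksf::UserKeySet
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxFile, $password, $flags)
if (-not $cert.HasPrivateKey) { throw 'The PFX has no private key; it cannot decrypt anything.' }

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$store.Add($cert)
$store.Close()
"Imported $($cert.Subject) (thumbprint $($cert.Thumbprint)) with its private key."

# cipher /c prints every user and recovery agent whose certificate can open a
# file, with each certificate's thumbprint; compare against the imported one.
if ($CheckFolder) {
    $encrypted = [System.IO.FileAttributes]::Encrypted
    Get-ChildItem -Path $CheckFolder -Recurse -Force |
        Where-Object { -not $_.PSIsContainer -and (($_.Attributes -band $encrypted) -ne 0) } |
        ForEach-Object {
            $out = (& cipher.exe /c "$($_.FullName)") -join ' '
            # cipher prints thumbprints as spaced hex groups; drop whitespace before matching
            $opens = ($out -replace '\s', '') -match $cert.Thumbprint
            New-Object PSObject -Property @{ File = $_.FullName; OpensWithImportedKey = $opens }
        } | Format-Table -Property OpensWithImportedKey, File -AutoSize
}
```

A file that shows False here was encrypted under a different certificate and the restored key will not help with it. To clear the Encrypted attribute as suggested above before re-encrypting under the normal user account, `cipher.exe /d /s:<folder>` decrypts a folder tree in one step.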
