Rules for Using Encrypted Files
When you work with encrypted files and folders, keep in mind the following points:
- Only files and folders on NTFS volumes can be encrypted.
- You cannot encrypt files or folders that are compressed. Compression and encryption are mutually exclusive file attributes. If you want to encrypt a compressed file or folder, you must decompress it first.
- Only the user who encrypted the file and the designated recovery agent(s) can open it. (You’ll learn more about recovery agents shortly.) If you encrypt a file in a shared directory, it is inaccessible to others.
- Windows 7 displays encrypted files and folders in green (compressed files and folders are displayed in blue).
- Encrypted files become decrypted if you copy or move the file to a volume or partition that is not formatted with NTFS.
- You should use Cut and Paste to move files into an encrypted folder. If you use the drag-and-drop method to move files, they are not automatically encrypted in the new folder.
- System files cannot be encrypted.
- Encrypting folders or files does not protect them against being deleted, moved, or renamed. Anyone with the appropriate permission level can manipulate encrypted folders or files. (These users just can’t open them.)
- Temporary files, which are created by some programs when documents are edited, are also encrypted as long as all the files are on an NTFS volume and in an encrypted folder. I recommend that you encrypt the Temp folder on your hard disk for this reason. Encrypting your original files keeps them safe from prying eyes, but programs often leave behind temp files—usually in the Temp folder—and these files remain vulnerable.
- The page file (used for virtual memory) can be encrypted in Windows 7 through Group Policy settings. You can also configure the Local Security Policy to clear the page file when you shut down the system. Just enable the Shutdown: Clear Virtual Memory Pagefile policy under the Local Policies, Security Options section.
- On a domain network, you can encrypt or decrypt files and folders located on a remote computer that has been enabled for remote encryption. Check with your system administrator to see whether your company’s servers support this capability. Keep in mind, however, that opening an encrypted file over a network still exposes the contents of that file while it is being transmitted. A network administrator should implement a security protocol such as IPSec to safeguard data during transmission.
- You should encrypt folders instead of individual files so that if a program creates temporary files and/or saves new copies during editing, they will be encrypted as well.
- Encrypted files, like compressed folders, perform more slowly than unencrypted ones. If you want maximum performance when folders or files in the folders are being used extensively (for example, by database programs), think twice before encrypting them. You might want to perform benchmark tests using encrypted and unencrypted folders with similar data to determine whether your system can handle the performance hit.
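The rules above can be checked and applied from a script rather than through Explorer. The following PowerShell is an added example and not code from the book: it inspects a folder for the conditions that block EFS (non-NTFS volume, compressed or system attributes), uncompresses a compressed tree before encrypting it, marks the folder so that files added later are encrypted too, and reads the registry value behind the Shutdown: Clear Virtual Memory Pagefile option. It assumes Windows PowerShell on Windows 7 or later with cipher.exe and compact.exe on the PATH; the Documents\Private subfolder in the usage section is a constructed path.

```powershell
# Added example, not from the book: check a folder against the EFS rules
# (NTFS only, compression excluded, system files excluded) and then encrypt it
# so that existing files and files added later are both encrypted.
# Assumes Windows PowerShell on Windows 7 or later with cipher.exe and compact.exe
# on the PATH. Folder paths in the usage section are constructed.

function Get-EfsStatus {
    param([Parameter(Mandatory = $true)][string]$Path)

    $item  = Get-Item -LiteralPath $Path -ErrorAction Stop
    $attrs = $item.Attributes
    # Volume format: EFS only works on NTFS, and a copy to a non-NTFS volume is stored in the clear.
    try {
        $fs = (New-Object System.IO.DriveInfo([System.IO.Path]::GetPathRoot($item.FullName))).DriveFormat
    } catch {
        $fs = 'unknown (remote path)'   # DriveInfo does not accept UNC paths
    }
    [pscustomobject]@{
        Path       = $item.FullName
        FileSystem = $fs
        Encrypted  = [bool]($attrs -band [IO.FileAttributes]::Encrypted)
        Compressed = [bool]($attrs -band [IO.FileAttributes]::Compressed)
        IsSystem   = [bool]($attrs -band [IO.FileAttributes]::System)
    }
}

function Protect-EfsFolder {
    param([Parameter(Mandatory = $true)][string]$Path)

    $s = Get-EfsStatus -Path $Path
    if ($s.FileSystem -ne 'NTFS') { throw "Refusing to encrypt $($s.Path): file system is $($s.FileSystem), not NTFS." }
    if ($s.IsSystem)              { throw "Refusing to encrypt $($s.Path): system files and folders cannot be encrypted." }
    if ($s.Compressed) {
        # Compression and encryption are mutually exclusive, so uncompress the whole tree first.
        & compact.exe /u /s:"$($s.Path)"
        if ($LASTEXITCODE -ne 0) { Write-Warning "compact.exe reported errors (exit code $LASTEXITCODE)." }
    }
    # /e marks the folder so files added later are encrypted; /s also encrypts what is already inside.
    & cipher.exe /e /s:"$($s.Path)"
    if ($LASTEXITCODE -ne 0) { Write-Warning "cipher.exe reported errors (exit code $LASTEXITCODE); files that were in use may not have been encrypted." }
    Get-EfsStatus -Path $Path
}

function Get-ClearPageFileAtShutdown {
    # Registry value behind the "Shutdown: Clear virtual memory pagefile" security option.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $v = (Get-ItemProperty -Path $key -Name ClearPageFileAtShutdown -ErrorAction SilentlyContinue).ClearPageFileAtShutdown
    return ($v -eq 1)
}

# Usage: a private subfolder under Documents (as the book recommends) and the Temp folder.
$private = Join-Path $env:USERPROFILE 'Documents\Private'   # constructed path
New-Item -ItemType Directory -Path $private -Force | Out-Null
Protect-EfsFolder -Path $private
Protect-EfsFolder -Path $env:TEMP
"Page file cleared at shutdown: $(Get-ClearPageFileAtShutdown)"
```

Get-EfsStatus reports the Encrypted and Compressed attributes separately so you can see the mutual exclusion in practice: a folder never shows both as true, and Protect-EfsFolder clears compression before it asks cipher.exe to encrypt. Files that a running program has open may be skipped by cipher.exe, which is why the function warns rather than fails when the tool returns a non-zero exit code.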
Suggested Folders to Encrypt
I recommend that you encrypt the following folders:
- Encrypt the Documents library if you save most of your documents there. Encrypting this folder ensures that any personal documents saved there are automatically encrypted. However, a better alternative would be to create a subfolder under Documents library for personal files and encrypt just this folder. This approach relieves you from having to track which files are encrypted and which are not.
- Encrypt your Temp folder so that any temporary files created by programs are automatically encrypted.
Caution: If someone steals your laptop computer or gains physical access to your desktop computer, it’s possible that even with all of Windows 7’s file access security and file encryption, that person can gain access to your files. How? A trick allows this to happen, and you should guard against it. Here’s how it works: By reinstalling the OS from a DVD drive, a thief can set up himself or herself as the system administrator. If the default file recovery certificate is still on the computer at this point, the intruder can view encrypted files. To guard against this situation, you should export the file recovery certificate to a floppy disk or other drive and remove it from the computer.
Protecting and Recovering Encrypted Files
Encrypted files are
supposed to be very secure; only the user who creates an encrypted file
can unscramble it. But this security hangs on your own personal file
encryption key, which is stored in the Windows Certificate database. Where would you be if you accidentally
deleted your file encryption certificate, or if your user account was
deleted from the system? Could the secret recipe for Aunt Dottie’s
zucchini fritters be lost forever this way? Probably not. EFS has a
“back door” that lets designated recovery agents open any encrypted
file.
The availability of this
back door is both good news and bad news. The good news is that
encrypted files can be recovered when necessary. The bad news is that
this capability opens a potential security risk, and you need to be sure
you take measures to protect yourself against it.
Securing the Recovery Certificate
Your capability to recover encrypted files hinges on two factors:
With a few dirty
tricks, it’s possible for someone who steals your computer to get
himself or herself in as an administrator and pose as the recovery
agent. If you really want to ensure the privacy of your files with EFS,
you have to save the file recovery certificate on a floppy disk or other
removable medium and remove the certificate from your computer.
To back up and remove the recovery certificate, do the following:
1. Click the Start button and type mmc in the Search box.
Note: Unless User Account Control (UAC) has been disabled, you must be an Administrator or provide Administrator-level credentials to back up the recovery certificate.
2. When the Console appears, select File, Add/Remove Snap-In.
3. When the Add or Remove Snap-Ins dialog box appears, double-click Certificates, select My User Account, then click Finish.
4. Click OK.
5. In the left pane, expand Certificates – Current User, Personal, Certificates.
6. In the middle pane, you should see a certificate listed with its Intended Purposes shown as Encrypting File System, as shown in Figure 3. If this certificate is not present and you’re on a domain network, your domain administrator has done this job for you and you don’t need to proceed any further.
7. Right-click the EFS certificate entry and select All Tasks, Export to launch the Certificate Export Wizard.
8. Click Next and then select Yes, Export the Private Key, and click Next.
9. Select Personal Information Exchange and click Next.
10. Enter a password twice to protect this key. (You must remember this password!)
11. Specify a path and filename to be used to save the key. If your system has a floppy drive, insert a blank, formatted floppy disk and type the path and filename, such as a:\recovery.pfx (not case sensitive). Otherwise, you can insert a writeable CD or DVD (recommended) or a USB flash memory drive (not recommended for permanent storage) and type the path and filename. If you use CD or DVD media, click Next and then Finish. A dialog box appears stating that the export was successful; click OK.
Caution: You should back up and delete the Administrator’s recovery certificate (that’s the procedure you just performed), but don’t delete Administrator as the recovery agent from the Local Security Policy. Leave the Local Security Policy alone. If you delete the entries there, you’ll disable EFS.
12. Click Finish.
Protecting Your Own File Encryption Certificate
If
your user account is lost or you accidentally delete your own file
encryption certificate some day, you might lose access to your own
files. The recovery agent could still help, but you can protect yourself
by exporting your own personal EFS certificate. Basically, follow the
same procedure as for the local administrator while logged in as a user.
Just be sure to have at least one encrypted file before starting the
process. Once complete, label the disk EFS for UUU on XXX, where UUU is your user account name and XXX is your computer name. Store it in a safe place.
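The export the wizard performs in the steps above, both for the Administrator’s recovery certificate and for your own EFS certificate, can also be scripted. The PowerShell below is an added example and not code from the book: it locates certificates in the current user’s Personal store whose purpose is Encrypting File System or File Recovery, exports the selected one with its private key to a password-protected PFX (the wizard’s Yes, Export the Private Key and Personal Information Exchange choices), reads the file back to verify it, and can then remove the certificate entry from the store. The two object identifiers are the standard enhanced key usage OIDs for those purposes; the E:\ removable drive in the usage section is a constructed path, and the file name follows the book’s EFS for UUU on XXX label.

```powershell
# Added example, not from the book: export the EFS (or File Recovery) certificate and
# its private key to a password-protected PFX file, verify the file, and optionally
# remove the certificate entry from the store. Serves both the recovery certificate
# procedure and the backup of your own EFS certificate. Assumes Windows PowerShell on
# Windows 7 or later; the output drive letter in the usage section is constructed.

$EfsOid      = '1.3.6.1.4.1.311.10.3.4'    # enhanced key usage "Encrypting File System"
$RecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'  # enhanced key usage "File Recovery" (recovery agent)

function Get-EfsCertificate {
    # Certificates in the current user's Personal store that carry a private key and an
    # EFS or File Recovery purpose: the entries the MMC lists under Intended Purposes.
    Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        $cert = $_
        $usages = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            Where-Object { $_.Value -eq $EfsOid -or $_.Value -eq $RecoveryOid }
        $cert.HasPrivateKey -and (@($usages).Count -gt 0)
    }
}

function Export-EfsCertificate {
    param(
        [Parameter(Mandatory = $true)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory = $true)][string]$OutFile,
        [Parameter(Mandatory = $true)][securestring]$Password,
        [switch]$RemoveFromStore   # the book's "remove it from the computer"; for the recovery certificate only
    )
    try {
        $pfx = $Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $Password)
    } catch {
        throw "Private key of certificate $($Certificate.Thumbprint) could not be exported: $($_.Exception.Message)"
    }
    [System.IO.File]::WriteAllBytes($OutFile, $pfx)

    # Read the file back before relying on it as a backup: a certificate-only export or a
    # corrupt file fails here instead of during a future recovery.
    $check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($OutFile, $Password, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
    if ($check.Thumbprint -ne $Certificate.Thumbprint -or -not $check.HasPrivateKey) {
        throw "Verification of $OutFile failed; do not remove the certificate from the store."
    }
    if ($RemoveFromStore) {
        # Removes the certificate entry from the Personal store; only after verification succeeded.
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
        $store.Open('ReadWrite')
        $store.Remove($Certificate)
        $store.Close()
    }
    Get-Item -LiteralPath $OutFile
}

# Usage: name the file the way the book says to label the disk, "EFS for UUU on XXX".
$cert = Get-EfsCertificate | Select-Object -First 1
if (-not $cert) { throw 'No EFS certificate found. Encrypt at least one file first, or a domain recovery agent applies.' }
$pw  = Read-Host -AsSecureString -Prompt 'Password to protect the PFX (you must remember it)'
$out = Join-Path 'E:\' "EFS for $env:USERNAME on $env:COMPUTERNAME.pfx"   # E:\ = removable drive, constructed
Export-EfsCertificate -Certificate $cert -OutFile $out -Password $pw
```

Run it while logged on as the account whose certificate you want to back up (Administrator for the recovery certificate, your own account for your EFS certificate), and pass -RemoveFromStore only for the recovery certificate and only after the PFX has been copied off the computer. Windows 7 also ships cipher /x, which writes the current user’s EFS certificate and key to a PFX after prompting for a password; the script above does the same work but lets you verify the result and choose the certificate.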
Recovering Encrypted Files on Your Own Computer
If your user account is
deleted or you end up reinstalling Windows from scratch, you’ll lose
access to your encrypted files because the Encryption database will be
lost. You can log on as Administrator and reinstall the encrypted file
recovery certificate, or you can log on as yourself and reinstall your
file encryption certificate to get the files back with the following
procedure:
1. Open the Microsoft Management Console (MMC), select File, and select Add/Remove Snap-In. Next, highlight the Certificates snap-in and click Add. Select My User Account and click Finish. Finally, click Close and then click OK.
2. In the left pane, expand Certificates – Current User, Personal, Certificates.
3. In the Actions pane, click More Actions and select All Tasks, Import to start the Certificate Import Wizard.
4. Click Next.
5. Enter the name of the certificate file—for example, a:\recovery.pfx. Otherwise, you can click Browse and navigate to the drive and folder containing the certificate. To see it, select Personal Information Exchange (*.pfx, *.p12) as the certificate type. Select it and click Open. Click Next.
Note: If you use a migration utility to move EFS-encrypted files and folders from a Windows XP system to a Windows 7 system, be sure to export your EFS certificate from the Windows XP system and import it to the Windows 7 system as described here. Otherwise, you will not be able to access your files.
6. Enter the password for the certificate, and check Mark the Private Key as Exportable. Click Next twice, and then click Finish.
7. Click OK on the status box.
You
should now be able to access the encrypted files. I suggest that you
remove the Encrypted check mark from these files. Log on again as the
Normal user of these files, and re-encrypt them if you want.
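The import side of the recovery procedure above, as an added PowerShell example that is not code from the book: it loads the exported PFX into the current user’s Personal store with the private key marked exportable (step 6 of the wizard), uses cipher /c to show which users and recovery agents can open a given encrypted file, and then clears the file’s Encrypted attribute as the closing paragraph suggests, so that the normal user can re-encrypt it later. It assumes Windows PowerShell on Windows 7 or later; the PFX path and the document path in the usage section are constructed.

```powershell
# Added example, not from the book: import an exported EFS certificate (.pfx) into the
# current user's Personal store with the private key marked exportable, check which
# accounts can open an encrypted file, and clear its Encrypted attribute.
# Assumes Windows PowerShell on Windows 7 or later; paths in the usage section are constructed.

function Import-EfsCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$PfxPath,
        [Parameter(Mandatory = $true)][securestring]$Password
    )
    # Exportable = "Mark the private key as exportable"; PersistKeySet keeps the key after
    # this session ends; UserKeySet stores it under this user, where EFS looks for it.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'Exportable, UserKeySet, PersistKeySet'
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $Password, $flags)
    if (-not $cert.HasPrivateKey) { throw "$PfxPath carries no private key, so it cannot decrypt anything." }

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
    $store.Open('ReadWrite')
    $store.Add($cert)     # adding a certificate that is already present is a no-op
    $store.Close()
    return $cert
}

function Test-EfsAccess {
    # cipher /c prints the users and recovery agents whose certificates can open the file.
    param([Parameter(Mandatory = $true)][string]$Path)
    & cipher.exe /c $Path
}

function Unprotect-EfsFile {
    # Clears the Encrypted attribute (the book's "remove the Encrypted check mark") so the
    # file can later be re-encrypted under the normal user's own key. Returns $false when
    # the attribute is gone.
    param([Parameter(Mandatory = $true)][string]$Path)
    [System.IO.File]::Decrypt($Path)
    [bool]((Get-Item -LiteralPath $Path).Attributes -band [IO.FileAttributes]::Encrypted)
}

# Usage (constructed paths)
$pw   = Read-Host -AsSecureString -Prompt 'Password of the PFX'
$cert = Import-EfsCertificate -PfxPath 'E:\recovery.pfx' -Password $pw
"Imported $($cert.Subject), thumbprint $($cert.Thumbprint)"
$doc = 'C:\Users\OldAccount\Documents\Private\recipe.txt'
Test-EfsAccess -Path $doc
Unprotect-EfsFile -Path $doc
```

Log on as the account that should own the key before running the import: the key lands in that user’s key store, and EFS matches the file’s encryption metadata against the certificates in that user’s Personal store. If cipher /c does not list the imported certificate’s holder for the file, the PFX you imported is not the one the file was encrypted with (or is not the recovery agent’s), and decryption will fail with an access-denied error.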