Encrypting File System (EFS)

What is EFS?

Since we got the green light to do some XP Pro tips and tricks, I have been trying to figure out which of the many new security tips I should run first. I decided to go with file encryption, which, in case you are unfamiliar with the term, is a way to lock down either files or folders. This option is only available in XP Pro with separate accounts set up for the different users. The file system also has to be NTFS; it will not work on FAT16 or FAT32, which older operating systems such as Windows 95/98 used. Using file encryption is also a good way to lose data if you’re not paying attention or disregard some of our suggested safety precautions. Well, with that out of the way, let’s learn how to encrypt a file.

NOTE: I suggest you read through the whole tip before attempting.

First, like I stated, this isn’t going to work if everyone using the PC is using the same user account. Second, you can only encrypt files if you are the administrator, with password authentication set up (the account doesn’t have to be password protected, but it really should be). If you meet these criteria then press on. Let’s create a practice folder and see how this whole thing plays out. If this is not the way your user accounts are set up and you are interested, then slide on over to yesterday’s newsletter (2/15/05) to learn how to make a new account…


How to Encrypt Files

Create a folder on your desktop: right-click/New/Folder. Name it “Test encryption” and press Enter. Create some files in this test folder. It doesn’t matter what they are; it’s just for testing (though I suggest nothing important). Once this is done, right-click the folder, choose Properties, and on the “General” tab select the “Advanced” button, then check “Encrypt contents to secure data”. This will encrypt the folder and no other user will be able to open the data. They will, however, be able to see the folder and open it, but none of the files will open. Actually, the files come up with a message stating that you do not have permission to open them if you are not authorized to do so.

Something you may notice as you look at the folder or encrypted file in Windows Explorer is that the name of the file/folder is a different color. Windows does this by default with compressed (blue) and encrypted (green) folders, but it can be turned off by going to Control Panel/Folder Options/View and unchecking the option “Show encrypted or compressed NTFS files in color”. This way the files don’t draw attention to themselves when viewed by other users, which is a good thing, but it is in no way necessary.

Well, it’s that easy. After you’ve encrypted the folder, switch users and try to open the folder; you should get the “access denied” message. When logged in as the administrator that created the file/folder, it should open as any other unencrypted file/folder would.

There are some pitfalls to watch out for, and I suggest you read this portion carefully and heed my warnings with great care, or you could lose your important data. First, and I feel most importantly, back up your data to removable media, preferably a CD/DVD, and keep it in a secure area. You don’t need to decrypt the data every time you want to create a CD: when you burn with XP the encryption does not follow the data onto the disc, so anyone who has the media can open it. This backup is imperative if you need this data and have some sort of PC emergency that is stopping you from accessing it on your PC. I say this mainly because if something comes up and you have to restore your system or reset the password, you will lose the ability to open the encrypted data.


Backing Up Private Certificates

Now that we’ve covered the basics, let’s get into how to back up your private certificates. These allow you to be recognized as the owner of the file and thus allowed to open it. Let’s say you inadvertently change your user account, or you have a system crash, and now you can’t access your encrypted files. I know that you saved a backup of this data for just such an emergency, but what if it’s been a while since you saved it? What if there’s new data in the encrypted folder that you didn’t get a chance to save and now it appears unrecoverable? What do you do?

Well, if you are a Worldstart reader armed with the right answers, then you probably have your decrypting keys backed up to some sort of removable media, which will allow you to recover this otherwise lost data. Backing up and recovering encrypted files is what I’m really going to focus on in the next two parts of this article.

Whenever you create an encrypted file, Windows creates what it calls a “certificate”. Certificates are special identifiers that Windows binds to users. Everybody has their own unique certificate, which is created in one of several ways. Windows will create one for you if you attempt to encrypt a folder; it must, for this is what it uses to identify you as having permission to open this folder. I won’t get into folder permissions in this article or we’ll be here for a week (maybe in a later article). The certificates can be used for other things as well, but today I’m concentrating on file encryption.

If you change your user account, or have to reinstall Windows, your certificate will be lost and you will not be able to recover your encrypted files. Never fear: you can easily back up this certificate by following the procedure below and then recover your data by reinstalling the certificate.

Backing up and Removing the recovery certificate:

1. You have to encrypt at least one file on your PC—this will prompt Windows to create a certificate for your user account.

2. Log on as the local administrator (usually the main account on the PC, and it should be password protected).

3. Start a Microsoft Management Console by going to Start/Run and in the field type “mmc” (without the quotes) and select OK.

4. Choose File, then Add/Remove Snap-in. Select Add. Next, highlight the “Certificates” snap-in and click Add. Select “My user account” and click Finish. Finally, click Close and then click OK.

5. In the left pane, expand Certificates - Current User/Personal/Certificates.

6. In the right pane, you should see a certificate listed with its Intended Purposes as “Encrypting File System”.

7. Right-click the EFS certificate entry, and select All Tasks/Export to launch the Certificate Export Wizard.

8. Click Next, then select “Yes, export the private key” and click Next. Select “Personal Information Exchange”, uncheck “Enable strong protection”, and uncheck “Delete the private key if the export is successful”, then click Next.

9. You’re going to have to enter a password twice to secure the key (don’t forget this password) and click Next.

10. This next step is where you enter the path to the location where you would like to save this private key. If you want to put it on a floppy, CD, or other removable media, enter the path to that location. Windows XP can burn information to CDs natively, but you have to tell Windows that you want to write the data to the disc. Keep this in mind so that when you are finished with the Export Wizard you can finish the burn process. Here’s a link to an earlier article on how to burn CDs with XP.

11. Right-click the certificate entry again, and select Delete.

12. You are going to want to label and secure this disk.
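As an added example that is not part of the original article, here is the encrypt step from part one and the key-backup steps above done from a command prompt with cipher.exe, which ships with XP Pro. It assumes an NTFS drive, that you run it from the account that owns the files, and that the /x switch is available (it arrived with XP SP2, so treat that as an assumption on an older install).

```batch
@echo off
rem Added example, not part of the original article: the article's encrypt
rem and key-backup steps done with cipher.exe instead of the Explorer/MMC GUI.
rem Assumptions: NTFS volume, run as the account that owns the files, and
rem cipher /x available (added in XP SP2; check "cipher /?" on your machine).
setlocal

set "TESTDIR=%USERPROFILE%\Desktop\Test encryption"
set "KEYBACKUP=%USERPROFILE%\Desktop\efs-key-backup"

rem 1. Practice folder with a throwaway file, as in part one of the article.
if not exist "%TESTDIR%" mkdir "%TESTDIR%"
echo dummy data for the EFS test> "%TESTDIR%\sample.txt"

rem 2. Encrypt the folder and its contents: /e encrypt, /s recurse into the
rem    folder, /a apply to files as well as the folder attribute.
cipher /e /s:"%TESTDIR%" /a
if errorlevel 1 (
    echo Encryption failed: is the drive NTFS and are you the file owner?
    exit /b 1
)

rem 3. Verify. cipher lists each entry with E (encrypted) or U (unencrypted);
rem    anything still marked U is readable by every account on the PC.
cipher "%TESTDIR%\*"

rem 4. Back up the EFS certificate and private key to a password-protected
rem    .pfx, the same kind of file the Certificate Export Wizard writes.
rem    cipher asks for the password; copy the result to removable media, then
rem    delete it from the hard drive so the key is not sitting next to the data.
cipher /x "%KEYBACKUP%"
if exist "%KEYBACKUP%.pfx" (
    echo Key backup written to "%KEYBACKUP%.pfx". Move it off this PC now.
) else (
    echo No .pfx produced. Fall back to the MMC export steps above.
)
endlocal
```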


How to Use Certificate Back-ups

If something should happen to affect the opening of encrypted files, such as changing your user account or some system instability, this is where your backed-up keys come into play. My philosophy is: don’t wait for a catastrophe to learn how to recover your system.

So with that said let’s take a look at how to restore your certificate, which will allow you to open these files once again.

1. You need to encrypt at least one file on your PC—this will prompt Windows to create a certificate for your user account.

2. Log on as the local administrator (usually the main account on the PC, and it should be password protected).

3. Start a Microsoft Management Console by going to Start/Run and in the field type “mmc” (without the quotes) and select OK.

4. Go to File, Add/Remove snap-in and click the Add button. Next, highlight the “Certificates” snap-in and click Add. Choose the “My User Account” radio button and click Finish. Finally, click Close and then click OK.

5. In the left pane, expand “Certificates-Current User” by clicking the + sign. Proceed to “Personal” then “Certificates”.

6. In the right pane, right-click and select “All Tasks” then “Import” to start the Certificate Import Wizard.

7. Click Next. Enter the name of the certificate file you exported (or browse to it) and click Next.

8. Enter the password for the certificate, and check “Mark this key as exportable”. Click Next twice, and then click Finish.

You should now be able to open the files that you couldn’t before.

Just a few suggestions before I wrap things up:

* From part one of this article, remember to back up any important data before you attempt to encrypt it. You wouldn’t be encrypting the data if it weren’t important or sensitive.

* If you choose to use or try out EFS, I suggest testing it on dummy files until you get the hang of it. The first time it may seem a little strange or confusing, but it will seem simple after you have done it two or three times.

All right, you should be all set. You now have the tools to encrypt your folders, back up the encrypted data, back up your certificate keys and restore them. I hope you found the articles informative, if not useful, and remember that these private keys or certificates are used for other things besides encryption, but that’s for another article.

Stay safe out there,

~ Chad

Chad Stelnicki
