Special Edition Using Microsoft Windows XP Professional (3rd Edition)

The Encrypting File System (EFS) provides the core file encryption technology used to store encrypted files on NTFS volumes. When a file is encrypted, the data stored on the hard disk is scrambled in a very secure way. Encryption is transparent to the user who encrypted the file; you do not have to "decrypt" an encrypted file before you can use it. You can work with an encrypted file just as you would any other file; you can open and change the file as necessary. However, any other user or an intruder who tries to access your encrypted files is prevented from doing so. Only the original owner and the computer's designated recovery agent can get into encrypted files. Anyone else receives an Access Denied message when trying to open or copy your encrypted file.

Folders can be marked as encrypted, too. What this means is that any file created in or copied to an encrypted folder is automatically encrypted. The folder itself isn't encrypted, though. Anyone with the proper file access permissions can see the names of the files in it.

To learn more details about recovery agents and how to recover and decrypt files when the username and password of the encryptor have been lost, see p. 1132.

NOTE

EFS encryption only protects the files while they reside on the NTFS volume. Once they are accessed for use by an application, they are decrypted by the file system drivers. This means that files that are encrypted on the drive are not encrypted in memory while being used by an application. This also means that transferring files over the network is done without encryption. Any file action that performs a copy (which includes moves across partitions or volumes) will inherit the settings of its new container. In other words, if the new container is not encrypted, the new file will not be encrypted either, even if it was encrypted in its previous location. If you back up EFS-protected files, they are stored on the backup media in their normal form, not encrypted. EFS only protects files on the hard drive, nowhere else. Use EFS only when expressly needed. EFS will cause significant performance reduction if a significant number of commonly accessed files are encrypted, due to the CPU processing required to decrypt them for use.

You encrypt or decrypt a folder or file by setting the encryption property for the folder or file just as you set any other attribute, such as read-only, compressed, or hidden (see Figure 29.8).

Figure 29.8. Setting encryption for a specific folder.

After you set the option to encrypt a folder and click OK on a folder's Properties dialog, you are prompted to confirm the attribute change. From this dialog, you can set the option to encrypt all the subfolders and files within the folder you are encrypting.

It is recommended that you encrypt at the folder level rather than mark individual files so that new files added to the folder will also be encrypted. This point is crucial because most editing programs write a new copy of the file each time you save changes and then delete the original. If the folder containing an encrypted file isn't marked for encryption, too, editing an encrypted file would result in your saving an unencrypted version.

How File Encryption Works

As a kid, you probably played around with simple codes and ciphers in which you exchanged the letters of a message: D for A, E for B, and so on. You might look at this as the process of "adding three" to each letter in your message: Each letter gets bumped to the third next letter in the alphabet. To decode a message, you subtracted three from every letter to get the original message back. In this code, you could say that the "key" is the number three. Anyone knowing the technique and possessing the key could read and write these secret messages.

Although this example is very simplistic, it illustrates the basic idea of numeric encryption. The cryptographic system used by Windows for the Encrypted File System also uses a numeric technique, but it's extremely complex and uses a key that is 128 digits long. Such a large number means many possible choices, and that means it would take someone a very long time to guess a key and read an encrypted file.

When you mark a file for encryption, Windows randomly generates such a large number, called a unique file encryption key (FEK), which is used to scramble the contents of just that one file. This unique key is itself scrambled with your own personal file encryption key, an even longer number stored in the Windows Certificate database. The encrypted unique key is then stored along with the file.

When you're logged in and try to open an encrypted file, Windows retrieves your personal key, decodes the unique key, and uses that key to decode the contents of the file as it's read off the hard disk.

The reason for the two-step process is to let Windows use a different and unique key for each file. Using different keys provides added security. Even if an attacker managed to guess the key to one file, he or she would have to start afresh to find the key to other files. Yet your personal key can unscramble the unique key to any file you've encrypted. It's a valuable thing, this key, and I'll tell you how to back it up in a certificate file for safekeeping.

As a backup in case your personal key gets lost, Windows lets each computer or domain administrator designate recovery agents, users who are allowed to decode other people's encrypted files. Windows also encrypts the unique FEK for each of the recovery agents. It, too, is stored along with the file, and anyone possessing a recovery key can also read your encrypted files. You'll learn about the benefits and risks of this system in "Protecting and Recovering Encrypted Files" later in this chapter.

You can use EFS to keep your documents safe from intruders who might gain unauthorized physical access to your sensitive stored data (by stealing your laptop, for example).

You also can encrypt or decrypt a file or folder using the command line and the following syntax (the following is not an exhaustive list of the cipher syntax; execute cipher /? at a command prompt for the complete list of parameters and syntax):

CIPHER [/E | /D] [/S:dir] [/I] [/F] [/Q] [dirname [...]]

The arguments are as follows:

  /E        Encrypts the specified directories. Directories are marked so that files added afterward will be encrypted.

  /D        Decrypts the folder and halts any further encryption on that folder until reactivated.

  /S        Forces the CIPHER command to be recursive; that is, it encrypts all files and folders in the specified folder and all subfolders below it.

  /I        By default, the CIPHER command stops when an error is encountered. This parameter forces the encryption process to continue even if errors occur.

  /F        Forces the encryption operation on all specified directories, even those already encrypted. Already-encrypted directories are skipped by default.

  /Q        Reports only the most essential information about a file or folder's encrypted status.

  dirname   Specifies a pattern or directory.

Used without parameters, CIPHER displays the encryption state of the current directory and any files it contains. You can use multiple directory names and wildcards, but you must place spaces between parameters.

Rules for Using Encrypted Files

When you work with encrypted files and folders, keep in mind the following points:

  • Only files and folders on NTFS volumes can be encrypted.

  • You cannot encrypt files or folders that are compressed. Compression and encryption are mutually exclusive file attributes. If you want to encrypt a compressed file or folder, you must decompress it first.

  • Only the user who encrypted the file and the designated recovery agent(s) can open it. (You'll learn more about recovery agents shortly.)

  • If you encrypt a file in a shared directory, it is inaccessible to others. Windows XP displays the names of encrypted files in green, just as it displays compressed files in blue.

  • Encrypted files become decrypted if you copy or move the file to a volume or partition that is not formatted with NTFS.

  • You should use Cut and Paste to move files into an encrypted folder. If you use the drag-and-drop method to move files, they are not automatically encrypted in the new folder.

  • System files cannot be encrypted.

  • Encrypting folders or files does not protect them against being deleted, moved, or renamed. Anyone with the appropriate permission level can manipulate encrypted folders or files. (These users just can't open them.)

  • Temporary files, which are created by some programs when documents are edited, are also encrypted as long as all the files are on an NTFS volume and in an encrypted folder. I recommend that you encrypt the Temp folder on your hard disk for this reason. Encrypting your original files keeps them safe from prying eyes, but programs often leave temp files behind (usually in the Temp folder), and these files remain vulnerable.

    NOTE

    The paging file is also a problem in this regard and unfortunately cannot be protected directly, as far as I know. However, you can configure the Local Security Policy to clear the pagefile when you shut down the system. Just enable the "Shutdown: Clear virtual memory pagefile" policy under the Local Policies, Security Options section.

  • On a domain network, you can encrypt or decrypt files and folders located on a remote computer that has been enabled for remote encryption. Check with your system administrator to see whether your company's servers support this capability. Keep in mind, however, that opening an encrypted file over a network still exposes the contents of that file while it is being transmitted. A network administrator should implement a security protocol such as IPSec to safeguard data during transmission.

  • You should encrypt folders instead of individual files so that if a program creates temporary files and/or saves new copies during editing, they will be encrypted as well.

  • Encrypted files, like compressed folders, perform more slowly than unencrypted ones. If you want maximum performance when folders or files in the folders are being used extensively (for example, by database programs), think twice before encrypting them.

Suggested Folders to Encrypt

I recommend that you encrypt the following folders:

  • Encrypt the My Documents folder if you save most of your documents there. Encrypting this folder ensures that any personal documents saved there are automatically encrypted. However, a better alternative would be to create a subfolder under My Documents for personal files and encrypt just this folder. This approach relieves you from having to track which files are encrypted and which are not.

  • Encrypt your Temp folder so that any temporary files created by programs are automatically encrypted.

CAUTION

If someone steals your laptop computer or gains physical access to your desktop computer, it's possible that even with all of Windows XP's file access security and file encryption, that person can gain access to your files. How? There is a trick that allows this to happen, and you should guard against it. Here's how it works: By reinstalling the operating system from a CD-ROM, a thief can set up himself or herself as the system administrator. If the default file recovery certificate is still on the computer at this point, the intruder can view encrypted files. To guard against this situation, you should export the file recovery certificate to a floppy disk and remove it from the computer. I'll show you how in the next section.

Protecting and Recovering Encrypted Files

Encrypted files are supposed to be very secure; only the user who creates an encrypted file can unscramble it. But this security hangs on your own personal file encryption key, which is stored in the Windows Certificate database (see the sidebar "How File Encryption Works" earlier in this chapter). Where would you be if you accidentally deleted your file encryption certificate, or if your user account was deleted from the system? Could the secret recipe for Aunt Dottie's Zucchini Fritters be lost forever this way? Probably not. The Encrypted File System has a "back door" that lets designated recovery agents open any encrypted file.

The availability of this back door is both good news and bad news. The good news is that encrypted files can be recovered when necessary. The bad news is that this capability opens up a potential security risk, and you need to be sure you take measures to protect yourself against it.

Securing the Recovery Certificate

Your ability to recover encrypted files hinges on two factors:

  • Being listed by the Windows Local or Group Security Policy as a designated recovery agent

  • Possessing the file recovery certificate that holds the recovery key data

With a few dirty tricks, it's possible for someone who steals your computer to get himself or herself in as administrator and pose as the recovery agent. So, if you really want to ensure the privacy of your files with the Encrypted File System, you have to save the file recovery certificate on a floppy disk or other removable medium and remove the certificate from your computer.

To back up and remove the recovery certificate, do the following:

1.

Be sure that at least one file on your computer has been marked Encrypted by any user.

2.

Log in as the local administrator (XXXX\Administrator, where XXXX is the name of your computer).

3.

Start the Microsoft Management Console by choosing Start, Run. Then type mmc and press Enter.

4.

Choose File, Add/Remove Snap-In. Then select Add. Next, highlight the Certificates snap-in and click Add. Select My User Account and click Finish. Finally, click Close and then click OK.

5.

In the left pane, expand the Certificates node, Current User, Personal, Certificates.

6.

In the right pane, you should see a certificate listed with its Intended Purposes shown as Encrypting File System, as shown in Figure 29.9. If this certificate is not present, and you're on a domain network, your domain administrator has done this job for you, and you don't need to proceed any further.

Figure 29.9. Certificate Manager showing the Administrator's file recovery certificate.

7.

Right-click the EFS certificate entry, and select All Tasks, Export to launch the Certificate Export Wizard.

8.

Click Next, and then select Yes, Export the Private Key, and click Next. Select Personal Information Exchange, uncheck Enable Strong Protection, and uncheck Delete the Private Key if Export Is Successful. Then click Next.

9.

Enter a password twice to protect this key. (You must remember this password!) Then click Next.

10.

Specify a path and filename to be used to save the key. Insert a blank, formatted floppy disk, and type the path and filename, such as A:\RECOVERY.PFX (not case sensitive). Click Next and then Finish. A dialog box appears stating the export was successful; click OK.

11.

Right-click the certificate entry again, and select Delete.

12.

Label the floppy disk clearly "EFS Recovery Key for XXX", where XXX is the name of your computer. Store this diskette in a safe place away from your computer.

13.

Restart your computer. After it's restarted, log on as Administrator again, and confirm that you can't view the file you encrypted as another user.

CAUTION

You should back up and delete the Administrator's recovery certificate (that's the procedure you just performed), but don't delete Administrator as the recovery agent from the Local Security Policy. Leave the Local Security Policy alone. If you delete the entries there, you'll disable EFS.

Protecting Your Own File Encryption Certificate

If your user account is lost, or if you accidentally delete your own file encryption certificate some day, you might lose access to your own files. The recovery agent could still help out, but you can protect yourself by exporting your own personal EFS certificate. Basically, follow the same procedure as for the local administrator while logged in as a user. Just be sure to have at least one encrypted file before starting the process. Once complete, label the disk "EFS for UUU on XXX," where UUU is your user account name and XXX is your computer name. Store it in a safe place.

Recovering Encrypted Files on Your Own Computer

If your user account is deleted, or you end up reinstalling Windows from scratch, you'll lose access to your encrypted files because the Encryption database will be lost. You can log on as Administrator and reinstall the encrypted file recovery certificate, or you can log on as yourself and reinstall your file encryption certificate to get the files back with the following procedure:

1.

Choose File, Add/Remove Snap-In, and then select Add. Next, highlight the Certificates snap-in and click Add. Select My User Account and click Finish. Finally, click Close, and then click OK.

2.

In the left pane, expand the Certificates node, Current User, Personal, Certificates.

3.

In the right pane, right-click and select All Tasks, Import to start the Certificate Import Wizard.

4.

Click Next. Enter the name of the certificate file (for example, a:\recovery.pfx) and click Next.

5.

Enter the password for the certificate, and check Mark the Private Key as Exportable. Click Next twice, and then click Finish.

You should now be able to access the encrypted files. I suggest that you remove the Encrypted check mark from these files. Log on again as the normal user of these files and re-encrypt them if you want.
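The key hierarchy described in "How File Encryption Works" (a random per-file FEK, wrapped once under the owner's key and once under each recovery agent's key, with both wrapped copies stored alongside the file) and the export, delete and re-import procedure for the recovery certificate in the sections above, modelled as an added Python example. This is not code from the book or from Windows: the HMAC-SHA256 keystream cipher, the KeyStore class, the identity names and the export_pfx/import_pfx methods are stand-ins for EFS's real algorithms and the Windows certificate database, chosen so the model runs with the standard library only.

```python
"""Model of the EFS key hierarchy (added example; the cipher is an assumption)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-based keystream: HMAC-SHA256 over (nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt under a fresh 16-byte nonce and append a 32-byte integrity tag."""
    nonce = os.urandom(16)
    stream = _keystream(key, nonce, len(plaintext))
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Reverse of seal(); a wrong key or altered data fails the tag check."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("Access Denied")
    stream = _keystream(key, nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream))


@dataclass
class EncryptedFile:
    ciphertext: bytes
    ddf: dict  # owner -> FEK wrapped under the owner's key (Data Decryption Field)
    drf: dict  # recovery agent -> FEK wrapped under that agent's key (Data Recovery Field)


@dataclass
class KeyStore:
    """Stand-in for the machine's certificate database: identity -> private key."""
    keys: dict = field(default_factory=dict)

    def export_pfx(self, name: str) -> bytes:
        """Steps 7-11 of the backup procedure: export the key, then delete it locally."""
        return self.keys.pop(name)

    def import_pfx(self, name: str, key: bytes) -> None:
        """The recovery procedure: re-import the exported key."""
        self.keys[name] = key


def encrypt_file(store: KeyStore, owner: str, agents: list, data: bytes) -> EncryptedFile:
    fek = os.urandom(32)  # a fresh key for just this one file
    return EncryptedFile(
        ciphertext=seal(fek, data),
        ddf={owner: seal(store.keys[owner], fek)},
        drf={agent: seal(store.keys[agent], fek) for agent in agents},
    )


def read_file(store: KeyStore, who: str, ef: EncryptedFile) -> bytes:
    """Unwrap the FEK with the caller's own key, then decrypt the contents."""
    wrapped = ef.ddf.get(who) or ef.drf.get(who)
    if wrapped is None or who not in store.keys:
        raise PermissionError("Access Denied")
    fek = open_sealed(store.keys[who], wrapped)
    return open_sealed(fek, ef.ciphertext)


def _attempt(store: KeyStore, who: str, ef: EncryptedFile) -> str:
    try:
        return read_file(store, who, ef).decode()
    except PermissionError:
        return "denied"


def walkthrough() -> dict:
    """Constructed scenario: owner, recovery agent and a third user on one machine."""
    store = KeyStore({"alice": os.urandom(32), "Administrator": os.urandom(32), "bob": os.urandom(32)})
    recipe = b"Aunt Dottie's Zucchini Fritters"
    ef = encrypt_file(store, "alice", ["Administrator"], recipe)
    ef2 = encrypt_file(store, "alice", ["Administrator"], b"second file")
    results = {
        "owner": _attempt(store, "alice", ef),
        "agent": _attempt(store, "Administrator", ef),
        "other": _attempt(store, "bob", ef),
        # each file has its own FEK, so recovering one key does not unlock the next file
        "distinct_feks": open_sealed(store.keys["alice"], ef.ddf["alice"])
        != open_sealed(store.keys["alice"], ef2.ddf["alice"]),
    }
    floppy = store.export_pfx("Administrator")  # wrapped copy stays on the file, key leaves the machine
    results["agent_after_export"] = _attempt(store, "Administrator", ef)
    store.import_pfx("Administrator", floppy)  # recovery: bring the key back from removable media
    results["agent_after_import"] = _attempt(store, "Administrator", ef)
    return results


if __name__ == "__main__":
    print(walkthrough())
```

The point the model makes explicit is why step 11 (deleting the Administrator's certificate) matters: the recovery agent's wrapped FEK remains attached to every encrypted file, so anyone who obtains the recovery private key can open them; removing the key from the machine is what actually closes that path, and re-importing the exported PFX is all the recovery procedure needs.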
