Windows XP Pro: Using File Encryption - part 1
The Encrypting File System is one of the best features of Windows XP professional. But enabling the service is just the beginning, as Dave Cook explains
Windows XP Professional contains numerous benefits over Windows XP Home Edition. One of the best is the Encrypting File System (EFS).
EFS allows you to encrypt individual files or folders on a computer using the NTFS file system. When you use EFS, each file or folder encrypted by you is protected with a unique encryption certificate or key. This key is created automatically once EFS is enabled.
Unlike EFS under Windows 2000, Windows XP Professional allows you to share your encrypted files with other users. Web folders and offline folders can also be encrypted, enabling you to share and transport your data while maintaining a high level of security.
With EFS enabled, it's extremely difficult for unauthorised users to read your encrypted files - even if your computer is stolen. Files stay encrypted unless you decrypt them, or move them to an unencrypted folder.
To keep your encrypted files and folders secure, you need to apply several strict conditions. For example:
- Your computer must use the NTFS file system.
- You need a strong user password.
- Always set the BIOS to require a password and then disable the floppy disk boot option. This prevents someone from using a utility like NTFSDOS to read files without having to provide a username and password.
- Rather than encrypt individual files, you should encrypt folders like the My Documents folder.
- To ensure temporary files are encrypted, also encrypt the %TEMP% and %TMP% folders.
- Never copy encrypted files to a FAT volume (including floppy disk) or to an NTFS volume running Windows NT; otherwise the files will be decrypted.
- You should back up your personal encryption certificate (and recovery agent certificate) to floppy and store it in a secure location.
The process of enabling EFS is quick and simple, but the consequences of losing your private key can be catastrophic. When this happens, you would need to start the dreaded data recovery process. If your user account is damaged or deleted, then you will almost certainly lose the decryption key and your data will be effectively lost. To avoid this you should back up your personal encryption certificate immediately after the service has been enabled.
For obvious reasons most users prefer to encrypt the My Documents folder. However, it's important not to encrypt critical data before learning the basics. So if this is your first experience of encryption it's a good idea to create a new folder and encrypt that first. You should then add a few unimportant files, just to get the hang of things.
Your next priority is to create a recovery agent. Assigning a recovery agent to a different user account means you can still recover encrypted files should something happen to your own account. We'll show you how to create a recovery agent in part two.
Okay, here's how to enable the Encrypting File System on a computer using NTFS. Log on to your user account and open Windows Explorer. Right-click the folder you would like to encrypt and select Properties. On the General tab, click Advanced and the Advanced Attributes dialog box will appear.
Select the Encrypt Contents To Secure Data checkbox. If you're encrypting a folder, Windows XP will enquire whether you want to encrypt all the files and subfolders in that folder, or only the folder itself. Make your choice and click OK to close the Advanced Attributes dialog box. Click OK again to close the Properties dialog box.
From now on all files inside the folder will be automatically encrypted and filenames will appear green in Windows Explorer. Any unauthorised users trying to access your encrypted files will receive a User Does Not Have Access Privileges message. Note that if you wish to share encrypted files, other users may be granted access by returning to the Advanced Attributes dialog box.
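The same steps can be done from a command prompt with cipher.exe, which ships with Windows XP Professional. The batch file below is an added example (not part of the original article) covering the Explorer procedure above and the NTFS, temporary-folder and certificate-backup conditions from the earlier list; the folder name C:\EFS-Test and the backup path are assumptions.

```batch
@echo off
REM Added example, not from the original article: command-line equivalent of
REM the Explorer steps, using cipher.exe. Run from cmd.exe as the user who
REM owns the files. C:\EFS-Test is an assumed practice folder on an NTFS drive.
setlocal
set TARGET=C:\EFS-Test

REM 1. Confirm the volume really is NTFS: EFS is not available on FAT.
fsutil fsinfo volumeinfo C:\ | find /i "NTFS" >nul || (
    echo Drive C: is not NTFS - EFS cannot be used here.
    exit /b 1
)

REM 2. Create a practice folder with a throwaway file, as the article advises,
REM    before encrypting anything important such as My Documents.
if not exist "%TARGET%" mkdir "%TARGET%"
echo practice data > "%TARGET%\practice.txt"

REM 3. Mark the folder encrypted. /s:dir walks the subfolders and /a also
REM    encrypts the files already inside (the "all files and subfolders"
REM    choice in the Advanced Attributes dialog). Files created in the
REM    folder from now on are encrypted automatically.
cipher /e /s:"%TARGET%" /a

REM 4. Do the same for the temporary-file folders from the conditions list.
REM    %TEMP% and %TMP% usually point to the same folder; repeating is harmless.
cipher /e /s:"%TEMP%" /a
cipher /e /s:"%TMP%" /a

REM 5. Check the result: cipher lists each entry with E (encrypted) or
REM    U (unencrypted) in the first column.
cipher "%TARGET%\*"

REM 6. Back up the personal EFS certificate and private key straight away.
REM    cipher /x (Windows XP Service Pack 2 and later) prompts for a password
REM    and writes a .pfx file at the given path; copy it to removable media
REM    and store it somewhere safe. On earlier builds, export the certificate
REM    from certmgr.msc instead.
cipher /x "%USERPROFILE%\efs-backup"
endlocal
```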
Road To Recovery
That's it for now. Next time we'll show you how to generate the all-important recovery agent.