5-Minute Security Advisor - Using the Encrypting File System

Updated : May 7, 2002

When you're not near your computer, how do you know that your files are secure? One approach is to lock your computer up in a vault and post an armed guard outside., but this is prohibitively expensive unless you work for the White House. You can, and should, use the NTFS file system to protect your files against unauthorized access by other users on the same computer. However, that doesn't help you against an attacker who can gain physical access to your computer—they can always take the disk out, take ownership of the files, and read what they want. A better solution exists: if you encrypt the files, they can't be read even if someone steals the entire computer—a great comfort for laptop users. Windows 2000 Professional and Windows XP Professional include support for the Encrypting File System (EFS), which allows you to encrypt individual files or folders on an NTFS volume.

On This Page

How EFS Works
Encrypting Your Data
Sharing Encrypted Files

How EFS Works

When you use EFS, each file or folder that you encrypt is protected with a unique encryption key. That key is in turn protected with your user certificate, ensuring that no one else has access to the files—unless their certificate can unlock the file/folder's specific key, it cannot be read. The file is encrypted on disk at all times; authorized users can copy or move the file in its encrypted form. When an authorized user attempts to open the file, Windows automatically decrypts it in memory, passing each decrypted chunk of data to the requesting application. Windows never writes the unencrypted data to disk (applications may, but if you follow Microsoft's guidelines and encrypt the temporary files folder, you'll still be protected). The file stays encrypted unless you tell Windows to decrypt it, or until you move it to an unencrypted folder.

Many businesses worry about continuity and access—what happens if you hire someone who encrypts a bunch of data and then leaves? This is a legitimate concern, since EFS' encryption uses the same algorithm used by your bank to protect ATM traffic. EFS supports recovery agents who can take ownership of encrypted items and decrypt them. Once a recovery agent recovers an encrypted file, the original owner can tell, since the file's no longer encrypted. This protects your data against nosy recovery agents.

Windows XP Professional adds some nifty new features to Windows 2000's EFS. First of all, you can now allow additional users to have access to files you encrypt. This provides a nice balance between EFS' security and the convenience of being able to share data. Windows XP EFS allows you to encrypt files in web folders and offline folders as well, meaning that you can share and transport your data without giving up security.

Encrypting Your Data

The only thing you need to use EFS is a machine running Windows 2000 Professional (or higher) or Windows XP Professional and an NTFS volume. EFS works whether or not your machine is in a Windows or Active Directory domain or whether you have a certificate authority on your network. Encrypting files and folders is dead simple in Windows XP (it's just as easy in Windows 2000, but the steps are a little different):

1. Open Windows Explorer.

2. Find the folder you want to encrypt and open its properties dialog. (Note that Microsoft's best EFS practices recommend encrypting only folders, not files, to make sure you don't accidentally leave unencrypted copies of your files on the disk).

3. On the General tab, look at the Attributes group. Click the Advanced button. The Advanced Attributes dialog box will appear.

   

4. Select the "Encrypt contents to secure data" checkbox. If you're encrypting a folder, Windows will ask you whether you want to encrypt all the files and subfolders in that folder, or only the folder itself.

5. Click OK to close the Advanced Attributes dialog, then click OK again to dismiss the item's properties dialog.

That's it! You won't notice any difference once you've encrypted an item, because Windows and your applications can decrypt it using your credentials. Other users on the same computer, however, will receive an "access denied" message when they try to open your files.

Decrypting your files and folders is easy, too: open the properties dialog and turn off the "Encrypt contents to secure data" checkbox. Windows will automatically decrypt the specified item for you, and you're done.

For extra flexibility, you can use the command-line cipher tool to encrypt and decrypt files and folders and to overwrite disk space after it's been used and released. If you're interested, see these instructions.

Sharing Encrypted Files

If you're using Windows XP, you can share your encrypted files with other users. This is a great way to protect your data while still sharing it with other, authorized, users on your computer or file servers. You can add extra authorized users to files, but not folders, and you can't add groups—just individuals. The process is very simple:

1. Open the properties dialog for the file you want to add users to, then open the Advanced Attributes dialog box.

2. If it's not already encrypted, encrypt it—you cannot add users until you've successfully encrypted the file.

3. Click the Details button. You'll see an Encryption Details dialog that shows which users are currently authorized to open the file.

4. Click the Add button. Select the user you want to grant access to and click OK. IF necessary, you can use the Find User button to search the local machine or Active Directory for the user and the associated certificate.