
File Encryption Using Windows 2000/XP EFS


Background Information (MS Knowledge Base Article 223316): The Windows operating systems (2000/2003 and XP) include the ability to encrypt data directly on volumes that use the NTFS file system so that no other user can access your data. You can encrypt your files and folders if you set an attribute in the object’s Properties dialog box.

**Warning** The use of Encrypting File System (EFS) will prevent a person who does not have administrative rights from gaining access to your data. Theft of encrypted files is still possible but the files/folders will be formatted in such a way that they can’t be viewed by any casual user. These files CAN be deleted and erased from your system so backups are necessary. If you don’t back up the certificate keys to the EFS then the data will be useless to you if you ever have to recover your system from scratch.

How to enable Encrypting File System file sharing

In Microsoft Windows XP, EFS supports file sharing of encrypted files among multiple users. With this support, you can give individual users permission to access an encrypted file. The ability to add additional users is restricted to individual files. Support for multiple users on folders is not provided in either Microsoft Windows 2000 or Windows XP. Also, support for the use of groups on encrypted files is not provided by EFS.

After a file has been encrypted, file sharing is enabled through a new button in the user interface. A file must be encrypted first and then saved before additional users can be added. Users can be added either from the local computer or from the Active Directory service if the user has a valid certificate for EFS. As noted above, only individual users can be added, and only to individual files; multiple users on EFS-encrypted folders and groups on encrypted files are not supported.

How to encrypt and decrypt using the Encrypting File System

The following steps encrypt and decrypt a file or folder using the Encrypting File System.

Note These guidelines apply to Windows 2000 and Windows XP.

Encrypting a folder

Although you can encrypt files individually, we strongly recommend that you designate a specific folder for storing encrypted data.

Encrypt a folder and its contents


Although you can encrypt files individually, generally it is a good idea to designate a specific folder where you will store your encrypted files, and to encrypt that folder. If you do this, all files that are created in or moved to this folder will automatically obtain the encrypted attribute.

To encrypt a folder and its current contents, follow these steps:

•  Right-click the folder that you want to encrypt, and then click Properties.

•  In the Properties dialog box, click Advanced.

•  The Advanced Attributes dialog box displays attribute options for compression and encryption. This dialog box also includes archive and indexing attributes.

Note Although the NTFS file system supports both compression and encryption, it does not support both at the same time. This means that you can only select one or the other. A file or folder cannot be both encrypted and compressed at the same time.

To encrypt the folder, click to select the Encrypt contents to secure data check box, and then click OK.

•  Click OK to close the Advanced Attributes dialog box.

•  If the folder you chose to encrypt in steps 1 to 3 already contains files, a Confirm Attribute Changes dialog box will appear.

You can choose to encrypt only the folder so that all files subsequently moved to the folder or created in this folder will be encrypted. If you want to also encrypt all the contents of this folder, click Apply changes to this folder, subfolders, and files, and then click OK.
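Choosing to encrypt only the folder leaves the files already in it unencrypted, which is easy to miss. The following audit is an added example, not part of the original article; it assumes Windows PowerShell is installed, and `C:\Secure` is a hypothetical folder name.

```powershell
# Added example: report items under a folder that EFS has NOT encrypted.
param([string]$Folder = 'C:\Secure')   # hypothetical path, change as needed

$ENC = [int][System.IO.FileAttributes]::Encrypted
$CMP = [int][System.IO.FileAttributes]::Compressed

# True when the given attribute bit is set on a file or folder.
function Test-Attr($item, [int]$flag) {
    ([int]$item.Attributes -band $flag) -ne 0
}

# The folder's own attribute decides whether files created in it or
# moved into it later are encrypted automatically.
$root = Get-Item -LiteralPath $Folder -Force
if (-not (Test-Attr $root $ENC)) {
    Write-Warning "$Folder is not marked encrypted: new files will be stored unencrypted."
}

# Walk everything below the folder, including hidden and system items.
$items = @(Get-ChildItem -LiteralPath $Folder -Recurse -Force)

# Files that existed before the folder was encrypted stay unencrypted when
# only the folder was changed in the Confirm Attribute Changes dialog.
$plainFiles = @($items | Where-Object { -not $_.PSIsContainer -and -not (Test-Attr $_ $ENC) })

# Subfolders without the attribute will not encrypt files created in them.
$plainDirs = @($items | Where-Object { $_.PSIsContainer -and -not (Test-Attr $_ $ENC) })

# NTFS allows compression or encryption, never both, so a compressed
# item is by definition not encrypted.
$compressed = @($items | Where-Object { Test-Attr $_ $CMP })

"{0} file(s) and {1} subfolder(s) not encrypted, {2} compressed item(s)" -f `
    $plainFiles.Count, $plainDirs.Count, $compressed.Count

$plainFiles | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize
```

An empty table after choosing Apply changes to this folder, subfolders, and files confirms that the existing contents were converted.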

Decrypting a folder

To decrypt a folder, use basically the same process but in reverse order:

•  Right-click the folder that you want to decrypt, and then click Properties.

•  Click Advanced.

•  Click to clear the Encrypt contents to secure data check box to decrypt the data.

•  Click OK to close the Advanced Attributes dialog box.

•  Click OK to close the Properties dialog box.

•  If the folder has files in it, the Confirm Attribute Changes dialog box appears. You can choose to decrypt only the folder. However, this will not decrypt any files currently contained in the folder.

If you want to decrypt all the contents of this folder, click Apply changes to this folder, subfolders, and files, and then click OK.

Additional information

How files are encrypted

Files are encrypted through the use of algorithms that essentially rearrange, scramble, and encode the data. A key pair is randomly generated when you encrypt your first file. This key pair is made up of a private and a public key. The key pair is used to encode and decode the encrypted files.

If the key pair is lost or damaged and you have not designated a recovery agent, then there is no way to recover the data.

Why you must back up your certificates

Because there is no way to recover data that has been encrypted with a corrupted or missing certificate, it is critical that you back up the certificates and store them in a secure location. You can also specify a recovery agent. This agent can restore the data. The recovery agent’s certificate serves a different purpose than the user’s certificate.

How to back up your certificate

To back up your certificates, follow these steps:

•  Start Microsoft Internet Explorer.

•  On the Tools menu, click Internet Options.

•  On the Content tab, in the Certificates section, click Certificates.

•  Click the Personal tab.

Note There may be several certificates present, depending on whether you have installed certificates for other purposes.

•  Select one certificate at a time until the Certificate Intended Purposes field shows Encrypting File System. This is the certificate that was generated when you encrypted your first folder.

•  Click Export to start the Certificate Export Wizard, and then click Next.

•  Click Yes, export the private key to export the private key, and then click Next.

•  Click Enable Strong protection, and then click Next.

•  Type your password. (You must have a password to protect the private key.)

•  Specify the path where you want to save the key. You can save the key to a floppy disk, another location on the hard disk, or a CD. If the hard disk fails or is reformatted, the key and the backup will be lost. (If you back up the key to a floppy disk or CD, you must store that disk or CD in a secure location.)

•  Specify the destination, and then click Next.
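The same lookup and export can be scripted. This is an added example, not from the original article or the Microsoft KB; it assumes Windows PowerShell is installed, `E:\efs-backup` is a hypothetical destination, and certificates are matched on the Encrypting File System enhanced key usage OID rather than by clicking through each one.

```powershell
# Added example: export every EFS certificate that has a private key
# to a password-protected .pfx file.
param([string]$OutDir = 'E:\efs-backup')   # hypothetical removable-media path

$EfsOid  = '1.3.6.1.4.1.311.10.3.4'   # enhanced key usage: Encrypting File System
$EkuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
$Pfx     = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx

# Cert:\CurrentUser\My is the store shown on the Personal tab.
$efsCerts = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.Extensions | Where-Object { $_ -is $EkuType } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        Where-Object { $_.Value -eq $EfsOid }
})
if ($efsCerts.Count -eq 0) { throw 'No EFS certificate found; nothing to back up.' }

$password = Read-Host -Prompt 'Password to protect the exported private key' -AsSecureString
if ($password.Length -eq 0) { throw 'An empty password is not accepted.' }

if (-not (Test-Path -LiteralPath $OutDir)) {
    New-Item -ItemType Directory -Path $OutDir | Out-Null
}

foreach ($cert in $efsCerts) {
    # Without the private key the backup cannot decrypt anything.
    if (-not $cert.HasPrivateKey) {
        Write-Warning "$($cert.Thumbprint): certificate only, no private key on this machine"
        continue
    }
    $target = Join-Path $OutDir ("efs-{0}.pfx" -f $cert.Thumbprint)
    try {
        # Export throws if the key was created as non-exportable.
        $bytes = $cert.Export($Pfx, $password)
        [System.IO.File]::WriteAllBytes($target, $bytes)
        "Exported {0} (expires {1:yyyy-MM-dd}) to {2}" -f $cert.Subject, $cert.NotAfter, $target
    } catch {
        Write-Warning "$($cert.Thumbprint): export failed: $($_.Exception.Message)"
    }
}
```

Each .pfx file contains the private key, so it needs the same secure storage the steps above require for the floppy disk or CD.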

 

For additional information about the Encrypting File System (EFS), visit the following Microsoft Web sites:

Encrypting File System in Windows 2000
http://www.microsoft.com/windows2000/techinfo/howitworks/security/encrypt.asp

Encrypting File System in Windows XP and Microsoft Windows 2003
http://www.microsoft.com/WINDOWSXP/pro/techinfo/administration/recovery/default.asp
