using encrypting file system to protect files … · 4 topics • basics of encrypting file system...

USING "ENCRYPTING FILE

SYSTEM" TO PROTECT

FILES AND FOLDERS

IN "WINDOWS.."

Web location for this

presentation:

http://aztcs.orgClick on

“Meeting Notes”

SUMMARYMany of the "editions" of

"Windows 2000", "Windows

XP", "Windows Vista",

"Windows 7", and "Windows 8"

have the "Encrypting File

System" (EFS) for securing files

and/or folders inside NTFS hard

drive partitions.

TOPICS• Basics of Encrypting File System

• "EFS" versus "BitLocker"

• "Encrypting File System" Service

• Using the "Certificate Manager" to

Check for Existing Personal "Public

Key Certificates"

• Encrypting A File or Folder with EFS

• Using the "Certificate Manager" to

Export a Newly-Created Public Key and

Private Key

TOPICS (continued)• .PFX "Personal Information Exchange"

• Decrypting an EFS-encrypted file/folder

• Deleted Certificates Stay in RAM And

Are Active Until You Reboot

BASICS OF EFS

• The "Encrypting File System"

(EFS) is a feature of "NTFS"

hard drives (and partitions)

for many editions of

"Windows 2000" through

"Windows 8".

BASICS OF EFS (continued)

• When view in "Windows

Explorer" ("File Explorer"), a

folder that contains only

"Encrypting File System"-

encrypted files will have it's

name in green text:

• When viewed in "Windows

Explorer" ("File Explorer"),

a file that is encrypted by

"Encrypting File System"

will have it's name in

green text:

• Another user on the same computer

will be unable to open/view the EFS-

protected file.

• If someone takes your hard drive,

and puts it into an external hard drive

enclosure and attaches the

enclosure to their own computer,

they will be unable to open/view the

EFS-protected file.

• "ESF" is a feature of "NTFS"

hard drives (and partitions)

for many editions of

"Windows 2000" through

"Windows 8".

• In EFS, "public key

certificates", "private keys",

and passwords to controll the

various keys all work together

to give you "two factor

authentication".

BASICS OF EFS (continued)• The advantages of having

certificates are detailed in `

http://www.trustico.com/material/Te

chpaper_10_Best_Practices_Securi

ng_Your_Enterprise.pdf#page=6

http://serverfault.com/questions/182

980/how-is-using-client-certificates-

more-secure-than-tls-plus-basic-

authentication

• According to

http://en.wikipedia.org/wiki/Encr

ypting_File_System, Ecrypting

File System (EFS) is available

for the following editions of

"Windows..":

BASICS OF EFS (continued)• "Windows Vista Starter", "..Home

Basic", and "..Home Premium"

allow only decryption--so you can

read encrypted files but you

cannot encrypt them according to

http://pcworld.about.net/od/encry

ption1/The-Simple-Way-to-Keep-

Your-Pr.htm

• For "Windows Vista Starter",

"..Home Basic", and "..Home

Premium" you can decrypt EFS-

encrypted files using the cipher

command line command. See

http://windows.microsoft.com/is-

IS/windows-vista/What-is-

Encrypting-File-System-EFS

• "Windows 7 Starter", "..Home

allow only decryption--so you can

read encrypted files but you not

encrypt them

BASICS OF EFS (continued)• For "Windows 7 Starter", "..Home

you can decrypt EFS-encrypted

files using the cipher command

line command.

BASICS OF EFS (continued)• See

http://answers.microsoft.com/en-

us/windows/forum/windows_7-

windows_programs/cipherexe-

returns-error-the-request-is-

not/9d5cb3fc-d092-4551-bc9f-

f62dbd46f37c?msgId=5ad136ca-

dedf-4013-8f1c-81627b907895

BASICS OF EFS (continued)• "Encrypting File System" is also

available for NTFS drives/partitions

for the "..Pro" and "..Enterprise"

editions of "Windows 8".

• "Encrypting File System" will not be

available for the "..RT" or "Windows

8" editions of "Windows 8".

• Reference:

http://en.wikipedia.org/wiki/Windows_8_edition

s#Comparison_chart

"EFS" VERSUS "BITLOCKER"

• "Bitlocker" is used to encrypt entire

hard drives or hard drive partitions

whiile "Encrypting File System" is

used to encrypt individual data files

and/or folders

• "EFS" causes less of a

performance reduction on your

Windows computer

"EFS" VERSUS "BITLOCKER" (continued)

• See

http://www.lockergnome.com/windo

ws/2012/04/25/bitlocker-vs-efs/

"ENCRYPTING FILE SYSTEM"

SERVICE MUST BE SET TO

"MANUAL" OR "AUTOMATIC"• In order to encrypt or decrypt a

file or folder, the "Encrypting

File System" services has to be

set to "Manual" or "Automatic":

You can run services.msc from

any search box or "Run" box in

"Windows.." to turn it on:

"ENCRYPTING FILE SYSTEM" SERVICE SET

TO "MANUAL" OR "AUTOMATIC" (continued)

• Step 1: Click on the "Start"

button in versions of "Windows"

prior to "..8" or, for "Windows

8..", hover over the lower-left

"Hot Corner" and use the

RIGHT mouse" to click on "Run"

in the pop-up "Power User

Context Menu":

• Step 2: Type in

services.msc

• Step 3: Press once on the Enter

• Step 4: A "Services" Microsoft

Management Console window

will be displayed:

• Step 5: Use the vertical scroll bar

on the right to scroll downward until

you locate the "Encrypting File

System" service.

• Step 6: Use your RIGHT mouse

button to click on it.

• Step 7: A pop-up context menu will

be displayed:

• Step 8: Click on "Properties" in the

pop-up context menu:

• Step 9: A "Properties" dialog box will

be displayed.

• Step 10: Make sure that "Startup

type" is set to "Manual" or

"Automatic". "Manual" is preferable.

• Step 11: Click on the "Apply" button

if it is not grayed out.`

• Step 12: Close the "Properties"

dialog box.

• Step 13: Close the "Services"

Microsoft Management Console

window.

USING THE "CERTIFICATE MANAGER"

TO CHECK FOR EXISTING PERSONAL

"PUBLIC KEY CERTIFICATES"

• Step 1: Click on the "Start" button in

versions of "Windows" prior to "..8"

or, for "Windows 8..", hover over the

lower-left "Hot Corner" and use the

RIGHT mouse" to click on "Run" in

the pop-up "Power User Context

Menu":

"PUBLIC KEY CERTIFICATES" (continued)

• Step 2: Use the right mouse button

to click on "cmd.exe" in versions of

"Windows" prior to "..8" or, for

"Windows 8..", use the left mouse

button to click on "Command

Prompt (Admin) in the pop-up

Power User Tasks menu:

• Step 3: Use the left mouse button to

click on "Run as administrator" in

or, for "Windows 8..", use the left

mouse button to click on the "Yes"

button of the "User Account Control"

dialog box:

• Step 4: A command prompt window,

will be displayed:

• Step 5: Inside the command prompt

window, type in

certmgr.msc

• Step 7: A "certmgr" Microsoft

Management Console window will

be displayed:

• Step 8: Double-click on the

Personal group in the right-most

• Step 9: Double-click on

"Certificates" subgroup in the right-

most pane:

• Step 10: Note that you presently

have no "Public Key Certificates" or

subgroups in the "Personal" group:

ENCRYPTING A FILE OR FOLDER

WITH "ENCRYPTING FILE SYSTEM"

• Step 1: Start "Windows

Explorer" ("File Explorer").

• Step 2: Locate or create the

folder or file that you want to

encrypt.

ENCRYPTING A FILE OR FOLDER WITH

"ENCRYPTING FILE SYSTEM" (continued)

• Step 3: Use the RIGHT mouse

to click on it.

• Step 4: A pop-up context menu

will be displayed.

• Step 5: Click on "Properties".

• Step 6: A "..Properties" dialog

box will be displayed.

• Step 7: Click on the "Advanced"

button.

• Step 8: An "Advanced

Attributes" box will be displayed:

• Step 9: Put in a checkmark for

"Encrypt contents to secure

data".

• Step 10: Click on the "OK"

button:

• Step 11: The "Advanced

Attributes" box will disappear.

• Step 12: Click on the "Apply"

button of the "..Properties"

dialog box, if the "Apply" button

is not grayed out. Step 11: The

"Advanced Attributes" box will

disappear.

• Step 13: Select the desired

"option button":

• Step 14: Click on the "Continue"

button of the "Access Denied"

dialog box:

• Step 15: The "Access Denied"

box will disappear.

• Step 16: The file name(s) of the

newly-encrypted file(s) will now

be displayed in a green font to

indicate that the file(s) is/are

encrypted by "Encrypting File

System".

TO EXPORT A NEWLY-CREATED

"PUBLIC KEY" AND "PRIVATE KEY"

• Step 1: Click on the "Start" button in

or, for "Windows 8..", hover over the

lower-left "Hot Corner" and use the

RIGHT mouse" to click on "Run" in

the pop-up "Power User Context

Menu":

USING THE "CERTIFICATE MANAGER" TO

EXPORT A NEWLY-CREATED "PUBLIC KEY"

AND "PRIVATE KEY" (continued)

• Step 2: Use the right mouse button

to click on "cmd.exe" in versions of

"Windows" prior to "..8" or, for

"Windows 8..", use the left mouse

button to click on "Command

Prompt (Admin) in the pop-up

Power User Tasks menu:

• Step 3: Use the left mouse button to

click on "Run as administrator" in

or, for "Windows 8..", use the left

mouse button to click on the "Yes"

button of the "User Account Control"

dialog box:

• Step 4: A command prompt window,

will be displayed:

• Step 5: Inside the command prompt

window, type in

certmgr.msc

• Step 7: A "certmgr" Microsoft

Management Console window will

be displayed:

• Step 8: Double-click on the

Personal group in the right-most

• Step 9: Double-click on

"Certificates" subgroup in the right-

most pane:

• Step 10: Note that you now have a

newly-created "Public Key

Certificate" in the "Certificates"

subgroup of the "Personal" group:

• Step 11: Note that you now have a

newly-created "Public Key

Certificate" in the "Certificates"

subgroup of the "Personal" group:

• Step 12: Use the RIGHT mouse

button to click on the newly-created

"Public Key Certificate":

• Step 13: Click on "All Tasks" in the

pop-up context menu:

• Step 14: Click on "Advanced

Operations" in the secondary

context menu:

• Step 15: A "Certificate Export

Wizard" dialog box will be

displayed.

• Step 16: Click on the "Next" button:

• Step 17: Select the "Yes, export the

private key" option.

• Step 21: Type in a password and

record it somewhere in a secure

manner (such as with "Roboform" or

"LastPass"):

AND "PRIVATE KEY"(continued)

• Step 22: Type in the same

password again.

• Step 24: Click on the "Browse"

button:

• Step 25: Use the "Save As" box to

work your way to the hard drive or

flash drive location where you wish

to place the .PFX file:

• Step 26: When you arrive at the

desired location for the .PFX file,

type in a name for the .PFX file.

• Step 27: Click on the "Save" button:

• Step 29: Click on the "Finish"

button:

• Step 30: Click on "OK" button:

• Step 31: Click on "x" button to close

the "certmgr" window:

• Step 32: Click on "x" button to close

the Command Prompt window:

• .PFX file(s)

= "Personal Information Exchange"

• .PFX file(s) an be moved, copied,

renamed, and e-mailed without

restrictions.

.PFX FILE(S) (continued)

• Double-click on it to "Import"

the certificate and the private

key into any computer or

Windows user account. Then

you can open/view the

associated the EFS-encrypted

data file

.PFX FILE(S) (continued)

If your Windows user account or your

Windows computer cannot open an

EFS-encrypted file, do the following:

• Step 1: Obtain the .PFX file (from

the creator/owner of the EFS-

encrypted file) and double-click on

the .PFX file:

DECRYPTING AN EFS-

ENCRYPTED FILE/FOLDER

• Step 2: Click on the "Next" button of

the "Certificate Import Wizard":

DECRYPTING AN EFS-ENCRYPTED

FILE/FOLDER (continued)

• Step 4: Type in the password for the

.PFX file (which you should have

obtained from the creator/owner of

the EFS-encrypted data file):

• Step 5: Select the "Mark this key as

exportable" option.

• Step 8: Click on the "Finish" button:

• Step 9: Click on the "OK" button:

• Step 10: If you EFS-encrypted files

are inside an EFS-encrypted folder,

double-click on the folder to open it:

• Step 11: Double-click on the EFS-

encrypted data file to open it:

• Step 12: The EFS-encrypted data

file will open with its default

associated software application

program ("app"):

DELETED CERTIFICATES STAY IN

RAM UNTIL YOU RE-BOOT

• If you run certmgr.msc to delete

a certificate from your

computer's hard drive, the

certificate will stay active in

RAM, so you have to re-boot to

flush out the active certificate.

OPTIONS IN "ACRONIS TRUE IMAGE.."

FOR BACKING UP HARD DRIVES THAT

CONTAIN EFS-ENCRYPTED FILES

• According to

http://www.acronis.com/support/

documentation/ATIH2012/index.

html#267.html:

using encrypting file system to protect files … · 4 topics • basics of encrypting file system...

Documents

using "encrypting file system" to protect files and...

microsoft sql server - townsend security · self-encrypting...

encrypting data - pete finnigan · surrounding encrypting...

[ms-gpef]: group policy: encrypting file system extension

amazing personal self-encrypting self-protecting … ·...

encrypting emails using kleopatra pgp

encrypting stored data

certifyme - gratis exam...recover all encrypting file system...

encrypting data - steve jones

encrypting sensitive data for puppet

best practices for the encrypting file system

guide to securing microsoft windows xp systems for it...

abcs of data encryption for storage - snia | advancing...

encrypting e-mail messages

encrypting sensitive data in oracle ebs - integrigy...

windows encrypting file system - pestudio · 01 march 2010...

introduction to axcrypt and keepass. overview axcrypt what...

encrypting data at rest - d1.awsstatic.com · several...

encrypting with entanglement matthias christandl

identifying and encrypting personal information