using "encrypting file system" to protect files and folders in "windows.."

1

USING "ENCRYPTING FILE SYSTEM" TO PROTECT FILES AND FOLDERS

IN "WINDOWS.."

http://aztcs.org/

2

Web location for this presentation:

http://aztcs.orgClick on“Meeting Notes”

3

SUMMARYMany of the "editions" of "Windows 2000", "Windows XP", "Windows Vista", "Windows 7", and "Windows 8" have the "Encrypting File System" (EFS) for securing files and/or folders inside NTFS hard drive partitions.

4

TOPICS• Basics of Encrypting File System• "EFS" versus "BitLocker"• "Encrypting File System" Service• Using the "Certificate Manager" to

Check for Existing Personal "Public Key Certificates"

• Encrypting A File or Folder with EFS• Using the "Certificate Manager" to

Export a Newly-Created Public Key and Private Key

5

TOPICS (continued)• .PFX "Personal Information Exchange"

files• Decrypting an EFS-encrypted file/folder• Deleted Certificates Stay in RAM And

Are Active Until You Reboot

6

BASICS OF EFS• The "Encrypting File System"

(EFS) is a feature of "NTFS" hard drives (and partitions) for many editions of "Windows 2000" through "Windows 8".

7

BASICS OF EFS (continued)• When view in "Windows

Explorer" ("File Explorer"), a folder that contains only "Encrypting File System"-encrypted files will have it's name in green text:

9

BASICS OF EFS (continued)• When viewed in "Windows

Explorer" ("File Explorer"), a file that is encrypted by "Encrypting File System" will have it's name in green text:

11

BASICS OF EFS (continued)• Another user on the same computer

will be unable to open/view the EFS-protected file.

• If someone takes your hard drive, and puts it into an external hard drive enclosure and attaches the enclosure to their own computer, they will be unable to open/view the EFS-protected file.

14

BASICS OF EFS (continued)• "ESF" is a feature of "NTFS"

hard drives (and partitions) for many editions of "Windows 2000" through "Windows 8".

15

BASICS OF EFS (continued)• In EFS, "public key

certificates", "private keys", and passwords to controll the various keys all work together to give you "two factor authentication".

http://serverfault.com/questions/182980/how-is-using-client-certificates-more-secure-than-tls-plus-basic-authentication

16

BASICS OF EFS (continued)• The advantages of having

certificates are detailed in ` http://www.trustico.com/material/Techpaper_10_Best_Practices_Securing_Your_Enterprise.pdf#page=6 and http://serverfault.com/questions/182980/how-is-using-client-certificates-more-secure-than-tls-plus-basic-authentication

http://www.trustico.com/material/Techpaper_10_Best_Practices_Securing_Your_Enterprise.pdf







17

BASICS OF EFS (continued)• According to

http://en.wikipedia.org/wiki/Encrypting_File_System, Ecrypting File System (EFS) is available for the following editions of "Windows..":

http://en.wikipedia.org/wiki/Encrypting_File_System

http://en.wikipedia.org/wiki/Encrypting_File_System

18

BASICS OF EFS (continued)

19

BASICS OF EFS (continued)• "Windows Vista Starter", "..Home

Basic", and "..Home Premium" allow only decryption--so you can read encrypted files but you cannot encrypt them according to http://pcworld.about.net/od/encryption1/The-Simple-Way-to-Keep-Your-Pr.htm

http://pcworld.about.net/od/encryption1/The-Simple-Way-to-Keep-Your-Pr.htm



20

BASICS OF EFS (continued)• For "Windows Vista Starter",

"..Home Basic", and "..Home Premium" you can decrypt EFS-encrypted files using the cipher command line command. See http://windows.microsoft.com/is-IS/windows-vista/What-is-Encrypting-File-System-EFS

http://windows.microsoft.com/is-IS/windows-vista/What-is-Encrypting-File-System-EFS



21

BASICS OF EFS (continued)• "Windows 7 Starter", "..Home

Basic", and "..Home Premium" allow only decryption--so you can read encrypted files but you not encrypt them

22

BASICS OF EFS (continued)• For "Windows 7 Starter", "..Home

Basic", and "..Home Premium" you can decrypt EFS-encrypted files using the cipher command line command.

23

BASICS OF EFS (continued)• See

http://answers.microsoft.com/en-us/windows/forum/windows_7-windows_programs/cipherexe-returns-error-the-request-is-not/9d5cb3fc-d092-4551-bc9f-f62dbd46f37c?msgId=5ad136ca-dedf-4013-8f1c-81627b907895








24

BASICS OF EFS (continued)

25

BASICS OF EFS (continued)• "Encrypting File System" is also

available for NTFS drives/partitions for the "..Pro" and "..Enterprise" editions of "Windows 8".

• "Encrypting File System" will not be available for the "..RT" or "Windows 8" editions of "Windows 8".

• Reference: http://en.wikipedia.org/wiki/Windows_8_editions#Comparison_chart

http://en.wikipedia.org/wiki/Windows_8_editions#Comparison_chart

http://en.wikipedia.org/wiki/Windows_8_editions#Comparison_chart

26

"EFS" VERSUS "BITLOCKER"• "Bitlocker" is used to encrypt entire

hard drives or hard drive partitions whiile "Encrypting File System" is used to encrypt individual data files and/or folders

• "EFS" causes less of a performance reduction on your Windows computer

27

"EFS" VERSUS "BITLOCKER" (continued)

• See http://www.lockergnome.com/windows/2012/04/25/bitlocker-vs-efs/

http://www.lockergnome.com/windows/2012/04/25/bitlocker-vs-efs/

http://www.lockergnome.com/windows/2012/04/25/bitlocker-vs-efs/

28

"ENCRYPTING FILE SYSTEM" SERVICE MUST BE SET TO

"MANUAL" OR "AUTOMATIC"• In order to encrypt or decrypt a

file or folder, the "Encrypting File System" services has to be set to "Manual" or "Automatic": You can run services.msc from any search box or "Run" box in "Windows.." to turn it on:

29

"ENCRYPTING FILE SYSTEM" SERVICE SET TO "MANUAL" OR "AUTOMATIC" (continued)

• Step 1: Click on the "Start" button in versions of "Windows" prior to "..8" or, for "Windows 8..", hover over the lower-left "Hot Corner" and use the RIGHT mouse" to click on "Run" in the pop-up "Power User Context Menu":

30


• Step 2: Type in services.msc

• Step 3: Press once on the Enter key.

32


• Step 4: A "Services" Microsoft Management Console window will be displayed:

34

"ENCRYPTING FILE SYSTEM" SERVICE SET TO "MANUAL" OR "AUTOMATIC" (continued)• Step 5: Use the vertical scroll bar

on the right to scroll downward until you locate the "Encrypting File System" service.

• Step 6: Use your RIGHT mouse button to click on it.

• Step 7: A pop-up context menu will be displayed:

35


• Step 8: Click on "Properties" in the pop-up context menu:

37


• Step 9: A "Properties" dialog box will be displayed.

• Step 10: Make sure that "Startup type" is set to "Manual" or "Automatic". "Manual" is preferable.

• Step 11: Click on the "Apply" button if it is not grayed out.`

38

"ENCRYPTING FILE SYSTEM" SERVICE SET TO "MANUAL" OR "AUTOMATIC" (continued)• Step 12: Close the "Properties"

dialog box. • Step 13: Close the "Services"

Microsoft Management Console window.

40

USING THE "CERTIFICATE MANAGER" TO CHECK FOR EXISTING PERSONAL

"PUBLIC KEY CERTIFICATES"• Step 1: Click on the "Start" button in

versions of "Windows" prior to "..8" or, for "Windows 8..", hover over the lower-left "Hot Corner" and use the RIGHT mouse" to click on "Run" in the pop-up "Power User Context Menu":

42


"PUBLIC KEY CERTIFICATES" (continued)• Step 2: Use the right mouse button

to click on "cmd.exe" in versions of "Windows" prior to "..8" or, for "Windows 8..", use the left mouse button to click on "Command Prompt (Admin) in the pop-up Power User Tasks menu:

44


"PUBLIC KEY CERTIFICATES" (continued)• Step 3: Use the left mouse button to

click on "Run as administrator" in versions of "Windows" prior to "..8" or, for "Windows 8..", use the left mouse button to click on the "Yes" button of the "User Account Control" dialog box:

46


"PUBLIC KEY CERTIFICATES" (continued)• Step 4: A command prompt window,

will be displayed:

48


"PUBLIC KEY CERTIFICATES" (continued)• Step 5: Inside the command prompt

window, type in certmgr.msc


50


"PUBLIC KEY CERTIFICATES" (continued)• Step 7: A "certmgr" Microsoft

Management Console window will be displayed:

52


"PUBLIC KEY CERTIFICATES" (continued)• Step 8: Double-click on the

Personal group in the right-most pane:

55


"PUBLIC KEY CERTIFICATES" (continued)• Step 9: Double-click on

"Certificates" subgroup in the right-most pane:

57


"PUBLIC KEY CERTIFICATES" (continued)• Step 10: Note that you presently

have no "Public Key Certificates" or subgroups in the "Personal" group:

59

ENCRYPTING A FILE OR FOLDER WITH "ENCRYPTING FILE SYSTEM"• Step 1: Start "Windows

Explorer" ("File Explorer").• Step 2: Locate or create the

folder or file that you want to encrypt.

61

ENCRYPTING A FILE OR FOLDER WITH "ENCRYPTING FILE SYSTEM" (continued)• Step 3: Use the RIGHT mouse

to click on it.• Step 4: A pop-up context menu

will be displayed.• Step 5: Click on "Properties".

63

ENCRYPTING A FILE OR FOLDER WITH "ENCRYPTING FILE SYSTEM" (continued)• Step 6: A "..Properties" dialog

box will be displayed.• Step 7: Click on the "Advanced"

button.

65

ENCRYPTING A FILE OR FOLDER WITH "ENCRYPTING FILE SYSTEM" (continued)• Step 8: An "Advanced

Attributes" box will be displayed:

67

ENCRYPTING A FILE OR FOLDER WITH "ENCRYPTING FILE SYSTEM" (continued)• Step 9: Put in a checkmark for

"Encrypt contents to secure data".

• Step 10: Click on the "OK" button:

• Step 11: The "Advanced Attributes" box will disappear.

69

ENCRYPTING A FILE OR FOLDER WITH "ENCRYPTING FILE SYSTEM" (continued)• Step 12: Click on the "Apply"

button of the "..Properties" dialog box, if the "Apply" button is not grayed out. Step 11: The "Advanced Attributes" box will disappear.

71

ENCRYPTING A FILE OR FOLDER WITH "ENCRYPTING FILE SYSTEM" (continued)• Step 13: Select the desired

"option button":

73

ENCRYPTING A FILE OR FOLDER WITH "ENCRYPTING FILE SYSTEM" (continued)• Step 14: Click on the "Continue"

button of the "Access Denied" dialog box:

75

ENCRYPTING A FILE OR FOLDER WITH "ENCRYPTING FILE SYSTEM" (continued)• Step 15: The "Access Denied"

box will disappear.• Step 16: The file name(s) of the

newly-encrypted file(s) will now be displayed in a green font to indicate that the file(s) is/are encrypted by "Encrypting File System".

77

USING THE "CERTIFICATE MANAGER" TO EXPORT A NEWLY-CREATED

"PUBLIC KEY" AND "PRIVATE KEY"• Step 1: Click on the "Start" button in

versions of "Windows" prior to "..8" or, for "Windows 8..", hover over the lower-left "Hot Corner" and use the RIGHT mouse" to click on "Run" in the pop-up "Power User Context Menu":

79

USING THE "CERTIFICATE MANAGER" TO EXPORT A NEWLY-CREATED "PUBLIC KEY"

AND "PRIVATE KEY" (continued)

• Step 2: Use the right mouse button to click on "cmd.exe" in versions of "Windows" prior to "..8" or, for "Windows 8..", use the left mouse button to click on "Command Prompt (Admin) in the pop-up Power User Tasks menu:

81



• Step 3: Use the left mouse button to click on "Run as administrator" in versions of "Windows" prior to "..8" or, for "Windows 8..", use the left mouse button to click on the "Yes" button of the "User Account Control" dialog box:

83



• Step 4: A command prompt window, will be displayed:

85



• Step 5: Inside the command prompt window, type in certmgr.msc


87



• Step 7: A "certmgr" Microsoft Management Console window will be displayed:

89



• Step 8: Double-click on the Personal group in the right-most pane:

91



• Step 9: Double-click on "Certificates" subgroup in the right-most pane:

93



• Step 10: Note that you now have a newly-created "Public Key Certificate" in the "Certificates" subgroup of the "Personal" group:

95



• Step 11: Note that you now have a newly-created "Public Key Certificate" in the "Certificates" subgroup of the "Personal" group:

97



• Step 12: Use the RIGHT mouse button to click on the newly-created "Public Key Certificate":

99



• Step 13: Click on "All Tasks" in the pop-up context menu:

101



• Step 14: Click on "Advanced Operations" in the secondary context menu:

103



• Step 15: A "Certificate Export Wizard" dialog box will be displayed.

• Step 16: Click on the "Next" button:

105



• Step 17: Select the "Yes, export the private key" option.


107




109




112



• Step 21: Type in a password and record it somewhere in a secure manner (such as with "Roboform" or "LastPass"):

114


AND "PRIVATE KEY"(continued)

• Step 22: Type in the same password again.


116



• Step 24: Click on the "Browse" button:

118



• Step 25: Use the "Save As" box to work your way to the hard drive or flash drive location where you wish to place the .PFX file:

121



• Step 26: When you arrive at the desired location for the .PFX file, type in a name for the .PFX file.

• Step 27: Click on the "Save" button:

123




125



• Step 29: Click on the "Finish" button:

128



• Step 30: Click on "OK" button:

130



• Step 31: Click on "x" button to close the "certmgr" window:

132



• Step 32: Click on "x" button to close the Command Prompt window:

135

• .PFX file(s) = "Personal Information Exchange" files

• .PFX file(s) an be moved, copied, renamed, and e-mailed without restrictions.

.PFX FILE(S) (continued)

136

• Double-click on it to "Import" the certificate and the private key into any computer or Windows user account. Then you can open/view the associated the EFS-encrypted data file

.PFX FILE(S) (continued)

137

If your Windows user account or your Windows computer cannot open an EFS-encrypted file, do the following:•Step 1: Obtain the .PFX file (from the creator/owner of the EFS-encrypted file) and double-click on the .PFX file:

DECRYPTING AN EFS-ENCRYPTED FILE/FOLDER

140

• Step 2: Click on the "Next" button of the "Certificate Import Wizard":

DECRYPTING AN EFS-ENCRYPTED FILE/FOLDER (continued)

142



145

• Step 4: Type in the password for the .PFX file (which you should have obtained from the creator/owner of the EFS-encrypted data file):


147

• Step 5: Select the "Mark this key as exportable" option.



149



151

• Step 8: Click on the "Finish" button:


153

• Step 9: Click on the "OK" button:


155

• Step 10: If you EFS-encrypted files are inside an EFS-encrypted folder, double-click on the folder to open it:


157

• Step 11: Double-click on the EFS-encrypted data file to open it:


159

• Step 12: The EFS-encrypted data file will open with its default associated software application program ("app"):


161

DELETED CERTIFICATES STAY IN RAM UNTIL YOU RE-BOOT

• If you run certmgr.msc to delete a certificate from your computer's hard drive, the certificate will stay active in RAM, so you have to re-boot to flush out the active certificate.

162

OPTIONS IN "ACRONIS TRUE IMAGE.." FOR BACKING UP HARD DRIVES THAT

CONTAIN EFS-ENCRYPTED FILES• According to

http://www.acronis.com/support/documentation/ATIH2012/index.html#267.html:

http://www.acronis.com/support/documentation/ATIH2012/index.html#267.html



using "encrypting file system" to protect files and folders in "windows.."

Documents

basics of efs continuedin

efsprotected file

efsencrypted files

ecrypting file system

efs continuedaccording

basics of efs continuedesf

windows explorer file

windows xp