If someone has administrative privilege on a Windows
Vista computer or has unauthorized physical access to the device,
including if the computer/hard drive was stolen, that person can take
ownership of files and folder, change permissions of a file, and access
the file. Data can be secured against these risks by using encryption.
Encryption
is the process of converting data into a format that cannot be read by
another user. After a user has encrypted a file, it automatically
remains encrypted when the file is stored on disk. Decryption is the
process of converting data from encrypted format back to its original
format. After a user has decrypted a file, the file remains decrypted
when stored on disk.
Windows Vista offers two file encrypting technologies: Encrypting File System (EFS) and BitLocker Drive Encryption.
EFS is used to help protect individual files on any drive on a per-user
basis. BitLocker is designed to help protect all the personal and
systems files on the drive Windows is installed on if your computer is
stolen, or if unauthorized users try to access the computer. You can
use BitLocker Drive Encryption and EFS together to get the protection
offered by both features. Table 5.4 shows the main differences between BitLocker Drive Encryption and EFS.
Table 1. A Comparison Between EFS and BitLocker Drive Encryption
Encrypting File System (EFS) | BitLocker Drive Encryption |
---|
EFS encrypts individual files on any drive. | BitLocker encrypts all personal and system files on the drive where Windows is installed. |
EFS
encrypts files based on the user account associated with it. If a
computer has multiple users or groups, each can encrypt their own files
independently. | BitLocker
does not depend on the individual user accounts associated with files.
BitLocker is either on or off, for all users or groups. |
EFS does not require or use any special hardware. | BitLocker
uses the Trusted Platform Module (TPM), a special microchip in some
newer computers that supports advanced security features. |
You do not have to be an administrator to use EFS. | You must be an administrator to turn BitLocker encryption on or off after it has been enabled. |
Encryption File System
Windows
Vista includes EFS, which allows a user to encrypt and decrypt files
that are stored on an NTFS volume. When you use EFS, folders and files
are still kept secure against those intruders who might gain
unauthorized physical access to the device (for example, as by stealing
a notebook computer or a removable drive).
EFS
is used to encrypt data in files and folders with a key. This key is
stored in protected storage as part of your user profile, and it
provides transparent access to the encrypted data.
Several
improvements have been made to EFS in Windows Vista. Smart cards are
now supported for storing user EFS keys in addition to administrative
recovery keys. If you use smart cards for logon, EFS can operate as a
single sign-on service that gives transparent access to your encrypted
files. The System Page file can also be protected by EFS when you
configure it by using Group Policy.
When
you are using encrypted files on a network, client-side cached copies
of network files can also be encrypted, providing security for these
files even if the portable computer is lost or stolen. When you use
Windows Vista in conjunction with a supported server platform,
encrypted files can be transmitted over the network, and the receiving
Windows Vista client will decrypt them.
Note
EFS
is available only in the Windows Vista Business, Enterprise, and
Ultimate versions. EFS is not fully supported on Windows Vista Starter,
Windows Vista Home Basic, and Windows Vista Home Premium.
To encrypt a folder or file, follow these steps:
1. | Right-click the folder or file you want to encrypt, and then click Properties.
|
2. | Click the General tab, and then click Advanced.
|
3. | Select the Encrypt Contents to Secure Data check box, and then click OK.
|
After you encrypt the file, encrypted files are colored green in Windows Explorer.
Note
You cannot encrypt files or folders that are compressed.
To decrypt a folder or file, follow these steps:
1. | Right-click the folder or file you want to decrypt, and then click Properties.
|
2. | Click the General tab, and then click Advanced.
|
3. | Clear the Encrypt Contents to Secure Data check box, and then click OK.
|
The
first time you encrypt a folder or file, you should back up your
encryption certificate. If your certificate and key are lost or damaged
and you do not have a backup, you won’t be able to use the files that
you have encrypted. To back up your EFS certificate, follow these steps:
1. | Open Certificate Manager by clicking the Start button, typing certmgr.msc into the Search box, and then pressing Enter.
|
2. | Click the arrow next to the Personal folder to expand it.
|
3. | Click Certificates.
|
4. | Click
the certificate that lists Encrypting File System under Intended
Purposes. (You might need to scroll to the right to see this.) If there
is more than one EFS certificate, you should back up all of them.
|
5. | Click the Action menu, point to All Tasks, and then click Export.
|
6. | In the Export Wizard, click Next, click Yes, export the private key, and then click Next.
|
7. | Click Personal Information Exchange, and then click Next.
|
8. | Type
the password you want to use, confirm it, and then click Next. The
export process will create a file to store the certificate.
|
9. | Enter
a name for the file and the location (include the whole path) or click
Browse and navigate to the location, and then enter the filename.
|
10. | Click Finish.
|
11. | Store the backup copy of your EFS certificate in a safe place.
|
If the encrypted file needs to be shared with another user on the same computer, you need to do the following:
1. | Export the EFS certificate.
|
2. | Import the EFS certificate.
|
3. | Add EFS certificate to the shared file.
|
The person with whom you want to share files needs to export his EFS certificate and give it to you by doing the following:
1. | Open Certificate Manager by clicking the Start button, typing certmgr.msc into the Search box, and then pressing Enter.
|
2. | Click the arrow next to the Personal folder to expand it, and then click the EFS certificate that you want to export.
|
3. | Click the Action menu, point to All Tasks, and then click Export.
|
4. | In the Certificate Export Wizard, click Next.
|
5. | Click No, Do Not Export the Private Key, and then click Next.
|
6. | On the Export File Format page, click Next to accept the default format.
|
7. | The
export process creates a file to store the certificate in. Type a name
for the file and the location (include the whole path), or click
Browse, navigate to the location, and then type the filename.
|
8. | Click Finish.
|
After you get the EFS certificate from the person you want to share the file with, you need to import the certificate:
1. | Open Certificate Manager by clicking the Start button, typing certmgr.msc into the Search box, and then pressing Enter.
|
2. | Select the Personal folder.
|
3. | Click the Action menu, point to All Tasks, and click Import.
|
4. | In the Certificate Import Wizard, click Next.
|
5. | Type
the location of the file that contains the certificate, or click
Browse, navigate to the file’s location, and then click Next.
|
6. | Click Place All Certificates in the Following Store, click Browse, click Trusted People, and then click Next.
|
7. | Click Finish.
|
To add the EFS certificate to the shared file, follow these steps:
1. | Right-click the file you want to share, and then click Properties.
|
2. | Click the General tab, and then click Advanced.
|
3. | In the Advanced Attributes dialog box, click Details.
|
4. | In the Encryption Details dialog box that displays, click Add.
|
5. | In the Select User dialog box, click the certificate, and then click OK. |