Tuesday, October 16, 2007

Hands-on-project 48 -- Encrypting a File

How to Encrypt a File

  1. From Windows Explorer or My Computer, navigate to and select the folder you want to encrypt. In this example the folder "Encrypted Folder" is encrypted, so that any file placed inside it is encrypted as well. EFS is available only on NTFS volumes; the option described below does not appear for folders on FAT or FAT32 drives.



  2. Right click the folder and choose properties and then click the Advanced... button.



  3. Check the Encrypt contents to secure data attribute. Note that a folder may be compressed or encrypted, but not both: checking one box clears the other. Click OK, and then OK again on the Properties dialog.



    If there are already files or subfolders inside this folder, an additional pop-up dialog will appear; otherwise you are done (go to step 4). This additional dialog (Figure 4) presents two options:
    • Apply changes to this folder, subfolders and files - Choose this to encrypt everything already inside the folder (files and subfolders) as well as anything later moved into or created inside it.
    • Apply changes to this folder only - Choose this to set the encrypt attribute on the folder itself. Files and folders subsequently moved into or created in it will be encrypted, but the existing contents are left as they are.
    Choose one radio button and then click OK.



  4. Notice that the folder name turns green once the encrypt attribute is set (Explorer shows encrypted items in green as long as "Show encrypted or compressed NTFS files in color" is enabled in Folder Options). New files and folders placed inside also get green names because they inherit the attribute. When you copy or move a file out of an encrypted folder, a green name means encryption has been preserved; a black name means the file has been decrypted. This happens, for example, when a file is copied to a FAT-formatted volume or to a share that does not support EFS, so check the colour before treating a copy as protected.
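The same four steps from the command line, plus the check Explorer's green/black colouring gives you visually. This is an added example, not part of the original post: it uses cipher.exe (shipped with Windows) to encrypt the folder and then walks the tree looking for anything whose Encrypted attribute is clear. The folder path is a placeholder; the volume must be NTFS.

```powershell
# Added example (not from the original post): encrypt a folder with cipher.exe
# and audit it for items that are NOT encrypted (what Explorer shows in black).
# $Folder is a hypothetical path; replace it with your own NTFS location.
$Folder = 'C:\Users\Alice\Encrypted Folder'

function Enable-EfsFolder {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }
    # /E  sets the encrypt attribute on the directory
    # /S: recurses into subdirectories
    # /A  also encrypts files that already exist
    # Together these match the GUI's "this folder, subfolders and files" choice;
    # drop /S and /A for the "this folder only" behaviour.
    & cipher.exe /E /A /S:"$Path" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "cipher.exe /E failed with exit code $LASTEXITCODE" }
}

function Test-EfsEncrypted {
    # True when the Encrypted attribute (0x4000) is set on the file or folder.
    param([Parameter(Mandatory)][string]$Path)
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    return [bool]($attrs -band [IO.FileAttributes]::Encrypted)
}

function Find-UnencryptedItems {
    # Returns every file or folder under $Path whose Encrypted attribute is clear.
    # Anything listed is plaintext on disk, whatever colour Explorer happens to use.
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -Force |
        Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::Encrypted) }
}

# Usage: encrypt, drop a new file in, confirm it inherited the attribute, then audit.
Enable-EfsFolder -Path $Folder
$note = Join-Path $Folder 'note.txt'
Set-Content -LiteralPath $note -Value 'created after the folder was encrypted'
"note.txt encrypted: $(Test-EfsEncrypted -Path $note)"

$leaks = @(Find-UnencryptedItems -Path $Folder)
if ($leaks.Count -gt 0) {
    "Unencrypted items under $Folder (fix with cipher /E /A on each):"
    $leaks | Select-Object FullName | Format-Table -AutoSize
} else {
    "Everything under $Folder is encrypted."
}
```

Running `cipher.exe` with no switches inside the folder prints the same information one line per item, with `E` for encrypted and `U` for unencrypted. Re-run the audit after copying data back into the folder from other machines or removable media, since a file that arrives already decrypted is re-encrypted only when it is created inside the folder, not when its attribute is merely inherited.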

EFS File Sharing - Sharing Your Encrypted Files

You may share an encrypted file with additional users after you have encrypted it. This works on a per-file basis only; you cannot share a whole folder. EFS file sharing gives the users you designate the ability to decrypt and re-encrypt the file. They may also move, copy or delete it if their NTFS permissions allow; EFS sharing adds to, and does not replace, the normal file permissions.

Once a file has been encrypted, file sharing is enabled through a new button. Right-click the file, open Properties, click Advanced..., and a user may be added by clicking the new Details... button.

You will be presented with a window showing who has EFS access to this file.

Click the Add... button to add more users.

You may add other users (not groups) from the local machine or from Active Directory, provided the user has a valid EFS certificate; users without one are not shown. An EFS certificate is created automatically the first time a user encrypts a file, so a user who does not yet have one only needs to encrypt any file. Select the user you want to add. If the user is in Active Directory, use the Find User... button to locate them. Click OK to return and confirm that the user now appears in the EFS file-sharing list. Click OK three more times and you are done.
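The same sharing step scripted, as an added example that is not part of the original post. It assumes a later cipher.exe than the XP-era one the post's dialogs come from: the /ADDUSER, /REMOVEUSER and /C switches appeared with Windows Vista. The other user supplies the public half of their EFS certificate as a .cer file (exported from their own Personal store without the private key); the script checks that it really is an EFS certificate before granting access, which is the check the GUI does for you by hiding users without one. File and certificate paths are placeholders.

```powershell
# Added example (not from the original post): grant a second user access to one
# encrypted file with cipher.exe /ADDUSER (Windows Vista or later, an assumption).
$File    = 'C:\Users\Alice\Encrypted Folder\budget.xlsx'   # hypothetical encrypted file
$BobCert = 'C:\Users\Alice\bob-efs.cer'                     # hypothetical: Bob's EFS certificate, public part only

# "Encrypting File System" enhanced key usage; the wizard shows it under
# Certificate Intended Purposes.
$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'

function Test-EfsCertificate {
    # True when the certificate carries the EFS EKU and has not expired.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $eku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku) { return $false }
    $hasEfs = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $EfsEkuOid })
    return ($hasEfs -and $Certificate.NotAfter -gt (Get-Date))
}

function Add-EfsUser {
    # Adds the holder of $CertFile to the encrypted file at $Path; returns the thumbprint added.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$CertFile
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile
    if (-not (Test-EfsCertificate -Certificate $cert)) {
        throw "$CertFile is not a valid, unexpired EFS certificate; refusing to add it"
    }
    & cipher.exe /ADDUSER /CERTFILE:"$CertFile" "$Path" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "cipher.exe /ADDUSER failed with exit code $LASTEXITCODE" }
    return $cert.Thumbprint
}

function Remove-EfsUser {
    # Reverses Add-EfsUser for the certificate with the given SHA-1 thumbprint.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Thumbprint
    )
    & cipher.exe /REMOVEUSER /CERTHASH:$Thumbprint "$Path" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "cipher.exe /REMOVEUSER failed with exit code $LASTEXITCODE" }
}

# Usage: add Bob, then print who can decrypt the file (cipher /C lists each
# user's certificate thumbprint, the same list the Details... dialog shows).
$added = Add-EfsUser -Path $File -CertFile $BobCert
"Added certificate $added to $File"
& cipher.exe /C "$File"
```

Because sharing is per file, a user added this way gets access to that one file only. Files created later in the same folder are encrypted for their creator (and any configured recovery agent) alone, so the step has to be repeated for each new file the other person needs.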

Backing Up Your EFS Certificate and Keys

It is important to back up your EFS certificate and keys, because if your user profile becomes corrupted or is deleted you will no longer have the private key needed to decrypt your files. If you did not back up your keys but have shared your encrypted files with other users, those users can recover your data (so can a data recovery agent, where one has been configured); otherwise the files are lost. Back up your certificate and keys to external storage media (floppy, USB mini drive) and lock it away.

To export your EFS keys and certificate from your computer for backup purposes, do the following:

  • Launch Microsoft Internet Explorer web browser.
  • From the Tools menu, click Internet Options.
  • On the Content tab, in the Certificates section, click Certificates.
  • Click the Personal tab.
  • Notice there may be several certificates present, depending on whether you have installed these certificates for other purposes.



  • Select one certificate at a time until the Certificate Intended Purposes field shows Encrypting File System (red highlighted area on the image). This is the certificate that was generated when you encrypted your first file or folder. If more than one certificate lists Encrypting File System, older files may have been encrypted with the older one, so export each of them.
  • Choose the Export button to start the Certificate Export Wizard, and click Next.
  • Choose Yes, export the private key, and then click Next. A backup without the private key is useless for recovery.
  • Choose Enable Strong protection, and then click Next.
  • You will be prompted to type a password to protect your private key. Do not forget this password. Reconfirm the password and click Next.
  • Specify where you want to save the certificate and key into a single file with a .pfx extension. You can specify this path to a storage media such as a floppy disk or USB mini drive and click Next.
  • Choose Finish and you are done. Move the media to safe storage.
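The same export done from PowerShell, as an added example that is not part of the original post, so it can be scripted or scheduled rather than clicked through. It finds every certificate in the current user's Personal store that carries the Encrypting File System purpose and has a private key, writes each to a password-protected .pfx, and then re-opens the file to prove the private key actually made it in. The destination path is a placeholder for a removable drive.

```powershell
# Added example (not from the original post): back up the current user's EFS
# certificate(s) and private key(s) to password-protected .pfx files.
$Destination = 'E:\efs-backup'   # hypothetical removable drive path

# "Encrypting File System" enhanced key usage, as shown under Certificate Intended Purposes.
$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'

function Get-EfsCertificate {
    # Returns the current user's certificates that carry the EFS EKU and a private key.
    Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and (
            $_.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                ForEach-Object { $_.EnhancedKeyUsages } |
                Where-Object { $_.Value -eq $EfsEkuOid }
        )
    }
}

function Export-EfsBackup {
    # Writes one .pfx per EFS certificate into $Directory; returns the files written.
    param(
        [Parameter(Mandatory)][string]$Directory,
        [Parameter(Mandatory)][System.Security.SecureString]$Password
    )
    $certs = @(Get-EfsCertificate)
    if ($certs.Count -eq 0) { throw 'No EFS certificate with a private key found; encrypt a file first.' }
    if (-not (Test-Path -LiteralPath $Directory)) { New-Item -ItemType Directory -Path $Directory | Out-Null }

    $written = foreach ($cert in $certs) {
        $file = Join-Path $Directory ("efs-" + $cert.Thumbprint + ".pfx")
        # PKCS#12 with certificate + private key, the same container the wizard produces.
        $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $Password)
        [IO.File]::WriteAllBytes($file, $bytes)
        $file
    }
    return $written
}

function Test-EfsBackup {
    # Re-opens the .pfx with the password and confirms it carries a private key;
    # a backup that fails this check would not let you decrypt anything later.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][System.Security.SecureString]$Password
    )
    $restored = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 ($Path, $Password)
    return [bool]$restored.HasPrivateKey
}

# Usage: prompt for the protection password (never hard-code it), export, verify.
$pw = Read-Host -Prompt 'Password to protect the backup' -AsSecureString
foreach ($pfx in (Export-EfsBackup -Directory $Destination -Password $pw)) {
    "$pfx contains private key: $(Test-EfsBackup -Path $pfx -Password $pw)"
}
```

Later versions of cipher.exe also offer `cipher /X`, which writes the same certificate and key to a .pfx after prompting for a password. Whichever way the file is produced, the password is the only thing protecting the private key inside it, so choose it with the same care as the account password and keep the media offline.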
