Encrypting Files and Folders

Encrypting Files and Folders
Throughout this book, we explain various methods for keeping snoops away from your data: password-protected user -accounts, restrictive NTFS permissions, prudent network sharing, firewalls, and so on. But what if, despite your best efforts, your files fall into the wrong hands? This is certainly a risk if you travel with a portable computer—a popular target for thieves. But even offices and homes in low-crime neighborhoods are sometimes burglarized, putting your desktop computers at risk. A stealthier thief—perhaps a coworker or someone who manages to penetrate your computer's defenses through the Internet—can also make off with your files.

Nearly every computer, whether it's in a business or a home, contains some sensitive data that must never be available outside your most trusted circle (or, in some cases, to anyone else at all). In addition to financial data—such as your accounting records or personal finance files—your computer might be the repository for marketing plans, trade secrets, medical history, diaries, address books, and similar information. If someone can obtain a file by downloading it from your computer or by borrowing (or stealing) your portable computer, they know your secrets.

In this chapter, we discuss the Encrypting File System (EFS), a feature of Microsoft Windows XP Professional and Windows 2000 that can prevent the loss of such confidential data. EFS encodes your files so that even if thieves are able to obtain a file, they can't read it. The files are readable only when you log on to the computer with your user account (which, presumably, you have protected with a strong password). In fact, even someone else logging on to your computer won't have access to your encrypted files, which provides protection on systems that are shared by more than one user.

NOTE
--------------------------------------------------------------------------------

EFS is not available on computers running Windows XP Home Edition.
Security Checklist: Encrypting Data
Once you set up EFS, it works silently in the background, requiring no further attention. If you don't implement EFS correctly, however, you can undermine your security efforts. For example, your editing program can leave unencrypted temporary files on your drive. To adequately protect your data and, more important, to avoid permanently and irrevocably locking yourself out of your own folders, be sure to observe these guidelines:

If you use Windows 2000, install Service Pack 2 or the High Encryption Pack to enable 128-bit encryption.
Encrypt a file or folder to create a personal encryption certificate.
Export the personal encryption certificate for each account.
If you use Windows XP, be sure you have a Password Reset Disk. Also consider creating and designating a data recovery agent.
Export and protect the private keys for recovery accounts, and then remove them from the computer. This prevents someone from accessing your files using the data recovery agent account.
Encrypt the My Documents folder and any other local folder you use for storing documents.
Always encrypt folders, not files. When a folder is encrypted, all files created in that folder are encrypted. (Many programs save a new copy of the document you are editing. This copy will be encrypted if you encrypt the folder, but it will be not be encrypted if you encrypt only the original file.)
Don't destroy file recovery certificates and private keys when you change data recovery agent policies. Keep them until you are sure that all the files they protect have been updated.
Configure a policy so that the page file is cleared when you shut down your computer. Otherwise, data from files that were decrypted during a working session might remain in the page file, which a thief could peruse. (For details, see Exploring Security Options).
Disable hibernation (a power-saving option you configure in Control Panel, Power Options). If your system goes into hibernation while encrypted files are open (and therefore decrypted), the data is accessible to a thief who views the Hiberfil.sys file.
NOTE
--------------------------------------------------------------------------------

EFS in Windows XP Professional offers several features that are not available in Windows 2000, the first version of Windows to include EFS support. We note these additional features throughout this chapter, but here's a preview of the significant differences in Windows XP:

You can share your encrypted files with other users you designate.
You can store encrypted files in a shared Web folder on a remote computer.
You can encrypt offline files.
Names of encrypted files and folders are displayed in green in Windows Explorer.
Stronger encryption algorithms are available.
No default data recovery agent is required.
Local administrators can't gain access to your encrypted files by changing your password.
Installing Strong Encryption in Windows 2000
--------------------------------------------------------------------------------

Before you begin relying on EFS to protect your data, you should ensure that your copy of Windows 2000 uses strong encryption. (Strong encryption refers to cryptographic operations that use keys of 128 bits or more.)

All versions of Windows XP have built-in support for strong encryption. However, the original Windows 2000 Professional CD includes only 56-bit encryption—the maximum allowed for export from the United States at the time Windows 2000 was completed. In January 2000—only a few weeks before the retail release of Windows 2000—the U.S. government issued new export regulations allowing companies to ship strong encryption products to almost all countries.

If you haven't already done so, you should upgrade to 128-bit encryption, which provides strong encryption for encrypted files on NTFS volumes; for secure network connections, such as those using Internet Protocol Security (IPSec); and for all other encryption-based services. (To find out whether strong encryption is installed on your computer, search for a file named Rsaenh.dll; the file exists in %SystemRoot%\System32 only if strong encryption has been installed.) You can upgrade to strong encryption in any of these ways:

Install Service Pack 2 (or later) for Windows 2000. We recommend this method because SP2 also includes a large number of security patches, bug fixes, and enhancements.
Install from the High Encryption Floppy Disk included in the Windows 2000 Professional retail package. Run Encpack.exe from the floppy disk.
Download and then install the High Encryption Pack from http://www.microsoft.com/windows2000/downloads/recommended/encryption.