Wednesday, 30 January 2008

Using Encrypted Data

You'll notice no significant difference in working with encrypted folders or files if you're logged on with the same account you used when you encrypted them. In fact, you might forget that you're using encrypted files.

INSIDE OUT
--------------------------------------------------------------------------------

Identifying encrypted files

Because EFS works transparently, knowing which folders and files are encrypted requires a close look. The process of right-clicking each file and then choosing Properties, General, Advanced (followed by Cancel, Cancel) is tedious. Fortunately, you can determine whether a folder or file is encrypted in any of these additional, and easier, ways:

In Windows XP (but not Windows 2000), you can tell at a glance: By default, Windows Explorer displays the names of encrypted objects in green. (If they're not green, you need to set an option. In Windows Explorer, choose Tools, Folder Options. On the View tab, select Show Encrypted Or Compressed NTFS Files In Color. Windows Explorer uses blue for compressed files.)
In Windows Explorer, use Details view. Choose View, Choose Details, and then select Attributes. Encrypted files show the letter E in the Attributes column.
In a Command Prompt window, type cipher with no parameters to display the encryption state of the current folder and its files. Cipher precedes the name of each encrypted file with an E; a U (for unencrypted) identifies other files. To display only specific files (or files in another folder), append a file specification (including wildcards if you like) to the Cipher command line.
To list all encrypted files on all local drives, type cipher /u /n in a Command Prompt window.
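The checks above can be scripted. The following is an added example, not code from the book or the blog: it walks a folder tree, reports each object with the same E/U letters that cipher.exe prints, and, for every encrypted file, tries to open it for reading so you can see which ones the current account can actually decrypt. It assumes Windows PowerShell 2.0 or later and an NTFS volume; the function name and output columns are mine.

```powershell
# Added example (not from the book or the blog): list EFS-encrypted files and folders
# under a path, and test whether the account running the script can read each one.
# Assumes Windows PowerShell 2.0 or later on an NTFS volume.
function Get-EfsStatus {
    param([Parameter(Mandatory = $true)][string]$Path)

    Get-ChildItem -Path $Path -Recurse -Force | ForEach-Object {
        $item = $_
        # The Encrypted attribute is what Explorer colours green and shows as "E".
        $isEncrypted = ($item.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0
        $state = 'U'
        if ($isEncrypted) { $state = 'E' }

        $readable = $null
        if ($isEncrypted -and -not $item.PSIsContainer) {
            # EFS refuses to open a file you hold no key for with "access denied",
            # even when the NTFS ACL grants you Read. Opening it for read and
            # closing it again is the cheapest way to find out.
            try {
                $fs = [System.IO.File]::Open($item.FullName, 'Open', 'Read', 'ReadWrite')
                $fs.Close()
                $readable = $true
            } catch {
                $ex = $_.Exception
                if ($ex.InnerException) { $ex = $ex.InnerException }
                if ($ex -is [System.UnauthorizedAccessException]) { $readable = $false } else { throw }
            }
        }

        New-Object PSObject -Property @{
            State    = $state       # same letters cipher.exe prints
            Readable = $readable    # $null for folders and unencrypted files
            Path     = $item.FullName
        }
    }
}

# Usage: show only the encrypted objects, like "cipher /u /n" but for one tree.
Get-EfsStatus -Path 'D:\Projects' |
    Where-Object { $_.State -eq 'E' } |
    Format-Table State, Readable, Path -AutoSize
```

A file that shows State E but Readable False is one that another account encrypted, or one whose certificate and private key are missing from your profile; that is exactly the case the next section describes.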
Encrypted files differ from unencrypted files in several subtle but important ways:

When you are logged on with an account different from the one you used when you encrypted a file... If you try to open an encrypted file, you get an "access denied" message, even when the NTFS permissions grant you Read; the refusal comes from EFS, which finds no private key in your profile that can unlock the file. Likewise, if you try to decrypt an encrypted file by clearing the encryption attribute, you get an "access denied" message. However, if you have Modify or Full Control permission, you can delete or rename an encrypted file.

When you copy or move an unencrypted file to an encrypted folder... The copy you add to the encrypted folder becomes encrypted.

TIP
--------------------------------------------------------------------------------

You can override the default automatic encryption behavior by configuring a policy. In Group Policy (Gpedit.msc), open Computer Configuration\Administrative Templates\System. Double-click Do Not Automatically Encrypt Files Moved To Encrypted Folders and select Enabled.
When you copy an encrypted file... If you copy an encrypted file to another NTFS volume on your computer, it remains encrypted. If you copy it to an NTFS share on another computer running Windows XP or Windows 2000, it also remains encrypted on the destination, but be aware of what happens on the way: your computer decrypts the file, sends it across the network in plaintext (EFS provides no protection in transit), and the server re-encrypts it with a key from your user profile on that server, which need not be the key on your own computer (in a domain, the server's computer account must also be trusted for delegation for this to work). If EFS is disabled on the target computer, Windows refuses to copy the file, instead displaying a red-herring "access denied" message. If you copy an encrypted file to a FAT volume (including floppy disks) or to an NTFS volume on a computer that is running Windows NT, the file becomes decrypted.

When you move an encrypted file... If you move an encrypted file to another folder on the same volume, the file remains encrypted. Moving the file to another volume is essentially a "copy and then delete" process; moving your own encrypted files is handled the same way as the copy operation just described. If you move someone else's encrypted file to a FAT volume, you get an "access denied" message.

When you rename an encrypted file... The file is renamed and it remains encrypted.

When you delete an encrypted file... The restorable file (if you delete to the Recycle Bin) remains encrypted.

When you back up an encrypted file using Windows Backup... You've picked the best way to back up encrypted files or move them between systems! Backup reads the raw encrypted stream rather than the decrypted data, so the files in the backup media remain encrypted, whether they're on disk or tape. (Because removable media is usually formatted as FAT, an ordinary copy to it becomes decrypted.)

When you use encrypted files on a different computer... Your personal encryption certificate and its private key must be available on the computer. You can copy the keys manually. For details, see Backing Up Your Certificates. If you use roaming profiles, your encryption keys are automatically available on all computers you log on to with that user account.
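The copy and move rules above are easy to get wrong by hand, because the only signal that a file was silently decrypted is a missing attribute on the destination. The following is an added example, not code from the book or the blog: a copy wrapper that refuses to put an encrypted file on a non-NTFS volume, warns when the destination is a network share, and confirms the attribute survived; a second function reports the Group Policy setting from the tip above. The registry location of that policy (HKLM\SOFTWARE\Policies\Microsoft\Windows\System, value NoEncryptOnMove) and both function names are assumptions of mine.

```powershell
# Added example (not from the book or the blog). Assumes Windows PowerShell 2.0 or later.
# The registry location of the "Do not automatically encrypt files moved to encrypted
# folders" policy is assumed: HKLM\SOFTWARE\Policies\Microsoft\Windows\System\NoEncryptOnMove.
function Get-EfsMovePolicy {
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $value = (Get-ItemProperty -Path $key -Name NoEncryptOnMove -ErrorAction SilentlyContinue).NoEncryptOnMove
    if ($value -eq 1) { 'Policy enabled: files moved into encrypted folders are NOT encrypted automatically' }
    else              { 'Default: files moved or copied into encrypted folders become encrypted' }
}

function Copy-EfsFile {
    param([Parameter(Mandatory = $true)][string]$Source,
          [Parameter(Mandatory = $true)][string]$Destination)

    $encrypted = ([System.IO.File]::GetAttributes($Source) -band [System.IO.FileAttributes]::Encrypted) -ne 0
    if ($encrypted) {
        # Resolve relative to the PowerShell location, not the process working directory.
        $full = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($Destination)
        $root = [System.IO.Path]::GetPathRoot($full)
        if ($root.StartsWith('\\')) {
            # Remote share: the file is decrypted locally, crosses the network in
            # plaintext and is re-encrypted by the server with its own copy of your key.
            Write-Warning "Destination $root is a network share; data will cross the network unencrypted."
        } else {
            $format = (New-Object System.IO.DriveInfo($root)).DriveFormat
            if ($format -ne 'NTFS') {
                throw "Refusing to copy: $root is $format, so the copy would be stored decrypted."
            }
        }
    }

    # A target computer with EFS disabled makes this fail with "access denied".
    Copy-Item -Path $Source -Destination $Destination

    $target = $Destination
    if (Test-Path -Path $Destination -PathType Container) {
        $target = Join-Path $Destination (Split-Path $Source -Leaf)
    }
    $stillEncrypted = ([System.IO.File]::GetAttributes($target) -band [System.IO.FileAttributes]::Encrypted) -ne 0
    New-Object PSObject -Property @{
        Source    = $Source
        Target    = $target
        Encrypted = $stillEncrypted   # $false here means the data now sits on disk in the clear
    }
}

# Usage
Get-EfsMovePolicy
Copy-EfsFile -Source 'D:\Projects\notes.txt' -Destination 'E:\Archive\'
```

Moving across volumes is a copy followed by a delete, so the same wrapper applies; moving within a volume never changes the attribute and needs no check.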

CAUTION
--------------------------------------------------------------------------------

Other users with permission to delete a file (that is, users with Modify or Full Control permission) can't use your encrypted files—but they can make them difficult for you to use. Any such user can rename your files, which can make them difficult to find, and also can delete your files. (Even if the user merely deletes them to the Recycle Bin and doesn't remove them altogether, the deleted files are unavailable to you because you don't have access to any other user's Recycle Bin.) Therefore, if you're concerned about protecting your files from other authorized users as well as from a thief who steals your computer, you should modify the NTFS permissions to prevent any type of modification by other users. For more information, see Sharing Documents Securely on a Multiuser Computer.
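EFS protects the contents of a file, not its existence: the caution above says the remedy against rename and delete by other users is the NTFS ACL. The following is an added example, not code from the book or the blog: it removes inherited permissions from an encrypted file or folder and leaves Full Control only to the account running it and to SYSTEM. The function name is mine; it assumes Windows PowerShell 2.0 or later on an NTFS volume.

```powershell
# Added example (not from the book or the blog): lock down the NTFS ACL on an encrypted
# file or folder so that only the current account and SYSTEM can rename or delete it.
# Assumes Windows PowerShell 2.0 or later on an NTFS volume.
function Protect-EfsObject {
    param([Parameter(Mandatory = $true)][string]$Path)

    $item = Get-Item -Path $Path -Force
    $acl  = Get-Acl -Path $Path

    # Stop inheriting from the parent folder, discard the inherited entries,
    # then drop every explicit entry that is left.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)
    }

    # A folder passes the rules on to what is created inside it; a file cannot.
    $inherit = 'None'
    if ($item.PSIsContainer) { $inherit = 'ContainerInherit, ObjectInherit' }

    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    foreach ($who in @($me, 'NT AUTHORITY\SYSTEM')) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $who, 'FullControl', $inherit, 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl

    # Show the resulting entries so the change can be verified.
    Get-Acl -Path $Path | Select-Object -ExpandProperty Access |
        Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
}

# Usage
Protect-EfsObject -Path 'D:\Projects'
```

SYSTEM is kept so that backup and other services keep working. This does not stop a local administrator, who can always take ownership of the object and rewrite the ACL; EFS still keeps the contents from them, but not the file name or the file itself.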
Like the encryption process, decryption is done transparently. That is, you work with your encrypted files exactly the same way you work with unencrypted files. When Windows detects that a file you're accessing is encrypted, it finds your certificate, uses its private key to unlock the file's own encryption key stored in the file's header, and uses that key to decrypt the data as it is read from the disk.

To permanently decrypt a folder or file, clear the Encrypt Contents To Secure Data check box in the Advanced Attributes dialog box. If you decrypt a folder, Windows asks whether you want to decrypt only the folder or the folder and its contents. If you choose the latter option, Windows prohibits you from decrypting any files for which you don't hold a valid encryption certificate. If you change the attribute for a file that you encrypted, Windows decrypts it without further ado. If you attempt to decrypt a file that someone else encrypted, you get an "access denied" message.
