Using the Encrypting File System
The Encrypting File System allows you to encrypt files on an NTFS volume so that only you can use them. This offers a level of protection beyond that provided by NTFS permissions, which you can use to restrict access to your files by others who log on to your computer. NTFS permissions are vulnerable for a couple of reasons. First, all users with administrative privileges can grant themselves (or others) permission to access your files. What's worse, anyone who gains physical access to your computer can boot from a floppy disk (or from another operating system, if your computer is set up for dual booting) and use a utility such as NTFSDOS (available from Sysinternals, http://www.sysinternals.com) to read the files on your hard disk—without having to provide a user name or password. Portable computers, which are more easily stolen, are especially vulnerable to this type of information loss.
TIP
--------------------------------------------------------------------------------
Require a startup password on portable computers
On most computers, you can use BIOS settings to construct another obstacle for anyone who steals your computer. Set your BIOS so that a password is required to start the computer or to enter the BIOS setup program, and set the boot options so that the computer can't be booted from a floppy disk or CD. Unfortunately, this type of protection can also be circumvented. For example, removing the hard disk and installing it in another computer makes its files available to someone with the proper tools.
A much more effective method is to remove the Syskey startup key from the computer. To start the computer, you'll then need to enter a password (or insert a floppy disk that contains the startup key, depending on how you set up Syskey protection) before you can log on. For details about configuring this protection, see Adding Another Layer of Protection with Syskey.
EFS provides a secure way to store your sensitive data. Windows creates a randomly generated file encryption key (FEK) and then transparently encrypts the data using this FEK as data is written to disk. Windows then encrypts the FEK using your public key. (Windows creates a personal encryption certificate with a public/private key pair for you the first time you use EFS.) The FEK is a symmetric key (that is, the same key is used for encrypting and decrypting data), which is orders of magnitude faster than public key encryption. The FEK, and therefore the data it protects, can be decrypted only with your certificate and its associated private key, which are available only when you log on with your user name and password. (Designated data recovery agents can also decrypt your data. For information about data recovery agents, see Recovering Encrypted Data.) Other individuals who attempt to use your encrypted files receive an "access denied" message. Even administrators and others who have permission to take ownership of files are unable to open your encrypted files.
You can encrypt individual files, folders, or entire drives. We recommend that you encrypt folders instead of individual files. If you have hard disk volumes that contain only data (that is, drives other than the system drive and boot drive), consider encrypting the entire drive. When you encrypt a folder or drive, the existing files it contains are encrypted, and new files that you create in the folder or drive are encrypted automatically, as are temporary files that your applications create in the folder or drive. (For example, Microsoft Word creates a copy of a document in the folder where it's stored when you open the document for editing. If the document's folder isn't encrypted, the temporary copy isn't encrypted—giving prying eyes a potential opportunity to view your data.) For this reason, you should also consider encrypting your %Temp% and %Tmp% folders, which many applications use to store temporary copies of documents that are open for editing. (Note, however, that doing so might slow your system considerably, and it might prevent some installation programs from running properly.)
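The following PowerShell session is an added example, not part of the original article, that walks through the folder-level procedure just described and also surfaces the key hierarchy explained above: after a folder is encrypted, `cipher /c` lists which certificates (yours and any data recovery agent's) hold a wrapped copy of the file's FEK. It assumes a Windows machine with an NTFS volume, `cipher.exe` (shipped with Windows since Windows 2000) and PowerShell; the folder path `Documents\Private` and the file `notes.txt` are constructed placeholders.

```powershell
# Added example (not the article's own code). Assumes NTFS, cipher.exe and
# PowerShell; the folder and file names below are constructed placeholders.
$Private = Join-Path $env:USERPROFILE 'Documents\Private'
New-Item -ItemType Directory -Path $Private -Force | Out-Null

# Encrypt the folder and everything already inside it (/e = encrypt, /s:dir = recurse).
# Files created in this folder later, including application temp copies, inherit encryption.
cipher.exe /e /s:"$Private" | Out-Null

# Returns $true when the Encrypted attribute is set on a file or folder.
function Test-EfsEncrypted {
    param([Parameter(Mandatory)][string]$Path)
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    return [bool]($attrs -band [IO.FileAttributes]::Encrypted)
}

# A file written after the folder was encrypted should come out encrypted automatically.
$Note = Join-Path $Private 'notes.txt'
'sensitive text' | Set-Content -LiteralPath $Note
Test-EfsEncrypted -Path $Private
Test-EfsEncrypted -Path $Note

# Show who can decrypt this file: the certificate of the user who encrypted it and
# any data recovery agent. Each entry corresponds to one copy of the FEK wrapped
# with that principal's public key, which is why an administrator who merely takes
# ownership still gets "access denied".
cipher.exe /c $Note

# Before deciding whether to encrypt %Temp% as well, list temp files currently
# stored in cleartext (the article notes the performance and installer caveats).
Get-ChildItem -Path $env:TEMP -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::Encrypted) } |
    Select-Object -First 10 -ExpandProperty FullName
```

Run this from the account that owns the data; EFS ties the private key that unwraps the FEK to that account's logon, so the `cipher /c` listing will name that user's certificate, plus the recovery agent if one has been configured.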