Why Encrypting Files is the Ultimate Protection

It’s perfectly normal for multiple users to share the same computer. That’s why you’re allowed to create more than one user account on the computer! Sad to say, though, what many of these users do not realize is that their files on these computers are accessible to anyone who has physical access to them. Yup, you read that right. Although the chances of your roommate trying to sneak into your computer behind your back may be small, you cannot rule out the possibility. People are curious by nature. Heck, being curious is what drives people to invent things. But it can also be a dangerous trait in certain scenarios. For example, let’s say you have a new girlfriend or boyfriend that you just don’t want your friends to know about yet. Your friends, however, know that you have pictures of him/her on your computer. As the saying goes, curiosity killed the cat. One day your friends wait for you to leave the room. They turn on your computer and boot into a live operating system on a CD. Now they have control of all the files in your user account. Because you thought that a strong password protecting your user account was all it takes to keep someone out, you’ll be none the wiser that your friends now know the secret. Of course, this is just a simple scenario I thought of right now, but it is definitely in the realm of possibility. So how can you prevent this from happening to you? Simple. It’s called encryption.

The method I’ve just described, by which a stranger (or not) can gain access to all your files, is one of the oldest yet easiest ones around. Just about anyone can do it, and all they would need is a blank CD/DVD and a little patience. How is this even possible, you ask? Well, you have to remember that your Windows operating system consists of just files. That’s what it boils down to. A bunch of files living on your hard drive. By default, Windows will prevent you from tampering with core system files because it knows you’re not supposed to be messing with them in the first place. It also knows to keep user accounts separate from one another. Technically, user Bob should not be able to access user Alice’s files on the same computer unless she says it’s OK. All of these protections apply only “while you are in the actual Windows operating system”. So what happens when you try to gain access to those files via another operating system besides Windows? Well, the playground rules have now all been changed. Because the operating system you are now using doesn’t have to play by the rules of Windows, it sees the files on the hard drive as just that. Files. Nothing more.

  1. So you’ve got an uber 16-character randomly generated password protecting your user account? It doesn’t mean a thing here as we are not booting into Windows. Therefore, user accounts don’t matter. Even if they did, a simple reset of your password would allow us right in.
  2. But I set special permissions on the files themselves to control who can and cannot access them! Nope, try again. Those “rules” only take effect when you boot into Windows. Because another operating system has been loaded, it doesn’t have to follow those rules.
  3. My files are hidden from view! They can’t be seen! Well, that is just another type of special rule that is enforced on the files when you are loaded into Windows. Even if your files are hidden from view, can you deny that they are still residing physically on the hard drive itself? As long as they are on the hard drive, they can be seen. Hiding your files is just an amateur trick that, while it has its uses, you wouldn’t want to rely on where your precious data is concerned.

Encryption and Why it’s so Important

OK, so you get the point. Your files are not as safe as you thought they were. So what do we do? As mentioned above, your files are just pieces of information floating around inside your hard drive. If I plucked out a random picture or document and gave it to you, would you be able to open it? Well, of course you could! If I can open it on my computer, why couldn’t you? Well, what if I scrambled the data in the file itself so that only the person with the key can put it back together? If I gave that file to you, would you be able to open it then? Most likely not. I’ve just said that only the person with the key to unscramble the data can open the file. As you don’t have the key, you wouldn’t be able to open it. This is the basis of how file encryption works. Within Windows, there is a built-in file encryption technology called the Encrypting File System (EFS) that you can use immediately to protect your data.

I’m sorry to announce that EFS is only available in certain editions of Windows. Only Windows XP Professional and all editions of Windows Vista and Windows 7 higher than Home Premium can use this technology. Home Premium users are left to use alternate encryption technologies. If you’ve read up to this point and are disappointed to find that the fix doesn’t apply to you, then I hope you’ve at least got an idea of how dangerous unencrypted files really are. EFS is not the only technology in place to help protect your files. However, it is the easiest to implement as the technology is built in. If you really want to use it after serious consideration, then I advise you to upgrade your operating system edition to one that does allow use of EFS. If not, then you’ll need to look elsewhere.

EFS is the preferred method to use when trying to encrypt your files on a Windows system because of how seamlessly it works. Once you’ve done the groundwork and backed up your encryption key (I’ll go over this soon), encryption and decryption of files will pretty much work in the background and you’ll hardly even notice it’s there. However, you can have peace of mind that if your laptop or computer gets stolen, or whenever your “buddies” want to poke around in your account for “secret” files, they will be denied access.

Enabling EFS on your System

Take the time to heed my advice here. Before you go encrypting your important files left and right, it’s best if you create a couple of dummy files to test EFS with first. If something goes wrong, you can at least rest easy knowing nothing important was destroyed. This is not a joke, people. EFS will lock you out of your own data if you do not respect or understand how it works!

It’s really easy to begin using EFS on your Windows system. All it takes is a couple of clicks and you’re good to go. No, seriously. A couple of clicks. With EFS, you can either encrypt a whole folder or individual files (the former is preferred). With an EFS-enabled folder, all files dumped into that folder will automatically get encrypted without you having to take any action. This is the preferred method because there can be times when you would just forget to encrypt a single file. Or it could be that you initially thought a file was unimportant (so it doesn’t get encrypted) until your computer gets stolen. By encrypting your most used folders, you can rest assured that everything within them gets encrypted whether it’s important or not. Why take the chance?

In this very simple example, I’ll encrypt a folder and place a photo within it. As soon as you encrypt your first folder or file, a very special key gets generated for you. This special key is what is needed to decrypt all your encrypted files. This is very important to remember and I’ll repeat it again. This special key is absolutely needed to decrypt your files! Without it, you are locked out of your own files even if you are the owner.

EFS is much, much more complicated than just relying on a single key to encrypt and decrypt your data. A lot of things work in the background to ensure that EFS is secure, and that’s one of the good things about it: as the user, you never really have to bother with any of it if you don’t want to. EFS will still work. However, if you do want to learn about the details of EFS, I highly suggest you go over this article by Steve Riley. He goes over the details of how EFS can protect data on your laptop should it one day be stolen. A more in-depth technical look can be found in this Technet article as well.

Alright, so let’s get started. A friend sent me a very funny picture so I’ll use that as the example here. Just pretend that the picture is some sort of highly secret file you don’t want others to see. I’ll create a folder called Sensitive and place the photo called Secretpic into that folder. I’m then going to right-click on the folder and select Properties from the menu. Under the General tab, I’ll click on the Advanced button. On the next window, I’ll place a checkmark next to the “Encrypt contents to secure data” option and hit OK twice. You’ll be presented with another dialog box asking whether you want to apply the change to this folder only (Sensitive) or to this folder and all subfolders and files as well. In my case, I want to encrypt all subfolders and files under Sensitive as well, so I’ll choose that option. Immediately, your computer will start to encrypt your contents. If this is your first time using EFS, the computer will automatically generate a certificate (private key) for your account. This private key is then used from now on to encrypt your other contents. Also, you’ll be presented with a message in your system tray reminding you to back up your file encryption key. If you look back into your encrypted folder, the folder and filenames should now all be in green text. This easily lets you know that the contents are encrypted with EFS. Anytime you open a file that has been encrypted, your system will decrypt it in the background. In many cases, this is almost instantaneous. Once you finish with the file, it will silently get encrypted again, all without you having to do anything.

Since your file encryption key is the lifeblood of the EFS system, you’ll definitely want to make a backup copy of the key and place it somewhere safe. Start by typing the word “encryption” in your Start menu and select the “Manage File Encryption Certificates” option. Click Next on the welcome screen. In the next window, you should be asked to select which file certificate you want to back up. In many cases, you should only have one, which was created minutes ago when you first used EFS to encrypt that folder. Hit Next. The next page will ask you to choose a backup location and to protect the backup with a password. If you use LastPass, KeePass or another type of password management system, create a strong randomly generated password to help protect this certificate. Just make sure that you keep a record of it within your password management software, otherwise you won’t be able to extract it later on! Once you hit Next, you can skip the next screen asking you to update your encrypted files and that should be it. Your backup EFS certificate should have been created at the specified location.

It bears repeating that you must be absolutely positive that you back up this certificate! This is your only way to decrypt your files should your computer crash and you can’t log into Windows. There are third-party programs and utilities out there that claim to be able to recover your encrypted files as long as you know your password, but do you really want to go through that? Also, a lot of people say that you need to keep it in a safe place. That’s true, but I’d rather you keep it somewhere that you will actually remember! Because your certificate is protected with a highly random generated password (hopefully you’ve done that), it should be safe to even keep a backup of the certificate within an email and send it to yourself. Whatever happens, do not forget where you placed your backup certificate!
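
The same dummy-folder test and key backup can be done from a PowerShell prompt with the built-in cipher.exe tool. This is an added example, not part of the original article; the test folder and backup paths are assumptions, and it needs an EFS-capable Windows edition and an NTFS volume.

```powershell
# Added example. $folder and $backup are hypothetical paths; change them before use.
$folder = Join-Path $env:USERPROFILE 'EFS-Test'
$backup = Join-Path $env:USERPROFILE 'efs-backup'

# 1. Create a dummy folder and mark it, and everything beneath it, for encryption.
New-Item -ItemType Directory -Path $folder -Force | Out-Null
cipher /e "/s:$folder" | Out-Null

# 2. Add a dummy file afterwards; it should inherit encryption from the folder.
$dummy = Join-Path $folder 'dummy.txt'
Set-Content -Path $dummy -Value 'test data only'

# 3. Check the NTFS Encrypted attribute on every file instead of relying on
#    the green text in Explorer. Returns the files that were missed.
function Get-UnencryptedFile {
    param([Parameter(Mandatory=$true)][string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -Force |
        Where-Object {
            -not $_.PSIsContainer -and
            -not ($_.Attributes -band [IO.FileAttributes]::Encrypted)
        }
}

$missed = @(Get-UnencryptedFile -Path $folder)
if ($missed.Count -eq 0) {
    Write-Host "All files under $folder are EFS-encrypted."
} else {
    Write-Warning "These files are NOT encrypted:"
    $missed | ForEach-Object { Write-Warning $_.FullName }
}

# 4. Show which user certificates are able to decrypt the dummy file.
cipher /c "$dummy"

# 5. Back up the current user's EFS certificate and private key.
#    cipher asks for confirmation and a password, then writes a .PFX file.
cipher /x "$backup"
```

Get-UnencryptedFile can also be pointed at a real folder later to catch files that were copied in without being encrypted.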


Comments

  1. Forsyth Blythe-Smythe says:

    “With EFS, you can either encrypt a whole folder or individual files (the latter is preferred). ”

    Considering what you say after this, did you mean “the former”?

    Thanks for this helpful article

  2. Thank you for this post, I never knew this technology was built into Windows. Also been worried about if my laptop was stolen, well this has solved my problem :). Made a backup of the key on a memory stick, two email addresses and Dropbox, should be all fine :).

    • No worries Shane. A lot of other users out there also never knew about EFS. I can’t really blame them however, as only certain higher editions of Windows had access to this security feature. Most users with the Home edition never could use this and many probably wouldn’t spend the money for an OS upgrade just for this.
