File Encryption without Passwords

Did I ever tell you that I get all sorts of weird requests from some of my clients? So it was no surprise when someone asked me to help him devise a plan to protect all of the important documents and files on an external hard drive he keeps at home, so that no computer but his own can access those files. Here is the kicker: he is absolutely dead set against having to enter a password before being able to access those files. His main goal is to be able to connect the drive to his laptop whenever he’s at home, log in, and access the protected files without having to do anything extra. Allowing other users in his household to store their files on the external hard drive is completely optional, just as long as no one but him is able to view his protected files. OK, so if you think about it, this request is not as weird as I make it out to be. There’s actually a really simple solution to this and, best of all, it’s very easy to implement.

One of the more underrated security features in Windows, present since it debuted in Windows 2000, is the Encrypting File System, better known as EFS. It is an encryption system that helps users protect their files from unauthorized viewing and modification. I wrote a detailed article on what EFS is and how you can use it to encrypt your personal files, so this article will not go into the specifics of EFS.

One of the main requirements before you can use EFS on your system is that you must be running a Windows 7 edition of Professional or higher. If you are on the more popular Home Premium edition, EFS is not available to you.

Before EFS can be used on the external hard drive, the drive must be formatted with the NTFS file system. If it’s on FAT32, you will need to clean out the drive, saving whatever is important elsewhere, and then format it. This is a very simple ordeal. Once you have made sure that the drive is safe to reformat (all files on it will be erased), simply head into Computer, right-click on the drive and select Format from the menu options.

In the resulting window, be sure to select NTFS as the file system. You can optionally give the drive a label. If you want to perform a more thorough cleanup of the drive, deselect the Quick Format option. To begin the operation, click on the Start button.

Once you have the drive formatted to NTFS and made sure that you have a Windows 7 edition of Professional or higher, we can begin encrypting files on our external drive!

Encrypting Our Files

There are two ways to use EFS to encrypt our files. We can either encrypt files individually, or we can encrypt a folder so that any file placed within it is automatically encrypted. The latter option is usually recommended, but you can definitely use a combination of both if you choose to. The process is the same for a file or a folder and only takes a couple of clicks. In my example here, I will encrypt a folder.

Right-click on the folder and choose Properties from the menu. In the resulting window, click the Advanced button. In the Advanced Attributes window, select the “Encrypt Contents to Secure Data” attribute and click OK. Click OK in the previous window as well to apply the settings. If you now look back into the drive, you will find the encrypted folder shown with a green label. This helps identify which folders have been encrypted with EFS. With the folder encrypted, every file placed into it will be encrypted automatically and the user will not have to perform any other procedure.
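The same procedure from the command line, as an added example that is not from the original article: it checks the two prerequisites above (NTFS volume, EFS-capable edition), marks a folder for EFS with the built-in cipher.exe tool, and verifies that a new file dropped into it picks up the Encrypted attribute. The drive letter and folder name are assumed values.

```powershell
# Added example (not from the original article). Assumed values: drive E:, folder E:\Private.
$DriveLetter = 'E'
$Folder      = "${DriveLetter}:\Private"

# 1. The volume must be NTFS; EFS is not available on FAT32.
$disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='${DriveLetter}:'"
if ($null -eq $disk) { throw "Drive ${DriveLetter}: is not connected." }
if ($disk.FileSystem -ne 'NTFS') {
    throw "Drive ${DriveLetter}: is $($disk.FileSystem); reformat it as NTFS first (this erases all data)."
}

# 2. Home editions ship without EFS. Matching the edition name is only a heuristic;
#    the authoritative test is whether the encrypt attribute can actually be set (step 3).
$os = Get-WmiObject Win32_OperatingSystem
if ($os.Caption -notmatch 'Professional|Ultimate|Enterprise') {
    Write-Warning "Edition '$($os.Caption)' may not support EFS."
}

# 3. Create the folder and mark it encrypted. cipher.exe /E encrypts, /A includes files
#    already present, /S: applies the operation to the folder tree. Marking the folder is
#    what makes files copied in later encrypt automatically, exactly like ticking the
#    "Encrypt contents to secure data" checkbox in the Advanced Attributes dialog.
New-Item -ItemType Directory -Path $Folder -Force | Out-Null
& cipher.exe /E /A "/S:$Folder" | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "cipher.exe failed (exit code $LASTEXITCODE); EFS is probably unavailable on this edition."
}

# 4. Verify: the folder and a freshly created file inside it must carry the Encrypted attribute.
$probe = Join-Path $Folder 'probe.txt'
Set-Content -Path $probe -Value 'constructed test content'
foreach ($item in (Get-Item $Folder), (Get-Item $probe)) {
    $encrypted = ([int]$item.Attributes -band [int][System.IO.FileAttributes]::Encrypted) -ne 0
    Write-Host ("{0,-40} Encrypted={1}" -f $item.FullName, $encrypted)
    if (-not $encrypted) { throw "$($item.FullName) is not encrypted." }
}
Remove-Item $probe
```

Run it in the account that will own the files, because the first encryption is what makes Windows generate that account's EFS certificate.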


Due to how EFS works, we have just fulfilled one of the biggest requirements for our client. Since the only way to decrypt EFS-encrypted files is with the certificate that encrypted them in the first place, no computer besides our client’s can access them, because the certificate is stored on his computer. Therefore, once he connects the drive to his work laptop and logs in, he has complete access to these files. Because EFS decryption works automatically in the background, the client will not have to type in a password of any kind. As soon as he opens an encrypted file, Windows uses his certificate to decrypt it in the background. Once he finishes with the file and saves his changes, the file is automatically re-encrypted. Since EFS is file-based, other users can store their personal data on the drive as well. The master client can either make a personal folder for each user or even carve out a separate partition for them to use.

If another computer is connected to the external hard drive (or if the drive is simply stolen), it will be denied access to the encrypted files.

Certificate Recovery

EFS is an encryption technology based on certificates. Therefore, wouldn’t you say it’s pretty important to back up the one certificate that can decrypt the files we encrypt? Without this certificate, all access to the encrypted data will be denied to you, the actual owner, as well. A lot of people don’t seem to understand this and assume there is a backdoor to help them recover their encrypted data. Whether there is or not, I really don’t think you want to take that chance. A simple certificate backup is all that is needed to ensure you can recover your encrypted files. Of course, you’ll also have to make sure to store that certificate in a safe place! Storing the backup certificate on the original computer is just plain stupidity. A very simple plan is to send an email with the certificate attached to your own email address. That way, you’ll always have access to the key in case an accident happens.

You can read how to perform the certificate backup and recovery procedure in the article I linked at the beginning of this article. It’s also very important that you understand that forcibly changing the password of the user account (for example, using the method detailed here) will render the certificate useless for decrypting the files. If the user does not have a backup certificate at this point, they will be locked out of their EFS-encrypted files. It is possible to regain access by changing the password back to the original. The safest way to reset a forgotten password without harming your EFS-encrypted files is to use the password recovery disc.
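The backup the article insists on, as an added example that is not from the original article or its linked procedure: it finds the EFS certificate(s) in the current user’s personal store and exports each one together with its private key to a password-protected .pfx file, which is the same thing the Certificate Export Wizard produces. The output folder is an assumed value.

```powershell
# Added example (not from the original article). Assumed value: backup folder is the Desktop.
$BackupDir = "$env:USERPROFILE\Desktop"

function Get-EfsCertificate {
    # An EFS certificate is one in Cert:\CurrentUser\My that has a private key and carries
    # the "Encrypting File System" enhanced key usage, OID 1.3.6.1.4.1.311.10.3.4.
    $efsOid = '1.3.6.1.4.1.311.10.3.4'
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $ekus = $_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }
        $_.HasPrivateKey -and ($ekus -contains $efsOid)
    }
}

$certs = @(Get-EfsCertificate)
if ($certs.Count -eq 0) {
    throw 'No EFS certificate found. Windows only creates one the first time you encrypt something.'
}

# Once the .pfx leaves this PC, its password is the only thing protecting the private key,
# and whoever imports the file can decrypt every file this certificate protects.
$pfxPassword = Read-Host -Prompt 'Password to protect the .pfx backup' -AsSecureString

foreach ($cert in $certs) {
    $target = Join-Path $BackupDir ("efs-backup-{0}.pfx" -f $cert.Thumbprint)
    try {
        # The Pfx content type includes the private key. Export throws if the key was marked
        # non-exportable; the self-signed certificates EFS generates itself are exportable.
        $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $pfxPassword)
        [System.IO.File]::WriteAllBytes($target, $bytes)
        Write-Host ("Exported {0} (valid until {1}) to {2}" -f $cert.Thumbprint, $cert.NotAfter, $target)
    } catch {
        Write-Warning ("Could not export {0}: {1}" -f $cert.Thumbprint, $_.Exception.Message)
    }
}
```

Copy the .pfx somewhere off the machine and delete the local copy; restoring it on a new PC (or after a forced password change) is just a matter of double-clicking the file, which starts the Certificate Import Wizard.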
  1. So from my understanding I have encrypted my whole My Documents. If someone was to steal my laptop and change my Windows password (which is easy to do), it would render the decryption key useless, meaning they wouldn’t be able to access my files without knowing my original password?

    Also, if I was to, say, purchase a new laptop and import my key, would I need to have the same user password to be able to use the certificate?

    • 1. Yes, that is correct! You can easily try this if you have some spare time. Simply download a password reset disc (I mentioned one above) and change or blank out your user account password. Once logged in, you will not have access to the encrypted files. Then try changing the password back to the original and you should then have access back.

      2. No, you do not. This is one of the main reasons why you must not let a stranger have access to your certificate! He/she can simply import it and have access to your encrypted files, assuming they somehow got their hands on your data in the first place. When you exported your certificate, you should have been asked if you wanted to password protect it. This adds more protection before someone can get access to the certificate, but it also increases the chance that you might forget the password!

      EFS is file-based encryption. If you want to protect your entire computer (hard drive encryption), then you’ll want to take a look at either Bitlocker, which requires the Windows 7 Ultimate edition, or the free utility called TrueCrypt, which you can use if you don’t have that Windows 7 edition.

