Did I ever tell you that I get all sorts of weird requests from some of my clients? So, it’s no surprise when someone requested that I help him devise a plan to protect all of his important documents and files on an external hard drive he has at home so that no computer but his is able to access those files. Here is the kicker: he is absolutely dead set against having to enter a password before being able to access those files. His main goal is to be able to connect the drive to his laptop whenever he’s at home, log in, and be able to access the protected files, all without having to do anything extra. Allowing other users in his household to store their files on the external hard drive is completely optional, just as long as no one is able to view his protected files but him.
OK, so if you think about it, this request is not all that weird as I make it out to be. There’s actually a really simple solution to this and, best of all, it’s very easy to implement.
One of the more underrated security features in Windows since debuting in Windows 2000 is the Encrypting File System, better known as EFS. It is an encryption system that helps users protect their files from unauthorized viewing and modification. I wrote a detailed article on what EFS is and how you can use it to encrypt your personal files. Therefore, this article will not go into the specifics of EFS.
One of the main requirements before being able to use EFS on your system is that you must be running the Professional edition of Windows 7 or higher. If you are on the more popular Home Premium edition, EFS is not available to you.
Before EFS can be used on the external hard drive, it must be formatted with the NTFS file system. If it’s on FAT32, then you will need to clear out the drive, saving whatever is important elsewhere, and then format it. This is a very simple ordeal. Once you have made sure that the drive is safe to reformat (all files will be erased), simply head into Computer, right-click on the drive and select Format from the menu options.
In the resulting window, be sure to select NTFS as the file system. You can optionally give the drive a label. If you want to perform a more thorough cleanup of the drive, deselect the Quick Format option. To begin the operation, click on the Start button.
Encrypting Our Files
There are two ways to use EFS to encrypt our files. We can either encrypt files individually, or we can encrypt a folder so that any files placed within it automatically get encrypted. Usually, it’s recommended to go with the latter option, but you can definitely use a combination of both if you so choose. To encrypt a file or folder, the process is the same and will only take a couple of clicks. In my example here, I will encrypt a folder.
Right-click on the folder and choose Properties from the menu options. In the resulting window, click the Advanced button. In the Advanced Attributes window, select the “Encrypt Contents to Secure Data” attribute and hit OK. Do the same in the previous window to apply the settings. If you now look back into the drive, you will find the encrypted folder with a green label. This helps identify which folders have been encrypted with EFS. With the folder encrypted, every file thrown into it will be encrypted automatically and the user will not have to perform any other procedure.
If another computer comes along and connects to the external hard drive (or if it’s simply stolen), it will be denied access to the encrypted files.
EFS is an encryption technology based on certificates. Therefore, wouldn’t you say it’s pretty important to back up the one certificate that can decrypt the files we encrypt? Without this certificate, all access to the encrypted data will be denied to you, the actual owner, as well. A lot of people don’t seem to understand this and always think there is a backdoor to help them recover their encrypted data. Whether there is or not, I really don’t think you want to take that chance.
A simple certificate backup is all that is needed to ensure you can recover your encrypted files. Of course, you’ll also have to make sure to store that certificate in a safe place! Storing the backup certificate on the original computer is just plain stupidity. A very simple plan is to send an email with the certificate attached to your own email address. That way, you’ll always have access to the key in case an accident happens. You can read how to perform the certificate backup and recovery procedure in the article I mentioned at the beginning of this one.
It’s also very important that you understand that an attempt to forcibly change the password of the user account (for example, using the method detailed here) will render the certificate useless to decrypt the files. If the user does not have a backup certificate at this point, they will be locked out of their EFS encrypted files. It is possible to gain access back by changing the password back to the original. The safest way to reset a forgotten password without harming your EFS encrypted files is to use the password recovery disc.
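The checks and steps described above (NTFS drive, encrypted folder, certificate backup) can also be run and verified from PowerShell. The script below is an added example, not part of the original article; the folder `E:\Private` and the backup path are placeholder assumptions, and `cipher.exe` is the EFS command-line tool built into Windows.

```powershell
# Added example (not from the original article). $Folder and $BackupPath are
# placeholder assumptions; point them at your own drive and backup location.
param(
    [string]$Folder     = 'E:\Private',
    [string]$BackupPath = "$env:USERPROFILE\efs-backup"
)

# 1. EFS needs NTFS: stop early if the external drive uses another file system.
$drive = New-Object System.IO.DriveInfo ([System.IO.Path]::GetPathRoot($Folder))
if ($drive.DriveFormat -ne 'NTFS') {
    throw "$($drive.Name) is $($drive.DriveFormat); format it as NTFS before using EFS."
}

# 2. Command-line counterpart of the Advanced Attributes checkbox.
& cipher.exe /e "/s:$Folder" | Out-Null

# 3. List anything under the folder that is still stored unencrypted.
$plain = @(Get-ChildItem -Path $Folder -Recurse -Force |
    Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::Encrypted) })

# 4. Find the current user's EFS certificates that still have a private key.
$efsOid  = '1.3.6.1.4.1.311.10.3.4'   # "Encrypting File System" enhanced key usage
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
$certs = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and ($_.Extensions | Where-Object {
        $_ -is $ekuType -and ($_.EnhancedKeyUsages | Where-Object { $_.Value -eq $efsOid })
    })
})

# 5. Report, then export the certificate and key. cipher /x asks for
#    confirmation and a password, and writes a .PFX file at $BackupPath.
"Unencrypted items under ${Folder}: $($plain.Count)"
$plain | ForEach-Object { "  $($_.FullName)" }
if ($certs.Count -eq 0) {
    throw 'No EFS certificate with a private key found for this user; nothing to back up.'
}
$certs | ForEach-Object { "EFS certificate $($_.Thumbprint) expires $($_.NotAfter)" }
& cipher.exe /x $BackupPath
```

The exported .PFX file contains the private key, so the password typed at the `cipher /x` prompt is what protects the backup wherever it is stored.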