Section 21.3. Encrypting Files and Folders: Business Enterprise Ultimate

21.3. Encrypting Files and Folders: Business ¢ Enterprise ¢ Ultimate

If your Documents folder contains nothing but laundry lists and letters to your mom, data security is probably not a major concern for you. But if there's some stuff on your hard drive that you'd rather keep privateyou know who you areWindows (Business Edition and higher) can help you out. The Encrypting File System (EFS) is an NTFS feature that stores your data in a coded format that only you can read.

The beauty of EFS is that it's effortless and invisible to you, the authorized owner. Windows Vista automatically encrypts your files before storing them on the drive, and decrypts them again when you want to read or modify them. Anyone else who logs on to your computer, however, will find these files locked and off-limits.

If you've read ahead to Chapter 23, of course, you might be frowning in confusion at this point. Isn't keeping private files private the whole point of Vista's accounts feature? Don't Vista's NTFS permissions (page 692) keep busybodies out already?

POWER USERS' CLINIC
Disk Quotas

Does one of your account holders have a tendency to become a bit overzealous about downloading stuff from the Web, threatening to overrun your hard drive with shareware junk and MP3 files? Fortunately, it's easy enough for you, the wise administrator, to curb such behavior among holders of Standard accounts.

Just choose Start Computer. Right-click the hard drive icon; from the shortcut menu, choose Properties. In the Properties dialog box, click the Quota tab (shown here). Click Show Quota Settings to bring up the Quota Settings dialog box, and then turn on Enable Quota Management.

You might start by turning on "Deny disk space to users exceeding quota limit." This, of course, is exactly the kind of muzzle you were hoping to place on out-of-control downloaders. The instant they try to save or download a file that pushes their stuff over the limit, an "Insufficient disk space" message appears. They'll simply have to delete some of their other files to make room.

Use the "Limit disk space to __" controls to specify the cap you want to put on each account holder. Using these controls, you can specify a certain number of kilobytes (KB), megabytes (MB), gigabytes (GB)or even terabytes (TB), petabytes (PB), or exabytes (EB). (Then write a letter to PC World and tell the editors where you bought a multiexabyte hard drive.)

You can also set up a disk-space limit ("Set warning level to ___") that will make a warning appearnot to the mad downloader, but to you, the administrator. By clicking the Quota Entries button, you get a little report that shows exactly how much disk space each of your account holders has used up. (This is where you'll see the warning as a written notation.)

If you just want to track your underlings' disk usage without actually limiting them, set the warning level to the desired value, but set the Limit Disk Space value to something impossibly high, like several exabytes.

When you click OK, Windows warns you that it's about to take some time to calculate just how much disk space each account holder has used so far.

Yes, but encryption provides additional security. If, for example, you're a top-level agent assigned to protect your government's most closely guarded egg salad recipe, you can use NTFS permissions to deny all other users access to the file containing the information. Nobody but you can open the file in Windows Vista.

However, a determined intruder from a foreign nation could conceivably boot the computer using another operating systemone that doesn't recognize the NTFS permissions systemand access the hard drive using a special program that reads the raw data stored there. If, however, you had encrypted the file using EFS, that raw data would appear as gibberish, foiling your crafty nemesis.

21.3.1. Using EFS

You use EFS to encrypt your folders and files in much the same way that you use NTFS compression. To encrypt a file or a folder, you open its Properties dialog box, click the Advanced button, turn on the "Encrypt contents to secure data" checkbox, and click OK (see Figure 21-7). (For a quicker way, see page 791.)

Figure 21-7. To encrypt a file or folder using EFS, turn on the "Encrypt contents to secure data" checkbox (at the bottom of its Properties dialog box). If you've selected a folder, a Confirm Attribute Changes dialog box appears, asking if you want to encrypt just that folder or everything inside it, too .

Depending on how much data you've selected, it may take some time for the encryption process to complete. Once the folders and files are encrypted, they appear in a different color from your compressed files (unless, once again, you've turned off the "Show encrypted or compressed NTFS files in color " option).

Note: You can't encrypt certain files and folders, such as system files, or any files in the system root folder (usually the Windows folder). You can't encrypt files and folders on FAT 32 drives , either.Finally, note that you can't both encrypt and compress the same file or folder. If you attempt to encrypt a compressed file or folder, Windows Vista needs to decompress it first. You can, however, encrypt files that have been compressed using another technology, such as Zip files or compressed image files.

After your files have been encrypted, you may be surprised to see that, other than their color change, nothing seems to have changed. You can open them the same way you always did, change them, and save them as usual. Vista is just doing its job: protecting these files with minimum inconvenience to you.

Still, if you're having difficulty believing that your files are now protected by an invisible force field, try logging off and back on again with a different user name and password. When you try to open an encrypted file now, a message cheerfully informs you that you don't have the proper permissions to access the file. (For more on Windows Vista security, see Chapter 10.)

21.3.2. EFS Rules

Any files or folders that you move into an EFS-encrypted folder get encrypted, too. But dragging a file out of it doesn't unprotect it; it remains encrypted as long as it's on an NTFS drive. A protected file loses its encryption only when:

You manually decrypt the file (by turning off the corresponding checkbox in its Properties dialog box).
You move it to a FAT 32 drive.
You transmit it via a network or emailwhen you attach the file to an email or send it across the network, Vista will decrypt the file before sending it on its way.

By the way, EFS doesn't protect files from being deleted. Even if passing evildoers can't open your private file, they can still delete itunless you've protected it using Vista's permissions feature (Chapter 23). Here, again, truly protecting important material involves using several security mechanisms in combination.

GEM IN THE ROUGH
Recovering Encrypted Data

Every now and then, encrypted data becomes inaccessible. Maybe a hard drive crash nukes your password, and therefore your ability to open your own encrypted files. Or maybe a disgruntled employee quits, deliberately refusing to divulge his password or decrypt his important files first.

The first time you encrypt a file, Vista puts a prompt in the notification area suggesting that you back up your encryption key. Click the prompt to start the process of backing up your key (that is, your password).

You can also back up your key by right-clicking an encrypted file and selecting Properties. In the Properties dialog box, click Advanced, and then click Details. You can then select your user name and click Back Up Keys to start the process.

Once you've backed it up to a CD or flash drive, keep it secret, keep it safe, and don't make multiple copies of it. If you lose your key, you can restore it by double-clicking on this file and then going through the Certificate Import Wizard. You'll need to provide the password you supplied when you backed up the key, so don't forget it!

If all else fails, Windows Vista has a fallback mechanisma back door. The local Administrator account on a PC can be designated as a recover agent for users, which gives the administrator the ability to decrypt their files in case of an emergency. For instructions on setting up this feature, see http://support.microsoft.com/kb/887414.