Hack75.Hide Folders and Files with the Encrypting File System

Hack 75. Hide Folders and Files with the Encrypting File System

Protect all the information on your PC from prying eyes using XP Professional's built-in encryption scheme.

If you have Windows XP Pro, you can use the Encrypting File System (EFS) to encrypt your files so that no one else can read them.

Home Edition users won't be pleased to know that EFS isn't available for Windows XP home users.

EFS lets you encrypt only the files and folders of your choice; you can encrypt a single file or folder or all your files and folders. Encrypted files and folders show up in Windows Explorer in green, so you can tell at a glance which have been encrypted. You can work with encrypted files and folders transparently. In other words, after you encrypt them, you open and close them as you normally would any other file. They're decrypted on the fly as you open them, and then decrypted as you close them. You're the only person who can read or use the files. Encryption is tied to your account name, so even other accounts on the same computer won't be able to read or use them, unless you specifically grant access to certain accounts.

Each time you encrypt a file, EFS generates a random number for that file called the file encryption key (FEK). EFS uses that FEK to encrypt the file's contents with a variant of the Data Encryption Standard (DES) algorithm, called DESX. (DESX features more powerful encryption than DES.) The FEK itself is encrypted as well using RSA public key-based encryption.

EFS does have a few minor limitations you should be aware of:

• EFS works only on NTFS volumes. If you have a FAT or FAT32 volume, you'll have to convert it to NTFS [Hack #30] if you want to use EFS.

• EFS won't work on compressed files. You'll have to decompress them if you want to encrypt them. Similarly, if you want to compress an encrypted file, you'll have to decrypt it.

• EFS can't encrypt files in the C:\Windows folder or any files marked with the System attribute.

When you work with encrypted files and folders, they seem to behave like any other files on your hard disk. In fact, though, their behavior is somewhat different, and you might notice files you thought were encrypted suddenly become decrypted for no apparent reason. So, before you turn on encryption, you should understand the common actions you can take with encrypted files and folders, and what the results will be. Table 8-1 lists what you need to know.

8.2.1. Encrypting Files and Folders

To encrypt a file or folder, right-click the file or folder and choose Properties General Advanced. The Advanced Attributes dialog box appears, as shown in Figure 8-1.

If no Advanced button appears on the Properties dialog box, it means you aren't using NTFS, so you can't use encryption.

Figure 8-1. Encrypting files or folders using the Advanced Attributes dialog box

Check the box next to "Encrypt contents to secure data." Note that you can't check both this box and the "Compress contents to save disk space" box. You can either compress the item or encrypt it, but not both.

Click OK and then OK again. If you're encrypting a folder, the Confirm Attributes Changes dialog box appears, as shown in Figure 8-2. You have a choice of encrypting the folder only, or encrypting the folder plus all subfolders and all the files in the folder and subfolders. If you encrypt the folder only, none of the files currently in the folder will be encrypted, but any new files you create, move, or copy into the folder will be encrypted.

Figure 8-2. Encrypting the folder only, or all the subfolders and files as well

If you're encrypting a file in an unencrypted folder, the Encryption Warning box will appear, as shown in Figure 8-3. You have the choice of encrypting the file only, or the file and the parent folder. As a general rule, you should encrypt the folder as well as the file because if you encrypt only the file, you might accidentally decrypt it without realizing it. Some applications save copies of your files and delete the original; in those instances, the files become decrypted simply by editing them. If you encrypt the folder as well, all files added to the folder are encrypted, so the saved file is automatically encrypted. Click OK after you make your choice.

Figure 8-3. Encrypting the parent folder as well as the file

Note that you won't be able to encrypt every file on your system. Files that have the System attribute, as well as files located in C:\Windows and its subfolders, can't be encrypted.

8.2.2. Decrypting Files and Folders

You decrypt files and folders in the same way that you encrypt them. Right-click the file or folder, choose Properties General Advanced, clear the check from the box next to "Encrypt contents to secure data," and click OK and then OK again.

8.2.3. Letting Others Use Your Encrypted Files

When you encrypt files, you can still share them with others and let them use them as if they were not encrypteda process that XP defines as transparent. You'll be able to share them this way only with other users on the same computer or with others on your network. You designate who can use the files and who can't. To allow specified people to use your encrypted files, right-click an unencrypted file and choose Properties General Advanced. The Advanced Attributes dialog box appears. Click Details. The Encryption Details dialog box appears, as shown in Figure 8-4. It lists all the users who are allowed to use the file transparently. Click Add.

Figure 8-4. The Encryption Details dialog box

The Select User dialog box appears. Choose the user you want to be able to use your encrypted files, and click OK. Only users who have Encrypting File System certificates on the computer will show up on this list. The easiest way for someone to create a certificate is to encrypt any file; that automatically creates a certificate.

8.2.4. Encrypting and Decrypting from the Command Line

If you prefer the command line to a graphical interface, you can encrypt and decrypt using the cipher.exe command-line tool. To find out the current state of encryption of the directory you're in, type cipher without parameters at a command prompt. cipher tells you the state of the directory. For individual files, it lists a U next to files that are not encrypted, and an E next to those that are encrypted.

When used with parameters, cipher can encrypt and decrypt files and folders, show encryption information, create new encryption keys, and generate a recovery agent key and certificate.

To encrypt or decrypt a folder or file, use the complete path, filename (if you're acting on a file), and any appropriate switches, as outlined in Table 8-2. The /E switch encrypts folders or files, and the /D switch decrypts them. To perform the task on multiple folders or files, separate them with single spaces. For example, to encrypt the \Secret and \Topsecret folders, issue this command:

cipher /E \Secret \Topsecret

Note that you can use wildcards with the cipher command. Using the command line instead of the graphical interface is particularly useful for performing bulk or batch operationsfor example, simultaneously encrypting or decrypting multiple folders or files, or types of files within folders. Let's say, for example, you want to encrypt every .doc file in the \Secret and \Topsecret folders, but not touch any other files in those folders. You issue this command:

cipher /E  /A \Secret\*.DOC  \Topsecret\*.DOC

Table 8-2 lists the most useful command-line switches for cipher. For more help, type cipher /? at the command line.