Protecting Files with EFS


There's no denying that strong file encryption offers some of the highest levels of file security possible. However, using different encryption techniques without understanding how they work (and the precaution you need to take) can be dangerous. Begin randomly encrypting data without understanding the risks, and you can easily find yourself unable to access your own files. Encryption techniques may be designed with an eye toward keeping others from opening and viewing your files, but if used incorrectly (or flippantly), it's just as easy to lock yourself out - for good.

To use the Windows Vista EFS encryption capabilities effectively (and safely), it's important to be familiar with the following:

  • How EFS works

  • How to designate a Data Recovery Agent (DRA)

  • How to encrypt files and folders

  • How to manage EFS encryption keys

Each of these concepts and tasks is explored in more detail in the following sections.

How EFS Works

EFS works in a way that is fundamentally similar to any public key cryptographic system. When a user encrypts a file or folder for the first time, an EFS certificate is automatically created (and stored) for the person's user account, along with a public/private key pair. Although the encryption and decryption processes associated with EFS are completely transparent to users, a number of functions take place in the background.

Imagine that you create a folder under Documents called Encrypted Files. If you save a file to this location and then select the option to encrypt it, the following processes take place:

  1. Windows Vista generates a unique key to encrypt the file, known as a File Encryption Key (FEK). The FEK is fundamentally similar to the unique session key used to encrypt an e-mail message or the transfer of information between your web browser and a secure web site.

  2. After creating the unique FEK and using it to encrypt the file, Windows Vista encrypts the FEK with your public key. Once the FEK is encrypted, it is stored in the headers of the encrypted file.

When you attempt to open (decrypt) a file that was encrypted with your EFS public key, the following processes take place:

  1. Windows Vista notes that the file you are trying to open is encrypted and attempts to use your private key to decrypt the FEK.

  2. If the FEK is successfully decrypted, it is then used to decrypt and open the file.

In cases where another user has encrypted a file that you attempt to open, your private key cannot decrypt the FEK, which in turn cannot decrypt the file. Only the user who encrypted a file can decrypt and view it by default.

Caution

The encryption capabilities that EFS provides stop other users from opening and reading your protected files. However, don't overlook the importance of configuring correct NTFS permissions on encrypted files or the folders that store them. For example, if you place an EFS encrypted file in a folder where all users have the NTFS Allow Full Control permission, other users cannot decrypt and read the contents of the file, but that won't prevent them from deleting it. In cases where you need your encrypted files to be accessible to you alone, save them to a folder location that only you have access to, for example, within the hierarchy of your Documents folder. For more details on making your Documents folder private, refer to Chapter 13.

Designating a Data Recovery Agent

When you encrypt a file using EFS, by default only your user account's private key can decrypt the FEK stored with the file. If you ever lose or change the private key, you will not be able to decrypt the FEK, and therefore will not be able to decrypt and open the file.

Although backing up your EFS certificate and private key is a great way to help ensure that you can access EFS encrypted files should a problem occur, also consider assigning to at least one user the role of Data Recovery Agent (DRA).

In simple terms, a DRA is a user account (usually an Administrator) who can decrypt and restore EFS encrypted files, should the need arise. When a DRA exists, this user account's private key is also used to encrypt a copy of each file's FEK. Ultimately, this means that both the user who encrypts a file and the DRA can decrypt the file if necessary. For example, if you encrypt a file and your private key is subsequently lost or destroyed, the user designated as the DRA can always log on and decrypt the file, ensuring that access to it is not lost for good.

Designating a user account as the DRA for your Windows Vista system is always a good idea and considered a best practice. Although the chances of you losing or destroying your private key may be small, other problems can occur when you use EFS encryption. For example, if an Administrator were to reset or change your password, you would automatically lose access to all of your EFS encrypted files. This is a security feature that helps to ensure that an Administrator cannot change your password and log on with your account to open and view your encrypted files. If this were to happen and a DRA were not designated, you would lose access to your encrypted files. If a DRA were designated, however, this user account would be able to log on and restore your encrypted files.

Windows Vista does not designate a DRA by default, so it's up to you to select a user account for this purpose. Instead of using an existing user account as a DRA, you may want to consider creating an Administrator account dedicated to the task, and then log on with this account only when you need to decrypt and restore an EFS encrypted file. As always, the DRA user account should be assigned a strong password.

Cross Reference 

For details on creating strong passwords, refer to Chapter 3.

Designating a DRA is a two-step process. First, you log on with the user account that will act as the DRA and generate a recovery certificate. Then, you use the Local Security Policy MMC to add the DRA certificate to your Windows Vista system's public key policy.

Follow these steps to create an EFS certificate to designate the user account as the Data Recovery Agent:

  1. Log on to Windows Vista using the user account that will act as your EFS Data Recovery Agent.

  2. Select Start → All Programs → Accessories → Command Prompt.

  3. Type cipher /R:recoverycert and press Enter.

  4. When prompted, type a strong password to protect the Data Recovery Agent's private key and press Enter.

  5. Type the password again to confirm it, and press Enter. The certificate for the Data Recovery Agent is generated, as shown in Figure 14-1. Close the Command Prompt window.

    Figure 14-1: Creating a certificate for a Data Recovery Agent with the Cipher command.

Follow these steps to add the DRA certificate to your Windows Vista system's public key policy:

  1. Select Start → Control Panel → Administrative Tools → Local Security Policy.

  2. Expand Public Key Policies.

  3. Right-click the Encrypting File System folder and select Add Data Recovery Agent.

  4. On the Add Recovery Agent Wizard welcome screen, click Next.

  5. On the Select Recovery Agents screen, click Browse Folders. Browse to the recoverycert.pfx file created in the previous exercise, and then click Open. At the Add Recovery Agent window, click Yes. Your Data Recovery Agent user account is now listed as shown in Figure 14-2. Click Next.

    Figure 14-2: Selecting a Data Recovery Agent.

  6. Click Finish to complete the process. The certificate of this user account is now listed in the Encrypting File System folder, as shown in Figure 14-3. This user will now be able to open and recover all EFS encrypted files, including those encrypted by other users.

    Figure 14-3: Viewing Data Recovery Agents in EFS Public Key Policy.

Encrypting Files and Folders

EFS encrypts and decrypts files in a completely transparent manner. When your user account encrypts a file, decrypting it is as simple as opening the file. Similarly, you can re-encrypt an open file that you've changed by saving it as you would any file.

Windows Vista enables you to encrypt files stored on drives that use the NTFS file system, with the exception of operating system files. Although you can encrypt files individually, an easier way to work with EFS is to set the encryption attribute on a folder instead. When you set the encryption attribute on a folder, the folder itself is not encrypted. However, every file that you save to that folder is automatically encrypted without the need to make changes to the attributes of each individual file.

Note 

Encrypted files and folders are easy to spot - Windows Vista displays their names in green text when you use tools like Windows Explorer.

Follow these steps to encrypt a folder using Windows Explorer:

  1. Log on to Windows Vista with your everyday user account.

  2. Select Start → Computer.

  3. Browse to drive C: and create a new folder named Encrypted Files.

  4. Right-click the Encrypted Files folder and select Properties.

  5. In the Attributes section of the General tab, click the Advanced button.

  6. In the Compress Or Encrypt attributes section, select Encrypt Contents To Secure Data, as shown in Figure 14-4. Click OK.

    Figure 14-4: Encrypting a folder.

  7. Click OK to close the properties of the Encrypted Files folder. The name of this folder now appears in green text, alerting you to the fact that the encryption attribute is configured.

  8. Select Start → All Programs → Accessories → Notepad.

  9. In the Notepad window, type This is my encrypted file and then select File → Save As.

  10. Browse to the Encrypted Files folder, name the file Test.txt, and then click Save. Because you saved the file to a folder with its encryption attribute set, this new file is encrypted automatically.

  11. Right-click the Test.txt file and select Properties.

  12. Click the Advanced button in the Attributes section. The file is encrypted - the Encrypt Contents To Secure Data check box is selected.

  13. Click the Details button to open the Encryption Details window, as shown in Figure 14-5. Notice that your user account name is listed in the section Users Who Can Access This File, and that the Data Recovery Agent user account configured earlier is listed in the Recovery Certificates For This File As Defined By Recovery Policy section.

    Figure 14-5: Reviewing the details associated with an encrypted file.

Note 

Although the Advanced Attributes window makes it appear possible, you cannot enable both the compression and encryption attributes on a file or folder simultaneously.

After you've encrypted a file, it is only accessible to your user account and the DRA, assuming that you've designated one. When another user attempts to access a file that you've encrypted, he cannot decrypt the file, and therefore cannot view its contents.

Follow these steps to test the security of an encrypted file:

  1. Log on to Windows Vista with a user account other than the one you used to encrypt the folder in the previous exercise, and other than your designated DRA.

  2. Select Start → Computer and browse to the Encrypted Files folder on your C: drive.

  3. Double-click the encrypted Test.txt file. Because this user account does not have access to the encrypted file, the Notepad window opens but an Access is Denied message appears, as shown in Figure 14-6.

    Figure 14-6: This message displays when you try to open an encrypted file belonging to another user.

In most cases, you encrypt files to keep them secure and inaccessible to other users. However, there may be times when you want the security benefits that encryption provides, but also want one or more other users to be able to access these protected files. Windows Vista's EFS feature makes it possible to share encrypted files, if necessary.

When you encrypt a file for multi-user access, you not only need to encrypt the file, but also specify the other user accounts that can decrypt it. When you grant other user accounts access to an encrypted file, their private keys are also used to encrypt the file's FEK, thus allowing them to decrypt the FEK and the file it protects. You can only share EFS encrypted files on a file-by-file basis - you cannot configure EFS encryption on a folder for multi-user access.
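The mechanism described under "How EFS Works", the recovery agent's extra copy of the FEK described under "Designating a Data Recovery Agent", and the file-by-file sharing described just above can all be shown in one small simulation. The following is an added example written for this page, not code from the book or from Windows. It models the encrypted file's header as a set of FEK copies, each wrapped with one account's public key (EFS calls the user entries the Data Decryption Field and the recovery-agent entries the Data Recovery Field), so that only the matching private key unwraps the FEK. The account names, the toy RSA key size and the HMAC-based stream cipher are constructed stand-ins for demonstration and are not EFS's real algorithms or on-disk format.

```python
"""Toy model of EFS file protection: a random per-file key (FEK) encrypts the
content; the FEK is wrapped with the public key of each account allowed to open
the file (owner, Data Recovery Agent, shared users) and stored in the header.
Constructed example: toy RSA and an HMAC keystream stand in for EFS's real algorithms."""
import hashlib
import hmac
import secrets

# ---- toy RSA (stand-in for each account's EFS certificate and key pair) ----
def _is_probable_prime(n, rounds=16):
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29)
    if n < 2 or any(n % p == 0 for p in small):
        return n in small
    d, r = n - 1, 0
    while d % 2 == 0: d, r = d // 2, r + 1
    for _ in range(rounds):                               # Miller-Rabin rounds
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def generate_keypair(bits=512):
    """Return ((e, n), (d, n)) = (public key, private key). Toy size only."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)

def _wrap(fek, public):         # encrypt the 32-byte FEK under an account's public key
    return pow(int.from_bytes(fek, "big"), public[0], public[1])
def _unwrap(wrapped, private):  # n is at most 64 bytes; a correct FEK sits in the low 32
    return pow(wrapped, private[0], private[1]).to_bytes(64, "big")[-32:]

# ---- toy symmetric cipher keyed by the FEK (stand-in for EFS's AES/DESX) ----
def _keystream(fek, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(fek, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]
def _tag(fek, nonce, body):     # lets a wrong FEK be rejected instead of yielding garbage
    return hmac.new(fek, b"tag" + nonce + body, hashlib.sha256).digest()

def encrypt_file(plaintext, users, recovery_agents):
    """users / recovery_agents map account name -> public key; they model the EFS
    Data Decryption Field (DDF) and Data Recovery Field (DRF) in the file header."""
    fek, nonce = secrets.token_bytes(32), secrets.token_bytes(16)       # step 1: unique FEK
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(fek, nonce, len(plaintext))))
    return {"ddf": {name: _wrap(fek, pub) for name, pub in users.items()},   # step 2
            "drf": {name: _wrap(fek, pub) for name, pub in recovery_agents.items()},
            "nonce": nonce, "tag": _tag(fek, nonce, body), "body": body}

def _recover_fek(efs_file, account, private):
    wrapped = efs_file["ddf"].get(account, efs_file["drf"].get(account))
    if wrapped is None:
        raise PermissionError(f"{account}: no FEK entry in header (access denied)")
    fek = _unwrap(wrapped, private)
    if not hmac.compare_digest(_tag(fek, efs_file["nonce"], efs_file["body"]), efs_file["tag"]):
        raise PermissionError(f"{account}: private key does not unwrap the FEK")
    return fek

def decrypt_file(efs_file, account, private):
    """Opening the file: unwrap the FEK with this account's private key, then decrypt."""
    fek, body = _recover_fek(efs_file, account, private), efs_file["body"]
    return bytes(a ^ b for a, b in zip(body, _keystream(fek, efs_file["nonce"], len(body))))

def can_open(efs_file, account, private):
    try:                                                  # the "Access is denied" check
        decrypt_file(efs_file, account, private)
        return True
    except PermissionError:
        return False

def share_file(efs_file, owner, owner_private, other, other_public):
    """File-by-file sharing: the owner unwraps the FEK and wraps a copy for the other account."""
    efs_file["ddf"][other] = _wrap(_recover_fek(efs_file, owner, owner_private), other_public)

def demo():
    """Owner and DRA at encryption time; a third account until shared; a replaced owner key."""
    alice_pub, alice_priv = generate_keypair()
    dra_pub, dra_priv = generate_keypair()
    bob_pub, bob_priv = generate_keypair()
    f = encrypt_file(b"This is my encrypted file", {"alice": alice_pub}, {"dra": dra_pub})
    bob_before = can_open(f, "bob", bob_priv)             # False: no header entry for bob
    share_file(f, "alice", alice_priv, "bob", bob_pub)
    _, replaced_priv = generate_keypair()                 # alice's original private key is gone
    return {"owner": decrypt_file(f, "alice", alice_priv),
            "bob_before_share": bob_before,
            "bob_after_share": can_open(f, "bob", bob_priv),
            "owner_with_replaced_key": can_open(f, "alice", replaced_priv),
            "dra": decrypt_file(f, "dra", dra_priv)}
```

Running demo() shows the owner and the DRA both opening the file, a third account being refused until share_file adds a wrapped FEK for it, and the owner being refused once the original private key is replaced while the DRA still recovers the content, which is exactly why the chapter recommends designating a DRA and backing up the EFS private key. Note that every copy of the FEK is wrapped with an account's public key and unwrapped with that account's private key, as in the two-step process under "How EFS Works".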

Tip 

If you plan to share encrypted files with another user, make sure that you store these files in a folder location that the other user will have access to. For example, if you've stored the encrypted file in your Documents folder, other users will not be able to gain access to the file due to NTFS permission restrictions.

Follow these steps to share an EFS encrypted file with another user:

  1. Log on to Windows Vista with your everyday user account.

  2. Select Start → Computer and browse to the Encrypted Files folder on your C: drive.

  3. Right-click the Test.txt file and select Properties.

  4. In the Attributes section, click the Advanced button. In the Advanced Attributes window, click Details.

  5. Click the Add button, and then select the user with whom you want to share access to the file, as shown in Figure 14-7. Click OK three times. This user will now have access to the encrypted file.

    Figure 14-7: EFS enables you to share access to encrypted files with other users.

Note 

If you want to share an encrypted file with another user but cannot find the person's username listed when you click the Add button on the Encryption Details window for the file, the user probably does not yet have an EFS certificate. To generate a certificate for the user, have him log on and encrypt a file. Windows Vista then automatically creates and assigns the necessary EFS encryption certificate for his account.

Managing EFS Encryption Keys

If you do decide to use EFS to securely encrypt important files, then it's absolutely essential to ensure that your EFS certificate (including your private key) is properly backed up. If you do not back up your certificate and lose access to your private key for any reason (as a result of a system crash, for example), you will not be able to decrypt and restore your files. While designating a DRA helps you to gain access to these files in the event of a problem specific to your user account, a system crash can also mean that the DRA certificate and private key will become inaccessible. For this reason, you should immediately export and securely store a copy of your EFS certificate and private key when you begin using EFS to encrypt files.

Follow these steps to export your EFS certificate and private key:

  1. Select Start → All Programs → Accessories → Run.

  2. In the Open text box, type certmgr.msc and click OK.

  3. Expand Certificates - Current User → Personal → Certificates. Your EFS certificate is listed, as shown in Figure 14-8.

    Figure 14-8: Use the Certificates MMC to manage your EFS certificate.

  4. Right-click your EFS certificate and select All Tasks → Export.

  5. When you see the Certificate Export Wizard Welcome Screen, click Next.

  6. On the Export Private Key screen, click Yes, export the private key, and click Next.

  7. On the Export File Format screen, click Next.

  8. On the Password screen, enter and then confirm a strong password to protect your certificate and private key, and then click Next.

  9. On the File To Export screen, click the Browse button and then browse to the folder in which you want to store the exported Certificate. Enter a name for the certificate in the File Name text box, and then click Save.

  10. Click Next, and then click Finish.

  11. Save the exported certificate to a floppy disk or CD, and then store it in a safe place in case you ever need to import it in the future to regain access to an EFS encrypted file.

Tip 

In addition to your own EFS certificate, you should also export and safely store a copy of your designated Data Recovery Agent's certificate and private key. This ensures that files encrypted by all users can also be recovered in the future, if necessary.

If you do lose access to your EFS certificate and private key, you can restore it from your backed up version by opening the Certificates MMC, expanding Certificates - Current User → Personal → Certificates, and then right-clicking the Certificates folder and selecting All Tasks → Import. Follow the steps of the Certificate Import Wizard to restore the backed up copy of your certificate and regain access to your EFS encrypted files.



PC Magazine Windows Vista Security Solutions
ISBN: 0470046562
Year: 2004
Pages: 135
Authors: Dan DiNicolo