15.3 Encrypting Files and Folders

If your My Documents folder contains nothing but laundry lists and letters to your mom, data security is probably not a major concern for you. But if there's some stuff on your hard drive that you'd rather keep private ”you know who you are ”Windows XP Professional can help you out. The Encrypting File System (EFS) is an NTFS feature that stores your data in a coded format that only you can read.

POWER USERS' CLINIC Disk Quotas Does one of your account holders have a tendency to become a bit overzealous about downloading stuff from the Web, threatening to overrun your hard drive with shareware junk and MP3 files? Fortunately, it's easy enough for you, the wise administrator, to curb such behavior among holders of Limited accounts (if your drive uses NTFS formatting, as described in Section A.4). Just choose Start My Computer. Right-click the hard drive icon; in the Properties dialog box, click the Quota tab (shown here). Turn on "Enable quota management" to un-dim the other options. You might start by turning on "Deny disk space to users exceeding quota limit." This, of course, is exactly the kind of muzzle you were hoping to place on out-of-control downloaders. The instant they try to save or download a file that pushes their stuff over the limit, an "Insufficient disk space" message appears. They'll simply have to delete some of their other files to make room. Use the "Limit disk space to __" controls to specify the cap you want to put on each account holder. Using these controls, you can specify a certain number of kilobytes (KB), megabytes (MB), gigabytes (GB) ”or even terabytes (TB), petabytes (PB), or exabytes (EB). (Then write a letter to PC World and tell the editors where you bought a multi-exabyte hard drive.) You can also set up a disk-space limit ("Set warning level to ___") that will make a warning appear ”not to the mad downloader, but to you, the administrator. By clicking the Quota Entries button, you get a little report that shows exactly how much disk space each of your account holders has used up. (This is where you'll see the warning, as a written notation.) You may have noticed that Windows lets you set a space limit (and a warning) even if "Enable quota management" isn't turned on. You'd set things up that way if you just want to track your underlings' disk usage without actually limiting them. When you click OK, Windows warns you that it's about to take some time to calculate just how much disk space each account holder has used so far.

The beauty of EFS is that it's effortless and invisible to you, the authorized owner. Windows XP automatically encrypts your files before storing them on the drive, and decrypts them again when you want to read or modify them. Anyone else who logs on to your computer, however, will find these files locked and off-limits.

If you've read ahead to Chapter 17, of course, you might be frowning in confusion at this point. Isn't keeping private files private the whole point of XP's accounts feature? Don't XP Pro's NTFS permissions (Section 17.9) keep busybodies out already?

Yes, but encryption provides additional security. If, for example, you are a top-level agent assigned to protect your government's most closely guarded egg salad recipe, you can use NTFS permissions to deny all other users access to the file containing the information. Nobody but you can open the file in Windows XP.

However, a determined intruder from a foreign nation could conceivably boot the computer using another operating system ”one that doesn't recognize the NTFS permissions system ”and access the hard drive using a special program that reads the raw data stored there. If, however, you had encrypted the file using EFS, that raw data would appear as gibberish, foiling your crafty nemesis.

15.3.1 Using EFS

You use EFS to encrypt your folders and files in much the same way that you use NTFS compression. To encrypt a file or a folder, you open its Properties dialog box, click the Advanced button, turn on the Encrypt Contents To Secure Data checkbox, and click OK (see Figure 15-11).

Figure 15-11. To encrypt a file or folder using EFS, turn on the Encrypt Contents To Secure Data checkbox (at the bottom of its Properties dialog box). If you've selected a folder, a Confirm Attribute Changes dialog box appears, asking if you want to encrypt just that folder or everything inside it, too.

Depending on how much data you've selected, it may take some time for the encryption process to complete. Once the folders and files are encrypted, they appear in a different color from your compressed files (unless, once again, you've turned off the "Show encrypted or compressed NTFS files in color " option).

After your files have been encrypted, you may be surprised to see that, other than their color change, nothing seems to have changed. You can open them the same way you always did, change them, and save them as usual. Windows XP is just doing its job: protecting these files with minimum inconvenience to you.

Still, if you're having difficulty believing that your files are now protected by an invisible force field, try logging off and back on again with a different user name and password. When you try to open an encrypted file now, a message cheerfully informs you that you don't have the proper permissions to access the file. (For more on Windows XP security, see Chapter 17.)

15.3.2 EFS Rules

Any files or folders that you move into an EFS-encrypted folder get encrypted, too. But dragging a file out of it doesn't un-protect it; it remains encrypted as long as it's on an NTFS drive. A protected file loses its encryption only when:

• You manually decrypt the file (by turning off the corresponding checkbox in its Properties dialog box).

• You move it to a FAT 32 drive.

• You transmit it via network or email ”an important point. It means that if somebody can access your hard drive from across the network, they can open your encrypted files, even without knowing your account password! To protect files from prying eyes across the network, you must also use NTFS permissions, as described in Section 17.9.

By the way, EFS doesn't protect files from being deleted. Even if passing evildoers can't open your private file, they can still delete it ”unless you've protected it using XP's permissions feature (Chapter 17). Here again, truly protecting important material involves using several security mechanisms in combination.