Implementing Encrypted File System (EFS)


File system encryption is an important security function: it not only limits who has access to secured data files, but also encrypts the contents of the files so that, even if a system is compromised, the data cannot be easily accessed.

With the creation of the AutoEnroll user template in the previous section, certificate-based EFS encryption is automatically configured for users managed by the defined group policy.

Encrypting Files Using Certificates

The file encryption process is initiated by a user selecting a file or folder and marking it for encryption. To encrypt files, do the following:

1. Double-click on My Computer from the desktop of a computer system from which files will be encrypted.

2. Navigate to a folder that you want to encrypt (for example, double-click on Local Disk (C:) and identify the folder you want to encrypt).

3. Right-click on the folder and select Properties.

4. Click on the Advanced button at the bottom of the Properties page.

5. Check the Encrypt Contents to Secure Data option so the screen looks similar to Figure 12.

Figure 12. Selecting to encrypt the contents of data.

6. Click OK. If you selected a folder to encrypt, you will be prompted to choose just the folder selected, or the folder and all subfolders and files. Click OK.

You will notice the file(s) and folder(s) will turn green to show that the files have been encrypted.

Validating That a Certificate Has Been Issued for File Encryption

To validate that a certificate has been issued by the certificate server for encryption, go to the certificate server and do the following:

1. Launch the Certification Authority Microsoft Management Console (MMC) by clicking Start | Run and typing mmc.exe; then click OK.

2. Click File | Add/Remove Snap-in, and then click Add.

3. Select the Certification Authority snap-in and then click Add. Assuming you are on the certificate server, select Local Computer, and then click Finish.

4. Click Close, and then click OK.

5. Expand the Certification Authority folder.

6. Expand the folder for your certificate server.

7. Click on the Issued Certificates container and you will see a series of certificates issued. In the example shown in Figure 13, the user chris had a Basic EFS certificate issued to him for the purpose of EFS file encryption.

Figure 13. Confirming a user received a certificate for file encryption.


Ensuring a Recovery Key Agent or Administrator Exists for File Recovery

Critical to the recovery of encrypted files is the network administrator's responsibility to create and manage a recovery key for EFS data certificates. If a user loses or deletes his certificate, or leaves the organization, someone needs to take control of the encrypted files. Having a recovery agent for EFS files makes it possible to decrypt and recover those files.

By default, the administrator is added to the Default Domain Policy group policy object as the sole individual who can decrypt EFS files. You can choose to add other individuals with the right to decrypt files, or you can change who has the file decryption rights by Group Policy. To view, edit, or change who has the rights to decrypt EFS files, do the following:

1. Launch the Active Directory Users and Computers tool by selecting Start | Programs | Administrative Tools and choosing Active Directory Users and Computers.

2. Right-click on the forest name of the network (such as companyabc.com) and choose Properties.

3. Click on the Group Policy tab.

4. Highlight the Default Domain Policy and click Edit.

5. Under the Computer Configuration container, expand the Windows Settings folder.

6. Expand the Security Settings folder and then expand the Public Key Policies folder. Click on the Encrypting File System container and you will see the Administrator as the user who has rights to decrypt EFS files similar to what is shown in Figure 14.

Figure 14. The administrator as the individual who can decrypt EFS files.
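
The following PowerShell sketch is an added example, not part of the original text. It checks from the command line what the two procedures above confirm in the GUI: that every file under a folder carries the NTFS Encrypted attribute, and that a recovery certificate is attached to an encrypted file. It assumes PowerShell 3.0 or later and a Windows version whose cipher.exe supports the /c switch; C:\SecureData is a constructed placeholder path.

```powershell
# Added example, not from the book. C:\SecureData is a constructed placeholder.
function Get-EfsCoverage {
    param([Parameter(Mandatory)][string]$Root)

    $enc    = [System.IO.FileAttributes]::Encrypted
    $folder = Get-Item -LiteralPath $Root -Force
    $files  = @(Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue)

    # Files left in cleartext, for example because they were open
    # when encryption was applied to the folder.
    $plain = @($files | Where-Object { -not ($_.Attributes -band $enc) })

    [pscustomobject]@{
        Root            = $folder.FullName
        # If the folder itself is flagged, new files created in it are encrypted too.
        FolderEncrypted = [bool]($folder.Attributes -band $enc)
        FileCount       = $files.Count
        CleartextFiles  = $plain.FullName
    }
}

$report = Get-EfsCoverage -Root 'C:\SecureData'
$report | Format-List

# Pick one encrypted file and let cipher.exe list the users who can decrypt it
# and the recovery certificates attached to it. A file with no recovery
# certificate cannot be recovered by the agent defined in Group Policy.
$sample = Get-ChildItem -LiteralPath $report.Root -Recurse -File -Force |
    Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted } |
    Select-Object -First 1

if ($sample) {
    & cipher.exe /c $sample.FullName
} else {
    Write-Warning "No encrypted files found under $($report.Root)"
}
```

Files encrypted before a recovery policy change keep the recovery information they were written with until they are next updated, so run the check against older files as well as new ones.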


Recovering Encrypted Files Using the Recovery Key

To recover files that were once encrypted by a network user, do the following:

1. Right-click on the Administrator in the Encrypting File System container and choose All Tasks | Export, and then click Next to continue.

2. Click Yes, Export the Private Key, and then click Next.

3. Choose Personal Information Exchange and ensure that the Enable Strong Protection option is checked, and then click Next.

4. Enter a password that you will use in association with this export certificate, and then click Next to continue.

5. Type in the name of the file you want this certificate to export as (such as c:\recoverycert), and then click Next to continue.

6. Click Finish.

You can now copy the certificate to a USB thumb drive or other device and take the certificate to a system that needs its files recovered.

Note

You want to be very careful with this exported certificate. It is a master key to unlock any encrypted file on the entire network managed by this group policy-identified individual. One way to protect the key is to export it only for the time you need to recover files, and then delete the key so that it must be exported again for use. Another option is to set encryption recovery at an OU level and associate different individuals as recovery agent administrators. This will allow the organization to associate a different administrator to recover finance- and HR-encrypted documents, rather than common-use word processing and spreadsheet documents.


Now that you have exported the recovery certificate, to recover the files on a system do the following:

1. Log on to a workstation in which you want to recover encrypted files.

2. Launch the Certificates Microsoft Management Console (MMC) by clicking Start | Run and typing mmc.exe; then click OK.

3. Click File | Add/Remove Snap-in, and then click Add.

4. Select Certificates Snap-in and then click Add. Assuming you logged in as the user and you want to verify that certificates are working, choose My User Account, and then click Finish.

5. Click Close, and then click OK.

6. Expand the Certificates - Current User folder.

7. Expand the Personal folder, and then right-click on the Certificates subfolder and choose All Tasks | Import. Click Next to continue.

8. Type in the filename of the certificate you exported from the server (for example, c:\recoverycert.pfx), and then click Next to continue.

9. Enter the password you entered when you exported the certificate from the server, and then click Next.

10. Click Next in the Certificate Store by agreeing to have the certificate placed in the Personal Certificate store, and then click Finish.

11. Click OK when prompted that the certificate was successfully imported.

Now that you have temporarily imported the administrator file recovery certificate, you can access files that once were inaccessible. You cannot simply cut and paste the files to other directories, though. You need to decrypt the files first, and then place them in other folders. The reason you need to decrypt the files is that they are still encrypted with the old certificate. Simply copying and pasting the files to another directory will retain the old certificate associated to the files. By decrypting the files and then moving them into a new folder, the files will take on any encryption associated with the new folder.

To decrypt files, do the following:

1. Double-click on My Computer from the desktop of a computer system from which files will be decrypted.

2. Navigate to a folder that you want to share (for example, double-click on Local Disk (C:) and identify a folder you want to decrypt).

3. Right-click on the folder and select Properties.

4. Click on the Advanced button at the bottom of the Properties page.

5. Uncheck the Decrypt Contents to Secure Data option so the screen looks similar to Figure 15.

Figure 15. Selecting to decrypt the contents of data.

6. Click OK. If you selected a folder to decrypt, you will be prompted to apply the changes to the folder as well as subfolders and files. Click OK, and then OK.

After you decrypt the files, you can move the files to other folders or just leave the files in the existing folders. Immediately after decrypting the files, you want to remove the administrator recovery key from the system. To do so, do the following:

1. Launch the Certificates Microsoft Management Console (MMC) by clicking Start | Run and typing mmc.exe; then click OK.

2. Click File | Add/Remove Snap-in, and then click Add.

3. Select Certificates Snap-in, and then click Add. Assuming you logged in as the user and you want to verify that certificates are working, choose My User Account, and then click Finish.

4. Click Close, and then click OK.

5. Expand the Certificates - Current User folder.

6. Expand the Personal folder, and then expand the Certificates subfolder.

7. Click to select the Administrator certificate (noted with File Recovery as the Intended Purpose) and press the Delete key. You will be prompted that you will not be able to decrypt data using the certificate. Select Yes to continue.

With the administrator certificate successfully removed from the system, you can now have the user move, encrypt, or manage her files, and all changes will be made with her existing EFS certificate key.
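
The cleanup above can also be scripted and verified, so that no copy of the recovery key is left on the workstation. This PowerShell sketch is an added example, not part of the original text. It is meant to run on the workstation as the user who imported the key, it assumes PowerShell 3.0 or later, and it uses the sample export name c:\recoverycert.pfx from the import step. It identifies recovery certificates by the File Recovery enhanced key usage OID rather than by name.

```powershell
# Added example, not from the book. The PFX path is the page's sample export name.
$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # EKU OID for "File Recovery"
$PfxPath         = 'C:\recoverycert.pfx'

function Test-FileRecoveryCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] -and
            ($ext.EnhancedKeyUsages | ForEach-Object Value) -contains $FileRecoveryOid) {
            return $true
        }
    }
    return $false
}

# Recovery agent certificates still present in the logged-on user's Personal store
$dra = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object { Test-FileRecoveryCert $_ })

foreach ($c in $dra) {
    Write-Host "Removing $($c.Subject) [$($c.Thumbprint)]"
    # -DeleteKey removes the private key together with the certificate,
    # which deleting the certificate alone does not do.
    Remove-Item -Path "Cert:\CurrentUser\My\$($c.Thumbprint)" -DeleteKey
}

# The exported PFX is as sensitive as the installed key. A plain delete does not
# wipe the media, so keep the removable drive itself under control as well.
if (Test-Path -LiteralPath $PfxPath) {
    Remove-Item -LiteralPath $PfxPath -Force
}

# Verify: no File Recovery certificate and no PFX copy remain
$left = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object { Test-FileRecoveryCert $_ })
if ($left.Count -eq 0 -and -not (Test-Path -LiteralPath $PfxPath)) {
    'Recovery key material removed from this workstation.'
} else {
    Write-Warning 'Recovery key material is still present; check the store and the PFX path.'
}
```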




Encryption in a Windows Environment: EFS File, 802.1x Wireless, IPSec Transport, and S/MIME Exchange
ISBN: B000P28WKS
EAN: N/A
Year: 2006
Pages: 13
Authors: Rand Morimoto
