Encrypt those files
With security on the minds of so many people today, it's a good idea to review all the provisions for security that Windows makes available to the Windows administrator. You can take advantage of a bevy of security features in Windows 2000. This tip looks at the Encrypting File System, or EFS. EFS allows users to encrypt data files that are stored in an NTFS partition. This secures those files from unauthorized snooping, particularly on notebook computers, or computers that are used by more than one person.
Got a Windows security tip of your own? Why not send it in? We'll post it on our Web site, thus granting you instant fame, and we'll enter you in our tips contest for some neat prizes.
Windows 2000's Encrypting File System (EFS) lets users secure data on a hard drive using public-key encryption. Even if an attacker gains access to data on a hard drive, files on the drive that have been encrypted are useless without the decryption key.
This feature has significant benefits for notebook-computer users and organizations that need to secure highly sensitive data. Users can encrypt either individual files or entire folders. If a folder is encrypted, any file written to that folder will be automatically encrypted.
A Windows 2000 user does not have to be an expert in file encryption to use this facility. The one thing to keep in mind though is that EFS only works with NTFS partition. But you'll have to provide some training to users who wish to use EFS.
Encrypting a file or folder is a simple matter:
- Right click on the file or folder to be encrypted and select Properties.
- On the General tab click Advanced.
- Check the box that reads "Encrypt Contents to Secure Data."
- Select OK to confirm.
- You will then be prompted whether to encrypt the file or the folder and its contents. In most cases, it's advisable to encrypt the folder and its contents.
Only the user who encrypted the file can decrypt it, as follows:
- Right click the folder or file and select Properties.
- On the General tab, click Advanced.
- Un-check the box that reads "Encrypt Contents to Secure Data."
- Click OK to confirm.
Using encrypted files proceeds as does using any other file. The user who encrypted the file can open, close, modify, etc., the file. But an intruder cannot do so.
Remember, if a file or folder is compressed, it cannot be encrypted. So you have to decompress the file of folder if you want to encrypt it. You cannot share an encrypted file. That would defeat the purpose of encrypting it. You can transmit an encrypted file over a network, but it won't be encrypted during the transmission unless you have other security measures in place.
EFS places increased administrative requirements for system administrators, most importantly in the area of managing encryption keys. In particular, you should ensure that users have a backup of their file-encryption certificate and corresponding private key. That way, if for some reason the encryption data becomes unavailable, users can upload the certificate and key from a floppy to recover whatever files are still available.
Adesh Rampat has 10 years experience with network and IT administration. He is a member of the Association of Internet Professionals, the Institute for Network Professionals and the International Webmasters Association. He has also lectured extensively on a variety of topics.
Did you like this tip? If so, (or if not) why not let us know. Send an email to us and sound off.
Fast Software Encryption
by Bruce Schneier
Online Price: $50.00
Publisher Name: Springer-Verlag
Date published: August 2001
This book constitutes the thoroughly refereed post-proceedings of the 7th International Workshop on Fast Software Encryption, FSE 2000, held in New York City, USA in April 2000. The 21 revised full papers presented were carefully reviewed and selected from a total of 53 submissions. The volume presents topical sections on stream-cipher cryptanalysis, new ciphers, AES cryptanalysis, block-cipher cryptanalysis, and theoretical work.
This was first published in September 2001