Encryption

NTFS support encryption where it keeps file or folder safe from intruders who are unauthorized to access them. When a file or folder encrypted by NTFS, it cannot be access by unauthorized user where there receive error message if they try to open, copy, move, delete or rename the encrypted file or folder. When file encrypted, it is actually transparent for authorized user and any applications. If authorized users access the encrypted file or folder, it will be decrypted automatically without interaction with the user. After the file or folder saved, NTFS re-encrypted the file. Indeed, all encryption / decryption process are occur automatically as long as you mark the file or folder as encrypted.

What is encryption actually? Encryption is a process that converts the data into a secret code to hide its substance and ensure the data security. When you encrypted a file or folder for a first time, a key pair randomly generated which contain of private and public key. This key is used to encrypt and decrypt the file or folder. The technology that allows files to be encrypted in NTFS file system called Encrypting File System (EFS) and it is available in MS Windows 2000 and later operating systems. Why is EFS created? NTFS allows object permission to restrict the access to the file or folder from unauthorized user. Although it can protect the file or folder but if the attacker gains physical access to computer, for instance, they removed the hard-disk and mounted it on other Windows system, any user with administrator privileges can take ownership of the partition ignoring the previous permission. This is when the Encrypting File System (EFS) plays the role to protect the file being read by unauthorized user. The essence of EFS is that, encrypted file or folder only can be viewed by the creator of the file. For creator, the encrypted file appears as normal file and they are not required to go through any decryption procedure to view the file contents. The decryption process is done automatically. Other user including the Administrator also cannot view the encrypted file as the only want who can view is the one who encrypted the file. Unlike, NTFS object permission, although you have the administrator privileges and intend to change the file's ownership, the fact is you still won't be able to read the encrypted file as you weren't the one who originally encrypted the file. NTFS ensure the security of the file from physical attacker because only appropriate user can gain the access on the encrypted file.

I'll show you on how to use EFS on Windows XP. Before using EFS you need to create your own account with password protected. When you encrypted a file, it is only accessible to your account and other users have no access to this encrypted file. Bear in mind, lock your workstation when you are away as failing to do so means that other user can access to your data. It is strongly recommended that you designate a specific folder to store all the encrypted data in your account as all files that are created in or moved to this folder obtain the encrypted attribute. Let's say that you created an encryption folder to stores all the encrypted data in this folder. To encrypt a folder and its current content, follow these steps:

1. Right-click the folder and click Properties.

2. In the properties dialog box, click Advanced.

3. In Advanced Attributes dialog box, check on Encrypt contents to secure data check box and then click OK. Please take note that NTFS cannot support compression and encryption at the same time meaning that you can only check either compression or encrypted at a time.

4. Click OK once again to close the Advanced Attributes dialog box.

5. In Confirm Attribute Changes, select option to apply changes to the folder only or the folder, sub folder and file. (Only appear for folder encryption that contains file but not in file encryption)

After you encrypted the folder, the folder name color will be changed into green. To decrypt a encrypt folder or file, just follow the same step but unchecked Encrypt contents to secure data check box in the Advanced Attributes dialog box. EFS also enable the encrypted file to be share by multiple users where you can give individual users permission to access an encrypted file. Unfortunately, this ability only support encrypted file only but not on folder encrypted. Before you can add additional user on a file, you need to encrypt it first. Bear in mind EFS only support access for multiple user but not for a groups of user in an encrypted file. To encrypt a file for multiple users, follow these steps (apply to windows XP and above):

1. Right-click the encrypted file and click Properties.

2. In the properties dialog box, click Advanced.

3. In Advanced Attributes dialog box, Click Details to add additional users.

4. In Encryption Details dialog box, click Add. The Encryption Details dialog box shows users that can access the file and data recovery agent for the file.

5. In Select User dialog box, you can select which user certificate you want to have an access to the file. If you do not see the user click Find User to search Active Directory. Select which user certificate you want to have an access to the file. If the intended user's certificate is not found, they need to send you a copy of their certificate. You need to import the certificate and add them to the encrypted file.

6. After you select the user, click OK until you closed all the dialog box.

EFS uses users' certificate to identified users that can access the encrypted file. As mention earlier, when you encrypt your first file, a key pair randomly generated which contain of private and public key. You need to back up your certificates as if you lost or damaged it, and then there is no way for you to recover the encrypted data. You can store the backup certificates at the secure location. The backup certificates can be import when you lost or damaged your certificates. To backup certificates, follow these steps:

1. Start Microsoft Internet Explorer.

2. On the Tools menu, click Internet Options

3. On the Content tab, click Certificates

4. Click Personal tab

5. Select intended certificate. Note that when you encrypted your first folder, a certificate was generated. Make sure the selected certificate shows Encrypting File System in the Certificate Intended Purposes. This is certificate that generated earlier.

6. Click Export to start the Certificate Export Wizard, and click Next

7. Click Yes, export the private key and click Next

8. Click Enable Strong protection, and click Next

9. Type your password. (To protect the private key)

10. Specify the path where you want to save it. You can save to a floppy disk, CD or other removable storage. Click Next and then Finish.

To import the certificates, follow the same steps as backup certificates but Click Import on a certificates dialog box. After that, follow these steps:

1. The Certificate Import Wizard appeared and you need to specify the file and path location of the certificates that you want to import. Click Next

2. Type the password of the certificate that you want to import. Check on the Mark this key as exportable, to allow you backup your certificate (Enable you to export the certificate) Click Next.

3. Select Place all certificates in the following store, and then click Next

4. Click Finish to complete the import wizard.

EFS can give a different results when you moving, copying and saving an encrypted files. When you copy an encrypted file to a medium that not support EFS, such as floppy disk (FAT file system), the encryption is removed. Please remember that encryption process is an attribute based and for that reason encryption will be removed in a medium that not support this attribute. When you encrypted a folder which contains no data, any files that are placed into the folder are encrypted. Bear in mind, the file only accessible to user who transfer or create the file within this folder. For instance, if user A encrypted a blank folder and user B created a file within the folder, only user B can view the data but not user A. Although user A created the encrypted folder, but user B are the one who place the file or encrypted the file. This cause only use B can view the data.

On the other hand, when you encrypted a folder which already contains data, you will be prompt whether to encrypt the files in the folder or not. Let's suppose that user choose to encrypt the file that contains in the folder. The files that contain in the folder only can be view by the user who encrypted the folder. File that copy in this folder only can be view by the user who encrypted the folder but not by the user who place the file in this folder. Ok, now let's suppose that user who encrypted the folder choose to not encrypt the existing files. The files remain unencrypted and accessible to anyone who can access the folder, but if user renames the existing file, then the file will become encrypted.

In general, when you copy a file, it will inherit the EFS properties of the target location. If you move a file, it will not inherit the EFS properties of the target location. EFS can be performed on a file and folder but not on a volume. You also cannot encrypt system's root directory.

Technorati : EFS, Encryption, certificates, security
Del.icio.us : EFS, Encryption, certificates, security
Ice Rocket : EFS, Encryption, certificates, security
Flickr : EFS, Encryption, certificates, security
Zooomr : EFS, Encryption, certificates, security
Buzznet : EFS, Encryption, certificates, security
Riya : EFS, Encryption, certificates, security
43 Things : EFS, Encryption, certificates, security