Leo Laporte
The Tech Guy
2–5p ET Sat & Sun
- Home
- Saturday Show
- Sunday Show?
- Past Shows
- Audio Archives
- Stations
- Chat
- Watch Live
- Forums
- Tips
- FAQ
- Glossary
- Contact Leo
Sponsors
- Angie’s List
- Carbonite
- DSLExtreme
- ESET NOD32 Antivirus
- GoToAssist
- GoToMeeting
- GoToMyPC
- Make It Work
- Stamps.com
Leo Links
Windows Encrypted File System (EFS)
This is my first article at Leoville.tv. Pardon me should there be any grammatical/typo error(s) in the writting (english is not my first language). Corrections/Edits/Additions are most welcome. Thanks. —Kalic
If you’re using Windows 2000 or Windows XP Professional and your disk is formatted with NTFS you can use the system’s built-in encryption to keep others from reading your files, even the System Administrator. This way, you can protect your sensitive data. However, keep in mind that others would still be able to alter the file (not the content of course). It means they can search for the file, delete or move them to another folder, etc. The encrypted files or data in the encrypted folder are still visible to others but they cannot access them (to open the file or to read the content). It is nearly impossible to crack the encryption. If you would like to disable others from entering your folders or directories without permission, then the Windows File/Folder Permissions? would need to be set. But that’s another topic.
How to encrypt/decrypt files/folders with Windows XP
Begin by right-clicking on the folder/file to encrypt, select “Properties…” from the pop-up menu. Click the “Advanced…” button. Check the “Encrypt contents to secure data box”. Subsequently, you may be ask to choose whether to encrypt all the files in that folder or just the file you have selected. Pick the preferred one and click “OK” and we are done.
Notice that the encrypted file will be in green color (Compressed file is in blue). If users form other login accounts tried to open it - the Access is denied window will shows up (as displayed above). In this case, Notepad failed to open the file. You can also use Tweak UI from Microsoft to simplify the process of encrypt/decrypt. By putting in the encryption functionality to the context menu, encrypt/decrypt can be done by right-clicking on a file/folders. Launch Tweak UI, select “Explorer”. Over the right panel, check the “Show “Encrypt” on context menu” and click “OK”.
 |
| Back to Top |
How to back up your certificate
You only need to perform this once.
Backing up files is a good habit for all computer users. More importantly, is to backup your encryption certificate(s) or key(s), if you have ever encrypted data in your system. A unique certificate associates with your account was created and stored in the account the first time data were encrypted. Although users may not realized this, since users always login to thier own accounts to open encrypted files, that unique encryption certificate is needed to authenticate that the user has the right to access or decrypt those data.
Problem occurs when users clean install their Windows XP. Unfortunately, like some of the callers, even with the same user name and password; even if those data were still intact; they cannot open those files because the special certificate tied closely to those data was missing. Therefore, be wise to always backup your data with the encryption certificate as well. So back up now. Losing data is better than having them but cannot access them - so cruel!
Step 1
Begin by login to your user account. To backup the certificate(s), we need to get to the file first. There are two ways of accessing the account’s certificate:
- Using Internet Explorer: Go to menu:
“Tools|Internet Options”select the“Content”tab and click on the“Certificates…”button. This will brings up the Certificates windows showing a certificates under the“Personal”tab. It has the same name as your login. Select it and click on on the“Export”button and follow Step 2. - The second way is: Go to
“Start|Run”, type in“certmgr.msc”into the box and hit enter. A window named Certificates will pops up. Expand the Certificates - Current User to“Personal|Certificates”. A certificate with login name shows up on the right panel (in this example, it is named Bill). Lastly, right click on certificate and select:“All task|Export”. We are now ready for Step 2.
 |
Step 2
A Certificate Export Wizard will appears. Click “Next >”. |
 |
Here, you will be asked to export the key or not. Select “Yes,…” and proceed. |
 |
Check only the first two options and click “Next >”. |
 |
| Enter a new password and confirm to protect your certificate. Only those who have the password can import (restore) the backed up certificate to their accounts. This is to ensure nobody else but you have the right to access your encrypted files. Please don’t forget the password. |
 |
| Choose a directory and file name to save your certificate. Remember to back it up to a safer place like burning it to a CD. I don’t trust Floppy disk. |
 |
This will brings us to the end of the “Certificate Export Wizard”. Confirm all your inputs and click “Finish” and we are done! You will see “The export was successful.” |
 |
 |
| Back to Top |
How to restore your certificate
After reinstalling your system or you would like to associate the backed up certificate to a new account, then the backed up certificate would need to be restored. It is pretty straight forward to do so.
But before that, for convenience purposes, always restore the backed up certificate first before starting to encrypt data on a new account. The new account will then continues to use the backed up certificate for encryption and prevent Windows XP from generating a new account’s certificate for new encryption. As a result, you don’t need to back up this new certificate as well (if not, you’d have two certificates to back up).
Just double click on your backed up certificate and this will brings up the Certificate Import Wizard. Follow the instructions given by the wizard. You will need to enter the password (if you’ve chosen to export private key) created during certificate export.
 |
| Below is a .gif generated slideshow (remember to enable browser’s animation, if you can’t see it). Just follow it step-by-step. |
 |
| You should see the confirmation window when the certificate is successfully imported. Done! |
 |
| Back to Top |
References
Internal Links
External Links
- Wikipedia:EFS
- MCSEWorld: What’s EFS?
- Microsoft: Best practices for the Encrypting File System
- Microsoft Windows XP Resource Kit - Overview of EFS
- Guide: Windows XP Pro - Using File Encryption
- How to Share Files Using Encrypting File System
- EFS 密钥导出/导入完全攻略 (chinese)
EFS Related Softwares
¹ Screenshots used in this article were taken using TechSmith SnagIt 7. Images were later converted to 8-bit, 128-colors, .PNG format, using Macromedia Fireworks MX 2004 to further reduce the size.
² The above screenshots of a copyrighted computer program were distributed under fair use provision of United States copyright law.
| Back to Top |
