Protect your data with Win2K file encryption

Don't let file permissions be your only line of defense for protecting critical data files. If you're running Win2K, you can take advantage of file encryption to provide an extra layer of security. See how it works and learn about some important caveats.

Nearly every organization has confidential files that it wants to protect. Often, this is accomplished through the setting of file permissions. While this serves as a good first line of protection, motivated and resourceful attackers—both internally and externally—can get around this. Thus, in Windows 2000, there is another layer of protection called file encryption. Let’s take a look at how this technology works and how it can be used to protect sensitive data.

How file encryption works
Encrypting File System (EFS) is an extension of the NTFS file system that lets you encrypt files and folders using the expanded Data Encryption Standard (DESX) algorithm. When a file or folder is encrypted by a particular user, that user can read and write to that file or folder transparently, but no other user can access it, even if they have the permissions to copy the file or folder to another machine.

Encryption travels with a file. If you copy a file to a folder that doesn't have encryption turned on, the file remains encrypted unless you specifically disable it. This is important, since one tactic I have seen used often is to designate a folder as encrypted and then dump files in there indiscriminately. If you designate a folder as encrypted and then put an unencrypted file in it, the file will be encrypted and will stay encrypted even if you move it out of that folder. Some users don't want this, however, so the best way to keep track of what's encrypted is to work on a file-by-file basis as much as possible. Keep in mind that when encrypting a folder, the folder object itself is not actually encrypted; only the files within it are.

In NTFS, there is also a built-in tradeoff between encryption and compression. Encrypted files can't be compressed and vice versa. And if you move an encrypted file to a volume that doesn't support encryption, the encryption is removed. In theory, it's possible to use this to defeat the encryption, but with proper use of user permissions, it won't be possible for anyone except the owner of the file to do this.

Managing file encryption
Turning on encryption for a file or folder is easy enough:
  1. Right-click on a file or folder.
  2. Select Properties and click Advanced. (If you don't see an Advanced button, make sure you're not looking at objects on a FAT16 or a FAT32 drive, since encryption is not supported on these platforms.)
  3. Select the Encrypt Contents To Secure Data check box and click OK (see Figure A).
  4. To undo encryption, just deselect the same check box.

Figure A

Remember, the way files are encrypted makes them untransportable—by design. This means that a file encrypted on computer A cannot be unpacked on computer B unless you have the certificate used to encrypt the files.

When Windows 2000 is first installed, it randomly generates a series of encryption certificates. The system is designed so that even if you reinstall Windows on the same computer, you won't get the same certificates twice. Once those certificates are created, they're kept in Windows 2000's protected storage and can't be duplicated simply by copying a file from one machine to another. However, there is a way to transfer encryption certificates between computers.

To move or make a backup copy of your encryption certificate, here's what you do:
  1. Log in as administrator.
  2. Go to the Control Panel and launch Administrative Tools.
  3. Launch Local Security Settings.
  4. Expand Public Key Policies and look in the Encrypted Data Recovery Agents folder.
  5. That folder should contain a certificate, issued to and by Administrator. Right-click on it and select All Tasks | Export.
  6. Click Next to begin the Export Wizard.
  7. Choose to export the private key—you'll be asked for a password later to protect the certificate when you do this.
  8. Select Include All Certificates If Possible and Enable Strong Protection. Do not select Delete The Private Key If Export Is Successful unless you really want to do that. Chances are you won't.
  9. Select and confirm a password.
  10. Choose a filename.
  11. Click Finish to export the certificate file.

Once you've done this, get that encryption certificate file off of your system! Put it somewhere safe. If an attacker gets his or her hands on this file, all of your encryption on that computer will be worthless.

Now, assuming you've reinstalled Windows and you want to reaccess your encrypted files, all you need to do is provide the file produced here, double-click on it, and then reboot—just to be safe. Keep in mind that if you do this on a machine that already has encrypted files on it, you won't be able to access them, since the encryption on those files was generated by a different certificate from the one you are importing. Here are a couple of Microsoft links that can help with moving and restoring EFS files:

Final caveats
When working with EFS, keep the following points in mind:
  • Never encrypt any kind of system file. The overhead involved in constantly unencrytpting and reencrypting the files will bring your system to its knees!
  • You can encrypt executables, but there will be a certain amount of overhead involved in decrypting a file every time it's accessed. Also, the bigger the file, the longer the decryption time.
  • Encrypted files can be compressed with third-party programs, but the resulting file will not be encrypted, nor will the file you unpack from the archive. There may be exceptions to this based on what compression product you're using.

How are you utilizing Win2K file encryption?
We look forward to getting your input and hearing about your experiences regarding this topic. Join the discussion below or send the editor an e-mail.


Editor's Picks