Windows 8 : Managing Disk Compression and File Encryption (part 2) - Encrypting Drives and Data

9/17/2013 1:44:44 AM

2. Encrypting Drives and Data

NTFS has many advantages over other file systems that you can use with Windows 8. One of the major advantages is the capability to automatically encrypt and decrypt data using the Encrypting File System (EFS). Encrypting data adds a layer of protection on top of NTFS permissions. Permissions are enforced only by a running Windows that honours them; someone who boots another operating system or attaches the disk to another computer can read every file regardless of its ACL. An EFS-encrypted file is useless to such a reader, because its contents can be recovered only with a key that can decrypt it: that of the user who encrypted the file, of a user that person has explicitly added to the file, or of a designated recovery agent. This benefit is also a disadvantage in that the user must remove the encryption, or add the other users to the file, before other authorized users can access the data.

Note

As discussed previously, you can’t compress encrypted files. The encryption and compression features of NTFS are mutually exclusive. You can use one feature or the other, but not both.

Understanding Encryption and EFS

File encryption is supported on a per-folder or per-file basis. Any file placed in a folder marked for encryption is automatically encrypted. Files in encrypted format can be read only by the user who encrypted the file, by users that person has added to the file, and by designated recovery agents. Before other users can read an encrypted file, the user must either decrypt the file or add them to it.

Every encrypted file has its own randomly generated file encryption key (FEK), which is stored with the file. This means that an encrypted file can be copied, moved, and renamed just like any other file, and in most cases these actions don't affect the encryption of the data. The user who encrypts the file always has access to the file, provided that the user's EFS certificate and its private key are available on the computer that he or she is using. For this user, the encryption and decryption process is handled automatically and is transparent.

EFS is the component that handles encryption and decryption. The default setup for EFS allows users to encrypt files without needing special permission. The first time a user encrypts a file, EFS automatically generates a public/private key pair and a self-signed EFS certificate for that user (or requests one from an enterprise certification authority if one is available). File contents are not encrypted with this key pair directly: each file's contents are encrypted with the file's symmetric FEK, and the FEK is then encrypted with the user's public key and stored in the file's data decryption field. Reading the file requires the user's private key to unwrap the FEK.

EFS certificates and their private keys are stored as part of the user's profile. For a local account, the private key is protected by the user's password through the Data Protection API, which is why a password reset by an administrator (as opposed to a password change by the user) makes that user's EFS files unreadable. If a user works with multiple computers and wants to use encryption, an administrator needs to configure a roaming profile for that user, or the user must export the certificate and private key (cipher /x, or the Certificates snap-in) and import them on the other computer. A roaming profile ensures that the user's profile data and EFS certificate are accessible from other computers. Without one of these measures, users won't be able to access their encrypted files on another computer.

Although they are separate features, both BitLocker Drive Encryption and EFS have a built-in data-recovery system to guard against data loss. This recovery system ensures that encrypted data can be recovered in the event that a user's EFS certificate and private key are lost or deleted. The most common scenario for this is when a user leaves the company and the associated user account is deleted. While the account still existed, a manager could have logged on as the user, checked the files, and saved the important ones to other folders or removed the encryption. Once the account and its private key are gone, neither option is available: removing the encryption and copying the files to a FAT or FAT32 volume (where EFS isn't supported and the copy would be written in plaintext) both require a key that can decrypt the files first. Deleting the account does not make the files readable; it makes them unreadable to everyone except a recovery agent.

To access encrypted files after the user account has been deleted, you need to use a recovery agent. Each encrypted file carries a copy of its file encryption key wrapped with the public key of every recovery agent designated at the time the file was encrypted (the file's data recovery field), so a recovery agent can unlock the file's data with the agent's own private key. To protect sensitive data, however, recovery agents don't have access to a user's private key or any other private key information, only to the file keys of files encrypted while they were designated.
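To make the key hierarchy described above concrete, here is an added PowerShell illustration. It is not code from this page or from Windows, and it does not reproduce EFS's on-disk format: it only demonstrates the design of a per-file key wrapped once for the owner (the data decryption field, DDF) and once for a recovery agent (the data recovery field, DRF). The function names, the DDF/DRF property names, and the sample text are all assumptions made for the example.

```powershell
# Added illustration of the EFS key hierarchy, not EFS's actual format.
# A random per-file key (FEK) encrypts the data; the FEK is wrapped for the
# owner (DDF) and for the recovery agent (DRF). Each party unwraps with its
# own private key; the agent never touches the owner's private key.
# AES-CBC without an integrity check is used only to keep the example short.

$pad = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256

function Protect-Content {
    param(
        [byte[]]$Plaintext,
        [System.Security.Cryptography.RSA]$OwnerKey,   # only the public half is used here
        [System.Security.Cryptography.RSA]$AgentKey    # only the public half is used here
    )
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256
    $aes.GenerateKey()          # this key is the per-file FEK
    $aes.GenerateIV()
    $enc = $aes.CreateEncryptor()
    [pscustomobject]@{
        Ciphertext = $enc.TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
        IV         = $aes.IV
        DDF        = $OwnerKey.Encrypt($aes.Key, $pad)   # FEK wrapped for the owner
        DRF        = $AgentKey.Encrypt($aes.Key, $pad)   # FEK wrapped for the recovery agent
    }
}

function Unprotect-Content {
    param($Blob, [System.Security.Cryptography.RSA]$PrivateKey, [ValidateSet('DDF','DRF')][string]$Field)
    # Unwrap the FEK from whichever field matches the caller's private key, then decrypt.
    $fek = $PrivateKey.Decrypt($Blob.$Field, $pad)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $fek
    $aes.IV  = $Blob.IV
    $dec   = $aes.CreateDecryptor()
    $bytes = $dec.TransformFinalBlock($Blob.Ciphertext, 0, $Blob.Ciphertext.Length)
    [System.Text.Encoding]::UTF8.GetString($bytes)
}

# Constructed sample: an owner and a recovery agent, each with an RSA key pair (CNG supports OAEP-SHA256).
$owner = [System.Security.Cryptography.RSACng]::new(2048)
$agent = [System.Security.Cryptography.RSACng]::new(2048)
$data  = [System.Text.Encoding]::UTF8.GetBytes('constructed sample: payroll Q3')
$blob  = Protect-Content -Plaintext $data -OwnerKey $owner -AgentKey $agent

Unprotect-Content -Blob $blob -PrivateKey $owner -Field DDF   # the owner reads the file
Unprotect-Content -Blob $blob -PrivateKey $agent -Field DRF   # the agent recovers it without the owner's key

# The agent's private key does not open the owner's field: wrong key, decryption fails.
try { Unprotect-Content -Blob $blob -PrivateKey $agent -Field DDF }
catch { "DDF with the agent's key: $($_.Exception.Message)" }
```

Deleting the owner's key pair (the "user left the company" case) leaves the DRF intact, which is exactly why the recovery agent's private key must be protected as carefully as the data it can unlock.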

BitLocker will encrypt a volume whether or not a BitLocker recovery agent is designated, and on Windows 8 EFS likewise does not require a recovery agent in order to encrypt files (the requirement for one dates from Windows 2000). In a domain, an EFS recovery agent and its certificate are generated automatically when the domain is created, so files encrypted by domain users can always be recovered. On a stand-alone computer no recovery agent exists unless you create one, and a file encrypted there can be recovered only with the owner's key or with a recovery certificate that was designated before the file was encrypted.

Recovery agents are configured at two levels:

  • Domain The recovery agent for a domain is configured automatically when the first domain controller is installed (Windows 8 is a client operating system; domain controllers run Windows Server). By default, the recovery agent is the domain Administrator account, whose EFS recovery certificate is placed in the Default Domain Policy. Through Group Policy, domain administrators can designate additional recovery agents. Domain administrators can also delegate recovery-agent privileges to designated security administrators.

  • Local computer When a computer is part of a workgroup or in a stand-alone configuration, Windows 8 designates no EFS recovery agent by default (making the local administrator the default agent was Windows 2000 behaviour). You can designate one or more local recovery agents in Local Group Policy. Further, if you want local recovery agents in a domain environment rather than domain-level recovery agents, you must delete the recovery policy from the Group Policy for the domain, because a domain-level recovery policy overrides the local one.

You can delete recovery agents if you don't want to use them. On Windows 8 an empty recovery policy does not turn EFS off; it only means that newly encrypted files carry no recovery field, so they can be recovered by nobody but their owner. To actually disable file encryption, open the properties of the Encrypting File System policy node and set file encryption to Don't Allow. Before deleting an agent, make sure its private key (.pfx) has been backed up: files encrypted while that agent was in effect still reference its certificate, and that key is the only way to recover them if the owner's key is lost.

Encrypting Directories and Files

With NTFS volumes, Windows 8 lets you select files and folders for encryption. When you encrypt files, the file data is converted to an encrypted format that can be read only by the person who encrypted the file, by users that person adds to the file, and by designated recovery agents. Users can encrypt files only if they have the proper access permissions (at a minimum, read and write access to the file, because encryption rewrites it). When you encrypt folders, the folder is marked as encrypted, but only the files within it are actually encrypted. All files that are created in or added to a folder marked as encrypted are encrypted automatically. Note that File Explorer shows the names of encrypted resources in green.

To encrypt a file or directory, follow these steps:

  1. In File Explorer, press and hold or right-click the file or directory that you want to encrypt, and then tap or click Properties.

  2. On the General tab of the Properties dialog box, tap or click Advanced, and then select the Encrypt Contents To Secure Data check box. Tap or click OK twice.

Note

You can't encrypt system files or read-only files. EFS must open a file for writing in order to rewrite it, and a file marked read-only can't be opened that way, so clear the attribute first. If you try to encrypt system files, you'll get an error. Compressed files are not left compressed: because the two attributes are mutually exclusive, encrypting a compressed file makes Windows uncompress it and then encrypt it.

For an individual file, Windows 8 marks the file as encrypted and then encrypts it. For a directory, Windows 8 marks the directory as encrypted and then encrypts all the files in it. If the directory contains subfolders, Windows 8 displays a dialog box that allows you to encrypt all the subfolders associated with the directory. Simply select Apply Changes To This Folder, Subfolders And Files, and then tap or click OK twice.
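The procedure above can be scripted. The following is an added PowerShell example, not code from this page, that encrypts a folder with cipher.exe, handles the read-only and compressed cases from the note, and then verifies the Encrypted and Compressed attributes. The folder name, file names, sample contents and the helper function Test-FileAttribute are assumptions made for the example; an NTFS volume is assumed.

```powershell
# Added example: script the encrypt procedure with cipher.exe and verify the result.
$folder   = Join-Path $env:USERPROFILE 'EfsDemo'          # assumed test folder
New-Item -ItemType Directory -Path $folder -Force | Out-Null
$secret   = Join-Path $folder 'secret.txt'
$readonly = Join-Path $folder 'readonly.txt'
Set-Content -LiteralPath $secret   -Value 'constructed sample data'
Set-Content -LiteralPath $readonly -Value 'constructed sample data'
compact.exe /c $secret | Out-Null                            # NTFS-compress it first to show the interaction
(Get-Item -LiteralPath $readonly).IsReadOnly = $true

function Test-FileAttribute([string]$Path, [System.IO.FileAttributes]$Flag) {
    ([int](Get-Item -LiteralPath $Path -Force).Attributes -band [int]$Flag) -ne 0
}

# 1. EFS rewrites the file, so a read-only file cannot be encrypted:
#    clear the attribute, remember the file, restore it afterwards.
$restore = @(Get-ChildItem -LiteralPath $folder -File -Recurse -Force | Where-Object IsReadOnly)
$restore | ForEach-Object { $_.IsReadOnly = $false }

# 2. Mark the folder and encrypt its contents (the dialog's "Apply changes to this
#    folder, subfolders and files"). /h includes hidden and system-attribute files.
cipher.exe /e /h "/s:$folder" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "cipher /e failed with exit code $LASTEXITCODE" }

# 3. Anything cipher left alone (the exact scope of /s has varied between Windows
#    versions) goes through the same Win32 EncryptFile call Explorer and cipher use.
Get-ChildItem -LiteralPath $folder -File -Recurse -Force |
    Where-Object { -not (Test-FileAttribute $_.FullName Encrypted) } |
    ForEach-Object { [System.IO.File]::Encrypt($_.FullName) }

# 4. Restore read-only where we cleared it.
$restore | ForEach-Object { $_.IsReadOnly = $true }

# 5. Verify: every file must carry Encrypted, and none may still carry Compressed
#    (secret.txt was decompressed as part of being encrypted).
$report = Get-ChildItem -LiteralPath $folder -File -Recurse -Force | ForEach-Object {
    [pscustomobject]@{
        File       = $_.Name
        Encrypted  = Test-FileAttribute $_.FullName Encrypted
        Compressed = Test-FileAttribute $_.FullName Compressed
        ReadOnly   = $_.IsReadOnly
    }
}
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.Encrypted -or $_.Compressed } |
    ForEach-Object { Write-Warning "$($_.File): Encrypted=$($_.Encrypted) Compressed=$($_.Compressed)" }
```

Step 5 is the check worth keeping in any deployment script: an attribute test, not the green filename in File Explorer, is what tells you whether a file is actually protected.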

Note

On NTFS volumes, files remain encrypted even when they are moved, copied, and renamed. A copy or move to a FAT, FAT32, or exFAT drive can succeed only if the file is decrypted first, which requires a key that can decrypt it (yours, that of a user added to the file, or a recovery agent's). File Explorer asks you to confirm the loss of encryption and then writes the copy in plaintext; an unattended copy made without such a key fails instead. Either way, a copy that lands on a FAT, FAT32, or exFAT drive, a USB stick for example, is no longer protected.

Working with Encrypted Files and Folders

Previously, I said that you can copy, move, and rename encrypted files and folders just like any other files. This is true, but I qualified this by saying “in most cases.” When you work with encrypted files, you’ll have few problems so long as you work with NTFS volumes on the same computer. When you work with other file systems or other computers, you might run into problems. Two of the most common scenarios are these:

  • Copying between volumes on the same computer When you copy or move an encrypted file or folder from one NTFS volume to another NTFS volume on the same computer, the files remain encrypted. However, if you copy or move encrypted files to a FAT, FAT32, or exFAT volume, the files are decrypted before transfer and then transferred as standard files and therefore end up in their destinations as unencrypted files. FAT, FAT32, and exFAT don’t support encryption.

  • Copying between volumes on a different computer When you copy or move an encrypted file or folder from one NTFS volume to another NTFS volume on a different computer, the files remain encrypted so long as the destination computer allows you to encrypt files and the remote computer is trusted for delegation. Otherwise, the files are decrypted and then transferred as standard files. The same is true when you copy or move encrypted files to a FAT, FAT32, or exFAT volume on another computer. FAT, FAT32, and exFAT don't support encryption. Bear in mind that EFS protects data at rest only: when a file is written to a remote share, the server rather than the client performs the encryption, so the contents cross the network in the clear unless the transport itself is protected (SMB encryption, which Windows 8 and Windows Server 2012 support, or IPsec).

After you transfer a sensitive file that has been encrypted, you might want to confirm that the encryption is still applied. Press and hold or right-click the file, and then tap or click Properties. On the General tab of the Properties dialog box, tap or click Advanced. The Encrypt Contents To Secure Data option should be selected.
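The check above can be built into the copy itself. The following added PowerShell example, not code from this page, refuses to write an EFS-encrypted file to a volume that cannot hold it unless you explicitly allow a decrypted copy, and reports whether encryption survived the transfer. The function names, the -AllowDecrypt switch and the sample paths are assumptions made for the example; the use of xcopy /G for the deliberate decrypted copy is a choice of the example, not something the page prescribes.

```powershell
# Added example: copy an encrypted file and report whether protection survived.
function Test-EfsEncrypted([string]$Path) {
    ([int](Get-Item -LiteralPath $Path -Force).Attributes -band [int][System.IO.FileAttributes]::Encrypted) -ne 0
}

function Get-FolderFileSystem([string]$Folder) {
    $full = (Resolve-Path -LiteralPath $Folder).ProviderPath
    if ($full.StartsWith('\\')) { return 'UNC' }     # remote share: the server's file system decides
    [System.IO.DriveInfo]::new([System.IO.Path]::GetPathRoot($full)).DriveFormat   # NTFS, FAT32, exFAT, ReFS ...
}

function Copy-EfsChecked {
    param([string]$Source, [string]$DestinationFolder, [switch]$AllowDecrypt)
    $fs           = Get-FolderFileSystem $DestinationFolder
    $destFull     = (Resolve-Path -LiteralPath $DestinationFolder).ProviderPath
    $target       = Join-Path $destFull (Split-Path -Leaf $Source)
    $wasEncrypted = Test-EfsEncrypted $Source

    # Only NTFS supports EFS (ReFS does not either); a remote share is left to the server.
    if ($wasEncrypted -and $fs -notin 'NTFS','UNC' -and -not $AllowDecrypt) {
        throw "$Source is EFS-encrypted and $DestinationFolder is $fs; refusing to write it in plaintext (use -AllowDecrypt)."
    }

    if ($AllowDecrypt) {
        # Explicitly permit a decrypted destination copy, the scripted equivalent of
        # confirming the encryption-loss prompt in File Explorer.
        $destArg = $destFull.TrimEnd('\')
        if ($destArg -match ':$') { $destArg += '\' }   # keep "E:\" for a drive root
        xcopy.exe $Source $destArg /G /Y /H | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "xcopy failed with exit code $LASTEXITCODE" }
    } else {
        # A plain API copy keeps encryption on NTFS; on a volume without EFS support it
        # normally fails with an encryption error rather than silently writing plaintext.
        # The attribute check below catches either outcome.
        Copy-Item -LiteralPath $Source -Destination $target -ErrorAction Stop
    }

    $result = [pscustomobject]@{
        Source                = $Source
        Destination           = $target
        DestinationFileSystem = $fs
        SourceEncrypted       = $wasEncrypted
        DestinationEncrypted  = Test-EfsEncrypted $target
    }
    if ($result.SourceEncrypted -and -not $result.DestinationEncrypted) {
        Write-Warning "$target is stored in plaintext; the EFS protection did not survive the copy."
    }
    $result
}

# Usage (assumed paths): secret.txt is an EFS-encrypted file, E:\ a removable exFAT stick.
# Copy-EfsChecked -Source "$env:USERPROFILE\EfsDemo\secret.txt" -DestinationFolder 'E:\'                 # refuses
# Copy-EfsChecked -Source "$env:USERPROFILE\EfsDemo\secret.txt" -DestinationFolder 'E:\' -AllowDecrypt   # warns
```

For an NTFS-to-NTFS copy the function simply returns DestinationEncrypted = True; the value of the wrapper is that a plaintext copy to removable media can only happen through a deliberate switch, which is also what you want to see in an audit trail.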

Configuring Recovery Policy

In domains, an EFS recovery policy is created automatically: the domain Administrator account that created the domain holds the default EFS recovery certificate for all computers in the domain. BitLocker has no default recovery agent anywhere (domain, workgroup or homegroup). BitLocker recovery normally relies on recovery passwords and recovery keys, which in a domain can be backed up to Active Directory, and a BitLocker data recovery agent must be designated explicitly if you want one. In workgroups or homegroups, Windows 8 designates no EFS recovery agent for a stand-alone workstation; you must create one yourself.

Through the Group Policy console, you can view, assign, and delete recovery agents. To do that, follow these steps:

  1. Open a Group Policy Object for editing in the Group Policy Management Editor.

  2. Open the Encrypting File System node in Group Policy (older documentation calls this the Encrypted Data Recovery Agents node, its name in Windows 2000). To do this, expand Computer Configuration, Policies (this level appears only when you edit a domain GPO), Windows Settings, Security Settings, Public Key Policies, and then select either Encrypting File System or BitLocker Drive Encryption, as appropriate for the type of recovery agent you want to work with.

  3. The right pane lists the recovery certificates currently assigned. Recovery certificates are listed according to who issued them, to whom they are issued, expiration date, purpose, and other properties.

  4. To designate an additional recovery agent, press and hold or right-click the Encrypting File System or BitLocker Drive Encryption node, and then tap or click Add Data Recovery Agent. This starts the Add Recovery Agent Wizard, which you can use to select a previously generated certificate that has been assigned to a user and then mark it as a designated recovery certificate. Tap or click Next.

  5. On the Select Recovery Agents page, tap or click Browse Directory. In the Find Users, Contacts, And Groups dialog box, select the user you want to work with.

    Note

    Before you can designate an additional recovery agent through Browse Directory, the user must already hold a recovery certificate. In a domain with an enterprise certification authority (CA), the user requests one with the Certificates snap-in using the EFS Recovery Agent template, and the CA must issue it before it can be used. Without a CA, cipher /r:filename generates a self-signed recovery certificate as a .cer file (certificate only, which you import with Browse Folders in this wizard) and a .pfx file (certificate plus private key, protected by a password you choose). Whichever way the certificate is created, store the private key offline: it can decrypt every file that lists the agent, and if it is lost the agent is worthless.

  6. To delete a recovery agent, select the recovery agent's certificate in the right pane, and then press Delete. When prompted to confirm the action, tap or click Yes. This removes the certificate from the policy permanently. Any file encrypted while that agent was designated still refers to its certificate in the file's recovery field, so if the agent's private key (.pfx) was never backed up, those files have lost their only independent recovery path. On Windows 8, an empty EFS recovery policy does not turn EFS off: users can still encrypt files, but new files will have no recovery agent. To actually disable file encryption, open the properties of the Encrypting File System node and set file encryption to Don't Allow. After changing agents, have users run cipher /u so that their existing files are re-keyed to the current recovery agents.
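The recovery-agent life cycle described in this section, from generating a certificate without a CA to re-keying existing files, looks like this when scripted. The following is an added PowerShell example, not code from this page; the directory C:\EfsRecovery, the base name efs-dra, and the spot-check path are assumptions made for the example, and the Group Policy step in the middle remains a manual one.

```powershell
# Added example: create an EFS recovery agent certificate without a CA, keep its
# private key off the machine, and re-key existing files so the agent can recover them.
$keyDir = 'C:\EfsRecovery'                     # assumed location
New-Item -ItemType Directory -Path $keyDir -Force | Out-Null
$base = Join-Path $keyDir 'efs-dra'            # assumed base name

# cipher /r prompts for a password and writes efs-dra.cer (certificate only) and
# efs-dra.pfx (certificate plus private key, protected by that password).
cipher.exe "/r:$base"
if ($LASTEXITCODE -ne 0) { throw "cipher /r failed with exit code $LASTEXITCODE" }

$cer = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new("$base.cer")
"Recovery agent: $($cer.Subject); thumbprint $($cer.Thumbprint); valid until $($cer.NotAfter)"

# Manual step: designate efs-dra.cer in Group Policy (Encrypting File System > Add Data
# Recovery Agent > Browse Folders), in the domain GPO or in gpedit.msc on a stand-alone
# machine. Then move efs-dra.pfx to offline storage: whoever holds it can decrypt every
# file that lists this agent, and without it the agent cannot recover anything.
# Refresh policy on the client once the GPO is saved:
gpupdate.exe /target:computer /force | Out-Null

# Files encrypted before the change carry only the old agent (if any). cipher /u rewraps
# each encrypted file's key for the current user certificate and the current recovery
# agents; /n only lists the files that would be touched. Rewrapping means decrypting the
# file key first, so run this as each file owner (or as a user added to the files).
cipher.exe /u /n                 # inventory of encrypted files on local drives
cipher.exe /u | Out-Null
if ($LASTEXITCODE -ne 0) { Write-Warning "cipher /u reported errors (exit code $LASTEXITCODE); rerun without Out-Null to see them" }

# Spot check a file encrypted earlier (assumed path): its "Recovery Certificates" section
# should now show the thumbprint printed above.
cipher.exe /c "$env:USERPROFILE\EfsDemo\secret.txt"
```

Keep the .cer file with the policy documentation and the .pfx in the same class of storage as your BitLocker recovery keys; the certificate's expiry date printed by the script is the date by which a replacement agent must be in place and cipher /u must have been run again.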

Sharing Encrypted Files

By default, an encrypted file can be read only by the user who encrypted it (and by any recovery agent). If you want other users to be able to access an encrypted file, you must either decrypt the file or add those users to it, which wraps the file's key for their EFS certificates as well. This sharing is per file: Windows does not provide it for folders (the Details button is unavailable when the Properties dialog belongs to a folder), so to share every file in a folder you add the users to each file, or use cipher /adduser against the folder from the command line. To add a user to a file, complete the following procedure:

  1. Press and hold or right-click the file in File Explorer, and then select Properties.

  2. On the General tab of the Properties dialog box, tap or click Advanced, and then tap or click Details in the Advanced Attributes dialog box.

    The User Access To dialog box appears. Users who have access to the encrypted file are listed by name.

  3. To allow another user to access the file, tap or click Add.

  4. If a user certificate is available for the user to whom you are granting access, select the user's name in the list provided, and then tap or click OK. Otherwise, tap or click Find User to locate the certificate for the user. A user has an EFS certificate only after encrypting at least one file (in a domain, the certificate may also be published in Active Directory); if none can be found, have the user encrypt any file first.
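Because the dialog works one file at a time, sharing a whole folder is better done with cipher.exe. The following added PowerShell example, not code from this page, shows the colleague exporting the public half of their EFS certificate, the owner adding it to every file in a folder, and a check of cipher /c output that lists who can decrypt each file. The same check also confirms the recovery agent set up in the previous section. The folder path, the export file name and the function Get-EfsAccess are assumptions made for the example, and the parser is a loose text parse of cipher's output rather than a documented interface.

```powershell
# Added example: share all files in an encrypted folder with a colleague, then verify.

# --- Step A, run by the colleague: export the public half of their EFS certificate.
#     A user only has one after encrypting a file at least once.
$efsEku = '1.3.6.1.4.1.311.10.3.4'           # Encrypting File System enhanced key usage OID
$mine = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and $_.EnhancedKeyUsageList.ObjectId -contains $efsEku } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $mine) { throw 'No EFS certificate in this profile yet: encrypt any file once, then rerun.' }
$cerPath = Join-Path $env:TEMP "$env:USERNAME-efs.cer"    # assumed export location
Export-Certificate -Cert $mine -FilePath $cerPath | Out-Null   # a .cer carries no private key

# --- Step B, run by the file owner: add that certificate to every file under the folder.
$folder = Join-Path $env:USERPROFILE 'EfsDemo'            # assumed folder
$files  = Get-ChildItem -LiteralPath $folder -File -Recurse -Force | Select-Object -ExpandProperty FullName
cipher.exe /adduser "/certfile:$cerPath" $files | Out-Null # "/s:$folder" in place of $files also works
if ($LASTEXITCODE -ne 0) { throw "cipher /adduser failed with exit code $LASTEXITCODE" }

function Get-EfsAccess([string]$Path) {
    # Loose parse of cipher /c: collects the thumbprints listed under "Users who can decrypt:"
    # and "Recovery Certificates:", normalized to X509Certificate2.Thumbprint form.
    # cipher's output is free text and its layout may differ between Windows versions.
    $section = $null
    $found = @{ Users = @(); RecoveryAgents = @() }
    foreach ($line in (cipher.exe /c $Path)) {
        if ($line -match 'Users who can decrypt') { $section = 'Users';          continue }
        if ($line -match 'Recovery Certificates') { $section = 'RecoveryAgents'; continue }
        if ($line -match '^\s*$' -or $line -match 'Key information') { $section = $null; continue }
        if ($section -and $line -match 'Certificate thumbprint:\s*(.+)$') {
            $found[$section] += ($Matches[1] -replace '\s', '').ToUpperInvariant()
        }
    }
    [pscustomobject]$found
}

$colleague = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cerPath)
foreach ($f in $files) {
    $access = Get-EfsAccess $f
    if ($access.Users -contains $colleague.Thumbprint) { "$f : shared with $($colleague.Subject)" }
    else { Write-Warning "$f : colleague not listed; inspect 'cipher /c' output by hand" }
    if ($access.RecoveryAgents.Count -eq 0) { Write-Warning "$f : no recovery agent on this file" }
}

# To revoke the colleague later:
# cipher.exe /removeuser "/certhash:$($colleague.Thumbprint)" $files
```

Adding a user wraps the existing file key for that user's certificate; it does not change the key itself, so removing the user later (cipher /removeuser) only takes away their wrapped copy, and anyone who already extracted the plaintext still has it.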

Decrypting Files and Directories

File Explorer shows the names of encrypted resources in green. If you decide later that you want to decrypt a file or directory, reverse the process by following these steps:

  1. Press and hold or right-click the file or directory in File Explorer.

  2. On the General tab of the related Properties dialog box, tap or click Advanced. Clear the Encrypt Contents To Secure Data check box. Tap or click OK twice.

With files, Windows 8 decrypts the file and restores it to its original format. With directories, Windows 8 decrypts the files within the directory. If the directory contains subfolders, you have the opportunity to remove encryption from the subfolders. To do this, select Apply Changes To This Folder, Subfolders And Files when prompted, and then tap or click OK.

Tip

Windows 8 also provides a command-line utility called Cipher (Cipher.exe) for encrypting and decrypting your data. Typing cipher at the command prompt without additional parameters lists the files and subdirectories of the current directory with their encryption state, E for encrypted and U for unencrypted, and states whether new files added to the directory will be encrypted. cipher /c filename shows which users and recovery agents can decrypt a particular file, cipher /e and cipher /d encrypt and decrypt, and cipher /x backs up your own EFS certificate and private key to a password-protected .pfx file.

 