Encryption is the process of making information indecipherable to protect it from unauthorized viewing or use. A key is required to decode the information. The Microsoft Encrypting File System (EFS) provides encryption for data in NTFS files stored on disk. This encryption is public key-based and runs as an integrated system service, making it easy to manage, difficult to attack, and transparent to the file owner. If a user who attempts to access an encrypted NTFS file has the private key to that file, the file can be decrypted so that the user can open the file and work with it transparently as a normal document. A user without the private key is denied access.
Windows XP Professional also includes the Cipher command, which provides the ability to encrypt and decrypt files and folders from a command prompt. Windows XP Professional also provides a recovery agent. In the event that the owner loses the private key, the recovery agent can still recover the encrypted file.
EFS allows users to encrypt NTFS files by using a strong public key-based cryptographic scheme that encrypts all files in a folder. Users with roaming profiles can use the same key with trusted remote systems. No administrative effort is needed to begin, and most operations are transparent. Backups and copies of encrypted files are also encrypted if they are in NTFS volumes. Files remain encrypted if you move or rename them, and temporary files created during editing and left unencrypted in the paging file or in a temporary file do not defeat encryption.
You can set policies to recover EFS-encrypted data when necessary. The recovery policy is integrated with overall Windows XP Professional security policy. Control of this policy can be delegated to individuals with recovery authority, and different recovery policies can be configured for different parts of the enterprise. Data recovery discloses only the recovered data, not the key that was used to encrypt the file. Several protections ensure that data recovery is possible and that no data is lost in the case of total system failure.
EFS is implemented either from Windows Explorer or from the command line. It can be enabled or disabled for a computer, domain, or organizational unit (OU) by resetting recovery policy in the Group Policy console in Microsoft Management Console (MMC).
You can use EFS to encrypt and decrypt files on remote file servers but not to encrypt data that is transferred over the network. Windows XP Professional provides network protocols, such as Secure Sockets Layer (SSL) authentication, to encrypt data over the network.
Table 14.4 lists the key features provided by Windows XP Professional EFS.
Table 14.4??EFS Features
The recommended method to encrypt files is to create an NTFS folder and then encrypt the folder. To encrypt a folder, in the Properties dialog box for the folder, click the General tab. In the General tab, click Advanced, and then select the Encrypt Contents To Secure Data check box. All files placed in the folder are encrypted and the folder is now marked for encryption. Folders that are marked for encryption are not actually encrypted; only the files within the folder are encrypted.
After you encrypt the folder, when you save a file in that folder, the file is encrypted using file encryption keys, which are fast symmetric keys designed for bulk encryption. The file is encrypted in blocks, with a different file encryption key for each block. All of the file encryption keys are stored and encrypted in the Data Decryption field (DDF) and the Data Recovery field (DRF) in the file header.
You use a file that you encrypted just like you would use any other file, as encryption is transparent. There is one exception to using an encrypted file just like you would any other file: encrypted files can't be shared. You do not need to decrypt a file you encrypted before you can use it. When you open an encrypted file, your private key is applied to the DDF to unlock the list of file encryption keys, allowing the file contents to appear normally. EFS automatically detects an encrypted file and locates a user certificate and associated private key. You open the file, make changes to it, and save it, as you would any other file. However, if someone else tries to open your encrypted file, he or she is unable to access the file and receives an access denied message.
Decrypting a folder or file refers to clearing the Encrypt Contents To Secure Data check box in a folder's or file's Advanced Attributes dialog box, which you access from the folder's or file's Properties dialog box. Once decrypted, the file remains so until you select the Encrypt Contents To Secure Data check box. The only reason you might want to decrypt a file would be if other people needed access to the folder or file-for example, if you want to share the folder or make the file available across the network.
The Cipher command provides the ability to encrypt and decrypt files and folders from a command prompt. The following example shows the available switches for the Cipher command, described in Table 14.5:
cipher [/e | /d] [/s:folder_name] [/a] [/i] [/f] [/q] [/h] [/k] [file_name [...]]
Table 14.5??Cipher Command Switches
If you run the Cipher command without parameters, it displays the encryption state of the current folder and any files that it contains. You can specify multiple filenames and use wildcards. You must put spaces between multiple parameters.
If you lose your file encryption certificate and associated private key through disk failure or any other reason, a person designated as the recovery agent can open the file using his or her own certificate and associated private key. If the recovery agent is on another computer in the network, send the file to the recovery agent. The recovery agent can bring his or her private key to the owner's computer, but it is never a good security practice to copy a private key onto another computer.
It is a good security practice to rotate recovery agents. However, if the agent designation changes, access to the file is denied. For this reason, you should keep recovery certificates and private keys until all files that are encrypted with them have been updated.
The person designated as the recovery agent has a special certificate and associated private key that allow data recovery. To recover an encrypted file, the recovery agent does the following:
You can disable EFS for a domain, OU, or computer by applying an empty Encrypted Data Recovery Agent policy setting. Until Encrypted Data Recovery Agent settings are configured and applied through Group Policy, there is no policy, so the default recovery agents are used by EFS. EFS must use the recovery agents that are listed in the Encrypted Data Recovery Agents Group Policy agent if the settings have been configured and applied. If the policy that is applied is empty, EFS does not operate.
In this practice, you log on as an administrator and encrypt a folder and its files. You then log on using a different user account and attempt to open an encrypted file and disable encryption on the encrypted file. Finally, you log on again with the same administrative account and decrypt the folder and its contents that you previously encrypted.
Run the EncryptingFiles file in the Demos folder on the CD-ROM accompanying this book for a demonstration of encrypting folders and files, accessing encrypting files, and decrypting encrypted files.
In this exercise, you will encrypt a folder and its contents.
Windows XP Professional displays the Properties dialog box with the General tab active.
The Advanced Attributes dialog box appears.
An Encryption Warning dialog box informs you that you are about to encrypt a file that is not in an encrypted folder. The default is to encrypt the folder and file, but you can also choose to encrypt only the file.
The Advanced Attributes dialog box appears.
The Confirm Attribute Change dialog box informs you that you are about to encrypt a folder. You have two choices: you can encrypt only this folder, or you can encrypt the folder and all subfolders and files in the folder.
The File1 Properties dialog box appears.
The Advanced Attributes dialog box appears. Notice that the Encrypt Contents To Secure Data check box is selected.
In this exercise, you log on using the User5 account and then attempt to open an encrypted file. You then try to disable encryption on the encrypted files.
The Error Applying Attributes dialog box appears and informs you that access to the file is denied.
In this exercise, you decrypt the folder and file that you previously encrypted.
The following questions will help you determine whether you have learned enough to move on to the next lesson. If you have difficulty answering these questions, review the material in this lesson before beginning the next lesson. The answers are in Appendix A, "Questions and Answers."