NTFS5, the native file system used by Windows XP has a very cool feature called EFS, or Encrypted File System. EFS is an invisible file encryption method that is built directly into the file system. This provides an extra layer of protection for keeping your folders private.
This guide will explain what it is and how to use it effectively. Please note that the EFS features have been removed from Windows XP Home Edition. “Removed?” You ask. Yes, removed, as I said earlier EFS is built into NTFS (NT File System), the ability to enable it has been removed from XP Home Edition.
So what operating system have this feature? Any Microsoft operating system 2000 or newer has this feature. However, only the Professional and Server releases have it enabled. So here’s the list as it stands at the time of this writing.
Windows 2000 Pro or Server, Windows XP 32-bit Pro, Windows XP 64-bit Pro, and Windows Server 2003. I’m not sure, but I assume the same rule will apply to Windows Vista releases.
So the techies might be asking, “How can they remove EFS if it’s native to the file system?” The answer, the Home and Pro versions use different NTFS drivers.
Encrypting a File or Folder with EFS
The process for removing the EFS attributes is just the opposite the the above. Follow the same procedure and remove the checkmark we just added.
Okay, so now we know how to do it, but how does EFS work? Well, I’m going to be as basic as possible in my approach. I’m not about to begin trying to explain encryption in this single post.
Basically, your computer creates a sort of password hash using your user information and then applies it to an algorithm and encodes your files. In basic english, that means that without being logged on with your user ID and password, the computer literally cannot read the file’s contents. You might compare it to trying to read an Arabic newspaper. (That, of course, assuming you can’t read Arabic.)
By default EFS uses DESX (56-bit) in Windows 2000 and DESX (128-bit) in Windows XP. Windows XP SP1 and higher use AES (256-bit) by default. Optionally 3DES (168-bit) in Windows XP and Windows 2003 (and Windows 2000 with High Encryption Pack) may be used. All of these algorithms make use of a random cipher key so they present a fairly strong encryption. Your average joe is not going to crack this thing in any reasonable amount of time, especially if you use a strong Windows password. Also note that 3DES complies with Federal Information Processing Standards (FIPS 140-1 Level 1) and is significantly stronger than the default DESX encryption. You have to enable the use of 3DES. I’ll show you that later in this article.
Now we have a basic understanding of what it does and how to do it, but is there anything else we should know. Well, yes. Let’s suppose you reload Windows and can’t log on with the user that originally encrypted the files. (Even recreating a user with the same name will not work.) You won’t be able to view the files because your current user won’t be able to decrypt them. That’s could make for a big nightmare.
Luckily, Windows provides a way for us to backup our EFS information to prevent this from happening. The backup that is created can be used to grant any user (current or future) access to the files by using a created floppy disk. Don’t worry, not anyone who finds this floppy disk can use it. The backup procedure will setup the floppy so that it requires a password to use it. (I knew what you were thinking…)
Without wasting any more time, here’s how to create the backup.
Backing Up Your EFS Key – Method 1
In the future you will not have to add the Certificates snap-in. Instead you will be able to start at step 7.
Backing Up Your EFS Key – Method 2
Windows 2003 user have the option to backup using a button on the Details page under Advanced Properties when encrypting a file.
As I said, Windows XP Pro and higher give the option to use the stronger 3DES algorithm, however, it is not installed by default.
Enabling Advanced Encryption By Using 3DES
Once 3DES is enabled, you will still be able to open files that were encrypted with DESX. So you can enable this option at any time.
Allowing Multiple User Access to Protected Files
You may find that you want to share an encrypted resource. Note that you cannot share an EFS encrypted folder. You must allow access on a per file basis.
“But I’ve disabled share-level access to my files and allow access only to the users that I want. What good will EFS do me?”
Okay, the permissions here rely on ACL’s or Access Control Lists. ACL’s are extremely effective, but the problem here is that they are completely useless outside of the Windows environment. In other words, if someone connects your computer (or connects your hard drive to a computer) running a different operating system such as Linux your ACL’s don’t mean a thing. They’ll be browsing through your files like they weren’t even there.
“I don’t have anything to hide. Why waste my time?”
EFS is just an added bonus feature for the home PC owner. And since it works by itself in the background, it doesn’t require any extra effort to use it. Besides, a little extra security never hurt anyone.