Before you start
Objectives: Learn how to use Encryption File System (EFS) in Windows Vista, and how to manage private keys used for EFS.
Prerequisites: you have to know what is EFS in general.
Key terms: file, access, user, button, efs, encrypted, folder, case, keys, window, list, account
Encrypting Files
In this example we will first take a look at how to encrypt some file. We have some example text file in our example folder. To encrypt our “Example File”, we will right-click it, and on the General tab we will click on the “Advanced” button. The “Advanced Attributes” windows will appear, and here we will check the “Encrypt contents to secure data” option.
EFS Checked
When we click OK button, and then OK again, we will get an Encryption Warning window. We will have to choose if we want to encrypt the file and its parent folder, or if we want to encrypt the file only. If we choose the first option, everything inside the folder will be encrypted. In our case we will encrypt the file only.
EFS Warning
Notice that the file which is encrypted is colored green. This tells us visually that the file is encrypted. We can still open that file because we have encrypted it (we have the private key).
Green File
If we right-click that file again, go to its properties, and click the Advanced button again, we can now click the “Details” button. When we do that, a “User Access” window will open. This window lists all users which have access to that particular file. By default this list will contain only the user which encrypted the file.
User Access Window
Note that in this window we can click on the “Add” button to name additional users which will have access to our encrypted file. We can only add individual users, meaning we can’t add groups of users. The lower part of this window lists all DRAs which have access to the file. Vista installation which is not a member of the domain does not have a DRA by default.
Now let’s try to access that encrypted file by using another account on our system. In our case we will use the “hrlec” account, which is a standard user account (doesn’t have administrative rights). Our file is located in “C:\Example Folder\Example File.txt”. Let’s try and open that file with “hrlec” account.
Access Denied
We are able to access the folder in which the file is located, but we are not able to open the file. We get a “Access is denied” message. EFS doesn’t care about the NTFS permissions which are set on the folder and file, it only cares about its own permissions. Now, let’s create new file in this folder by using the “hrlec” account and encrypt it. We will encrypt the file only. Now we have two files which are both green, so we don’t actually know which user has access to which file.
Two Files
Let’s go to the properties of the “hrlec file”, and add another user which will have access to that file. To do that we will click the Details button in “Advanced Attributes” window, and then click on the “Add” button. In our case we only have two accounts which can be added to the list. In order for users to appear in this list, users have to already use EFS in some form. If they are not using EFS, they will not be in this list. To use EFS, user can simply encrypt some file, and that will include him in the EFS. This will create their certificates.
User Certificates
In our case we will select the “ivancic” certificate and add it to the list. Remember that if we loose our EFS keys, we wont be able to access our files which are encrypted. To back-up keys we can click on the “Back up keys” button in the “User Access” window. We have to select the user from the list and then click the button. The wizard will appear. In our case we are able to create a PFX file which contains the private key.
hrlecKey File
We should keep that file in a safe place. Only original user should have access to that file. When we click Next, we have to enter the password to maintain security. After the password, we simply specify the name of the file which will be exported. In our case this will be “hrlecKey”, and we will save it in “C:\Example Folder\”.
If we try to open that certificate, a Certificate Import Wizard will appear. This way we can recover our encrypted files in case if we have lost original keys. We can also manage our keys in Control Panel > User Accounts and Family Safety > User Accounts.
Manage Keys in Control Panel
To open the key management wizard we have to click the “Manage your file encryption certificates” option. We can use this wizard to select or create certificates, back up certificates and keys, etc.