1 using "encrypting file system" to protect files and folders in "windows.."
TRANSCRIPT
- Slide 1
1 USING "ENCRYPTING FILE SYSTEM" TO PROTECT FILES AND FOLDERS IN "WINDOWS.." Slide 2 2 Web location for this presentation: http://aztcs.org Click on Meeting Notes Slide 3 3 SUMMARY Many of the "editions" of "Windows 2000", "Windows XP", "Windows Vista", "Windows 7", and "Windows 8" have the "Encrypting File System" (EFS) for securing files and/or folders inside NTFS hard drive partitions. Slide 4 4 TOPICS Basics of Encrypting File System "EFS" versus "BitLocker" "Encrypting File System" Service Using the "Certificate Manager" to Check for Existing Personal "Public Key Certificates" Encrypting A File or Folder with EFS Using the "Certificate Manager" to Export a Newly-Created Public Key and Private Key Slide 5 5 TOPICS (continued).PFX "Personal Information Exchange" files Decrypting an EFS-encrypted file/folder Deleted Certificates Stay in RAM And Are Active Until You Reboot Slide 6 6 BASICS OF EFS The "Encrypting File System" (EFS) is a feature of "NTFS" hard drives (and partitions) for many editions of "Windows 2000" through "Windows 8". Slide 7 7 BASICS OF EFS (continued) When view in "Windows Explorer" ("File Explorer"), a folder that contains only "Encrypting File System"- encrypted files will have it's name in green text: Slide 8 8 Slide 9 9 BASICS OF EFS (continued) When viewed in "Windows Explorer" ("File Explorer"), a file that is encrypted by "Encrypting File System" will have it's name in green text: Slide 10 10 Slide 11 11 BASICS OF EFS (continued) Another user on the same computer will be unable to open/view the EFS- protected file. If someone takes your hard drive, and puts it into an external hard drive enclosure and attaches the enclosure to their own computer, they will be unable to open/view the EFS-protected file. Slide 12 12 Slide 13 13 Slide 14 14 BASICS OF EFS (continued) "ESF" is a feature of "NTFS" hard drives (and partitions) for many editions of "Windows 2000" through "Windows 8". Slide 15 15 BASICS OF EFS (continued) In EFS, "public key certificates", "private keys", and passwords to controll the various keys all work together to give you "two factor authentication". Slide 16 16 BASICS OF EFS (continued) The advantages of having certificates are detailed in ` http://www.trustico.com/material/Te chpaper_10_Best_Practices_Securi ng_Your_Enterprise.pdf#page=6 and http://serverfault.com/questions/182 980/how-is-using-client-certificates- more-secure-than-tls-plus-basic- authentication http://www.trustico.com/material/Te chpaper_10_Best_Practices_Securi ng_Your_Enterprise.pdf#page=6 http://serverfault.com/questions/182 980/how-is-using-client-certificates- more-secure-than-tls-plus-basic- authentication Slide 17 17 BASICS OF EFS (continued) According to http://en.wikipedia.org/wiki/Encr ypting_File_System, Ecrypting File System (EFS) is available for the following editions of "Windows..": http://en.wikipedia.org/wiki/Encr ypting_File_System Slide 18 18 BASICS OF EFS (continued) Slide 19 19 BASICS OF EFS (continued) "Windows Vista Starter", "..Home Basic", and "..Home Premium" allow only decryption--so you can read encrypted files but you cannot encrypt them according to http://pcworld.about.net/od/encry ption1/The-Simple-Way-to-Keep- Your-Pr.htm http://pcworld.about.net/od/encry ption1/The-Simple-Way-to-Keep- Your-Pr.htm Slide 20 20 BASICS OF EFS (continued) For "Windows Vista Starter", "..Home Basic", and "..Home Premium" you can decrypt EFS- encrypted files using the cipher command line command. See http://windows.microsoft.com/is- IS/windows-vista/What-is- Encrypting-File-System-EFS http://windows.microsoft.com/is- IS/windows-vista/What-is- Encrypting-File-System-EFS Slide 21 21 BASICS OF EFS (continued) "Windows 7 Starter", "..Home Basic", and "..Home Premium" allow only decryption--so you can read encrypted files but you not encrypt them Slide 22 22 BASICS OF EFS (continued) For "Windows 7 Starter", "..Home Basic", and "..Home Premium" you can decrypt EFS-encrypted files using the cipher command line command. Slide 23 23 BASICS OF EFS (continued) See http://answers.microsoft.com/en- us/windows/forum/windows_7- windows_programs/cipherexe- returns-error-the-request-is- not/9d5cb3fc-d092-4551-bc9f- f62dbd46f37c?msgId=5ad136ca- dedf-4013-8f1c-81627b907895 http://answers.microsoft.com/en- us/windows/forum/windows_7- windows_programs/cipherexe- returns-error-the-request-is- not/9d5cb3fc-d092-4551-bc9f- f62dbd46f37c?msgId=5ad136ca- dedf-4013-8f1c-81627b907895 Slide 24 24 BASICS OF EFS (continued) Slide 25 25 BASICS OF EFS (continued) "Encrypting File System" is also available for NTFS drives/partitions for the "..Pro" and "..Enterprise" editions of "Windows 8". "Encrypting File System" will not be available for the "..RT" or "Windows 8" editions of "Windows 8". Reference: http://en.wikipedia.org/wiki/Windows_8_edition s#Comparison_chartReference: http://en.wikipedia.org/wiki/Windows_8_edition s#Comparison_chart Slide 26 26 "EFS" VERSUS "BITLOCKER" "Bitlocker" is used to encrypt entire hard drives or hard drive partitions whiile "Encrypting File System" is used to encrypt individual data files and/or folders "EFS" causes less of a performance reduction on your Windows computer Slide 27 27 "EFS" VERSUS "BITLOCKER" (continued) See http://www.lockergnome.com/windo ws/2012/04/25/bitlocker-vs-efs/ http://www.lockergnome.com/windo ws/2012/04/25/bitlocker-vs-efs/ Slide 28 28 "ENCRYPTING FILE SYSTEM" SERVICE MUST BE SET TO "MANUAL" OR "AUTOMATIC" In order to encrypt or decrypt a file or folder, the "Encrypting File System" services has to be set to "Manual" or "Automatic": You can run services.msc from any search box or "Run" box in "Windows.." to turn it on: Slide 29 29 "ENCRYPTING FILE SYSTEM" SERVICE SET TO "MANUAL" OR "AUTOMATIC" (continued) Step 1: Click on the "Start" button in versions of "Windows" prior to "..8" or, for "Windows 8..", hover over the lower-left "Hot Corner" and use the RIGHT mouse" to click on "Run" in the pop-up "Power User Context Menu": Slide 30 30 "ENCRYPTING FILE SYSTEM" SERVICE SET TO "MANUAL" OR "AUTOMATIC" (continued) Step 2: Type in services.msc Step 3: Press once on the Enter key. Slide 31 31 Slide 32 32 "ENCRYPTING FILE SYSTEM" SERVICE SET TO "MANUAL" OR "AUTOMATIC" (continued) Step 4: A "Services" Microsoft Management Console window will be displayed: Slide 33 33 Slide 34 34 "ENCRYPTING FILE SYSTEM" SERVICE SET TO "MANUAL" OR "AUTOMATIC" (continued) Step 5: Use the vertical scroll bar on the right to scroll downward until you locate the "Encrypting File System" service. Step 6: Use your RIGHT mouse button to click on it. Step 7: A pop-up context menu will be displayed: Slide 35 35 "ENCRYPTING FILE SYSTEM" SERVICE SET TO "MANUAL" OR "AUTOMATIC" (continued) Step 8: Click on "Properties" in the pop-up context menu: Slide 36 36 Slide 37 37 "ENCRYPTING FILE SYSTEM" SERVICE SET TO "MANUAL" OR "AUTOMATIC" (continued) Step 9: A "Properties" dialog box will be displayed. Step 10: Make sure that "Startup type" is set to "Manual" or "Automatic". "Manual" is preferable. Step 11: Click on the "Apply" button if it is not grayed out.` Slide 38 38 "ENCRYPTING FILE SYSTEM" SERVICE SET TO "MANUAL" OR "AUTOMATIC" (continued) Step 12: Close the "Properties" dialog box. Step 13: Close the "Services" Microsoft Management Console window. Slide 39 39 Slide 40 40 USING THE "CERTIFICATE MANAGER" TO CHECK FOR EXISTING PERSONAL "PUBLIC KEY CERTIFICATES" Step 1: Click on the "Start" button in versions of "Windows" prior to "..8" or, for "Windows 8..", hover over the lower-left "Hot Corner" and use the RIGHT mouse" to click on "Run" in the pop-up "Power User Context Menu": Slide 41 41 Slide 42 42 USING THE "CERTIFICATE MANAGER" TO CHECK FOR EXISTING PERSONAL "PUBLIC KEY CERTIFICATES" (continued) Step 2: Use the right mouse button to click on "cmd.exe" in versions of "Windows" prior to "..8" or, for "Windows 8..", use the left mouse button to click on "Command Prompt (Admin) in the pop-up Power User Tasks menu: Slide 43 43 Slide 44 44 USING THE "CERTIFICATE MANAGER" TO CHECK FOR EXISTING PERSONAL "PUBLIC KEY CERTIFICATES" (continued) Step 3: Use the left mouse button to click on "Run as administrator" in versions of "Windows" prior to "..8" or, for "Windows 8..", use the left mouse button to click on the "Yes" button of the "User Account Control" dialog box: Slide 45 45 Slide 46 46 USING THE "CERTIFICATE MANAGER" TO CHECK FOR EXISTING PERSONAL "PUBLIC KEY CERTIFICATES" (continued) Step 4: A command prompt window, will be displayed: Slide 47 47 Slide 48 48 USING THE "CERTIFICATE MANAGER" TO CHECK FOR EXISTING PERSONAL "PUBLIC KEY CERTIFICATES" (continued) Step 5: Inside the command prompt window, type in certmgr.msc Step 6: Press once on the Enter key. Slide 49 49 Slide 50 50 USING THE "CERTIFICATE MANAGER" TO CHECK FOR EXISTING PERSONAL "PUBLIC KEY CERTIFICATES" (continued) Step 7: A "certmgr" Microsoft Management Console window will be displayed: Slide 51 51 Slide 52 52 USING THE "CERTIFICATE MANAGER" TO CHECK FOR EXISTING PERSONAL "PUBLIC KEY CERTIFICATES" (continued) Step 8: Double-click on the Personal group in the right-most pane: Slide 53 53 Slide 54 54 Slide 55 55 USING THE "CERTIFICATE MANAGER" TO CHECK FOR EXISTING PERSONAL "PUBLIC KEY CERTIFICATES" (continued) Step 9: Double-click on "Certificates" subgroup in the right- most pane: Slide 56 56 Slide 57 57 USING THE "CERTIFICATE MANAGER" TO CHECK FOR EXISTING PERSONAL "PUBLIC KEY CERTIFICATES" (continued) Step 10: Note that you presently have no "Public Key Certificates" or subgroups in the "Personal" group: Slide 58 58 Slide 59 59 ENCRYPTING A FILE OR FOLDER WITH "ENCRYPTING FILE SYSTEM" Step 1: Start "Windows Explorer" ("File Explorer"). Step 2: Locate or create the folder or file that you want to encrypt. Slide 60 60 Slide 61 61 ENCRYPTING A FILE OR FOLDER WITH "ENCRYPTING FILE SYSTEM" (continued) Step 3: Use the RIGHT mouse to click on it. Step 4: A pop-up context menu will be displayed. Step 5: Click on "Properties". Slide 62 62 Slide 63 63 ENCRYPTING A FILE OR FOLDER WITH "ENCRYPTING FILE SYSTEM" (continued) Step 6: A "..Properties" dialog box will be displayed. Step 7: Click on the "Advanced" button. Slide 64 64 Slide 65 65 ENCRYPTING A FILE OR FOLDER WITH "ENCRYPTING FILE SYSTEM" (continued) Step 8: An "Advanced Attributes" box will be displayed: Slide 66 66 Slide 67 67 ENCRYPTING A FILE OR FOLDER WITH "ENCRYPTING FILE SYSTEM" (continued) Step 9: Put in a checkmark for "Encrypt contents to secure data". Step 10: Click on the "OK" button: Step 11: The "Advanced Attributes" box will disappear. Slide 68 68 Slide 69 69 ENCRYPTING A FILE OR FOLDER WITH "ENCRYPTING FILE SYSTEM" (continued) Step 12: Click on the "Apply" button of the "..Properties" dialog box, if the "Apply" button is not grayed out. Step 11: The "Advanced Attributes" box will disappear. Slide 70 70 Slide 71 71 ENCRYPTING A FILE OR FOLDER WITH "ENCRYPTING FILE SYSTEM" (continued) Step 13: Select the desired "option button": Slide 72 72 Slide 73 73 ENCRYPTING A FILE OR FOLDER WITH "ENCRYPTING FILE SYSTEM" (continued) Step 14: Click on the "Continue" button of the "Access Denied" dialog box: Slide 74 74 Slide 75 75 ENCRYPTING A FILE OR FOLDER WITH "ENCRYPTING FILE SYSTEM" (continued) Step 15: The "Access Denied" box will disappear. Step 16: The file name(s) of the newly-encrypted file(s) will now be displayed in a green font to indicate that the file(s) is/are encrypted by "Encrypting File System". Slide 76 76 Slide 77 77 USING THE "CERTIFICATE MANAGER" TO EXPORT A NEWLY-CREATED "PUBLIC KEY" AND "PRIVATE KEY" Step 1: Click on the "Start" button in versions of "Windows" prior to "..8" or, for "Windows 8..", hover over the lower-left "Hot Corner" and use the RIGHT mouse" to click on "Run" in the pop-up "Power User Context Menu": Slide 78 78 Slide 79 79 USING THE "CERTIFICATE MANAGER" TO EXPORT A NEWLY-CREATED "PUBLIC KEY" AND "PRIVATE KEY" (continued) Step 2: Use the right mouse button to click on "cmd.exe" in versions of "Windows" prior to "..8" or, for "Windows 8..", use the left mouse button to click on "Command Prompt (Admin) in the pop-up Power User Tasks menu: Slide 80 80 Slide 81 81 USING THE "CERTIFICATE MANAGER" TO EXPORT A NEWLY-CREATED "PUBLIC KEY" AND "PRIVATE KEY" (continued) Step 3: Use the left mouse button to click on "Run as administrator" in versions of "Windows" prior to "..8" or, for "Windows 8..", use the left mouse button to click on the "Yes" button of the "User Account Control" dialog box: Slide 82 82 Slide 83 83 USING THE "CERTIFICATE MANAGER" TO EXPORT A NEWLY-CREATED "PUBLIC KEY" AND "PRIVATE KEY" (continued) Step 4: A command prompt window, will be displayed: Slide 84 84 Slide 85 85 USING THE "CERTIFICATE MANAGER" TO EXPORT A NEWLY-CREATED "PUBLIC KEY" AND "PRIVATE KEY" (continued) Step 5: Inside the command prompt window, type in certmgr.msc Step 6: Press once on the Enter key. Slide 86 86 Slide 87 87 USING THE "CERTIFICATE MANAGER" TO EXPORT A NEWLY-CREATED "PUBLIC KEY" AND "PRIVATE KEY" (continued) Step 7: A "certmgr" Microsoft Management Console window will be displayed: Slide 88 88 Slide 89 89 USING THE "CERTIFICATE MANAGER" TO EXPORT A NEWLY-CREATED "PUBLIC KEY" AND "PRIVATE KEY" (continued) Step 8: Double-click on the Personal group in the right-most pane: Slide 90 90 Slide 91 91 USING THE "CERTIFICATE MANAGER" TO EXPORT A NEWLY-CREATED "PUBLIC KEY" AND "PRIVATE KEY" (continued) Step 9: Double-click on "Certificates" subgroup in the right- most pane: Slide 92 92 Slide 93 93 USING THE "CERTIFICATE MANAGER" TO EXPORT A NEWLY-CREATED "PUBLIC KEY" AND "PRIVATE KEY" (continued) Step 10: Note that you now have a newly-created "Public Key Certificate" in the "Certificates" subgroup of the "Personal" group: Slide 94 94 Slide 95 95 USING THE "CERTIFICATE MANAGER" TO EXPORT A NEWLY-CREATED "PUBLIC KEY" AND "PRIVATE KEY" (continued) Step 11: Note that you now have a newly-created "Public Key Certificate" in the "Certificates" subgroup of the "Personal" group: Slide 96 96 Slide 97 97 USING THE "CERTIFICATE MANAGER" TO EXPORT A NEWLY-CREATED "PUBLIC KEY" AND "PRIVATE KEY" (continued) Step 12: Use the RIGHT mouse button to click on the newly-created "Public Key Certificate": Slide 98 98 Slide 99 99 USING THE "CERTIFICATE MANAGER" TO EXPORT A NEWLY-CREATED "PUBLIC KEY" AND "PRIVATE KEY" (continued) Step 13: Click on "All Tasks" in the pop-up context menu: Slide 100 100 Slide 101 101 USING THE "CERTIFICATE MANAGER" TO EXPORT A NEWLY-CREATED "PUBLIC KEY" AND "PRIVATE KEY" (continued) Step 14: Click on "Advanced Operations" in the secondary context menu: Slide 102 102 Slide 103 103 USING THE "CERTIFICATE MANAGER" TO EXPORT A NEWLY-CREATED "PUBLIC KEY" AND "PRIVATE KEY" (continued) Step 15: A "Certificate Export Wizard" dialog box will be displayed. Step 16: Click on the "Next" button: Slide 104 104 Slide 105 105 USING THE "CERTIFICATE MANAGER" TO EXPORT A NEWLY-CREATED "PUBLIC KEY" AND "PRIVATE KEY" (continued) Step 17: Select the "Yes, export the private key" option. Step 18: Click on the "Next" button: Slide 106 106 Slide 107 107 USING THE "CERTIFICATE MANAGER" TO EXPORT A NEWLY-CREATED "PUBLIC KEY" AND "PRIVATE KEY" (continued) Step 19: Click on the "Next" button: Slide 108 108 Slide 109 109 USING THE "CERTIFICATE MANAGER" TO EXPORT A NEWLY-CREATED "PUBLIC KEY" AND "PRIVATE KEY" (continued) Step 20: Click on the "Next" button: Slide 110 110 Slide 111 111 Slide 112 112 USING THE "CERTIFICATE MANAGER" TO EXPORT A NEWLY-CREATED "PUBLIC KEY" AND "PRIVATE KEY" (continued) Step 21: Type in a password and record it somewhere in a secure manner (such as with "Roboform" or "LastPass"): Slide 113 113 Slide 114 114 USING THE "CERTIFICATE MANAGER" TO EXPORT A NEWLY-CREATED "PUBLIC KEY" AND "PRIVATE KEY"(continued) Step 22: Type in the same password again. Step 23: Click on the "Next" button: Slide 115 115 Slide 116 116 USING THE "CERTIFICATE MANAGER" TO EXPORT A NEWLY-CREATED "PUBLIC KEY" AND "PRIVATE KEY" (continued) Step 24: Click on the "Browse" button: Slide 117 117 Slide 118 118 USING THE "CERTIFICATE MANAGER" TO EXPORT A NEWLY-CREATED "PUBLIC KEY" AND "PRIVATE KEY" (continued) Step 25: Use the "Save As" box to work your way to the hard drive or flash drive location where you wish to place the.PFX file: Slide 119 119 Slide 120 120 Slide 121 121 USING THE "CERTIFICATE MANAGER" TO EXPORT A NEWLY-CREATED "PUBLIC KEY" AND "PRIVATE KEY" (continued) Step 26: When you arrive at the desired location for the.PFX file, type in a name for the.PFX file. Step 27: Click on the "Save" button: Slide 122 122 Slide 123 123 USING THE "CERTIFICATE MANAGER" TO EXPORT A NEWLY-CREATED "PUBLIC KEY" AND "PRIVATE KEY" (continued) Step 28: Click on the "Next" button: Slide 124 124 Slide 125 125 USING THE "CERTIFICATE MANAGER" TO EXPORT A NEWLY-CREATED "PUBLIC KEY" AND "PRIVATE KEY" (continued) Step 29: Click on the "Finish" button: Slide 126 126 Slide 127 127 Slide 128 128 USING THE "CERTIFICATE MANAGER" TO EXPORT A NEWLY-CREATED "PUBLIC KEY" AND "PRIVATE KEY" (continued) Step 30: Click on "OK" button: Slide 129 129 Slide 130 130 USING THE "CERTIFICATE MANAGER" TO EXPORT A NEWLY-CREATED "PUBLIC KEY" AND "PRIVATE KEY" (continued) Step 31: Click on "x" button to close the "certmgr" window: Slide 131 131 Slide 132 132 USING THE "CERTIFICATE MANAGER" TO EXPORT A NEWLY-CREATED "PUBLIC KEY" AND "PRIVATE KEY" (continued) Step 32: Click on "x" button to close the Command Prompt window: Slide 133 133 Slide 134 134 Slide 135 135.PFX file(s) = "Personal Information Exchange" files.PFX file(s) an be moved, copied, renamed, and e-mailed without restrictions..PFX FILE(S) (continued) Slide 136 136 Double-click on it to "Import" the certificate and the private key into any computer or Windows user account. Then you can open/view the associated the EFS-encrypted data file.PFX FILE(S) (continued) Slide 137 137 If your Windows user account or your Windows computer cannot open an EFS-encrypted file, do the following: Step 1: Obtain the.PFX file (from the creator/owner of the EFS- encrypted file) and double-click on the.PFX file: DECRYPTING AN EFS- ENCRYPTED FILE/FOLDER Slide 138 138 Slide 139 139 Slide 140 140 Step 2: Click on the "Next" button of the "Certificate Import Wizard": DECRYPTING AN EFS-ENCRYPTED FILE/FOLDER (continued) Slide 141 141 Slide 142 142 Step 3: Click on the "Next" button: DECRYPTING AN EFS-ENCRYPTED FILE/FOLDER (continued) Slide 143 143 Slide 144 144 Slide 145 145 Step 4: Type in the password for the.PFX file (which you should have obtained from the creator/owner of the EFS-encrypted data file): DECRYPTING AN EFS-ENCRYPTED FILE/FOLDER (continued) Slide 146 146 Slide 147 147 Step 5: Select the "Mark this key as exportable" option. Step 6: Click on the "Next" button: DECRYPTING AN EFS-ENCRYPTED FILE/FOLDER (continued) Slide 148 148 Slide 149 149 Step 7: Click on the "Next" button: DECRYPTING AN EFS-ENCRYPTED FILE/FOLDER (continued) Slide 150 150 Slide 151 151 Step 8: Click on the "Finish" button: DECRYPTING AN EFS-ENCRYPTED FILE/FOLDER (continued) Slide 152 152 Slide 153 153 Step 9: Click on the "OK" button: DECRYPTING AN EFS-ENCRYPTED FILE/FOLDER (continued) Slide 154 154 Slide 155 155 Step 10: If you EFS-encrypted files are inside an EFS-encrypted folder, double-click on the folder to open it: DECRYPTING AN EFS-ENCRYPTED FILE/FOLDER (continued) Slide 156 156 Slide 157 157 Step 11: Double-click on the EFS- encrypted data file to open it: DECRYPTING AN EFS-ENCRYPTED FILE/FOLDER (continued) Slide 158 158 Slide 159 159 Step 12: The EFS-encrypted data file will open with its default associated software application program ("app"): DECRYPTING AN EFS-ENCRYPTED FILE/FOLDER (continued) Slide 160 160 Slide 161 161 DELETED CERTIFICATES STAY IN RAM UNTIL YOU RE-BOOT If you run certmgr.msc to delete a certificate from your computer's hard drive, the certificate will stay active in RAM, so you have to re-boot to flush out the active certificate. Slide 162 162 OPTIONS IN "ACRONIS TRUE IMAGE.." FOR BACKING UP HARD DRIVES THAT CONTAIN EFS-ENCRYPTED FILES According to http://www.acronis.com/support/ documentation/ATIH2012/index. html#267.html: http://www.acronis.com/support/ documentation/ATIH2012/index. html#267.html Slide 163 163