USING "ENCRYPTING FILE SYSTEM" TO PROTECT FILES AND FOLDERS IN "WINDOWS.."

Web location for this presentation: http://aztcs.org
Click on "Meeting Notes"

SUMMARY
Many of the "editions" of "Windows 2000", "Windows XP", "Windows Vista", "Windows 7", and "Windows 8" have the "Encrypting File System" (EFS) for securing files and/or folders inside NTFS hard drive partitions.

TOPICS
• Basics of Encrypting File System
• "EFS" versus "BitLocker"
• "Encrypting File System" Service
• Using the "Certificate Manager" to Check for Existing Personal "Public Key Certificates"
• Encrypting a File or Folder with EFS
• Using the "Certificate Manager" to Export a Newly-Created Public Key and Private Key
• .PFX "Personal Information Exchange" files
• Decrypting an EFS-encrypted file/folder
• Deleted Certificates Stay in RAM and Are Active Until You Reboot

BASICS OF EFS
• The "Encrypting File System" (EFS) is a feature of "NTFS" hard drives (and partitions) for many editions of "Windows 2000" through "Windows 8".
• When viewed in "Windows Explorer" ("File Explorer"), a folder that contains only "Encrypting File System"-encrypted files will have its name in green text.
• When viewed in "Windows Explorer" ("File Explorer"), a file that is encrypted by "Encrypting File System" will have its name in green text.
• Another user on the same computer will be unable to open/view the EFS-protected file.
• If someone takes your hard drive, and puts it into an external hard drive enclosure and attaches the enclosure to their own computer, they will be unable to open/view the EFS-protected file.
• In EFS, "public key certificates", "private keys", and passwords to control the various keys all work together to give you "two factor authentication".
• The advantages of having certificates are detailed in http://www.trustico.com/material/Techpaper_10_Best_Practices_Securing_Your_Enterprise.pdf#page=6 and http://serverfault.com/questions/182980/how-is-using-client-certificates-more-secure-than-tls-plus-basic-authentication
• According to http://en.wikipedia.org/wiki/Encrypting_File_System, Encrypting File System (EFS) is available for the following editions of "Windows..":
• "Windows Vista Starter", "..Home Basic", and "..Home Premium" allow only decryption--so you can read encrypted files but you cannot encrypt them, according to http://pcworld.about.net/od/encryption1/The-Simple-Way-to-Keep-Your-Pr.htm
• For "Windows Vista Starter", "..Home Basic", and "..Home Premium" you can decrypt EFS-encrypted files using the cipher command line command. See http://windows.microsoft.com/is-IS/windows-vista/What-is-Encrypting-File-System-EFS
• "Windows 7 Starter", "..Home Basic", and "..Home Premium" allow only decryption--so you can read encrypted files but you cannot encrypt them.
• For "Windows 7 Starter", "..Home Basic", and "..Home Premium" you can decrypt EFS-encrypted files using the cipher command line command.
• See http://answers.microsoft.com/en-us/windows/forum/windows_7-windows_programs/cipherexe-returns-error-the-request-is-not/9d5cb3fc-d092-4551-bc9f-f62dbd46f37c?msgId=5ad136ca-dedf-4013-8f1c-81627b907895
• "Encrypting File System" is also available for NTFS drives/partitions for the "..Pro" and "..Enterprise" editions of "Windows 8".
• "Encrypting File System" will not be available for the "..RT" or "Windows 8" editions of "Windows 8".
• Reference: http://en.wikipedia.org/wiki/Windows_8_editions#Comparison_chart

"EFS" VERSUS "BITLOCKER"
• "BitLocker" is used to encrypt entire hard drives or hard drive partitions while "Encrypting File System" is used to encrypt individual data files and/or folders.
• "EFS" causes less of a performance reduction on your Windows computer.
• See http://www.lockergnome.com/windows/2012/04/25/bitlocker-vs-efs/

"ENCRYPTING FILE SYSTEM"
SERVICE MUST BE SET TO
"MANUAL" OR "AUTOMATIC"
• In order to encrypt or decrypt a file or folder, the "Encrypting File System" service has to be set to "Manual" or "Automatic". You can run services.msc from any search box or "Run" box in "Windows.." to turn it on:
• Step 1: Click on the "Start" button in versions of "Windows" prior to "..8" or, for "Windows 8..", hover over the lower-left "Hot Corner" and use the RIGHT mouse button to click on "Run" in the pop-up "Power User Context Menu".
• Step 2: Type in services.msc
• Step 3: Press once on the Enter key.
• Step 4: A "Services" Microsoft Management Console window will be displayed.
• Step 5: Use the vertical scroll bar on the right to scroll downward until you locate the "Encrypting File System" service.
• Step 6: Use your RIGHT mouse button to click on it.
• Step 7: A pop-up context menu will be displayed.
• Step 8: Click on "Properties" in the pop-up context menu.
• Step 9: A "Properties" dialog box will be displayed.
• Step 10: Make sure that "Startup type" is set to "Manual" or "Automatic". "Manual" is preferable.
• Step 11: Click on the "Apply" button if it is not grayed out.
• Step 12: Close the "Properties" dialog box.
• Step 13: Close the "Services" Microsoft Management Console window.

USING THE "CERTIFICATE MANAGER" TO CHECK FOR EXISTING PERSONAL "PUBLIC KEY CERTIFICATES"
• Step 1: Click on the "Start" button in versions of "Windows" prior to "..8" or, for "Windows 8..", hover over the lower-left "Hot Corner" and use the RIGHT mouse button to click on "Run" in the pop-up "Power User Context Menu".
• Step 2: Use the right mouse button to click on "cmd.exe" in versions of "Windows" prior to "..8" or, for "Windows 8..", use the left mouse button to click on "Command Prompt (Admin)" in the pop-up Power User Tasks menu.
• Step 3: Use the left mouse button to click on "Run as administrator" in versions of "Windows" prior to "..8" or, for "Windows 8..", use the left mouse button to click on the "Yes" button of the "User Account Control" dialog box.
• Step 4: A command prompt window will be displayed.
• Step 5: Inside the command prompt window, type in certmgr.msc
• Step 6: Press once on the Enter key.
• Step 7: A "certmgr" Microsoft Management Console window will be displayed.
• Step 8: Double-click on the Personal group in the right-most pane.
• Step 9: Double-click on the "Certificates" subgroup in the right-most pane.
• Step 10: Note that you presently have no "Public Key Certificates" or subgroups in the "Personal" group.

ENCRYPTING A FILE OR FOLDER WITH "ENCRYPTING FILE SYSTEM"
• Step 1: Start "Windows Explorer" ("File Explorer").
• Step 2: Locate or create the folder or file that you want to encrypt.
• Step 3: Use the RIGHT mouse button to click on it.
• Step 4: A pop-up context menu will be displayed.
• Step 5: Click on "Properties".
• Step 6: A "..Properties" dialog box will be displayed.
• Step 7: Click on the "Advanced" button.
• Step 8: An "Advanced Attributes" box will be displayed.
• Step 9: Put in a checkmark for "Encrypt contents to secure data".
• Step 10: Click on the "OK" button.
• Step 11: The "Advanced Attributes" box will disappear.
• Step 12: Click on the "Apply" button of the "..Properties" dialog box, if the "Apply" button is not grayed out.
• Step 13: Select the desired "option button".
• Step 14: Click on the "Continue" button of the "Access Denied" dialog box.
• Step 15: The "Access Denied" box will disappear.
• Step 16: The file name(s) of the newly-encrypted file(s) will now be displayed in a green font to indicate that the file(s) is/are encrypted by "Encrypting File System".

USING THE "CERTIFICATE MANAGER" TO EXPORT A NEWLY-CREATED "PUBLIC KEY" AND "PRIVATE KEY"
• Step 1: Click on the "Start" button in versions of "Windows" prior to "..8" or, for "Windows 8..", hover over the lower-left "Hot Corner" and use the RIGHT mouse button to click on "Run" in the pop-up "Power User Context Menu".
• Step 2: Use the right mouse button to click on "cmd.exe" in versions of "Windows" prior to "..8" or, for "Windows 8..", use the left mouse button to click on "Command Prompt (Admin)" in the pop-up Power User Tasks menu.
• Step 3: Use the left mouse button to click on "Run as administrator" in versions of "Windows" prior to "..8" or, for "Windows 8..", use the left mouse button to click on the "Yes" button of the "User Account Control" dialog box.
• Step 4: A command prompt window will be displayed.
• Step 5: Inside the command prompt window, type in certmgr.msc
• Step 6: Press once on the Enter key.
• Step 7: A "certmgr" Microsoft Management Console window will be displayed.
• Step 8: Double-click on the Personal group in the right-most pane.
• Step 9: Double-click on the "Certificates" subgroup in the right-most pane.
• Step 10: Note that you now have a newly-created "Public Key Certificate" in the "Certificates" subgroup of the "Personal" group.
• Step 11: Note that you now have a newly-created "Public Key Certificate" in the "Certificates" subgroup of the "Personal" group.
• Step 12: Use the RIGHT mouse button to click on the newly-created "Public Key Certificate".
• Step 13: Click on "All Tasks" in the pop-up context menu.
• Step 14: Click on "Advanced Operations" in the secondary context menu.
• Step 15: A "Certificate Export Wizard" dialog box will be displayed.
• Step 16: Click on the "Next" button.
• Step 17: Select the "Yes, export the private key" option.
• Step 18: Click on the "Next" button.
• Step 19: Click on the "Next" button.
• Step 20: Click on the "Next" button.
• Step 21: Type in a password and record it somewhere in a secure manner (such as with "Roboform" or "LastPass").
• Step 22: Type in the same password again.
• Step 23: Click on the "Next" button.
• Step 24: Click on the "Browse" button.
• Step 25: Use the "Save As" box to work your way to the hard drive or flash drive location where you wish to place the .PFX file.
• Step 26: When you arrive at the desired location for the .PFX file, type in a name for the .PFX file.
• Step 27: Click on the "Save" button.
• Step 28: Click on the "Next" button.
• Step 29: Click on the "Finish" button.
• Step 30: Click on the "OK" button.
• Step 31: Click on the "x" button to close the "certmgr" window.
• Step 32: Click on the "x" button to close the Command Prompt window.

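The service check, the encryption step and the key export described in the three procedures above can also be done from PowerShell. This is an added example, not part of the original presentation; it assumes Windows 8 or later (for the PKI module's Export-PfxCertificate), and the two paths and the helper name Get-EfsCertificate are hypothetical.

```powershell
# Added example (not from the presentation). Assumes Windows 8 or later with the
# PKI module, run as the user who owns the files. Paths below are hypothetical.
$Target  = 'C:\Users\Public\Documents\efs-demo.txt'
$PfxPath = 'E:\efs-key-backup.pfx'
$EfsOid  = '1.3.6.1.4.1.311.10.3.4'   # "Encrypting File System" enhanced key usage

# Service check: the "Encrypting File System" service (short name EFS) must not
# be Disabled. Changing the startup type needs an elevated prompt.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='EFS'"
if ($svc.StartMode -eq 'Disabled') {
    Set-Service -Name EFS -StartupType Manual
}

# Certificates in the current user's "Personal" store that are usable for EFS
# and have a private key on this machine.
function Get-EfsCertificate {
    Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $EfsOid)
    }
}
"EFS certificates before encrypting: $(@(Get-EfsCertificate).Count)"

# Encrypt the file (same effect as ticking "Encrypt contents to secure data").
if (-not (Test-Path -Path $Target)) {
    Set-Content -Path $Target -Value 'constructed sample data'
}
(Get-Item -Path $Target).Encrypt()
$attrs = (Get-Item -Path $Target).Attributes
if (-not ($attrs -band [System.IO.FileAttributes]::Encrypted)) {
    throw "$Target is not EFS-encrypted (NTFS volume and EFS-capable edition required)."
}

# Windows creates the certificate on first use; pick the newest one.
$cert = Get-EfsCertificate | Sort-Object -Property NotBefore -Descending |
    Select-Object -First 1
if (-not $cert) { throw 'No EFS certificate with a private key was found.' }
"Exporting certificate $($cert.Thumbprint), valid until $($cert.NotAfter)"

# Export certificate + private key to a password-protected .PFX file.
$password = Read-Host -AsSecureString -Prompt 'Password for the .PFX file'
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $password | Out-Null
"Wrote $PfxPath. Store it and its password away from the encrypted drive."
```
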
.PFX FILE(S)
• .PFX file(s) = "Personal Information Exchange" files
• .PFX file(s) can be moved, copied, renamed, and e-mailed without restrictions.
• Double-click on it to "Import" the certificate and the private key into any computer or Windows user account. Then you can open/view the associated EFS-encrypted data file.

DECRYPTING AN EFS-ENCRYPTED FILE/FOLDER
If your Windows user account or your Windows computer cannot open an EFS-encrypted file, do the following:
• Step 1: Obtain the .PFX file (from the creator/owner of the EFS-encrypted file) and double-click on the .PFX file.
• Step 2: Click on the "Next" button of the "Certificate Import Wizard".
• Step 3: Click on the "Next" button.
• Step 4: Type in the password for the .PFX file (which you should have obtained from the creator/owner of the EFS-encrypted data file).
• Step 5: Select the "Mark this key as exportable" option.
• Step 6: Click on the "Next" button.
• Step 7: Click on the "Next" button.
• Step 8: Click on the "Finish" button.
• Step 9: Click on the "OK" button.
• Step 10: If your EFS-encrypted files are inside an EFS-encrypted folder, double-click on the folder to open it.
• Step 11: Double-click on the EFS-encrypted data file to open it.
• Step 12: The EFS-encrypted data file will open with its default associated software application program ("app").

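The import steps above, followed by a check that the imported key is actually one the file was encrypted to, as an added PowerShell example that is not part of the original presentation. It assumes Windows 8 or later (PKI module), hypothetical paths, and that "cipher /c" prints certificate thumbprints as space-separated hex groups.

```powershell
# Added example (not from the presentation). Assumes Windows 8 or later with the
# PKI module. $PfxPath and $Target are hypothetical paths.
$PfxPath = 'E:\efs-key-backup.pfx'
$Target  = 'D:\Shared\efs-demo.txt'

# Import certificate + private key into the current user's "Personal" store.
# Add -Exportable only if this account should be able to export the key again
# (the wizard's "Mark this key as exportable" option).
$password = Read-Host -AsSecureString -Prompt 'Password for the .PFX file'
$imported = Import-PfxCertificate -FilePath $PfxPath -Password $password `
    -CertStoreLocation Cert:\CurrentUser\My
"Imported $($imported.Thumbprint), private key present: $($imported.HasPrivateKey)"

# "cipher /c" lists the certificates allowed to decrypt the file. Assumption:
# thumbprints are printed as space-separated hex groups, so whitespace is
# stripped from each line before matching 40 hex digits.
$allowed = (cipher /c $Target) -replace '\s', '' |
    Select-String -Pattern '[0-9A-Fa-f]{40}' -AllMatches |
    ForEach-Object { $_.Matches } |
    ForEach-Object { $_.Value.ToUpper() }

if ($allowed -contains $imported.Thumbprint) {
    'The imported certificate is one of the keys this file was encrypted to.'
} else {
    Write-Warning 'The file was not encrypted to this certificate; ask the owner for the right .PFX.'
}

# Final check: try to read the first line of the file as the current user.
try {
    Get-Content -Path $Target -TotalCount 1 -ErrorAction Stop | Out-Null
    "$Target opens for $env:USERNAME."
} catch {
    Write-Warning "Still cannot read ${Target}: $($_.Exception.Message)"
}
```
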
DELETED CERTIFICATES STAY IN
RAM UNTIL YOU RE-BOOT
• If you run certmgr.msc to delete a certificate from your computer's hard drive, the certificate will stay active in RAM, so you have to re-boot to flush out the active certificate.

OPTIONS IN "ACRONIS TRUE IMAGE.."
FOR BACKING UP HARD DRIVES THAT
CONTAIN EFS-ENCRYPTED FILES
• According to http://www.acronis.com/support/documentation/ATIH2012/index.html#267.html: