HANDOUT - Encryption 204.02

ENCRYPTION TECHNIQUES

Encryption puts data into code that must be translated before it can be accessed. Encryption can be accomplished using a variety of techniques within the operating system.

BitLocker Encryption

In the Ultimate and Enterprise versions of Vista and Windows 7, BitLocker Drive Encryption can be used to help protect all files stored on the drive that Windows is installed on and on any other fixed disk drive. In addition, BitLocker To Go can be used to protect files stored on external hard drives or flash drives.

NOTE: BitLocker is not available in Windows XP or earlier.

BitLocker encrypts the entire drive, not just files or folders. Any new files or folders added to a BitLocker drive are automatically encrypted. Files remain encrypted only while they are stored on the encrypted drive. Files copied to another drive or computer are decrypted. If you share files with other users through a network, these files are encrypted while stored on your encrypted drive, but they can be accessed normally by authorized users.

If you encrypt the operating system drive, BitLocker checks the computer during startup for any conditions that could represent a security risk (for example, a change to the BIOS or changes to any startup files). If a potential security risk is detected, BitLocker will lock the operating system drive and require a special BitLocker recovery key to unlock it. Make sure that you create this recovery key when you turn on BitLocker for the first time; otherwise, you could permanently lose access to your files.

If your computer has the Trusted Platform Module (TPM) chip, BitLocker uses it to seal the keys that are used to unlock the encrypted operating system drive. When you start your computer, BitLocker asks the TPM for the keys to the drive and unlocks it.

If you encrypt data drives (fixed or removable), you can unlock an encrypted drive with a password or a smart card, or you can set the drive to automatically unlock when you log on to the computer. You can turn off BitLocker at any time, either temporarily by suspending it, or permanently by decrypting the drive.

Encrypting File System (EFS)

Encrypting File System (EFS) is a feature of Windows that you can use to store information on your hard disk in an encrypted format. EFS encrypts ONLY files and folders, not an entire drive.

Some key features of EFS:

- Encrypting is simple. Just select a checkbox in the file or folder's properties to turn it on.
- You have control over who can read the files.
- Files are encrypted when you close them, but they are automatically ready to use when you open them.
- If you change your mind about encrypting a file, clear the checkbox in the file's properties.

NOTE: EFS is only available in the Ultimate or Business Editions of Vista and Windows 7 and in XP Professional. Home Editions can decrypt files and modify encrypted files by using cipher.exe in a command prompt.

EFS cannot encrypt Windows system files, and the EFS recovery key is stored on the local computer. These two weaknesses can be offset by using BitLocker in conjunction with EFS and by moving the EFS recovery key to an external drive.
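The following script is an added example, not part of the original handout. It shows the two safeguards the handout calls for from the command line rather than the Properties dialog: confirming that a BitLocker recovery password exists for the operating system drive before relying on the TPM alone, and backing up the EFS certificate and private key off the local computer. It uses the built-in manage-bde.exe and cipher.exe tools and assumes an elevated PowerShell session on Windows 7 or later with BitLocker available; the drive letters and folder paths are placeholders.

```powershell
# Added example (not from the handout). Assumes an elevated PowerShell session.
# Placeholders: adjust $OsDrive, $BackupTarget and $PrivateFolder to your system.
$OsDrive       = 'C:'
$BackupTarget  = 'E:\efs-backup'                      # assumption: an external drive, not the OS drive
$PrivateFolder = "$env:USERPROFILE\Documents\Private"  # assumption: folder to protect with EFS

# 1. Show BitLocker status for every volume (protection on/off, encryption %, key protectors).
manage-bde -status

# 2. List the key protectors on the OS drive. A "Numerical Password" entry is the
#    48-digit recovery password the handout says you must create; "TPM" alone is not enough,
#    because a BIOS or boot-file change will lock the drive and demand that password.
$protectors = manage-bde -protectors -get $OsDrive
$protectors

# 3. If no recovery password protector exists, add one. manage-bde prints the password;
#    record it somewhere other than this drive (e.g. print it or save it to $BackupTarget).
if (-not ($protectors -match 'Numerical Password')) {
    manage-bde -protectors -add $OsDrive -RecoveryPassword
}

# 4. Encrypt a folder with EFS. /e encrypts, /s: applies the operation to the folder and
#    all subfolders; files added later inherit encryption automatically.
New-Item -ItemType Directory -Path $PrivateFolder -Force | Out-Null
cipher.exe /e /s:"$PrivateFolder"

# 5. Back up the current user's EFS certificate and private key as a password-protected
#    .pfx on the external drive. cipher /x prompts for the password and appends .pfx to the
#    name given. Without this backup, losing the profile or reinstalling Windows makes the
#    encrypted files unrecoverable, which is the local-key weakness the handout describes.
New-Item -ItemType Directory -Path $BackupTarget -Force | Out-Null
cipher.exe /x "$BackupTarget\efs-key"
```

Run it once after turning on BitLocker and EFS, then keep the .pfx and the printed recovery password together on the external drive rather than on the encrypted computer; to suspend or remove BitLocker later, use manage-bde -pause, -resume or -off against the same drive letter.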