EFS encryption, armor plate for important files

Text/figure zhangbin
EFS (Encrypting File System, encrypted File System) is a practical function unique to Windows 2000/XP. For files and data on NTFS volumes, You can encrypt and save them through the operating System, this greatly improves data security.

How EFS is encrypted and decrypted
If you use EFS for the first time, the system generates a certificate for EFS encryption, including a pair of keys, that is, the public key of the user and the private key of the user.
When you want to encrypt a file, the system will randomly generate a key for encryption, and then use this key to perform symmetric encryption on the file. After the file is encrypted, the system uses the user public key generated at the beginning to encrypt the random key, and then uses the encrypted result as the file header storage, as shown in 1.

Figure 1
When you want to view EFS encrypted files, use the generated private key to decrypt the file header and obtain the key for encrypting the file body, then use the obtained key to decrypt the body, as shown in figure 2.

Figure 2

Use of EFS
So, how to use EFS for encryption? Right-click a file or folder, click "advanced options" on the "General" tab, select "encrypt content to protect data", and click "OK". The folder is displayed in green.

Figure 3
My encrypted file is under the administrator user. Let's add a user named test, log on to the computer with test, open the encrypted folder, and click any file in it, a message is displayed, as shown in figure 4.

Figure 4
If you want to cancel encryption, remove the "encrypted content to protect data" check box under the same account.
Efsencryption and retrieval encryption can also be performed in the command line. This command uses cipher.exe. The specific command parameters can use "cipher /?" . Encrypt a file as the "cipher/a/e path" and decrypt the "cipher/a/d path" of a file ", use "cipher/a/e/s: path" to encrypt all files and folders in the directory, and use "cipher/d/e/s: path ", where the path can be a folder or a file.

EFS backup
If the user's system crashes or the user's configuration is damaged, and the user does not take any EFS protection measures, All EFS encrypted files will not be opened, so after EFS is enabled, EFS must be protected.
There are two main protection methods: Back up the user's certificate and create an EFS recovery proxy (the domain administrator defaults to the EFS recovery proxy for the domain in the domain environment ). The backup user certificate is mainly used to restore data after the system is re-installed. The EFS recovery proxy is mainly used when a user's configuration file is damaged and cannot be opened. Next I will talk about how to back up user certificates and create an EFS recovery proxy.
1) Back up User Certificates
Enter MMC during running, click "add or delete Management Unit" in the file option, and click "add, in the "ADD management unit" dialog box that appears, select "certificate", as shown in Figure 5. If the user is in the Administrator Group, a window appears asking you to select the certificate type, as shown in figure 6. Select "My User Account" here ". The interface shown in 7 is displayed. Export the certificate about the encrypted file system under the personal certificate. Right-click the certificate, select "Export" from all tasks, select "Export" from whether to export the private key, and then follow the prompts to export the certificate step by step.

Figure 5

Figure 6

Figure 7

The exported key and password must be saved. Otherwise, the exported key and password will be imported to the user certificate of another user to open the EFS encrypted file.
The process for importing a certificate is the same as the method described above. Select "import" for the personal certificate. When selecting the certificate import path, note that the default file type is "X.509 Certificate ", change it to "Personal Information Exchange" to see the certificate with the private key that you just exported. Then, enter the private key that you entered when exporting the certificate.
2) create an EFS recovery proxy
Enter "cipher/R: path" in the command prompt line. After the command is executed, two files are generated, one is the CER file, the other is the PFX file, and the other is the PFX file, as shown in 8. The following shows how to import the CER file to the EFS recovery agent in the local security settings.

Figure 8
Open the local security settings in "Control Panel-> Administrative Tools", select "add data recovery proxy" in "Public Key Policy", select the path to store the CER file, and import the CER file, after the import is successful, an additional certificate is displayed. Then, import PFX to the user's personal certificate storage area. The steps are similar to the above, so we will not describe it. After the import is successful, you can see that the personal certificate area has an additional certificate about file recovery.
Then, you can see the result shown in 9 in the properties of the User-encrypted file. The two certificates must also be saved for future use.

Figure 9
To use the EFS recovery proxy, you can cancel the folder or file encryption attribute and view the file content. The specific usage is to find a file or folder to be restored, and then cancel the encryption of the file.

EFS tips
If you are worried that files cannot be opened because you reinstall the system after using EFS, you can disable EFS.
1) Disable folder EFS encryption
Create a new file DESKTOP. INI in the folder you want to disable EFS encryption. The content is:

[Encryption]
Disable = 1

If the file already exists, add the above content, and then the result shown in 10 will be displayed when the file is encrypted.

Figure 10
2) Disable Working Group machines for EFS
Open the registry, find HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionEFS, and choose to create a New DWORD Value named EFSCONFIGURATION with a value of 1.
3) Disable EFS file encryption in the domain environment
Create a new group policy, press edit, expand the Group Policy, select "Windows Settings-> Security Settings-> Public Key policy-> Encrypted File System", right-click "encrypted file system ", select "content" and then select "allow users to encrypt files by using the encryption system.

EFS considerations
Before using EFS, you must pay attention to the following points: EFS encryption files must be in the NTFS format; EFS encryption files and documents will be displayed in green; EFS and NTFS compression cannot be used at the same time; EFS encryption uses files as the processing unit, not folders as the processing unit. When the user of the encrypted file changes the password, files encrypted with previous passwords cannot be opened (If you enable classic logon in Windows XP, you can use Ctrl + Alt + Dell to change the password ).
Finally, I hope this article will help you use EFS encryption and make your data more secure in the future.