File encryption in Windows XP and Its Usage

Windows XP file encryption is powerful and easy to use, so many users use it to protect their important files. However, most users are not familiar with this function and often encounter problems when using it. In the "Computer Hospital" of this magazine, we frequently receive comments from readers. Therefore, here, CHIP will introduce you in detail how to use this function.

Microsoft has built the file encryption function in windows, which was subsequently transplanted to WinXP. With this function, you can simply click a few mouse clicks to encrypt the specified file or folder, in addition, after encryption, we can still access and use them as conveniently as before encryption, which is very convenient. In addition, even if hackers intrude into the system after encryption, they have full control over the access to files and still cannot read these files and folders.

However, the simple and powerful file encryption feature has also plagued many users. Because it is easy to use, many users are happy to use it to protect their important files. However, most users lack real understanding of this function, during use, problems such as leaks and undecryption occur frequently. encrypted files are often important files with a huge impact. For this reason, I have specially sorted out some related knowledge and usage skills for this function to share with you.

　　Encrypt and decrypt files and folders

Users of Windows2000 series, WinXP Professional Edition, and Windows2003 can use the built-in file encryption function, but the premise is that the disk where the files and folders to be encrypted are located must adopt the NTFS file system. At the same time, it should be noted that the encryption and decryption function does not work at startup, so the system files or files in the system directory cannot be encrypted, if files in the operating system installation directory are encrypted, the system cannot be started. In addition, the NTFS file system provides a File compression function that allows users to access files and folders as easily as before compression. However, this function cannot be used together with the file encryption function, this limit does not apply to files compressed by ZIP, RAR, or other compression software.

During encryption, you only need to right-click the file or folder to be encrypted, select "properties", and click "advanced" on the "General" tab of the "properties" dialog box, in the "Advanced properties" dialog box, select the "encrypt content to protect data" check box and confirm that the file can be encrypted. If the folder is encrypted, the "Confirm attribute change" dialog box is displayed, asking you to encrypt the selected folder, encrypted folder, subfolders, and files. The decryption steps are the opposite of encryption. You only need to clear the selected tag on the "encrypt content to protect data" check box in the "Advanced properties" dialog box (1 ), when decrypting a folder, the "Confirm attribute change" dialog box will also pop up asking you to confirm the scope of the decryption operation application.

Figure 1

After encryption, you can directly open and edit a file, or copy or paste the file, in addition, new files created in the encrypted folder or files copied from other folders are automatically encrypted. The name of the encrypted file and folder will be displayed in light green by default. if the name of the encrypted file and folder on your computer is not displayed in color, you can click "My Computer | tools | Folder Options", and then click the "View" tab in the "Folder Options" dialog box, select the "display encrypted or compressed NTFS files in color" check box.

　　Grant or revoke permissions from other users

If necessary, you can grant other users full access to the encrypted files, but you must understand that Windows uses a key-based encryption solution, this is the first time a user uses this function to create an encryption key for the user. Therefore, the user you want to grant permissions to must have used the system encryption function, otherwise, the permission cannot be granted to the other party. The built-in file encryption function in Windows only allows other users to have full access to encrypted files, but does not allow the permission to encrypt folders to other users.

To grant or revoke the access permissions of other users to encrypted files, right-click the encrypted file and select "properties ", on the "General" tab of the "properties" dialog box, click "advanced" and click "details" in the "Advanced properties" dialog box, you can use the "add" and "delete" buttons to add or delete other users who can access the file.

　　Backup key

Many readers can no longer access the files and folders they encrypted after the system failure or system re-installation, and ask for help from the "Computer hospital. However, it is too late. The built-in encryption function of Windows is closely related to the user's account, and the user keys used for decryption are stored in the system, any operation or failure that causes user account changes may cause a disaster. To avoid such a situation, you must take precautions to back up the encryption key immediately after using the encryption function.

The backup key operation is not complex. You only need to click "Start | run" and type "certmgr. msc open the Certificate Manager, and click console in the left-side window to open "certificate" in "individual" under "Certificate-current user ", right-click the certificate whose "expected purpose" is "Encrypted File System" in the right window and point to "all tasks | export ", the system will open the certificate export Wizard to guide you through the operation. The Wizard will ask you if you need to export the private key. You should select export private key ", enter the password to protect the exported private key as required by the wizard, and then select the location of the exported file.

We recommend that you store exported certificates on disks other than the system disk to avoid overwriting the backup certificates when restoring the system using software such as disk images. After the backup, when the encrypted file account is faulty or you need to access or decrypt the previously encrypted file after the system is re-installed, you only need to right-click the backup certificate, select "Install PFX". The "Certificate import wizard" will pop up to guide you. You only need to enter the password used to protect the backup certificate when you export the certificate, then select the wizard "automatically select the certificate storage area based on the certificate type" to complete the operation. After that, you can access the previous encrypted file.

　　Restore proxy

If you are using multiple accounts at the same time or share a computer with other users, and are worried about changing the account or encrypting files in other accounts, you can consider specifying a file fault recovery agent, the recovery proxy can decrypt all files encrypted by the built-in encryption function in the system. It is generally used by the network administrator to handle file faults on the network and enable the Administrator to decrypt work data encrypted by the employee after the employee leaves office. In Win2000, the default Administrator is the recovery proxy. On WinXP, you must specify the proxy if you want to recover the proxy. However, you must note that the recovery proxy can only decrypt the files encrypted after the specified recovery proxy. Therefore, you should specify the recovery proxy before everyone starts to use the encryption function.

If your computer is in the enterprise network, contact the Administrator to check whether a fault recovery policy has been developed. If you are only using a separate computer, you can follow the steps below to restore the proxy. First, you need to log on to the user account designated as the recovery agent and apply for a fault recovery certificate. The user must be an administrator or a member of the Management Group with administrator privileges. After logging on to a computer on the enterprise network, you can use the "Certificate Manager" described above to apply to the server in "apply for a new certificate" in "Use Task. On your PC, you must click "Start | attachment | command prompt" and type "cipher/r: c: efs.txt”(efs.txt can be any file) in the command line window ), the command line window will prompt you to enter the password to protect the certificate and generate the certificate we need. The generated certificate is a PFX file and a CER file. Right-click the PFX file and select "Install PFX ", in the "Certificate import wizard" that appears, select "automatically select a certificate storage area based on the certificate type" to import the certificate.

Next, click Start | run and type gpedit. msc opens the Group Policy Editor. On the left-side console, click Local Computer Policy | Computer Configuration | Windows Settings | Security Settings | public key policy | encrypted file system ", in the right-side window, right-click and select "add data recovery proxy" (2). In the displayed "add data recovery proxy wizard", browse and select the CER file in the generated certificate, after you enter the password for certificate protection, the wizard imports the certificate to restore the proxy. After that, you only need to use the account designated as the recovery proxy to log on to the system to decrypt all files encrypted after the specified recovery proxy.

　　Disable Encryption

In an environment where multiple users share a computer, we usually designate other users as normal users and restrict them from using certain functions. However, since normal user accounts allow Encryption by default, therefore, it is often difficult to use computers shared by multiple users. If you are worried that other users on your computer may unencrypt files on the disk, you can set a folder to disable encryption or disable file encryption.

If you want to Disable Encryption for a folder, you can edit a text file that contains "[Encryption]" and "Disable = 1" lines and name it "Desktop. ini, put it in a folder that does not want to be encrypted. When other users try to encrypt the folder, the system will prompt you That the folder encryption function is disabled. However, you can only use this method to prevent other users from encrypting the folder. subfolders in the folder will not be protected.

If necessary, you can also completely disable file encryption. in Win2000, you only need to log on to the Administrator and run "secpol. msc opens the Policy Editor, right-click "Security Settings | public key policy | Encrypted File System" on the left console, and select "properties ", in the Properties dialog box, clear the selected tag on the "allow users to use file encryption system (EFS) to encrypt files" check box and restart the computer. In WinXP, there are also corresponding options, but they do not actually work. You need to edit the Registry to disable the file encryption function. Click "Start | run" and then click "register regedit.exe" to open the Registry Editor. Click "HKEY_LOCAL_MACHINESOFTWAREMicrosoft Windows NTCurrentVersionEFS" and Right-click to create a "DWORD" value, double-click the new value and assign the value "1". close the registry and restart the computer. In this way, when other users attempt to use the file encryption function, the system will prompt that the encryption function has been disabled (3 ).

Figure 3

　　Prevent leaks

Due to lack of understanding about the file encryption function, many readers are skeptical about whether the function can actually be used.