Making data more secure: six tricks for EFS encryption

Source: Internet
Author: User

Users of Windows 2000/XP/Server 2003 have probably heard of EFS or come across it. However, because it is complex and a mistake can cost you your data, many people do not use it. In fact, EFS is not as difficult as it seems. The key is to get hands-on with it and master a few essential tricks.

Glossary

EFS: Encrypting File System. It encrypts files and folders stored on NTFS disk volumes.

NTFS: A disk format supported by Windows 2000/XP/2003 that provides management and security features such as network support, disk quotas, and file encryption. Its support for file encryption gives users a high level of security assurance.

MMC: Short for Microsoft Management Console, an integrated tool for managing networks, computers, services, and other system components. MMC does not perform management functions itself; it hosts management tools. The main type of tool that can be added to a console is called a snap-in. Other items that can be added include ActiveX controls, links to Web pages, folders, taskpad views, and tasks.

Because EFS authenticates the user as part of Windows logon, an authorized user only needs to log on to Windows to open any encrypted file they are authorized for. EFS is therefore transparent to users: if you encrypt some data, your own access to it is not restricted, no prompts appear, and you will not notice EFS at all. When other, unauthorized users attempt to access the encrypted data, however, they receive an "Access Denied" error message, which protects the encrypted files.

TIPS:

  To encrypt files with EFS, the partition that holds them must be formatted as NTFS under Windows 2000/XP/Server 2003.

Practice 1: Encrypt a folder with EFS

  Step 1: Right-click the folder to be encrypted and select "Properties". On the "General" tab of the window that opens, click "Advanced" at the bottom, and under "Compress or Encrypt attributes" select "Encrypt contents to secure data" (Figure 1).


Figure 1

Step 2: Click "OK" to return to the folder properties, then click "Apply". The "Confirm Attribute Changes" window appears. Select "Apply changes to this folder, subfolders and files" and click "OK" to encrypt. From now on, the existing files and subfolders in this folder, and any new ones created in it, are encrypted automatically.

Step 3: To remove encryption, right-click the folder, clear the "Encrypt contents to secure data" check box, and click "OK".

Tips

  From the command line you can also use the "cipher" command to encrypt and decrypt data. Type "cipher /?" and press Enter to list the available parameters.

Practice 2: Right-click to easily encrypt and decrypt data

  Repeating the steps above every time you want to encrypt a file is tedious. By modifying the registry you can add "Encrypt" and "Decrypt" options to the right-click menu and do the job with a single click. Click Start > Run, enter regedit, and press Enter to open Registry Editor. Locate [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced], click "New > DWORD Value" on the "Edit" menu, enter EncryptionContextMenu as the value name, and set its data to "1". Exit Registry Editor, open Windows Explorer, and right-click any file or folder on an NTFS partition. The encryption and decryption options now appear in the right-click menu; click one to encrypt or decrypt (Figure 2).


Figure 2

Practice 3: Prohibit encryption of specific folders on multi-user computers

  When several users share a computer, they are usually given normal user permissions, but normal user accounts are allowed to encrypt by default. If someone uses EFS to encrypt files on a shared computer, it inevitably causes a lot of trouble for the other users. You therefore need either to prohibit encryption of specific folders or to disable file encryption altogether.

First, to prohibit encryption of a single folder, use Notepad to create a file named Desktop.ini in that folder and add the following content:

  [Encryption]
  Disable=1

Finally, save the file. If other users later attempt to encrypt the folder, an error message appears and the folder cannot be encrypted. Note: this method only prevents other users from encrypting this folder itself; the subfolders inside it are not protected.
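Because the marker does not cover subfolders, it is worth checking which folders in a shared tree actually carry it. The script below is an added example, not part of the original article: it walks a directory tree and lists every folder that has no Desktop.ini with Disable=1 under [Encryption]. The function names and the sample tree are constructed for illustration.

```python
import os
import tempfile

def parse_disables_encryption(raw: bytes) -> bool:
    """True if the Desktop.ini bytes contain Disable=1 under [Encryption]."""
    # Notepad can save as ANSI, UTF-8 with BOM, or UTF-16 ("Unicode").
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        text = raw.decode("utf-16", errors="replace")
    else:
        text = raw.decode("utf-8-sig", errors="replace")
    section = ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()  # INI names are case-insensitive
        elif section == "encryption" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "disable" and value.strip() == "1":
                return True
    return False

def unprotected_folders(root: str) -> list:
    """Relative paths of folders under root that lack the marker themselves."""
    missing = []
    for folder, _dirs, files in os.walk(root):
        ini = next((f for f in files if f.lower() == "desktop.ini"), None)
        ok = False
        if ini:
            with open(os.path.join(folder, ini), "rb") as fh:
                ok = parse_disables_encryption(fh.read())
        if not ok:
            missing.append(os.path.relpath(folder, root))
    return sorted(missing)

def build_sample(root: str) -> None:
    """Constructed sample tree: 'shared' is marked, its subfolder is not."""
    os.makedirs(os.path.join(root, "shared", "reports"))
    os.makedirs(os.path.join(root, "legal"))
    with open(os.path.join(root, "shared", "Desktop.ini"), "wb") as fh:
        fh.write(b"[Encryption]\r\nDisable = 1\r\n")
    with open(os.path.join(root, "legal", "desktop.ini"), "wb") as fh:
        fh.write("[Encryption]\r\nDisable=1\r\n".encode("utf-16"))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel in unprotected_folders(tmp):
            print("no [Encryption] Disable=1 marker:", rel)
```

On the sample tree the root and shared\reports are reported, which is the subfolder gap described in the note above.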

Practice 4: Disable EFS encryption

To disable EFS encryption completely, open Registry Editor, go to [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS], and click "New > DWORD Value" on the "Edit" menu. Enter EfsConfiguration as the value name and set its data to "1". EFS encryption is then disabled on the local machine.

Practice 5: Export EFS keys

  After you use EFS encryption in Windows 2000/XP, reinstalling the system leaves the previously encrypted files impossible to open! If you did not back up the key beforehand, the data can never be opened again. Backing up the key is therefore essential.

Step 1: Log on with a local account, preferably one with administrator permissions. Click Start > Run, enter MMC, and press Enter to open the console window.

Step 2: In the console, click "Console > Add/Remove Snap-in", then click "Add" in the "Add/Remove Snap-in" dialog box. In the "Add Standalone Snap-in" dialog box, select "Certificates" and click "Add".

If you are an administrator, you must choose which certificates the snap-in manages: select "My user account", click "Close", and then click "OK" to return to the console.

Step 3: In the left pane, expand "Console Root → Certificates → Personal → Certificates", select your account in the right pane, right-click it, and select "All Tasks → Export". The Certificate Export Wizard appears (Figure 3).


Figure 3

Step 4: Click "Next", select "Yes, export the private key", and click "Next". Under "Personal Information Exchange", select "Include all certificates in the certification path if possible" and "Enable strong protection", then click "Next" to go to the password page.

Step 5: Enter a password. This password is very important: if you forget it, it cannot be recovered and you will not be able to import the certificate later. Then click "Next" and choose the location and file name for saving the private key.

Step 6: Click "Finish". The "export successful" dialog box confirms that your certificate and key have been exported. Open the folder where you saved the key and you will see a file with an "envelope + key" icon, which is your valuable key! If you lose it, it not only means that you can no longer open your data, but also means that others can easily open your data.

Practice 6: Import EFS keys

  After the system is reinstalled, files encrypted by EFS cannot be opened. Before reinstalling, therefore, remember to export the key, and afterwards import the backed-up key into the new system to regain access.

 Tips

  ★ Make sure the key you import carries the right to view the files; otherwise importing it is useless. This has to be settled at export time.

★ Remember the password you set during export. It is best to use the same user name as at export.

Step 1: double-click the exported key (the file under the "envelope + key" icon). The "Certificate import wizard" Welcome Page is displayed. Click "Next" to confirm
