Use EFS to encrypt windows files

A friend once asked the following questions:
First, my encrypted file cannot be opened. Can I convert NTFS format partitions to FAT32 partitions?
Second, after the encrypted data is reinstalled to the operating system, the encrypted data cannot be opened now. Can I use the same user name and password of the previous system to open it?
Third, the system is restored using GHOST, and the user account and corresponding SID are not changed. Can you open the encrypted data file?
After we encrypt files in XP/2000/2003, we often fail to open encrypted files due to one or more problems, resulting in losses to enterprises or individuals. Now, I want to tell you that it is not easy to say. Don't be surprised. I hope it will help you.
What is EFS?
Encrypting File System is an encrypted File System. It is based on a public key policy and has three benefits: cost reduction, transparency, and security.
 
EFS encryption is based on public key policies. When you use EFS to encrypt a File or folder, the system first generates a FEK consisting of pseudo-random numbers (File Encryption Key, File Encryption Key ), then, the encrypted file will be created using FEK and data extension standard X algorithm, stored on the hard disk, and unencrypted original files will be deleted. Then, the system uses your public key to encrypt the FEK and stores the encrypted FEK in the same encrypted file. When accessing the encrypted file, the system first decrypts the FEK using the current user's private key, and then decrypts the file using FEK. When you use EFS for the first time, if you do not have a public/private key pair (collectively referred to as a key), the key is generated first and then encrypted. If you log on to the domain environment, the key generation depends on the domain controller; otherwise, the key generation depends on the local machine.
The EFS encryption system is transparent to users. That is to say, if you encrypt some data, your access to the data will be completely allowed and will not be subject to any restrictions. When other unauthorized users attempt to access encrypted data, they receive an error message "Access Denied. The user authentication process of EFS encryption is performed when you log on to Windows. As long as you log on to Windows, you can open any authorized encrypted file.
 
 
How to Use EFS encryption?
Here, I would like to introduce several methods and precautions and specific requirements for using EFS.
1. Operating System Requirements: It must be 2000/XP/2003 or a new version of the system to be released by Microsoft, such as 95/98/me/NT.
2. NTFS version requirements: 5. Version 0 or later, that is, NTFS partitions formatted with version 2000/XP/2003 and the new version of the system to be released by Microsoft can be used, while NTFS partitions formatted by the NT system cannot, although it is a partition in NTFS format, the NTFS version is 4. 0.
3. Only partitions in NTFS format can use EFS encryption technology
4. The key should be backed up in time after EFS encryption is used for the first time
5. If you copy unencrypted files to folders with encryption properties, these files will be automatically encrypted. If the encrypted data is moved out, the data remains encrypted if it is moved to the NTFS partition. If it is moved to the FAT partition, the data will be automatically decrypted.
6. data encrypted by EFS cannot be directly shared in Windows.
7. the encryption and compression functions in NTFSF partitions cannot be enabled simultaneously
8. files and folders in Windows cannot be encrypted.
 
We will introduce how to use EFS encryption in 2000/XP/2003:
Right-click the file to be encrypted-> properties-> advanced-> encrypted content to protect data-> OK. The data file is encrypted.
What should we do to prevent loss and the encrypted file cannot be opened? If the system crashes after the encrypted file is reinstalled, the encrypted file cannot be opened. After the user name or password is changed, the encrypted file cannot be opened. Use GHOST to restore the system, encrypted Files cannot be opened.
We need to pay attention to two key points:

First, back up the key in time.

In 2000, perform the following operations:
Start> RUN> MMC> Delete management unit> Add> certificate> my account> OK.
After adding the admission policy to the certificate, select the certificate, individual, right-click the certificate in the right column, select all tasks, export, export the private key, next, default, next, enter the password, next, back up the certificate to a directory or USB flash drive to save it.
In this way, once the system is reinstalled or the user name or password cannot be opened, you only need to right-click the exported certificate, install the certificate, and import it. In this way, the encrypted file can be opened again.
Second, set a valid EFS encryption recovery proxy

In 2000, perform the following operations:
In 2000, any user-encrypted file can be opened by logging on to the Administrator as long as the system has not been reinstalled or changed accordingly. Except adminsitrator, files encrypted by different users cannot be opened to each other. For example, in 2000, user A encrypts file A and user B encrypts file B, user A cannot open file B. On the contrary, user B cannot open file A. To open file A or file B, you must use administrator to log in. In addition, if file A gives user B the permission, it is another matter. Method: In 2000, after logging on to user A, right-click File A, properties, and advanced, click details, add, select user B certificate, OK, and OK. Once user B logs in, user B can open the file encrypted by user A, and vice versa.
Now let's talk about how to set the recovery Proxy:
To use other users as the recovery proxy. If you want to use User A as the recovery proxy, you must first log in with administrator, export the certificate of the Administrator user, and then log out with user, upload the adminsitrator user certificate to the Group Policy under user A's logon. Once the import is successful, user A becomes the EFS encryption recovery proxy. In this case, user A can open any user-encrypted file.