A few days ago, a friend sent me an extremely urgent message asking for help. The files he had encrypted with EFS on his company computer could no longer be opened, and they held all of his important customer information. Because of a problem with the system's user configuration, he had deleted his account and re-created one with the same user name, after which the previously encrypted folder could no longer be opened. Fortunately, he was running Windows 2000. I told him he could use the recovery agent to decrypt the data, and he could finally relax.
Pleas like this appear in many technical forums, and not everyone is so lucky: important data that cannot be opened has caused heavy losses. If you also use Windows 2000/XP and encrypt your data, you need to understand EFS encryption properly if you want to avoid such losses.
What is EFS
With Windows 2000, Microsoft upgraded the NTFS file system inherited from Windows NT 4.0. Its biggest feature is stronger security, in particular the addition of the Encrypting File System (EFS), which encrypts data directly on NTFS volumes and lets users protect private data with the public key cryptography built into the system.
You can encrypt a private file or folder to prevent others from using it. If someone without the correct permission gains access to the hard disk and attempts to operate on an encrypted file or folder, they receive an "Access Denied" error message.
In addition, user authentication takes place when you log on to Windows, which makes EFS transparent to the user: as long as you are logged on with an account that has permission, you use your encrypted files exactly like ordinary files. Unlike ordinary encryption software, no dialog box pops up asking you for a password, which is a great convenience for the user.
Use EFS to encrypt files
If you use Windows 2000/XP/2003 (note that Windows XP Home Edition does not support EFS) and the disk is formatted with the NTFS file system, you meet the requirements for using EFS.
To use EFS encryption, open Explorer, right-click the file (or folder) to be encrypted and select "Properties". In the "Properties" dialog box, click "Advanced" to open the "Advanced Attributes" dialog box and select "Encrypt contents to secure data" (clear this check box to decrypt the file).
Click "OK" and then "Apply". If a folder is being encrypted, the dialog box shown in Figure 2 appears, asking whether to encrypt only the folder or also the subfolders and files inside it; choose as needed.
After you click "OK", by default the file's name in Explorer changes color, indicating that the file is encrypted (or compressed).
Tip: You can also keep the file (folder) color unchanged. In Explorer, click "Tools > Folder Options > View" and clear "Show encrypted or compressed NTFS files in color".
EFS encryption and decryption techniques
In practice, several techniques make EFS encryption easier to work with.
1. Add "Encrypt" to the right-click menu
If you find the encryption method above too cumbersome, enter "regedit" in "Run" to open the Registry Editor and go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced. Right-click in the right-hand pane, select "New > DWORD Value", name it "EncryptionContextMenu", and set its value to "1".
Exit the Registry Editor, open Explorer, select any file (folder) on an NTFS partition and right-click it: an "Encrypt" option has been added to the menu. Clicking it encrypts or decrypts the item in one step.
2. Disable encryption of a folder
If you want to prevent a folder from being encrypted, create a file named "Desktop.ini" in that folder and edit its content in Notepad as follows:
[Encryption]
Disable=1
However, this method does not prevent encryption of the files and subfolders within folders that are already encrypted.
3. Completely disable EFS encryption
To completely disable EFS encryption on the machine, modify the registry. Click "Start > Run", enter "regedit" and press Enter to open the Registry Editor. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS, click "New > DWORD Value" in the "Edit" menu, enter "EfsConfiguration" as the value name and set its data to "1"; EFS encryption on the local machine is now disabled. To re-enable EFS encryption, change the value back to "0".
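The two registry changes above (the "Encrypt" context-menu entry and the machine-wide EfsConfiguration switch) can be applied and audited from a script instead of regedit. The following PowerShell is an added example, not part of the original article or of Windows itself; the value names and paths are the real ones the article gives, while the function names are this example's own. Both values live under HKLM, so it must run from an elevated prompt.

```powershell
# Added example: set, clear and read back the two EFS-related registry values
# the article describes. Real locations:
#   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EncryptionContextMenu (DWORD, 1 = show menu item)
#   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS\EfsConfiguration           (DWORD, 1 = EFS disabled)
# Function names are this example's own. Run from an elevated (Administrator) PowerShell.

$ContextMenuKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$EfsKey         = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'

function Set-EfsContextMenu {
    # $true adds "Encrypt"/"Decrypt" to the Explorer right-click menu; $false removes the value again.
    param([Parameter(Mandatory)][bool]$Enable)
    if ($Enable) {
        New-ItemProperty -Path $ContextMenuKey -Name 'EncryptionContextMenu' `
            -PropertyType DWord -Value 1 -Force | Out-Null
    } else {
        Remove-ItemProperty -Path $ContextMenuKey -Name 'EncryptionContextMenu' -ErrorAction SilentlyContinue
    }
}

function Set-EfsDisabled {
    # $true writes EfsConfiguration=1 (EFS off machine-wide); $false writes 0 (EFS allowed again).
    # Windows reads this value at startup, so restart after changing it.
    param([Parameter(Mandatory)][bool]$Disabled)
    if (-not (Test-Path $EfsKey)) { New-Item -Path $EfsKey -Force | Out-Null }
    New-ItemProperty -Path $EfsKey -Name 'EfsConfiguration' -PropertyType DWord `
        -Value ([int]$Disabled) -Force | Out-Null
}

function Get-EfsRegistryState {
    # Read both values back so a change can be verified, or the setting audited on many machines.
    $ctx = (Get-ItemProperty -Path $ContextMenuKey -Name 'EncryptionContextMenu' -ErrorAction SilentlyContinue).EncryptionContextMenu
    $efs = (Get-ItemProperty -Path $EfsKey -Name 'EfsConfiguration' -ErrorAction SilentlyContinue).EfsConfiguration
    [pscustomobject]@{
        ContextMenuEnabled = ($ctx -eq 1)
        EfsDisabled        = ($efs -eq 1)
    }
}

# Usage: add the menu entry, make sure EFS stays enabled, and show the resulting state.
Set-EfsContextMenu -Enable $true
Set-EfsDisabled -Disabled $false
Get-EfsRegistryState
```

Get-EfsRegistryState is the useful part for a defender: EfsDisabled = $true on a machine that is supposed to protect data with EFS means files written there are going to disk in the clear.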
Back up the encryption certificate
How to open encrypted files after reinstalling the system
EFS encryption principle
Let's look at how EFS works. In EFS, data is encrypted with a file encryption key (FEK); the FEK is in turn encrypted with the user's public key and stored alongside the data. Decryption runs in the reverse order: first the private key decrypts the FEK, then the FEK decrypts the data. In short, the system uses your public/private key pair (referred to collectively as "the key") for encryption and decryption.
So where does the key come from? It is generated based on the user's SID. In Windows 2000/XP every user has a SID (security identifier). The first time EFS is used, the system generates a key based on that SID. The SID is unique, like a person's fingerprint, so no two users ever have the same key, which is what makes EFS encryption reliable. At present there is no official confirmation that EFS has been cracked.
Note that reinstalling the system produces a new SID, so even if you use the original user name and password during installation you cannot directly open the encrypted files (folders). Many people overlook this and lose their data.
Back up the key
Since EFS uses the key for both encryption and decryption, the data can be recovered as long as the key still exists. Backing up the key is therefore the best way to spare yourself trouble later.
Click "Start > Run", enter certmgr.msc in the Run dialog box to open the Certificate Manager, and open "Certificates - Current User > Personal > Certificates". As long as you have performed at least one encryption operation, the right-hand pane shows a certificate with the same name as your user name (if there are several, pick the one whose "Intended Purposes" is "Encrypting File System").
Right-click the certificate and choose "All Tasks > Export". In the "Certificate Export Wizard" that appears, select "Yes, export the private key", enter a password when the wizard asks for one to protect the exported private key, and save it as a file with the .pfx extension.
When the account that encrypted the files runs into a problem, or when you need to access or decrypt previously encrypted files after reinstalling the system, right-click the backup certificate and select "Install PFX". The "Certificate Import Wizard" appears; enter the password you chose when exporting the certificate, then select "Automatically select the certificate store based on the type of certificate". After that you can access the previously encrypted files again.
Note: anyone who obtains your backup certificate can decrypt your encrypted files, so you must keep the backup certificate secure.
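The certmgr.msc export and "Install PFX" steps above have a scripted equivalent on Windows versions that ship the PKI cmdlets (Windows 8 / Server 2012 and later; Windows XP still needs the wizard). The script below is an added example, not from the article: it finds the current user's EFS certificate by its Enhanced Key Usage OID 1.3.6.1.4.1.311.10.3.4 ("Encrypting File System"), exports it with the private key to a password-protected PFX, and re-imports it later. The function names, file paths and the password are this example's own placeholders.

```powershell
# Added example: back up and restore the EFS certificate with PowerShell instead of
# certmgr.msc. Requires the PKI module (Export-PfxCertificate / Import-PfxCertificate).
# Function names and paths are placeholders chosen for this example.

$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'   # "Encrypting File System" enhanced key usage

function Get-EfsCertificate {
    # Certificates in the user's Personal store that carry the EFS EKU and have a private key.
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $EfsEkuOid) }
}

function Backup-EfsCertificate {
    # Same as "All Tasks > Export" with "Yes, export the private key": one PFX per certificate.
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$Password
    )
    $certs = @(Get-EfsCertificate)
    if ($certs.Count -eq 0) { throw 'No EFS certificate with a private key found; encrypt a file first.' }
    foreach ($c in $certs) {
        # With several certificates, suffix the file name with the thumbprint so none is overwritten.
        $out = if ($certs.Count -eq 1) { $PfxPath } else { $PfxPath -replace '\.pfx$', "-$($c.Thumbprint).pfx" }
        Export-PfxCertificate -Cert $c -FilePath $out -Password $Password | Out-Null
        '{0}  exported to {1}' -f $c.Thumbprint, $out
    }
}

function Restore-EfsCertificate {
    # Equivalent of right-click > "Install PFX": the certificate and private key land in CurrentUser\My.
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$Password
    )
    Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\CurrentUser\My -Password $Password
}

# Usage (placeholder path): keep the PFX off the machine, not on the same disk as the data.
$pw = Read-Host -AsSecureString -Prompt 'Password to protect the PFX'
Backup-EfsCertificate -PfxPath 'D:\backup\efs-user.pfx' -Password $pw
# Later, logged on to the reinstalled system as the new account:
# Restore-EfsCertificate -PfxPath 'D:\backup\efs-user.pfx' -Password $pw
```

Matching on the EKU OID rather than the certificate's name avoids picking up an unrelated personal certificate that happens to share the user name.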
Knowledge
1. Unencrypted files copied into an encrypted folder are encrypted automatically.
2. An encrypted file moved to another NTFS partition keeps its encryption attribute; moved to a FAT (FAT32) partition it is decrypted automatically. In addition, a file on an NTFS partition cannot be both compressed and encrypted at the same time.
3. Windows system files and system folders cannot be encrypted.
Use the recovery agent to decrypt files
How to open encrypted files after the user has been deleted
EFS encryption is secure and reliable. Can you, as in the case at the beginning, simply re-create an identical user once the account has been deleted? The answer is no. Although the re-created user has the same name as the old one, the system does not give it the same SID (remember, two identical SIDs are impossible, unless the system is a clone), so the keys differ and the encrypted files cannot be opened.
Of course, the situation is not hopeless: files encrypted with EFS can be opened not only by the person who encrypted them but also by the "recovery agent". The recovery agent is a special user that can decrypt files encrypted with EFS.
On Windows 2000 the default recovery agent in standalone and workgroup environments is Administrator, whereas Windows XP has no default recovery agent in standalone and workgroup environments. Domain environments are entirely different: for every Windows 2000/XP computer joined to a domain, the default recovery agents are the domain administrators. That is why I said the friend was lucky to be using Windows 2000: he could log on as Administrator and open or decrypt the files directly.
The many people who use Windows XP are not so lucky. Because there is no default recovery agent, unless one has been set in advance you face data loss as soon as the user is deleted. So if you use Windows XP, set a recovery agent in advance.
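The key-wrapping scheme from the "EFS encryption principle" section and the recovery-agent idea above can be modelled in a few lines with .NET's RSA and AES classes. The script below is an added example and is not Windows' own EFS implementation: it generates a random file encryption key (FEK), encrypts the data with it, then wraps the FEK once under the owner's public key (EFS calls this entry the DDF) and once under the recovery agent's public key (the DRF). Fresh RSA key pairs stand in for the per-user keys; a third key pair plays the role of the re-created account with its new SID, whose decryption attempt fails. Function and variable names are this example's own.

```powershell
# Added example: a model of the EFS FEK scheme using .NET RSA/AES. Not the real EFS
# code; key pairs are generated here to stand in for the per-user keys.

function New-KeyPair { [System.Security.Cryptography.RSA]::Create(2048) }

function Protect-FileModel {
    # Encrypt data with a random FEK, then wrap the FEK for the owner (DDF) and the recovery agent (DRF).
    param(
        [byte[]]$Plaintext,
        [System.Security.Cryptography.RSA]$OwnerKey,
        [System.Security.Cryptography.RSA]$RecoveryKey
    )
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256
    $aes.GenerateKey(); $aes.GenerateIV()                   # $aes.Key is the FEK
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    $pad = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256
    [pscustomobject]@{
        Ciphertext = $cipher
        IV         = $aes.IV
        DDF        = $OwnerKey.Encrypt($aes.Key, $pad)      # FEK wrapped for the owner
        DRF        = $RecoveryKey.Encrypt($aes.Key, $pad)   # FEK wrapped for the recovery agent
    }
}

function Unprotect-FileModel {
    # Reverse order: the private key unwraps the FEK, then the FEK decrypts the data.
    param($Blob, [System.Security.Cryptography.RSA]$PrivateKey, [string]$Field)
    $pad = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256
    $fek = $PrivateKey.Decrypt($Blob.$Field, $pad)          # throws when the key pair does not match
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $fek; $aes.IV = $Blob.IV
    $plain = $aes.CreateDecryptor().TransformFinalBlock($Blob.Ciphertext, 0, $Blob.Ciphertext.Length)
    return ,$plain
}

$owner     = New-KeyPair   # created the first time the user encrypts something
$agent     = New-KeyPair   # the recovery agent, designated in advance
$recreated = New-KeyPair   # account re-created with the same name: new SID, new key pair

$data = [Text.Encoding]::UTF8.GetBytes('customer list (constructed sample)')
$blob = Protect-FileModel -Plaintext $data -OwnerKey $owner -RecoveryKey $agent

[Text.Encoding]::UTF8.GetString((Unprotect-FileModel $blob $owner 'DDF'))   # owner: succeeds
[Text.Encoding]::UTF8.GetString((Unprotect-FileModel $blob $agent 'DRF'))   # recovery agent: succeeds
try   { Unprotect-FileModel $blob $recreated 'DDF' | Out-Null; 'unexpected success' }
catch { 'Re-created account cannot decrypt: ' + $_.Exception.Message }
```

The model makes the article's two warnings concrete: a same-named account with a different key pair fails at the FEK-unwrap step, and the recovery agent can only help if its DRF entry was written at encryption time, which is why the agent has to exist before the files are encrypted.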
Set a Windows XP recovery agent
1. First decide which user will act as the recovery agent; any user can be chosen. For example, to make the user USER the recovery agent, log on to the system with the USER account (Administrator is generally recommended as the recovery agent).
2. In "Run", enter "cipher /r:test" (test can be any other name). After you press Enter, the system asks whether you want to protect the certificate with a password; set one yourself, or press Enter to go without password protection. Afterwards you will find the files test.cer and test.pfx in the root directory of drive C (in Explorer, click "Tools > Folder Options > View" and clear "Hide extensions for known file types" to see the file extensions).
3. Right-click the PFX file and select "Install PFX". The "Certificate Import Wizard" appears; if you are prompted for a password, enter the one set in step 2, select "Mark this key as exportable", and then select "Automatically select the certificate store based on the type of certificate" to import the certificate.
4. Enter "gpedit.msc" in "Run" and press Enter to open the Group Policy Editor. Under "Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Encrypting File System", right-click and select "Add Data Recovery Agent", and in the "Add Recovery Agent Wizard" open test.cer. USER is now set as the designated recovery agent.
From now on you can log on as USER to decrypt any file (folder) encrypted after the recovery agent was designated. Note: files encrypted before the recovery agent was set cannot be decrypted this way, so the agent must be set in advance.
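Steps 2 and 3 above can be scripted, and once step 4 has been done in gpedit.msc it is worth checking that a newly encrypted file really carries the recovery agent's certificate. The script below is an added example, not part of the article: it runs the same cipher /r command, imports the PFX with Import-PfxCertificate (Windows 8 / Server 2012 and later; on XP use "Install PFX"), and then encrypts a test file and looks for the agent's thumbprint in the output of cipher /c. Both cipher switches are real; the assumption that cipher /c prints thumbprints in groups of four hex digits under a "Recovery Certificates" heading is about the English-language output and is marked in the code. Function names and paths are placeholders.

```powershell
# Added example: script the recovery-agent setup from the article and verify the result.
# cipher /r and cipher /c are real switches; the thumbprint formatting matched below
# ("XXXX XXXX ...", as printed by English cipher.exe) is an assumption. Step 4 (adding
# test.cer as a Data Recovery Agent in gpedit.msc) has no command-line equivalent on a
# standalone machine and is still done in the console. Paths and names are placeholders.

$Base = 'C:\test'   # cipher /r writes $Base.cer and $Base.pfx

function New-RecoveryAgentFiles {
    # Step 2: generate the recovery agent certificate and key pair. cipher prompts for the
    # PFX password interactively, exactly as the article describes.
    cipher "/r:$Base"
    if (-not (Test-Path "$Base.cer") -or -not (Test-Path "$Base.pfx")) {
        throw 'cipher /r did not produce the .cer and .pfx files'
    }
    Get-Item "$Base.cer", "$Base.pfx"
}

function Install-RecoveryAgentKey {
    # Step 3: import the PFX for the account that will act as recovery agent (key marked exportable).
    param([Parameter(Mandatory)][securestring]$Password)
    Import-PfxCertificate -FilePath "$Base.pfx" -CertStoreLocation Cert:\CurrentUser\My `
        -Password $Password -Exportable
}

function Test-RecoveryAgentOnFile {
    # After step 4: encrypt a fresh file and confirm the agent's thumbprint appears in its
    # recovery field. Files encrypted before the policy was set will not show it.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path $Path)) { Set-Content -Path $Path -Value 'constructed sample' }
    [System.IO.File]::Encrypt($Path)
    $cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList "$Base.cer"
    $thumb = ($cer.Thumbprint -replace '(.{4})', '$1 ').Trim()   # assumed cipher format: groups of 4
    $listing = (cipher /c $Path) -join "`n"
    [pscustomobject]@{
        File        = $Path
        AgentListed = ($listing -match [regex]::Escape($thumb))
        Listing     = $listing
    }
}

# Usage:
New-RecoveryAgentFiles
$pw = Read-Host -AsSecureString -Prompt 'Password you gave cipher /r'
Install-RecoveryAgentKey -Password $pw
# ... now add C:\test.cer as a Data Recovery Agent in gpedit.msc (step 4), then:
Test-RecoveryAgentOnFile -Path 'C:\data\after-policy.txt'
```

AgentListed = $false on a file encrypted after the policy was applied means the agent was not picked up (for example the policy has not refreshed yet), and that file is exactly as unrecoverable as the ones from before.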
EFS encryption FAQ
1. After the system is reinstalled, can the default recovery agent still recover the encrypted data?
No. Suppose the Administrator user is the default recovery agent. After the system is reinstalled, the Administrator's SID has changed, so it can no longer act as the recovery agent for the previous user; the files can only be opened after the backup certificate has been imported.
2. Is data encrypted by EFS exclusive?