
Best practices for the Encrypting File System

Article ID: 223316

Last Review: February 10 (year illegible in source); Revision: 11

This article was previously published under Q223316


SUMMARY

Microsoft Windows includes the ability to encrypt data directly on volumes that use the NTFS file system so that no other user can use the data. You can encrypt files and folders if you set an attribute in the object's Properties dialog box. Because the encryption/decryption process is transparent to users, make sure that organizations that want to use file encryption fully promote strong guidelines about its usage.

MORE INFORMATION

The following is the list of standard practices:

• Teach users to export their certificates and private keys to removable media and store the media securely when it is not in use. For the greatest possible security, the private key must be removed from the computer whenever the computer is not in use. This protects against attackers who physically obtain the computer and try to access the private key. When the encrypted files must be accessed, the private key can easily be imported from the removable media.
• Encrypt the My Documents folder for all users (User_profile\My Documents). This makes sure that the personal folder, where most documents are stored, is encrypted by default.
• Teach users to never encrypt individual files but to encrypt folders. Programs work on files in various ways. Encrypting files consistently at the folder level makes sure that files are not unexpectedly decrypted.
• The private keys that are associated with recovery certificates are extremely sensitive. These keys must be generated either on a computer that is physically secured, or their certificates must be exported to a .pfx file, protected with a strong password, and saved on a disk that is stored in a physically secure location.
• Recovery agent certificates must be assigned to special recovery agent accounts that are not used for any other purpose.
• Do not destroy recovery certificates or private keys when recovery agents are changed. (Agents are changed periodically.) Keep them all, until all files that may have been encrypted with them are updated.
• Designate two or more recovery agent accounts per organizational unit (OU), depending on the size of the OU. Designate two or more computers for recovery, one for each designated recovery agent account. Grant permissions to appropriate administrators to use the recovery agent accounts. It is a good idea to have two recovery agent accounts to provide redundancy for file recovery. Having two computers that hold these keys provides more redundancy to allow recovery of lost data.
• Implement a recovery agent archive program to make sure that encrypted files can be recovered by using obsolete recovery keys. Recovery certificates and private keys must be exported and stored in a controlled and secure manner. Ideally, as with all secure data, archives must be stored in a controlled access vault and you must have two archives: a master and a backup. The master is kept on-site, while the backup is located in a secure off-site location.
• Avoid using print spool files in your print server architecture, or make sure that print spool files are generated in an encrypted folder.
• The Encrypting File System does take some CPU overhead every time a user encrypts and decrypts a file. Plan your server usage wisely. Load balance your servers when there are many clients using Encrypting File System (EFS).
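The first three practices (private key not left on the computer, My Documents encrypted, encryption applied at folder level) can be checked from PowerShell. The script below is an added example, not part of the Microsoft article; it assumes PowerShell 3.0 or later with the Cert: drive available, and uses the EFS enhanced-key-usage OID 1.3.6.1.4.1.311.10.3.4 to recognise EFS certificates.

```powershell
# Added example (not from the Microsoft article): audit the current user's EFS posture.
# Assumes PowerShell 3.0+ on Windows with the Cert: provider available.

# Enhanced key usage OID that marks a certificate as usable for EFS.
$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'

function Get-EfsUserCertificate {
    # Certificates in the Personal store that carry the EFS EKU and a private key.
    # If one is present, the private key is on this computer (the first practice
    # above says it should be on removable media while the machine is not in use).
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $EfsEkuOid) }
}

function Test-EfsFolderPolicy {
    # Report whether a folder is encrypted and list files inside it that are not.
    # Such files are the "unexpectedly decrypted" case the third practice warns about.
    param([Parameter(Mandatory = $true)][string]$Folder)

    $item = Get-Item -LiteralPath $Folder -ErrorAction Stop
    $folderEncrypted = [bool]($item.Attributes -band [IO.FileAttributes]::Encrypted)

    $plain = @(Get-ChildItem -LiteralPath $Folder -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::Encrypted) })

    [pscustomobject]@{
        Folder           = $item.FullName
        FolderEncrypted  = $folderEncrypted
        UnencryptedFiles = $plain.Count
        Examples         = @($plain | Select-Object -First 5 | ForEach-Object FullName)
    }
}

function Get-EfsAuditReport {
    # Combine the certificate check and the folder check into one report object.
    param([string]$Folder = [Environment]::GetFolderPath('MyDocuments'))

    $certs  = @(Get-EfsUserCertificate)
    $policy = Test-EfsFolderPolicy -Folder $Folder

    [pscustomobject]@{
        User                = "$env:USERDOMAIN\$env:USERNAME"
        EfsPrivateKeysLocal = $certs.Count
        Thumbprints         = @($certs | ForEach-Object Thumbprint)
        Folder              = $policy.Folder
        FolderEncrypted     = $policy.FolderEncrypted
        UnencryptedFiles    = $policy.UnencryptedFiles
        UnencryptedExamples = $policy.Examples
    }
}

# Usage: audit the caller's My Documents folder (default) or pass -Folder for another one.
Get-EfsAuditReport | Format-List
```

A non-zero UnencryptedFiles count inside an encrypted folder is worth investigating: it usually means a program wrote the file elsewhere and moved it in from a non-encrypted location, which is exactly why the article recommends encrypting at the folder level rather than file by file.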

How to enable Encrypting File System file sharing


In Microsoft Windows XP, EFS supports file sharing of encrypted files among multiple users. With this support, you can give individual users permission to access an encrypted file. After a file has been encrypted, file sharing is enabled through a new button in the user interface. A file must be encrypted first and then saved before additional users can be added. Users can be added either from the local computer or from the Active Directory directory service if the user has a valid certificate for EFS. The ability to add additional users is restricted to individual files: support for multiple users on EFS-encrypted folders is not provided in either Microsoft Windows 2000 or Windows XP. Also, only individual users can be added to files; support for the use of groups on encrypted files is not provided by EFS. For information about how to enable EFS encryption on folders and files, see the "How to encrypt and decrypt using the Encrypting File System" section.

How to encrypt a file for multiple users


Note This procedure applies to Windows XP only. You cannot encrypt a file for multiple users in Windows 2000.

To do this, follow these steps:

1. Start Microsoft Windows Explorer, and then select the encrypted file that you want to add additional users to.
2. Right-click the encrypted file, and then click Properties.
3. Click Advanced to access the EFS settings.
4. Click Details to add additional users.
5. Click Add. The Add dialog box will display any other EFS-capable certificates in your personal store or those of any other users who may be in your "Other People" and "Trusted People" certificate stores. If you do not see the user who you want to add, click Find User to search Active Directory. The Select User window appears. A dialog box displays valid EFS certificates in Active Directory based on your search criteria. If no valid certificate is found for that user, a message will inform you that there are no appropriate certificates for the selected user. In this case, the intended users must send you a copy of their certificate for you to import. You can then add them to your encrypted file.
6. Select the certificate of the user who you want to add, and then click OK. You will be returned to the Details tab, and the tab will show the multiple users who will have access to the encrypted file and the users' EFS certificates.
7. Repeat this process until you have added all the users who you want to add. Click OK to register the change and continue.

Note Any user who can decrypt a file can also remove other users if the user who does the decrypting also has write permissions on the file.
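The same operation can be scripted with cipher.exe, which takes the thumbprint of the certificate to add, as the Details > Add dialog does. The example below is added here and is not from the Microsoft article; it assumes Windows XP or later (cipher.exe /adduser and /removeuser), that the other user's EFS certificate has already been imported into the Personal, Other People or Trusted People store, and a constructed sample path and user name in the usage lines. It also enforces the two limits the section states (files only, individual users only) before calling cipher.

```powershell
# Added example (not from the Microsoft article): share an encrypted file with another
# user from PowerShell, mirroring the Details > Add dialog. Assumes Windows XP or later
# (cipher.exe /adduser) and that the other user's EFS certificate has already been
# imported into one of the stores the dialog consults.

$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'   # EFS enhanced key usage

function Find-EfsCertificateForUser {
    # Search Personal (My), Other People (AddressBook) and Trusted People for an
    # EFS-capable certificate whose subject or UPN matches the name.
    param([Parameter(Mandatory = $true)][string]$Name)
    foreach ($store in 'My', 'AddressBook', 'TrustedPeople') {
        $hit = Get-ChildItem "Cert:\CurrentUser\$store" -ErrorAction SilentlyContinue |
            Where-Object {
                ($_.EnhancedKeyUsageList.ObjectId -contains $EfsEkuOid) -and
                ($_.Subject -like "*$Name*" -or $_.GetNameInfo('UpnName', $false) -like "*$Name*")
            } | Select-Object -First 1
        if ($hit) { return $hit }
    }
    return $null
}

function Grant-EfsFileAccess {
    # Add one user's certificate to one encrypted file. Folders are rejected up front
    # because EFS sharing only supports individual users on individual files.
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$UserName
    )
    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    if ($file.PSIsContainer) { throw "EFS sharing applies to individual files only, not to folders." }
    if (-not ($file.Attributes -band [IO.FileAttributes]::Encrypted)) {
        throw "'$Path' is not encrypted. Encrypt it and save it before adding users."
    }
    $cert = Find-EfsCertificateForUser -Name $UserName
    if (-not $cert) {
        throw "No EFS certificate for '$UserName' in the local stores. Ask the user for a copy of their certificate and import it first."
    }
    # cipher /adduser takes the SHA-1 thumbprint of the certificate to add.
    & cipher.exe /adduser "/certhash:$($cert.Thumbprint)" $file.FullName | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "cipher.exe /adduser failed with exit code $LASTEXITCODE" }
    return $cert.Thumbprint
}

function Revoke-EfsFileAccess {
    # Counterpart to the Note above: removing a user needs decrypt rights on the file
    # plus write permission, and uses the same certificate thumbprint.
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Thumbprint
    )
    & cipher.exe /removeuser "/certhash:$Thumbprint" (Get-Item -LiteralPath $Path).FullName | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "cipher.exe /removeuser failed with exit code $LASTEXITCODE" }
}

# Usage (constructed sample path and user name):
# $tp = Grant-EfsFileAccess -Path 'C:\Secret\budget.xlsx' -UserName 'alice'
# cipher.exe /c 'C:\Secret\budget.xlsx'    # Windows Vista and later: lists who can decrypt the file
# Revoke-EfsFileAccess -Path 'C:\Secret\budget.xlsx' -Thumbprint $tp
```

Because any user on the file's list who also has write permission can remove the others, keeping the NTFS write ACL on a shared encrypted file as narrow as the business need allows is the practical control that limits that side effect.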

How to encrypt and decrypt using the Encrypting File System


The following steps encrypt and decrypt a file or folder using the Encrypting File System. Note These guidelines apply to Windows 2000 and Windows XP.

Encrypting a folder

Although you can encrypt files individually, we strongly recommend that you designate a specific folder for storing encrypted data.

Encrypt a folder and its contents

Although you can encrypt files individually, generally it is a good idea to designate a specific folder where you will store your encrypted files, and to encrypt that folder. If you do this, all files that are created in or moved to this folder will automatically obtain the encrypted attribute. To encrypt a folder and its current contents, follow these steps:

1. Right-click the folder that you want to encrypt, and then click Properties.
2. In the Properties dialog box, click Advanced.
3. The Advanced Attributes dialog box displays attribute options for compression and encryption. This dialog box also includes archive and indexing attributes. Note Although the NTFS file system supports both compression and encryption, it does not support both at the same time. This means that you can only select one or the other. A file or folder cannot be both encrypted and compressed at the same time. To encrypt the folder, click to select the Encrypt contents to secure data check box, and then click OK.
4. Click OK to close the Advanced Attributes dialog box.
5. If the folder you chose to encrypt in steps 1 to 3 already contains files, a Confirm Attribute Changes dialog box will appear. You can choose to encrypt only the folder so that all files subsequently moved to the folder or created in this folder will be encrypted. If you want to also encrypt all the contents of this folder, click Apply changes to this folder, subfolders, and files, and then click OK.

Decrypting a folder

To decrypt a folder, use basically the same process but in reverse order:

1. Right-click the folder that you want to decrypt, and then click Properties.
2. Click Advanced.
3. Click to clear the Encrypt contents to secure data check box to decrypt the data.
4. Click OK to close the Advanced Attributes dialog box.
5. Click OK to close the Properties dialog box.
6. If the folder has files in it, the Confirm Attribute Changes dialog box appears. You can choose to decrypt only the folder. However, this will not decrypt any files currently contained in the folder. If you want to decrypt all the contents of this folder, click Apply changes to this folder, subfolders, and files, and then click OK.
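The encrypt and decrypt procedures above map onto cipher.exe, which is the scriptable form of the Advanced Attributes dialog. The following is an added example, not code from the Microsoft article; it assumes Windows 2000 or later with cipher.exe on the PATH, and a constructed sample path in the usage lines. It checks the two preconditions the dialog only reports after the fact (the volume must be NTFS, and a compressed folder cannot also be encrypted), runs cipher, and then verifies the result by counting encrypted and plaintext files.

```powershell
# Added example (not from the Microsoft article): encrypt or decrypt a folder with
# cipher.exe, the command-line equivalent of the Advanced Attributes dialog. Assumes
# Windows 2000 or later and that cipher.exe is on the PATH.

function Assert-EfsCapableFolder {
    # Refuse early on the two cases the steps above cannot handle: a non-NTFS volume,
    # and a folder that is already NTFS-compressed (compression and encryption are exclusive).
    param([Parameter(Mandatory = $true)][string]$Folder)
    $item = Get-Item -LiteralPath $Folder -ErrorAction Stop
    if (-not $item.PSIsContainer) { throw "'$Folder' is not a folder." }
    $root  = [System.IO.Path]::GetPathRoot($item.FullName)
    $drive = New-Object System.IO.DriveInfo($root)
    if ($drive.DriveFormat -ne 'NTFS') { throw "'$root' is $($drive.DriveFormat); EFS needs an NTFS volume." }
    if ($item.Attributes -band [IO.FileAttributes]::Compressed) {
        throw "'$Folder' is NTFS-compressed. Uncompress it first (compact.exe /u /s), then encrypt it."
    }
    return $item
}

function Get-EfsFolderState {
    # Count encrypted vs. plaintext files under a folder, to verify the operation afterwards.
    param([Parameter(Mandatory = $true)][string]$Folder)
    $item  = Get-Item -LiteralPath $Folder -ErrorAction Stop
    $files = @(Get-ChildItem -LiteralPath $Folder -Recurse -File -Force -ErrorAction SilentlyContinue)
    $enc   = @($files | Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted })
    [pscustomobject]@{
        Folder          = $item.FullName
        FolderEncrypted = [bool]($item.Attributes -band [IO.FileAttributes]::Encrypted)
        EncryptedFiles  = $enc.Count
        PlaintextFiles  = $files.Count - $enc.Count
    }
}

function Set-EfsFolder {
    # Encrypt or decrypt the folder itself; with -IncludeContents also every file and
    # subfolder already inside it ("Apply changes to this folder, subfolders, and files").
    param(
        [Parameter(Mandatory = $true)][string]$Folder,
        [Parameter(Mandatory = $true)][ValidateSet('Encrypt', 'Decrypt')][string]$Action,
        [switch]$IncludeContents
    )
    $item = Assert-EfsCapableFolder -Folder $Folder
    $mode = if ($Action -eq 'Encrypt') { '/e' } else { '/d' }
    if ($IncludeContents) {
        # /s:dir walks the tree; /a makes cipher operate on files as well as folders.
        & cipher.exe $mode /a "/s:$($item.FullName)" | Out-Null
    } else {
        & cipher.exe $mode $item.FullName | Out-Null
    }
    if ($LASTEXITCODE -ne 0) { throw "cipher.exe $mode failed with exit code $LASTEXITCODE" }
    Get-EfsFolderState -Folder $item.FullName
}

# Usage (constructed sample path):
# Set-EfsFolder -Folder 'C:\Users\alice\Documents\Secret' -Action Encrypt -IncludeContents
# Set-EfsFolder -Folder 'C:\Users\alice\Documents\Secret' -Action Decrypt
```

Without -IncludeContents the call marks only the folder, which matches choosing "encrypt only the folder" in the Confirm Attribute Changes dialog: existing files stay as they are and only files created in or moved into the folder afterwards pick up the attribute. The returned PlaintextFiles count makes that difference visible.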

Additional information

How files are encrypted

Files are encrypted through the use of algorithms that essentially rearrange, scramble, and encode the data. A key pair is randomly generated when you encrypt your first file. This key pair is made up of a private and a public key. The key pair is used to encode and decode the encrypted files. If the key pair is lost or damaged and you have not designated a recovery agent, there is no way to recover the data.

Why you must back up your certificates

Because there is no way to recover data that has been encrypted with a corrupted or missing certificate, it is critical that you back up the certificates and store them in a secure location. You can also specify a recovery agent. This agent can restore the data. The recovery agent's certificate serves a different purpose than the user's certificate.

How to back up your certificate

To back up your certificates, follow these steps:

1. Start Microsoft Internet Explorer.
2. On the Tools menu, click Internet Options.
3. On the Content tab, in the Certificates section, click Certificates.
4. Click the Personal tab. Note There may be several certificates present, depending on whether you have installed certificates for other purposes.
5. Select one certificate at a time until the Certificate Intended Purposes field shows Encrypting File System. This is the certificate that was generated when you encrypted your first folder.
6. Click Export to start the Certificate Export Wizard, and then click Next.
7. Click Yes, export the private key to export the private key, and then click Next.
8. Click Enable strong protection, and then click Next.
9. Type your password. (You must have a password to protect the private key.)
10. Specify the path where you want to save the key. You can save the key to a floppy disk, another location on the hard disk, or a CD. If the hard disk fails or is reformatted, the key and the backup will be lost. (If you back up the key to a floppy disk or CD, you must store that disk or CD in a secure location.)
11. Specify the destination, and then click Next.

For additional information about the Encrypting File System (EFS), visit the following Microsoft Web site: Encrypting File System in Windows 2000
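The wizard steps above can be scripted so that the backup always lands on removable media and is verified before the user relies on it. The following is an added example, not from the Microsoft article; it assumes Windows PowerShell with the Cert: drive, an EFS private key that is exportable (the wizard's "Yes, export the private key" would otherwise be greyed out as well), and the EFS enhanced-key-usage OID 1.3.6.1.4.1.311.10.3.4 to pick the right certificate from the Personal store.

```powershell
# Added example (not from the Microsoft article): export the current user's EFS
# certificate and private key to a password-protected .pfx on removable media and
# verify the backup, the scripted counterpart of the Certificate Export Wizard steps.
# Assumes Windows PowerShell on a machine where the EFS private key is exportable.

$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'   # EFS enhanced key usage

function Get-RemovableDriveRoot {
    # First ready removable volume (USB stick, floppy); $null when none is inserted.
    [System.IO.DriveInfo]::GetDrives() |
        Where-Object { $_.DriveType -eq 'Removable' -and $_.IsReady } |
        Select-Object -First 1 |
        ForEach-Object { $_.RootDirectory.FullName }
}

function Backup-EfsCertificate {
    param(
        [Parameter(Mandatory = $true)][System.Security.SecureString]$Password,
        [string]$Destination = (Get-RemovableDriveRoot)
    )
    if (-not $Destination) {
        throw "No removable drive found; the backup should not live on the same disk as the data."
    }
    # Same selection the wizard makes by hand: Personal store, intended purpose EFS, private key present.
    $certs = @(Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $EfsEkuOid) })
    if ($certs.Count -eq 0) { throw "No EFS certificate with a private key found; encrypt a file first." }

    $pfxType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx
    foreach ($cert in $certs) {
        $name = 'efs-{0}-{1}.pfx' -f $env:USERNAME, $cert.Thumbprint.Substring(0, 8)
        $path = Join-Path $Destination $name
        # Pfx export includes the private key; the password is what protects it at rest.
        $bytes = $cert.Export($pfxType, $Password)
        [System.IO.File]::WriteAllBytes($path, $bytes)

        # Reopen the file and confirm it carries the same certificate and its private key
        # before relying on it as the only copy.
        $check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($path, $Password)
        if (-not $check.HasPrivateKey -or $check.Thumbprint -ne $cert.Thumbprint) {
            throw "Backup at '$path' did not verify."
        }
        [pscustomobject]@{ Thumbprint = $cert.Thumbprint; Expires = $cert.NotAfter; Backup = $path }
    }
}

# Usage: prompts for the PFX password, writes to the first removable drive, returns what was saved.
# Backup-EfsCertificate -Password (Read-Host -AsSecureString 'Password for the .pfx backup')
```

On Windows XP SP2 and later, cipher.exe /x:filename performs the same export of the user's EFS certificate and keys in one command; the script above adds the removable-media requirement and the reopen-and-verify step, which is the part most often skipped when a backup is made by hand.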
