Working with the encrypting file system

Thursday Sep 28th 2000 by Brien M. Posey

Windows 2000 supports individual file encryption. While this protects individual files from unwanted tampering, network administrators must plan how to support and manage the encryption and decryption process.


Several years ago, Microsoft introduced the NTFS file system. The idea was to create a file system that would protect files on the local hard disk from prying eyes. Unless a users have the proper permissions, they can't read, write, or modify the files residing on such a partition. Although NTFS was a good idea, since its creation a number of utilities have been published on the Internet that allow anyone to gain full access to an NTFS partition without having to enter any security credentials. Such utilities expose the need for a more secure file system.

Because of this need, Microsoft introduced a new version of NTFS with Windows 2000. This version supports an encrypting file system (EFS). By using encryption on the individual files, even if a hacker were to gain access to them, the files would be useless unless the hacker could figure out a way to decrypt each file. In this article, I'll show you how to encrypt and decrypt files. I'll then go on to explain how to recover encrypted files, should something go wrong.

Encrypting files and folders

Encrypting local files is one of the easiest Windows 2000 tasks. However, you need to keep a few things in mind before you get started. First, you may only encrypt files that reside on an NTFS version 5 partition. Second, you can't encrypt some types of files--for example, you won't be able to encrypt system files or compressed files. Finally, you can't encrypt the root directory on any partition.

With that said, you can encrypt files by following these steps:

  1. Open an NTFS version 5 partition and select the folder you want to encrypt. Right-click on the folder and select Properties from the resulting context menu.

  2. When you see the folder's properties sheet, navigate to the General tab and click the Advanced button.

  3. In the resulting dialog box, select the Encrypt Contents To Secure Data check box and click OK twice.

  4. You'll see a dialog box that asks if you want to encrypt only the folder that you've selected or the folder, all subfolders, and the files that they contain. Whichever option you choose, remember that any files added to encrypted folders will be encrypted.

Working with encrypted files

Once files have been encrypted, you should know a few things about working with them. For starters, when you encrypt files, the encryption is done with a combination of your public and private keys. This means that no other user can decrypt the files. Therefore, if you need to share files with others, you'll have to use some other security mechanism to protect them.

You also need to know that every time you work with an encrypted file, the file is temporarily decrypted. As you might guess, for the decryption to occur the computer must contain a copy of your keys. If you transfer the encrypted files to another computer, you must also export a copy of your security keys to that computer or you won't be able to use the files.

Finally, you can work with encrypted files just like you would any other file. You can move, rename, and even delete them (assuming you have the appropriate rights). Simply encrypting a file doesn't protect it from being deleted. As you manipulate files, keep in mind that if you move an encrypted file, then depending where you move it to, the file may become permanently decrypted. For example, moving encrypted files or folders to any partition other than one formatted as NTFS version 5 will cause the files to lose their encryption. When you're simply renaming, moving, or copying an encrypted file within an NTFS version 5 partition, the file will retain its encrypted status.


The process of permanently decrypting files differs little from encrypting them:

  1. Right-click on an encrypted folder and select the Properties command from the resulting context menu.

  2. When you see the folder's properties sheet, navigate to the General tab and click the Advanced button.

  3. In the resulting dialog box, remove the check from the Encrypt Contents To Secure Data check box and click OK twice.

  4. You'll see a dialog box that asks if you want to apply the change to all subfolders and files, or just to the folder that you've selected. Make your selection and click OK.

Recovering encrypted files

Earlier, I mentioned that only the user who encrypts the files may use them because the files require the users keys. You may wonder what happens if the keys are accidentally deleted, or if the user leaves the company without decrypting the files first. Although this presents a difficult situation, you can recover the files. The encrypting file system uses a combination of public key and symmetric key encryption. The file itself is encrypted using a symmetric key algorithm. The symmetric key itself is then encrypted using public key technology. The catch here is that the symmetric key is actually encrypted twice--first using the user's public key, and then into a separate file using a public key that belongs to something called the recovery agent.

To recover an encrypted folder, the administrator must acquire a recovery agent certificate. Once the administrator has such a certificate, he must add the certificate to the Active Directory's recovery policy. This can be done through the Add Recovery Agent Wizard found in the Group Policy snap-in for Microsoft Management Console.

An alternative recovery method is to use a command-line tool called CIPHER. To recover an encrypted file, simply log onto the recovery computer as the recovery account and use the CIPHER command. For the CIPHER command to work, the recovery computer must contain the recovery account, the certificate and the private key. //

Brien M. Posey is an MCSE who works as a freelance writer. His past experience includes working as the director of information systems for a national chain of health care facilities and as a network engineer for the Department of Defense. Because of the extremely high volume of e-mail that Brien receives, it's impossible for him to respond to every message, although he does read them all.

Mobile Site | Full Site
Copyright 2017 © QuinStreet Inc. All Rights Reserved