Encrypting Information
Windows 7 provides the following encryption tools for preventing the loss of confidential data:
- Encrypting File System (EFS) encodes your files so that even if someone is able to obtain the files, he or she won't be able to read them. The files are readable only when you log on to the computer using your user account (which, presumably, you have protected with a strong password). In fact, even someone else logging on to your computer won't have access to your encrypted files, a feature that provides protection on systems that are shared by more than one user.
- BitLocker Drive Encryption, introduced with Windows Vista, provides another layer of protection by encrypting entire hard-disk volumes. By linking this encryption to a key stored in a Trusted Platform Module (TPM) or USB flash drive, BitLocker reduces the risk of data being lost when a computer is stolen, or when a hard drive is stolen and placed in another computer. A thief's standard approach in these situations is to boot into an alternate operating system and then try to retrieve data from the stolen computer or drive. With BitLocker Drive Encryption, that type of offline attack is effectively neutered.
- BitLocker To Go, new in Windows 7, extends BitLocker encryption to removable media, such as USB flash drives.
EFS is available on systems running Windows 7 Professional or Ultimate/Enterprise. Encrypting a drive using BitLocker or BitLocker To Go requires Ultimate/Enterprise edition. You can use a flash drive encrypted with BitLocker To Go in any edition of Windows 7.
Using the Encrypting File System
The Encrypting File System (EFS) provides a secure way to store your sensitive data. Windows creates a randomly generated file encryption key (FEK) and then transparently encrypts the data, using this FEK, as it is being written to disk. Windows then encrypts the FEK using your public key. (Windows creates a personal encryption certificate with a public/private key pair for you the first time you use EFS.) The FEK, and therefore the data it encrypts, can be decrypted only with your certificate and its associated private key, which are available only when you log on with your user name and password. (Designated data recovery agents can also decrypt your data.) Other users who attempt to use your encrypted files receive an "access denied" message. Even administrators and others who have permission to take ownership of files are unable to open your encrypted files. EFS, which uses Advanced Encryption Standard (AES) with a 256-bit key as its default encryption algorithm, provides extremely strong protection against attackers.
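The key hierarchy described above (a random FEK that encrypts the data, and a public key that encrypts the FEK) can be modelled in a few lines. The following is an added illustration, not code from the book and not EFS's actual on-disk format: it uses the .NET crypto classes that ship with Windows 7 to show why only the holder of the matching private key (the owner, or a designated recovery agent whose public key also wrapped the FEK) can recover the data. Key sizes and function names are assumptions.

```powershell
# Added illustration of the EFS key hierarchy (model only; EFS's own $EFS metadata layout is not
# reproduced). A random 256-bit AES key (the FEK) encrypts the data; the FEK is wrapped under the
# owner's RSA public key and, optionally, a recovery agent's public key (RSA-OAEP). Assumption:
# 2048-bit RSA stands in for the personal encryption certificate's key pair.

function New-EfsModelKeyPair {
    # Stands in for the certificate's public/private key pair that EFS creates on first use.
    New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048
}

function Protect-WithFek {
    param(
        [byte[]]$Plaintext,
        [System.Security.Cryptography.RSACryptoServiceProvider]$OwnerKey,
        [System.Security.Cryptography.RSACryptoServiceProvider]$RecoveryAgentKey = $null
    )
    $aes = New-Object System.Security.Cryptography.AesCryptoServiceProvider
    $aes.KeySize = 256
    $aes.GenerateKey()                      # this random key is the FEK
    $aes.GenerateIV()
    $iv = $aes.IV
    $ciphertext = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)

    # One wrapped copy of the FEK per party allowed to read the file. EFS keeps the owner's copy
    # in the Data Decryption Field and recovery agents' copies in Data Recovery Fields.
    $wrapped = @{ Owner = $OwnerKey.Encrypt($aes.Key, $true) }
    if ($RecoveryAgentKey) { $wrapped.Agent = $RecoveryAgentKey.Encrypt($aes.Key, $true) }
    $aes.Clear()                            # the raw FEK is never stored in the clear
    New-Object PSObject -Property @{ Ciphertext = $ciphertext; IV = $iv; WrappedFek = $wrapped }
}

function Unprotect-WithFek {
    param($Package, [System.Security.Cryptography.RSACryptoServiceProvider]$Key, [string]$Slot = 'Owner')
    if (-not $Package.WrappedFek.ContainsKey($Slot)) { throw "no wrapped FEK stored for $Slot" }
    if ($Key.PublicOnly) { throw 'access denied: private key not available (not logged on as the owner)' }
    try {
        $fek = $Key.Decrypt($Package.WrappedFek[$Slot], $true)
    } catch {
        # A different private key cannot unwrap the FEK, so the data stays unreadable.
        throw 'access denied: this key does not unwrap the FEK'
    }
    $aes = New-Object System.Security.Cryptography.AesCryptoServiceProvider
    $aes.KeySize = 256
    $aes.Key = $fek
    $aes.IV = $Package.IV
    $aes.CreateDecryptor().TransformFinalBlock($Package.Ciphertext, 0, $Package.Ciphertext.Length)
}

# --- demonstration with constructed sample data ---
$owner = New-EfsModelKeyPair
$agent = New-EfsModelKeyPair
$otherUser = New-EfsModelKeyPair
$data = [Text.Encoding]::UTF8.GetBytes('quarterly numbers (constructed sample)')
$pkg = Protect-WithFek -Plaintext $data -OwnerKey $owner -RecoveryAgentKey $agent

[Text.Encoding]::UTF8.GetString((Unprotect-WithFek $pkg $owner))               # owner reads the file
[Text.Encoding]::UTF8.GetString((Unprotect-WithFek $pkg $agent -Slot Agent))   # recovery agent reads it
try { Unprotect-WithFek $pkg $otherUser } catch { "Other user: $_" }           # anyone else: access denied

# Even the owner's own public key is not enough: this is the "logged off" case.
$ownerPublicOnly = New-Object System.Security.Cryptography.RSACryptoServiceProvider
$ownerPublicOnly.ImportParameters($owner.ExportParameters($false))
try { Unprotect-WithFek $pkg $ownerPublicOnly } catch { "Public key only: $_" }
```

The point the model makes concrete is that the data is never re-encrypted for each reader; only the small FEK is, once per authorised key. That is also why losing the private key (see the caution below) is unrecoverable: without it no copy of the FEK can be unwrapped, and the AES ciphertext is all that remains.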
You can encrypt individual files, folders, or entire drives. (You cannot encrypt the boot volume, the one that holds the Windows operating system files, using EFS, however. For that, you must use BitLocker Drive Encryption.) We recommend that you encrypt folders or drives instead of individual files. When you encrypt a folder or drive, the existing files it contains are encrypted, and new files that you create in that folder or drive are also encrypted automatically. This includes temporary files that your applications create in the folder or drive. (For example, Microsoft Office Word creates a copy of a document when you open it for editing. If the document's folder isn't encrypted, the temporary copy isn't encrypted, giving prying eyes a potential opportunity to view your data.) For this reason, you should consider encrypting your %Temp% and %Tmp% folders, which many applications use to store temporary copies of documents that are open for editing, in addition to encrypting the folders where your sensitive documents are stored.
To encrypt a folder, follow these steps:
- In Windows Explorer, right-click the folder, choose Properties, click the General tab, and then click Advanced, which displays the Advanced Attributes dialog box. (If the properties dialog box doesn't have an Advanced button, the folder is not on an NTFS-formatted volume and you can't use EFS.)
- Select Encrypt Contents To Secure Data. (Note that you can't encrypt compressed files. If the files are already compressed, Windows clears the Compressed attribute.)
- Click OK twice. If the folder contains any files or subfolders, Windows then displays a confirmation message.
Note:
If you select Apply Changes To This Folder Only, Windows doesn't encrypt any of the files currently in the folder. Any new files that you create in the folder, however, including files that you copy or move to the folder, will be encrypted.
After a file or folder has been encrypted, Windows Explorer displays its name in green. This minor cosmetic detail is the only change you are likely to notice. Windows will decrypt your files on the fly as you use them and re-encrypt them when you save.
CAUTION:
Before you encrypt anything important, you should back up your file recovery certificate and your personal encryption certificate (with their associated private keys), as well as the data recovery agent certificate, to a USB flash drive (UFD). Store the UFD in a secure location. If you ever lose the certificate stored on your hard drive (because of a disk failure, for example), you can restore the backup copy and regain access to your files. If you lose all copies of your certificate (and no data recovery agent certificates exist), you won't be able to use your encrypted files. No back door exists, nor is there any practical way to hack these files. (If there were, it wouldn't be very good encryption.)
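The folder-encryption procedure above, the check that nothing under an encrypted folder was left in the clear, and the certificate backup the caution asks for can all be scripted with cipher.exe, which is included in Windows 7. The following is an added example, not the book's own steps: the folder list, the hypothetical function names and the E: drive letter for the flash drive are assumptions, and it backs up only the personal EFS certificate (the data recovery agent certificate is a separate export).

```powershell
# Added example (not from the book): encrypt the sensitive-document folders plus %Temp% and %Tmp%
# with EFS, report any file under them that is still unencrypted, and back up the personal EFS
# certificate and private key to a flash drive. Assumptions: folder list below, E: is the UFD.

$SensitiveFolders = @("$env:USERPROFILE\Documents\Confidential", $env:TEMP, $env:TMP) | Select-Object -Unique
$BackupOnUfd = 'E:\efs-certificate-backup'   # cipher appends .pfx; E: assumed to be the flash drive

function Test-NtfsPath {
    param([string]$Path)
    # EFS works only on NTFS; this is the same condition that makes the Advanced button disappear.
    $drive = [System.IO.Path]::GetPathRoot($Path).TrimEnd('\')
    $vol = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$drive'"
    return ($vol -ne $null -and $vol.FileSystem -eq 'NTFS')
}

function Test-EfsEncrypted {
    param([string]$Path)
    # The Encrypted attribute is what Explorer renders as the green file name.
    $item = Get-Item -LiteralPath $Path -Force
    return (($item.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0)
}

function Enable-EfsFolder {
    param([string]$Path)
    if (-not (Test-NtfsPath $Path)) { Write-Warning "$Path is not on NTFS; EFS is unavailable there"; return $false }
    if (-not (Test-Path -LiteralPath $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    # /E encrypt; /S:<dir> the folder and every subfolder; /A the files in them as well. Without /A
    # only the folders are marked, which is the Apply Changes To This Folder Only case in the note.
    # Files that another program holds open are skipped and reported by cipher.
    & cipher.exe /E /S:"$Path" /A | Out-Null
    return (Test-EfsEncrypted $Path)
}

function Get-UnencryptedFiles {
    param([string]$Path)
    # Anything left in the clear beneath an encrypted folder, e.g. files that were present when
    # only the folder itself was marked, or files cipher could not open.
    Get-ChildItem -LiteralPath $Path -Recurse -Force |
        Where-Object { -not $_.PSIsContainer -and -not (Test-EfsEncrypted $_.FullName) }
}

function Backup-EfsCertificate {
    param([string]$Target)
    # /X exports the current user's EFS certificate and private key to <Target>.pfx and prompts
    # for a password that protects the .pfx. Keep the file off the computer, as the caution says.
    & cipher.exe /X $Target
    return (Test-Path -LiteralPath "$Target.pfx")
}

# --- run ---
foreach ($f in $SensitiveFolders) {
    if (Enable-EfsFolder $f) {
        $left = @(Get-UnencryptedFiles $f)
        "{0}: encrypted, {1} file(s) still in the clear" -f $f, $left.Count
        $left | ForEach-Object { "  " + $_.FullName }
    }
}
if (Test-Path -LiteralPath 'E:\') { Backup-EfsCertificate $BackupOnUfd } else { Write-Warning 'flash drive E: not present; certificate not backed up' }
```

Run it in the account whose files are being protected, because cipher /X exports that user's certificate. Re-running Get-UnencryptedFiles later is a cheap way to catch an application that writes its working copies somewhere outside the encrypted folders.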
To encrypt one or more files, follow the same procedure as for folders. You'll see a different confirmation message to remind you that the file's folder is not encrypted and to give you an opportunity to encrypt it. You generally don't want to encrypt individual files, because the information you intend to protect can too easily become decrypted without your knowledge. For example, with some applications, when you open a document for editing, the application creates a copy of the original document. When you save the document after editing, the application saves the copy, which is not encrypted, and deletes the original, encrypted document. Static files that you use for reference only, but never for editing, can safely be encrypted without encrypting the parent folder. Even in that situation, however, you'll probably find it simpler to encrypt the whole folder.
Encrypting with BitLocker and BitLocker To Go
BitLocker Drive Encryption can be used to encrypt entire NTFS volumes, which provides excellent protection against data theft. BitLocker can secure a drive against attacks that involve circumventing the operating system or removing the drive to another computer. BitLocker is a powerful tool that can more than ruin your day if you don't know what you are doing. Because under some circumstances it can lock you out of your own computer or data, we recommend that before you apply BitLocker to your own systems you carefully read two white papers from Microsoft: "BitLocker Drive Encryption Deployment Guide for Windows 7" (w7io.com/1004) and "BitLocker Drive Encryption Step-by-Step Guide for Windows 7" (w7io.com/1005).
BitLocker To Go, a new feature in Windows 7, allows you to encrypt the entire contents of a USB flash drive or other removable device. If it's lost or stolen, the thief will be unable to access the data without the password.
Note:
After you encrypt a removable drive using BitLocker To Go on a PC running Windows 7 Ultimate or Enterprise, you can add, delete, and change files on that volume using any edition of Windows 7. Systems running Windows XP and Windows Vista can, with proper authentication, open (but not change) files on encrypted media using a reader program that is included on the volume itself. This reader program does not work with volumes formatted using NTFS; if you intend to use a removable drive on systems running older Windows versions, be sure to format it using FAT, FAT32, or exFAT before turning on BitLocker To Go encryption.
To apply BitLocker To Go, right-click the removable device in Windows Explorer and choose Turn On BitLocker from the shortcut menu.
BitLocker To Go will ask how you want to unlock the encrypted drive: with a password, a smart card, or both. After you have made your selections and confirmed your intentions, the software will give you the opportunity to save and print your recovery key.
Your recovery key is a system-generated, 48-character, numeric backup password. If you lose the password you assign to the encrypted disk, you can recover your data with the recovery key. BitLocker To Go offers to save that key in a plain text file; you should accept the offer and store the file in a secure location.
With all preliminaries out of the way, BitLocker To Go begins encrypting your media. This takes a few minutes, even if the disk is freshly formatted. Any files currently on the disk are encrypted, as are any files subsequently added.
To read an encrypted disk, you will need to unlock it, using whatever method you have stipulated. You will also see an Automatically Unlock On This Computer From Now On check box. If your computer is secure and you're only concerned about having your data locked when it's not plugged into this computer, you can safely exercise this option.
If you're prompted for a password that you have lost or forgotten, click I Forgot My Password. You will then have the opportunity to enter your recovery key. In case you have several recovery-key text files, BitLocker To Go gives you the key's identification code.
Find the text file whose name matches the identification code, copy the recovery key from this text file to the BitLocker dialog box, and you'll be granted temporary access to the files (and the access is good until you remove the disk or restart the computer). If you are using Windows 7 Ultimate or Enterprise, the dialog box that announces your temporary access includes a Manage BitLocker button. Clicking this button gives you an opportunity to reset the password that unlocks the drive.
To remove BitLocker To Go encryption from a disk, open BitLocker Drive Encryption in the System And Security section of Control Panel and click Turn Off BitLocker. The software will decrypt the disk; allow some time for this process.
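The whole BitLocker To Go sequence above (turn on with a password, save the 48-digit recovery key and its identification code, wait for encryption to finish, unlock with the recovery key, and turn it off again) can be driven from an elevated PowerShell prompt with manage-bde.exe, the command-line counterpart of the Control Panel item. The following is an added example, not the book's own procedure: the drive letter, the recovery folder, the text-file layout and the function names are assumptions, and it requires Windows 7 Ultimate or Enterprise like the GUI does.

```powershell
# Added example (not from the book): BitLocker To Go via manage-bde.exe. Assumptions: E: is the
# removable drive, the recovery folder below is on the PC (never on the drive being encrypted),
# and the prompt is elevated. manage-bde asks for the unlock password interactively.

$RemovableDrive = 'E:'
$RecoveryFolder = "$env:USERPROFILE\Documents\BitLocker Recovery"

function Assert-Elevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'manage-bde needs an elevated (Run as administrator) prompt'
    }
}

function Get-B2GStatus {
    param([string]$Drive)
    # Reduce the 'manage-bde -status' listing to the fields worth polling.
    $info = @{}
    foreach ($line in (& manage-bde.exe -status $Drive)) {
        if ($line -match '^\s*(Conversion Status|Lock Status|Percentage Encrypted|Protection Status):\s*(.+)$') {
            $info[$matches[1]] = $matches[2].Trim()
        }
    }
    New-Object PSObject -Property $info
}

function Get-B2GRecoveryPassword {
    param([string]$Drive)
    # The numerical password protector is the 48-digit recovery key; its ID is the identification
    # code BitLocker shows after you click I Forgot My Password.
    $text = (& manage-bde.exe -protectors -get $Drive) -join "`n"
    $m = [regex]::Match($text, 'Numerical Password:\s+ID:\s+(\{[0-9A-Fa-f-]+\})\s+Password:\s+((?:\d{6}-){7}\d{6})')
    if (-not $m.Success) { return $null }
    New-Object PSObject -Property @{ Id = $m.Groups[1].Value; Password = $m.Groups[2].Value }
}

function Save-B2GRecoveryPassword {
    param([string]$Drive, [string]$Folder)
    $rp = Get-B2GRecoveryPassword $Drive
    if (-not $rp) { throw "no numerical password protector found on $Drive" }
    if (-not (Test-Path -LiteralPath $Folder)) { New-Item -ItemType Directory -Path $Folder | Out-Null }
    # The file name carries the ID so the matching file is easy to find later (our own layout).
    $file = Join-Path $Folder ("BitLocker Recovery Key " + $rp.Id.Trim('{}') + ".txt")
    @("Identifier: " + $rp.Id, "Recovery Key: " + $rp.Password) | Set-Content -LiteralPath $file
    return $file
}

function Enable-BitLockerToGo {
    param([string]$Drive, [string]$Folder)
    Assert-Elevated
    # -pw adds the password protector (prompts twice); -rp adds the numerical recovery password.
    & manage-bde.exe -on $Drive -pw -rp
    $file = Save-B2GRecoveryPassword $Drive $Folder
    # Encryption runs in the background; poll until the whole drive is converted.
    do { Start-Sleep -Seconds 10; $s = Get-B2GStatus $Drive } until ($s.'Conversion Status' -eq 'Fully Encrypted')
    return $file
}

function Unlock-B2GWithRecoveryKey {
    param([string]$Drive, [string]$RecoveryFile)
    # The I Forgot My Password path: read the key back from the saved file and unlock with it.
    $key = Get-Content -LiteralPath $RecoveryFile | Where-Object { $_ -match '^Recovery Key: ' } | Select-Object -First 1
    & manage-bde.exe -unlock $Drive -rp ($key -replace '^Recovery Key: ', '')
}

function Disable-BitLockerToGo {
    param([string]$Drive)
    Assert-Elevated
    & manage-bde.exe -off $Drive
    # Decryption also runs in the background; allow time, as the text says.
    do { Start-Sleep -Seconds 10; $s = Get-B2GStatus $Drive } until ($s.'Conversion Status' -eq 'Fully Decrypted')
}

# --- usage ---
# $recoveryFile = Enable-BitLockerToGo $RemovableDrive $RecoveryFolder
# Get-B2GStatus $RemovableDrive
# Unlock-B2GWithRecoveryKey $RemovableDrive $recoveryFile
# & manage-bde.exe -autounlock -enable $RemovableDrive   # only on a PC you trust (Automatically Unlock On This Computer)
# Disable-BitLockerToGo $RemovableDrive
```

Keep the recovery file where the drive is not: a recovery key stored on the encrypted drive itself protects nothing. Get-B2GRecoveryPassword is also the quickest way to confirm, before you rely on the drive, that a numerical password protector actually exists.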