Use File and Folder Encryption
The actual process of encrypting a file or folder is very easy; you simply turn on the Encrypted attribute. Given that there is a certificated recovery agent administrator and that the user turning on the encryption has an EFS certificate, there is very little else to do. Look at the full process, including the certification, in the next sections.
Create EFS Certificates
Earlier in this tutorial, under "Certificate Authentication," there is a discussion of setting up AD CS and requesting a certificate. The following steps show specifically how to request an EFS Recovery Agent certificate:
- While logged on as the administrator who will be the recovery agent, open the MMC by opening the Start menu, clicking Run, typing mmc, and clicking OK.
- In the Console, click the File menu, click Open, and double-click your Certificates console. In the left pane, open Console Root | Certificates - Current User | Personal | Certificates.
- Click the Action menu and click All Tasks | Request New Certificate. The Certificate Enrollment wizard opens. Click Next.
- Select EFS Recovery Agent as the certificate template as shown next, click Enroll, and click Finish.
Encrypt a File and a Folder
Encryption of either files or folders can be done from Windows Explorer or from the command prompt.
NOTE: The encrypted files and folders are displayed in green in Windows Explorer.
Encrypt a File from Windows Explorer Here are the steps to encrypt a file from Windows Explorer:
- Click Start | Computer. In the folders tree on the left, open the drive and folders necessary to display on the right the file you want to encrypt.
- Right-click the file and click Properties. In the General tab, click Advanced. The Advanced Attributes dialog box opens.
- Click Encrypt Contents To Secure Data.
- Click OK twice. You get an Encryption Warning that the file is not in an encrypted folder, which means that when you edit the file, temporary or backup files might be created that are not encrypted.
- Make the choice that is correct for you. If you don't want to see this warning in the future, click Always Encrypt Only The File. Click OK.
TIP: To unencrypt a file or a folder, simply follow the same steps used to encrypt it and remove the check mark in front of Encrypt Contents To Secure Data. You, of course, must be either the person who originally encrypted the file or folder, or a recovery agent.
Encrypt a Folder from Windows Explorer Encrypting a folder from Windows Explorer is very similar, as you can see in these steps:
- Open Windows Explorer and display in the right pane the folder you want to encrypt.
- Right-click the folder and click Properties. In the General tab, click Advanced. The Advanced Attributes dialog box opens.
- Click Encrypt Contents To Secure Data and click OK twice. The Confirm Attribute Changes dialog box opens.
- You are asked whether you want to apply the encryption to this folder only or to the folder, its files, and its subfolders. If you choose This Folder Only, existing files and folders in the folder being encrypted will not be encrypted, while files and folders created or copied to the encrypted folder after the fact will be encrypted. If you choose This Folder, Subfolders And Files, existing files and folders, as well as those created or copied in the future, will be encrypted.
- Choose the settings that are correct for you and click OK.
CAUTION: If you choose Apply Changes To This Folder, Subfolders And Files for a shared folder that has files or subfolders belonging to others, you will encrypt those files and subfolders with your key, and the owners will not be able to use their property.
Test File Encryption
So what happens when someone tries to access an encrypted file? Try it yourself. Log off and log back on as a different user and then try to open the file. It looks as if it's going to open, and then a little message appears:
The actual message varies depending on the application you are using to try to open the file. If access is appropriate, the recovery agent administrator can solve the problem.
Okay, what about copying the file to a non-Windows Server 2008 NTFS file system, such as a Windows 98 FAT32 machine on the network? The file is no longer encrypted when you do that, correct? Again try it, first while logged on as the one who encrypted the file. Everything will work as it is supposed to-the file will be copied and will no longer be encrypted. Then log off and log back on again as someone else and try copying the file. Once more it looks as if it's going to work, and then another little message appears.
In this tutorial:
- Windows Server 2008 Security
- Authenticate the User
- Network User Authentication
- Replacements for Passwords
- Certificate Authentication
- Control Access
- Groups
- Permissions
- Add New Permissions
- Share Permission
- Secure Stored Data
- Use File and Folder Encryption
- Drive Encryption with BitLocker
- Use a Computer with BitLocker
- Understand Private/Public Key Encryption
- Secure Data Transmission
- Implement Secure LAN Transmission