Home
Home Students Faculty and Staff IT Security Community
Protect Your Computer
and Data
Report an IT Security
Incident
Services
Sensitive Data Guide
Digital Copyright
Compliance
Training
IT Security Events
F.A.Q.
About IIA
Help
left navigation bottom border

Home arrow Protect Your Computer and Data arrow Security Shorts

How to Encrypt Documents with EFS on Your Vista Computer

ESTIMATED TIME TO COMPLETE: 5 MINS

What do you carry around on your laptop? Does it include things like your resume, transcripts, school or internship applications, or financial records? If you are using a laptop for your job, maybe you have files like human resources records, student applications, transcripts, human subject research data or payroll information.
These documents likely include some form of SENSITIVE DATA, which is data whose unauthorized disclosure may have serious adverse effect on the University's reputation, resources, services or individuals. If your laptop falls outside of your physical control due to loss or theft, you'll want the data inside to be electronically inaccessible.

Encryption is the standard technology used to protect sensitive data from unauthorized disclosure. Microsoft's latest operating system, Vista, makes encryption easy by providing built-in tools: the Encrypting File System (EFS) and Bitlocker. EFS provides encryption for specific folders, while BitLocker provides full-drive encryption.

Bitlocker is the recommended method for securing your information because:

  • you don't have to worry about getting documents in the encrypted folders,
  • you don't have to worry about unencrypted sensitive data left over in temp files, page files, hibernation files etc.

Use EFS only if:

  • you want to encrypt just a few selected folders rather than your whole hard drive--for example, if you share a computer and just want to encrypt your own files.
  • your hardware or software versions prevent you from using full-drive encryption (i.e. you don't have the Enterprise or Ultimate version of Vista).


BEFORE YOU PROCEED:

These Security Shorts are intended for non-technical users who manage their own computers. If your laptop is managed by an IT department, do not proceed. Contact your IT administrator for further assistance.

Please note that in order to complete this process, you will need a new back-up thumb drive that can't be used for other purposes.

Keep in mind:

  • Disk encryption technologies such as EFS can protect your data from unauthorized access, but it does nothing to protect data that is transmitted over the network or via e-mail.
  • EFS does not protect your data when you log in and visit a malicious Web site or open a malicious e-mail.
  • Back up your data and encryption keys, or risk losing your data irretrievably.

 

Step 0: Password Protect Your Account

If you haven't already, you need to build the first level of defense for your data, which is password protection. Consider using a pass-phrase, which is a more complex combination of letters than a typical password.

  1. Press CTRL+ALT+DEL
  2. Click Change a password...
  3. Enter your old password
  4. Create a strong password or pass-phrase by choosing a long but easily remembered phrase.

Here are some things to keep in mind when you create your new password:

  • Select a unique password - not one you are using or have used elsewhere. Do not use a PIN number or a password used for other computing accounts like AOL or hotmail.
  • Use at least nine characters containing a mix of upper- (capital) and lower-case letters, numbers, and common punctuation. However, do not use a forward slash (/) or a space bar.
  • The best passwords are made up. (Of course, don't use any examples shown here.)
    • Use the first letter of words in a phrase and include numbers and punctuation; for example, "Do you know the way to San Jose on US-12?" becomes "DyktwtSJoUS-12?"
    • Use an entire phrase, like Rudolph Is My Favorite Reindeer.

Step 1: Encrypt Your Desktop and Documents Folder

  1. Quit any application you may have open.
  2. From the Start menu, click your user account name to open your home directory:

    3. From the Start Menu, click on your user account name to open your home directory

  3. Click the Documents folder
  4. While the Documents folder is selected, press the Control key and click the Desktop folder
    • Both the Desktop folder and the Documents folder should now be selected as shown in the screenshot below
  5. Right-click the Documents folder and select Properties from the context menu
  6. Click the Advanced button on the Properties dialog
  7. Check the option that says Encrypt contents to secure data, and click OK

    8. Check the option that says Encrypt contents to secure data, and click OK

     

    Note: If the option to encrypt cannot be selected, contact the systems administrator or IT specialist in your department and ask them for the recommended way to encrypt your sensitive documents.

  8. Click OK again on the Properties dialog
  9. Turn on the button for Apply changes to this folder, subfolders and files. Click OK a third time to indicate that you want to encrypt all subfolders and files.

    10. Turn on the button for Apply changes to this folder, subfolders and files

    A progress dialog indicates the contents of your Documents folder are being encrypted:

    A progress dialog indicates the contents of your Documents folder are being encrypted

Step 2: Back up Your File Encryption Key

After Vista has finished encrypting your Desktop and Documents folders, you should see a notification to "Back up your file encryption key." This step is absolutely critical because if you forget your password or your on-disk key gets corrupted, there is no way to recover your data. If there were, the encryption process would be broken.

Note: If this notification doesn't appear, you can still click the Notification Icon (the lock and key) in the lower left corner of your screen to get started.

  1. Click the Notification Icon to back up your file encryption key

    2. Click the Notification Icon to back up your file encryption key

  2. Click the option to Back up now (recommended) which will launch the Certificate Export Wizard:

    3. Click the option to Back up now (recommended) which will launch the Certificate Export Wizard

  3. On the Welcome page of the Certificate Export Wizard, click Next
  4. On the Export File Format page, make sure the Personal Information Exchange - PKCS#12 (.PFX) format is selected and click Next

    5. On the Export File Format page, make sure the Personal Information Exchange - PKCS#12 (.PFX) format is selected and click Next

  5. On the Password page, type a strong password or pass-phrase, confirm it store it, and press Next
  6. On the File to Export page

    a. Insert a USB flash drive into your computer
    b. An AutoPlay dialog window appears - note the drive letter assigned to your flash drive (G: in the picture below). Close the dialog window.
    d. Type in the drive letter of your flash drive followed by a backslash then a filename. In this example, G:\EFSFileEncryptionKey
    e. Click Next

    7. Note the drive letter assigned to your flash drive

  7. On the Completion page, click Finish
  8. A Certificate Export Wizard dialog appears, noting that "The export was successful." Click OK

    9. The export was successful

  9. Eject the flash drive then store it in a safe place. For example, you may want to give it to your key admin to be locked in a safe. Don't use the flash drive for other purposes.
  10. Record the password that you entered in step 2.5 and store it in a safe place. If you do write down your password, store it separately from the flash drive, or be sure that your flash drive is physically secured in a way that an untrustworthy individual cannot access both the flash drive and your encrypted files.

Step 3: Store and Access Encrypted Documents

Store any and all sensitive data files on your Desktop or in the Documents folder since these were the two folders encrypted above. When you save a file in an encrypted folder, the file will automatically be encrypted. You can tell that a file (or folder) is encrypted if the name of the file or folder is green:

You can tell that a file (or folder) is encrypted if the name of the file or folder is green

Access and work with your encrypted documents just like you did before. You don't have to do anything special since the computer automatically encrypts and decrypts the data for you.

If you move or copy a file out of an encrypted folder, the filename may turn black, indicating that it is no longer encrypted.

Step 4: Backing Up Your EFS-Encrypted Documents

This security short is primarily about encrypting data on laptop computers to prevent unauthorized access to sensitive data when the laptop is lost, stolen, confiscated, or otherwise physically compromised. With that in mind, we support creating clear-text (unencrypted) back-ups of sensitive data as long as those clear-text back-ups are physically secured away from the mobile laptop in a safe, vault, locked cabinet, server room etc. Creating clear-text back-ups has the added advantage of providing access to your data in the event that the key recovery process (also described in this document) fails for some reason (such as forgetting your recovery key password).

To back up your EFS-encrypted documents in clear-text, simply copy them from your encrypted folder to a network server, external hard drive, CD ROM, USB flash drive, etc. When you perform that copy operation, Vista will inform you that your back-up copy will be unencrypted. Click Yes.

Vista will inform you that your back-up copy will be unencrypted

Note: If you click No then the file will not be copied at all in either format!

If you currently use a back-up program (rather than manually copying your files) there are three ways that back-up product will interact with EFS-encrypted documents. Specifically, your current back-up solution will either:

    • Fail when it attempts to back up your EFS-encrypted documents
    • Back-up your EFS-encrypted documents in clear-text format
    • Back-up your EFS-encrypted documents and keep them encrypted

You should test your back-up solution and verify that it minimally will make a clear-text back-up of your EFS-encrypted documents. If it fails to back-up your EFS-encrypted documents, you should contact the vendor to identify their EFS support plans. In the meantime, you can manually back-up the encrypted files as described above by copying them yourself.

Note: Technically advanced users who want to back-up up their EFS-encrypted documents while preserving the encryption without paying for a third-party back-up solution have a built-in option. Windows Vista includes a command line tool called robocopy.exe that has an /EFSRAW switch which will preserve the encryption of copied files.

To UnEncrypt an Individual File

  1. In Windows Explorer, right-click the file you want to decrypt, and then click Properties
  2. Click the Advanced button in the General tab on the Properties sheet
  3. Clear the Encrypt contents to secure data check box, and then click OK
  4. Click OK again on the Properties sheet

To UnEncrypt a Folder and All Files in it

  1. In Windows Explorer, right-click the folder you want to decrypt, and then click Properties
  2. Click the Advanced button in the General tab on the Properties sheet
  3. Clear the Encrypt contents to secure data check box, and then click OK
  4. Click OK again on the Properties sheet
  5. On the Confirm Attribute Changes dialog, select the option to Apply changes to this folder, subfolders, and files, then click OK

If you lose your thumb drive...

  1. Open Certificate Manager by clicking Start, typing certmgr.msc into the Search box, and then pressing Enter
  2. Click the arrow next to the Personal folder to expand it
  3. Click Certificates
  4. Click the certificate that lists Encrypting File System under Intended Purposes (You might need to scroll to the right to see this)
  5. If there is more than one EFS certificate, you should back up all of them
  6. Click the Action menu, point to All Tasks, then click Export
  7. In the Certificate Export wizard, click Next, click Yes, export the private key, then click Next
  8. Click Personal Information Exchange, then click Next
  9. Type the password you want to use, confirm it, then click Next
  10. The export process will create a file to store the certificate
  11. Enter a name for the file and the location (include the whole path) or click Browse and navigate to the location, and then enter the file name
  12. Click Finish

To Recover an Encrypted File or Folder

If you can see the file or folder, but are unable to decrypt it for some reason, follow these steps:

Note: This information will not help recover a file from your back-up tape if your hard disk has crashed.

  1. Insert the USB flash drive that contains your backed-up EFS certificate
    • You backed up your EFS certificate and stored it in a safe place in Step 2 along with a written copy of your password
  2. From the AutoPlay dialog, Open folder to view files
    • If AutoPlay is disabled and no dialog pops up when you insert your flash drive, then navigate to the flash drive using Windows Explorer
  3. Double click the (.pfx) file that contains your backed-up certificate
    • In Step 2.6, the file was named EFSFileEncryptionKey
    • This opens the Certificate Import wizard
  4. On the Welcome page, click Next.
  5. On the File to Import page, click Next
    • The filename should already be entered since you launched the Import wizard by clicking on the filename
  6. Type the password, select the Mark this key as exportable check box, and click Next
    • You entered a password in Step 2.5
    • You optionally recorded the password in Step 2.10
    • Do not enable strong private key protection
  7. On the Certificate Store page,
    • Select the option to Place all certificates in the following store
    • Click the Browse button and select the Personal store then click OK
    • Click Next
  8. On the Completion page, click Finish

After the certificate is imported, you should have access to the encrypted files.
Last modified January 17, 2013