File encryption - EFS

Hello, friends! In this article we will look at the EFS data encryption system and how you can use it to encrypt files. Data is usually encrypted to restrict access to it by third parties, and specifically for this Microsoft developed the EFS data encryption system. It has been part of Windows since Windows 2000 and all later versions. Unlike BitLocker, EFS can encrypt individual files and folders. To take full advantage of it, you need an edition of the operating system of Professional rank or higher. EFS is an add-on to the NTFS file system and will not work on other file systems: when encrypted data is copied to a disk with a file system other than NTFS, all of it is automatically decrypted.

The EFS encryption system encrypts information transparently to the user. That is, the user says "Encrypt folder" and all information in it is encrypted automatically. When encrypted files are accessed, they are decrypted automatically. This is one of the advantages of EFS over a password-protected archive.

An archive is convenient, of course, but not as versatile. It has to be unpacked, the files worked on, and then re-packed, and that last step is easy to forget. In addition, when you delete the files from which you created a password-protected archive, they are not physically erased from the disk. That is a gap in the protection.

EFS works as follows. When a file needs to be encrypted, the system generates a random key called the FEK (File Encryption Key). The file is encrypted with this key using a symmetric encryption algorithm. Symmetric means the file is encrypted and decrypted with the same key, the FEK.

When information needs to be encrypted, Windows creates two user keys: a public one and a private one. The FEK is encrypted with an asymmetric algorithm using the user's public key. Asymmetric means that data is encrypted with one key (in our case, the public key) and decrypted with another (the private key). The encrypted FEK is stored alongside the encrypted file.

The private key is itself encrypted using the user's password, so the security of your information depends directly on the strength of that password. It is therefore recommended to use a password of more than 8 characters that includes lower- and upper-case letters, digits and special characters.

To decrypt the data, you must log in with the user account that encrypted the files. The private key is then decrypted automatically when the correct password is entered. With the private key the FEK (File Encryption Key) is decrypted, and the FEK in turn decrypts the desired file.
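The key hierarchy just described (random FEK per file, FEK wrapped with the user's public key, unwrapped only by the matching private key) modelled in PowerShell with .NET crypto classes. This is an added illustration, not Windows' own EFS code: EFS has its own on-disk format and key storage, and here AES-256 and RSA-OAEP stand in for its algorithms. It assumes Windows PowerShell 5.1 on .NET Framework 4.6 or later.

```powershell
# Added model of the EFS key hierarchy; not the Windows implementation.
# AES-256 plays the symmetric file cipher, RSA-OAEP the wrap with the user's public key.
# Assumes Windows PowerShell 5.1 on .NET Framework 4.6 or later (RSACng).

function Protect-FileLikeEfs {
    param([byte[]]$Plaintext, [System.Security.Cryptography.RSA]$UserKey)
    # 1. A fresh random FEK (and IV) is generated for this file.
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256
    $aes.GenerateKey(); $aes.GenerateIV()
    # 2. The file body is encrypted symmetrically with the FEK.
    $body = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    # 3. The FEK is wrapped with the user's public key and stored next to the body
    #    (real EFS keeps it in the file's $EFS attribute).
    $wrapped = $UserKey.Encrypt($aes.Key,
        [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256)
    return @{ Body = $body; IV = $aes.IV; WrappedFek = $wrapped }
}

function Unprotect-FileLikeEfs {
    param($Blob, [System.Security.Cryptography.RSA]$UserKey)
    # Only the matching private key can unwrap the FEK ...
    $fek = $UserKey.Decrypt($Blob.WrappedFek,
        [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256)
    # ... and the FEK then decrypts the body.
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $fek; $aes.IV = $Blob.IV
    return $aes.CreateDecryptor().TransformFinalBlock($Blob.Body, 0, $Blob.Body.Length)
}

# Demo. In EFS the key pair lives in the user's EFS certificate; here it is generated ad hoc.
$user  = New-Object System.Security.Cryptography.RSACng -ArgumentList 2048
$data  = [Text.Encoding]::UTF8.GetBytes('constructed sample: quarterly report')
$blob  = Protect-FileLikeEfs -Plaintext $data -UserKey $user
[Text.Encoding]::UTF8.GetString((Unprotect-FileLikeEfs -Blob $blob -UserKey $user))

# A different user's key pair cannot unwrap the FEK, so the body stays unreadable.
$other = New-Object System.Security.Cryptography.RSACng -ArgumentList 2048
try   { Unprotect-FileLikeEfs -Blob $blob -UserKey $other }
catch { 'unwrap with the wrong private key failed: ' + $_.Exception.GetType().Name }
```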

File encryption

You can encrypt a file as follows. Right-click the file to open the context menu and select Properties. On the General tab, in the Attributes section, click Other… (Advanced… in English versions of Windows).

In the window that opens, tick the encryption checkbox and click OK.

Click Apply or OK in the file's properties window. During encryption a warning is displayed recommending that the folder be encrypted along with the file. Choose the recommended option and click OK.

The same window explains why the folder should be encrypted together with the file: programs create temporary files while editing, and those would not be encrypted. Usually temporary files are deleted, but the program may crash or the computer may lose power. In that case the temporary file remains on the disk unencrypted, which is another security hole. Therefore it is recommended to encrypt the file together with the folder containing it, or to encrypt the whole folder with all its contents.

Encrypted files are usually shown in green, if this is enabled in the settings.

You can check this as follows. In Explorer, on the toolbar, click Arrange and choose Folder and search options.

In the Folder Options window, go to the View tab and tick the box "Show encrypted or compressed NTFS files in color".

It is worth noting that in Windows a file can either be encrypted or be compressed to save space, but not both. I doubt anyone still bothers saving space in the era of 3, 4 and 5 terabyte hard drives.

To decrypt a file, you can copy it to an unencrypted folder and uncheck the corresponding checkbox in the Other attributes window.

For convenience when encrypting and decrypting files, you can enable the corresponding items in the context menu.

This is done by editing the registry. Start the regedit utility from the Start menu search box.

Go to the key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced

and create the value

"EncryptionContextMenu"=dword:00000001

To create the value, right-click an empty space and select New > DWORD (32-bit) Value.

It works for me even though my Windows 7 is 64-bit.

Now the corresponding items are in your context menu, and encryption becomes even easier.
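The same registry tweak from an elevated PowerShell, followed by encrypting a folder with the built-in cipher.exe and checking that the Encrypted attribute is really set. This is an added example, not from the article; the sample folder path is an assumption, adjust it to your own.

```powershell
# Added example: registry tweak from the article done in PowerShell (run as Administrator),
# then encrypting a folder with cipher.exe and verifying the result. Not from the article.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
# DWORD EncryptionContextMenu = 1 adds Encrypt / Decrypt to the Explorer context menu.
New-ItemProperty -Path $key -Name 'EncryptionContextMenu' -PropertyType DWord -Value 1 -Force | Out-Null
Get-ItemProperty -Path $key -Name 'EncryptionContextMenu' | Select-Object EncryptionContextMenu

# What the Properties dialog does, from the command line: cipher /e marks the folder so
# that new files are encrypted, and /s: also encrypts everything already inside it.
$folder = Join-Path $env:USERPROFILE 'Documents\Private'    # assumed sample path
New-Item -ItemType Directory -Path $folder -Force | Out-Null
'constructed sample content' | Set-Content -Path (Join-Path $folder 'notes.txt')
cipher /e "/s:$folder" | Out-Null

# The Encrypted file attribute is what Explorer uses to colour the entry green.
function Test-EfsEncrypted {
    param([string]$Path)
    return (Get-Item -LiteralPath $Path -Force).Attributes.HasFlag([IO.FileAttributes]::Encrypted)
}
Get-ChildItem -LiteralPath $folder -Recurse -Force |
    ForEach-Object { '{0,-6} {1}' -f (Test-EfsEncrypted $_.FullName), $_.FullName }

# cipher /c lists the user certificate(s) and recovery agents able to decrypt a file.
cipher /c (Join-Path $folder 'notes.txt')
```

Explorer reads the registry value when it starts, so the new menu items may only appear after Explorer is restarted or you log off and on again.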

Certificates

When you encrypt something for the first time, two keys are created: a public one and a private one. The public key encrypts the FEK, and the private key decrypts it. Both of these keys (public and private) are placed in a certificate. Accordingly, this certificate can be exported to decrypt the data on another computer.

This is done as follows.
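One way to locate the user's EFS certificate and back it up together with its private key from PowerShell, as an added example that is not the article's own walkthrough. The backup path is a placeholder, and Windows PowerShell 3 or later is assumed.

```powershell
# Added example: find the current user's EFS certificate and back it up with its private
# key so the files can be decrypted on another computer. Not from the article;
# the backup path is a placeholder. Assumes Windows PowerShell 3 or later.

# The EFS certificate is the one in the personal store whose Enhanced Key Usage is
# "Encrypting File System" (OID 1.3.6.1.4.1.311.10.3.4).
$efsCerts = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.10.3.4' }
$efsCerts | Format-List Subject, Thumbprint, NotAfter, HasPrivateKey

# cipher /x writes the certificate and private key to a password-protected .pfx file
# (cipher prompts for the password). Keep that file outside any EFS-encrypted folder,
# otherwise the backup itself depends on the key it is meant to recover.
cipher /x "$env:USERPROFILE\Desktop\efs-backup"      # produces efs-backup.pfx

# On the other computer, log in as the user who should read the files and import the
# .pfx into that user's personal store; only then can the wrapped FEK be unwrapped there:
#   certutil -user -p <password> -importPFX "<path>\efs-backup.pfx"
```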

If you have a simpler explanation of how EFS encryption works, please share it in the comments.