Introduction
One of the improvements introduced with Windows XP is the latest version of the NTFS file system. NTFS has historically been superior to the FAT-based file systems that Win9x and WinME used. NTFS is a journaled file system.
One reason NTFS is better than FAT32 is that NTFS has a strong focus on security, which, when coupled with Windows XP, can lock down the contents of your disk. FAT file systems were not designed with security in mind.
This article explains the Encrypted File System (EFS) feature of the NTFS system on Windows XP. The same technology, perhaps with improvements, will be available with Windows Vista (Longhorn) when it becomes publicly available.
Create your own account, add a password, encrypt your files!
EFS allows you to seamlessly encrypt your data. You save and access this data as you normally would; it is encrypted on the fly as it is written to the disk. To make use of this feature you must use Windows XP and your partition must be formatted using the NTFS file system.
To make use of EFS you have to make use of "users" on Windows XP. Each user that accesses the computer should have their own user account and it should be password protected. When a user encrypts their data, it is accessible only from their account. Other users have no access to this data as it is encrypted. It's important to emphasize that when Person A is logged in, Person A has access to their encrypted data just like they have access to any other file on their system. Therefore, when you are away from your system it is extremely important that you "lock" your workstation. Failing to do so means anyone has access to your data. This is why you should password-protect your account, which stops others from logging in and accessing your data. EFS is useless without a password-protected account.


Back up your encryption certificate
So you've read the Windows help file and this site. Your data is nicely encrypted and is seamlessly available just for you. Then (imagine this) your system crashes or is just slow and you decide to format and reinstall Windows XP. Let's assume that C:\ holds your Windows installation and you had another partition, E:\, which had some of your encrypted files. If you didn't back up your certificate then you are in deep trouble, for you won't be able to access those encrypted files.
This is a trap that many fall into: they reformat their system and reinstall Windows XP while having encrypted data on another partition. They didn't know they had to back up their encryption certificate. Now they don't have access to their encrypted data. What do you do? There's not much you can do (unless you set up a recovery agent, and if you did then you'd know about it).
Before you do anything, BACK UP YOUR CERTIFICATE! This is very important.
It's an easy task to back up your certificates:
- Click Start, then click Run and type "mmc".
- Microsoft Management Console opens up. Click File, then click "Add/Remove Snap-in...".
- Under the "Standalone" tab click Add.
- Select Certificates, then click Add, then Close, then OK.
- Double-click Certificates - Current User, double-click Personal, and then double-click Certificates.
- Click the certificate that displays the words File Recovery in the Intended Purposes column. Right-click the certificate, point to All Tasks, and then click Export.
Follow the instructions in the Certificate Export Wizard to export the certificate and associated private key to a .pfx file format. Make sure you export your private keys with them; you will be asked to password protect your keys (to verify when importing later on). Save this to a secure floppy disk or somewhere that is very secure.
Now, when you format or if your keys get damaged, all you have to do is double-click the exported key and follow the wizard, and you should have access to your files.
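
Before reformatting, confirm that the exported .pfx really opens with your password and contains the private key. The following PowerShell script is an added example, not part of the original article; it assumes Windows PowerShell 2.0 or later is installed, and the function name Test-EfsBackup and the path A:\efs-backup.pfx are hypothetical.

```powershell
# Added example: check an exported EFS backup (.pfx) before you reformat.
# Assumes Windows PowerShell 2.0 or later; the default path is hypothetical.
param([string]$PfxPath = 'A:\efs-backup.pfx')

# Enhanced Key Usage OIDs that mark a certificate as usable by EFS
$EfsPurposes = @{
    '1.3.6.1.4.1.311.10.3.4'   = 'Encrypting File System'
    '1.3.6.1.4.1.311.10.3.4.1' = 'File Recovery'
}

function Test-EfsBackup {
    param([string]$Path, [System.Security.SecureString]$Password)

    if (-not (Test-Path -LiteralPath $Path)) { throw "Backup file not found: $Path" }
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $x509 = 'System.Security.Cryptography.X509Certificates'
    try {
        # Opens the .pfx with the export password; the certificate is not
        # added to any certificate store.
        $cert = New-Object "$x509.X509Certificate2" -ArgumentList $full, $Password
    } catch {
        throw "Cannot open $full (wrong password or damaged file): $($_.Exception.Message)"
    }

    # Collect the EFS-related purposes listed in the certificate
    $purposes = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($EfsPurposes.ContainsKey($oid.Value)) { $purposes += $EfsPurposes[$oid.Value] }
            }
        }
    }

    # A backup is only useful if the private key came along with the certificate
    New-Object PSObject -Property @{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey
        EfsPurposes   = ($purposes -join ', ')
        UsableBackup  = ($cert.HasPrivateKey -and $purposes.Count -gt 0)
    }
}

$pw = Read-Host -AsSecureString 'Password chosen in the Certificate Export Wizard'
$result = Test-EfsBackup -Path $PfxPath -Password $pw
$result | Format-List
if (-not $result.UsableBackup) {
    Write-Warning 'Not a usable EFS backup: export again and include the private key.'
}
```

Compare the reported thumbprint with the one shown for the certificate in the Certificates snap-in to be sure you exported the right one.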