How to use Windows EFS (how to encrypt folders) for file encryption

  
Like Windows BitLocker, the Encrypting File System (EFS) is a public-key-based encryption mechanism built into Windows. It encrypts files and folders on NTFS partitions, encrypting the data on disk transparently and in real time.
Encryption Operation
Encryption is transparent to the user. Once a file is encrypted, it does not need to be decrypted manually: the user who encrypted it opens it as usual, while other users cannot open it.
The procedure is simple. In any directory on an NTFS partition, right-click the file or folder to be encrypted and click "Properties". On the "General" tab, click the "Advanced" button; in the dialog that opens, check the "Encrypt contents to secure data" checkbox and click "OK". The file is encrypted once the dialog is closed.

By default, files and folders encrypted by EFS are shown in Explorer in green, which indicates that they are EFS-encrypted.
If you no longer want a file to be encrypted, clear the checkbox in the file's properties.
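The same encryption done from PowerShell instead of the Properties dialog, as an added example that is not part of the original article; it uses the built-in cipher.exe and the .NET Encrypted file attribute, and the folder path is an assumption:

```powershell
# Added example, not from the original article. Encrypts a folder with EFS
# from PowerShell and checks the result with the same Encrypted attribute
# that Explorer shows in green. Assumes an NTFS volume; the folder path
# below is a made-up example.
$Folder = Join-Path $env:USERPROFILE 'Private'   # assumed location

# Create the folder and a constructed sample file so the script runs end to end
New-Item -ItemType Directory -Path $Folder -Force | Out-Null
$Sample = Join-Path $Folder 'notes.txt'
Set-Content -Path $Sample -Value 'constructed sample text'

# Returns $true when the Encrypted attribute is set on a file or folder
function Test-EfsEncrypted([string]$Path) {
    $attr = (Get-Item -LiteralPath $Path -Force).Attributes
    return [bool]($attr -band [System.IO.FileAttributes]::Encrypted)
}

# Equivalent of ticking "Encrypt contents to secure data" on the folder:
# the folder is marked so that files created in it later are encrypted too ...
cipher.exe /E $Folder | Out-Null
# ... and the files already inside are encrypted one by one.
Get-ChildItem -LiteralPath $Folder -Recurse -File -Force |
    Where-Object { -not (Test-EfsEncrypted $_.FullName) } |
    ForEach-Object { [System.IO.File]::Encrypt($_.FullName) }

"Folder encrypted: $(Test-EfsEncrypted $Folder)"
"File encrypted:   $(Test-EfsEncrypted $Sample)"

# Show which certificates (users, and recovery agents if any) can decrypt
# the file; the thumbprint listed is the key that the backup section saves.
cipher.exe /C $Sample

# Clearing the checkbox again is the same as:
#   [System.IO.File]::Decrypt($Sample)    or    cipher.exe /D $Folder
```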
Backup Key
EFS encryption is easy to use, but if the user reinstalls the system, EFS-encrypted files and folders cannot be opened even with the original username and password, so the user should back up the key in good time. That way the encrypted files can still be opened after a reinstall.
After the encryption operation, the Windows notification area automatically prompts the user to back up the encryption key. Clicking the prompt opens the "Back up your file encryption certificate and key" dialog; select "Back up now" and the Certificate Export Wizard appears.

Click Next, and under Export File Format keep the default "Personal Information Exchange".

In the next step, enter a password. This password will be required to restore the certificate. Click Next, choose where to save the file, and the certificate file is exported.

If the user did not see the notification-area prompt and did not back up the key straight away, it does not matter: the key can also be backed up manually. Click "Start" - "Run", type certmgr.msc to open the Certificate Manager, and click "Personal" - "Certificates". As long as an encryption operation was performed earlier, the right-hand pane contains a certificate with the same name as the user; if there are several certificates, choose the one whose "Intended Purposes" is "Encrypting File System". Right-click the certificate and select "All Tasks" - "Export".

A "Certificate Export Wizard" window then opens. Select "Export Private Key" in the wizard, follow its prompts, enter a password to protect the exported private key, and choose the directory in which to save the certificate. The export of the certificate file is then complete.
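The key backup as a script, added here as an example that is not part of the original article. It finds the certificates in the user's Personal store whose intended purpose is Encrypting File System, exports each with its private key to a password-protected PFX file, and reads the file back to confirm the export; the backup folder is an assumption and the password is entered interactively:

```powershell
# Added example, not from the original article. Exports the current user's
# EFS certificate and private key to a password-protected PFX file, the
# scripted equivalent of the Certificate Export Wizard. The backup folder
# is an assumed location.
$BackupDir = Join-Path $env:USERPROFILE 'efs-key-backup'   # assumed location
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# EFS certificates carry the "Encrypting File System" enhanced key usage,
# which certmgr.msc shows as the certificate's intended purpose.
$EfsEku = '1.3.6.1.4.1.311.10.3.4'

# Returns the certificates in the Personal store that have the EFS EKU and
# a private key (a certificate without its private key cannot decrypt).
function Get-EfsCertificate {
    Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        $cert = $_
        $cert.HasPrivateKey -and ($cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] -and
            ($_.EnhancedKeyUsages | Where-Object { $_.Value -eq $EfsEku })
        })
    }
}

$certs = @(Get-EfsCertificate)
if ($certs.Count -eq 0) { throw 'No EFS certificate found; encrypt a file first.' }

# Same role as the wizard's password: it protects the exported private key.
$Password = Read-Host -Prompt 'Password to protect the exported key' -AsSecureString

# Export every matching certificate: files encrypted under an older key
# can only be opened with that older certificate.
foreach ($cert in $certs) {
    $file = Join-Path $BackupDir "efs-$($cert.Thumbprint).pfx"
    Export-PfxCertificate -Cert $cert -FilePath $file -Password $Password | Out-Null
    # Read the file back to confirm it really contains this certificate
    $check = Get-PfxData -FilePath $file -Password $Password
    if ($check.EndEntityCertificates.Thumbprint -notcontains $cert.Thumbprint) {
        throw "Backup verification failed for $file"
    }
    "Backed up $($cert.Subject) (valid until $($cert.NotAfter.ToShortDateString())) to $file"
}

# After a reinstall, restore a backup into the new account with:
#   Import-PfxCertificate -FilePath <file> -CertStoreLocation Cert:\CurrentUser\My -Password $Password
```

Store the PFX file and its password somewhere other than the encrypted folder itself, since a backup that is only reachable through the key it protects is no backup.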

Advantages of Encryption
EFS encryption is based on a public-key scheme: each file or folder is encrypted with a fast symmetric algorithm using a randomly generated File Encryption Key (FEK), so different files and folders are encrypted with different keys.
The user authentication that EFS relies on takes place when the user logs in to Windows. Once logged in, the user can open any encrypted file they are authorized for. This is why, when EFS encrypts a folder or file, the user hardly notices the encryption at all.
In terms of convenience, because the EFS key is tied to the user's Windows login password, files are decrypted without entering a separate password.
Disadvantages of Encryption
However, compared with BitLocker, EFS encryption has several major drawbacks.
First, if the encryption certificate was not backed up before reinstalling the system, the files in EFS-encrypted folders cannot be opened after the reinstall. Even if the user logs in with the original password, the files cannot be decrypted.
Secondly, when several users share the same computer, another user cannot see the contents of an encrypted file but can still see the names of encrypted folders and files, and so obtains some information. In addition, if the default permissions are kept when encrypting, other users can also delete EFS-encrypted files and folders. Therefore, when using EFS encryption, users should also set access permissions for the files or folders under "Properties" - "Security" to prevent others from viewing or deleting them.
There is another interesting case with several users on the same computer. If more than one user has administrator rights and one of them changes another user's password and then logs in as that user, that user's EFS-encrypted files cannot be opened, because the password was changed by someone else. But if the user changes the password himself (using the method that requires entering the old password), he can still open the files encrypted by EFS.
For EFS-encrypted files to which there are no access rights, the prerequisites for decryption are: the login password of the user account must be known, and the profile of the deleted account must still exist, because the encrypted private key and master key (together with the certificate and public key) are stored in the profile. If both conditions are met, the SID of the deleted account is taken from the old profile (the profile directory \Application Data\Microsoft\Crypto\RSA contains a folder named after the account's SID). Then create a new user, use the newsid tool to change its SID to the old one, log in as the new user, encrypt a file, log out, and overwrite the old profile with the new user's profile. After that, logging in as the new user allows the other files to be decrypted.
BitLocker and EFS Comparison
BitLocker is mainly used to encrypt an entire drive, external hard disk, USB flash drive and the like; EFS is mainly used to encrypt individual files or folders.
BitLocker does not depend on the user account: its state (on or off) is the same for all users. EFS encryption depends on the user account: if the computer has several users, each user can encrypt their own files independently.
BitLocker requires an administrator to enable it; EFS does not require administrator privileges.
