Encrypted folders

Richard Grossman

We are considering having laptop users encrypt their MyDocuments folder
(right-click on folder, properties, choose encrypt, include sub-folders).

These issues have been raised:

1 - When a single file from an encrypted folder is copied by a user to
the network, is the file on the network now decrypted?

2 - When a backup program backs up a file from an encrypted folder using
admin credentials (not the user's logon), is the file on the backup media
still encrypted?

3 - If the user forgets their logon password, we can reset it for them,
but will the encrypted files still be inaccessible?

4 - If the laptop is stolen, and the possessor resets the local admin
password, can the possessor then get access to the user's encrypted
folders and files?

I'd appreciate both answers and links to further info. Thanks in advance.
 
Carey Frisch [MVP]

Before you encrypt anything important, you should back up your
personal encryption certificate (with its associated private key)
and the recovery agent certificate to a floppy disk and store it in
a secure location. If you ever lose your original certificate
(because of a hard disk failure, for example), you can restore
the backup copy and regain access to your files. If you lose all
copies of your certificate (and no recovery agent certificates exist),
you won't be able to use your encrypted files. No back door exists,
nor is there any practical way to hack these files.
(If there were, it wouldn't be very good encryption.)

Without a backup of the original Encryption Certificate Key, encrypted files
are unrecoverable as they will stay encrypted forever. There is no recovery
method since the encryption algorithm is now completely different with a
reinstall of Windows XP.

Best Practices for the Encrypting File System
http://support.microsoft.com/default.aspx?scid=kb;en-us;223316

Encrypting File System in Windows XP
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx

EFS Files Appear Corrupted When You Open Them
http://support.microsoft.com/default.aspx?scid=kb;en-us;329741

HOW TO: Remove File Encryption in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;EN-US;308993

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User

Be Smart! Protect your PC!
http://www.microsoft.com/security/protect/

---------------------------------------------------------------------------------------------------------


| We are considering having laptop users encrypt their MyDocuments folder
| (right-click on folder, properties, choose encrypt, include sub-folders).
|
| These issues have been raised:
|
| 1 - When a single file from an encrypted folder is copied by a user to
| the network, is the file on the network now decrypted?
|
| 2 - When a backup program backs up a file from an encrypted folder using
| admin credentials (not the user's logon), is the file on the backup media
| still encrypted?
|
| 3 - If the user forgets their logon password, we can reset it for them,
| but will the encrypted files still be inaccessible?
|
| 4 - If the laptop is stolen, and the possessor resets the local admin
| password, can the possessor then get access to the user's encrypted
| folders and files?
|
| I'd appreciate both answers and links to further info. Thanks in advance.
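
The certificate backup recommended in the reply above, as an added example that is not part of the original thread: it lists the EFS-encrypted files under a folder, exports each of the user's EFS certificates with its private key to a password-protected PFX, and re-opens the PFX to confirm the backup is usable. It assumes a Windows release with PowerShell and the PKI module (not available on Windows XP); the folder and backup path are assumptions.

```powershell
# Added example (not from the thread). Paths below are assumptions.
$EfsOid    = '1.3.6.1.4.1.311.10.3.4'                 # EKU: Encrypting File System
$Target    = Join-Path $env:USERPROFILE 'Documents'   # assumed folder to audit
$BackupDir = 'E:\efs-backup'                          # assumed removable media path

# 1. Files under the target folder that carry the EFS "Encrypted" attribute.
$encrypted = @(Get-ChildItem -LiteralPath $Target -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted })
Write-Host "$($encrypted.Count) encrypted file(s) under $Target"

# 2. EFS certificates in the user's store that still have their private key.
$certs = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $EfsOid)
})
if ($certs.Count -eq 0) {
    if ($encrypted.Count -gt 0) {
        Write-Warning 'Encrypted files exist, but no EFS certificate with a private key was found.'
    }
    return
}

# 3. Export each certificate plus private key to a password-protected PFX.
$password = Read-Host 'Password for the PFX backup' -AsSecureString
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

foreach ($cert in $certs) {
    $file = Join-Path $BackupDir "efs-$($cert.Thumbprint).pfx"
    Export-PfxCertificate -Cert $cert -FilePath $file -Password $password | Out-Null

    # 4. Re-open the PFX: a backup without the private key cannot decrypt anything.
    $check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $file, $password
    if ($check.HasPrivateKey -and $check.Thumbprint -eq $cert.Thumbprint) {
        Write-Host "Verified backup: $file (expires $($cert.NotAfter.ToString('yyyy-MM-dd')))"
    } else {
        Write-Warning "Backup $file did not verify; do not rely on it."
    }
}
```

Run it as the user whose files are encrypted, then move the PFX files off the laptop. A recovery agent certificate is exported the same way from the account that holds it.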
 
