mtbcpa said:
I bring a backup drive home from my small business server and I
realize that I need to encrypt it to protect client data. I have a
couple of questions I could not find answers to that I am hoping
someone can help with:
I am using XP's encryption and have used the revoery keys to recover it
from a disk failure so I believe I can anwer your quesions. You will
also find this same information on the MS web site and also in XP's Help
and Support are under "encryption"
1. In windows small business server, if I encrypt a folder on an
external drive, and select to have it encrypt all files and
subfolders, will all new files dropped into that folder be
automatically encrypted?
Yes. Go ahead and experiment with it; create a folder and a couple
dummy files, encrypt it, and copy another dummy file to it. You'lll
know it's encrypted by the Attribute if you're showing that column in
windows Explorer.
In other words, is this a one time thing I
need to go through, or do I need to right click the folder and encrypt
it each time I am taking it offsite?
No, if the folder and all its contents are encrypted, anything copied
into it will also be encrypted.
2. Do I understand correctly, that basically the encryption will not
allow the files to be accessed unless the user that was logged in when
the files were encrypted, is logged in when the files are being
accessed?
Yes, and then some.
If the original "encrypting" computer is destroyed and I
need to access these encrypted back up files, do I just create a user
with the same name and password on the new computer, and it will allow
me to access my files?
NO! This is where many people get into trouble with encryption on XP,
and windows has done a very poor job of documenting it. The kind of
security you described would not be very secure, would it?
If you have to chang a disk out, or reformat a disk, or reinstall the
OS, there is only ONE way to access your encrypted data; with the
exported encyption keys made when you set up the encryption folder/s.
When you set up your folders for encryption, IMMEDIATELY turn around and
export your encryption keys. With those, you can access the encrypted
files on another computer, disk drive, etc.. They're small and will fit
on a floppy or thumb or whatever. It goes without saying that wherever
the copy is kept needs to be secure and preferably not labeled as to it
contents so only you or your IT will know what they are.
It's a simple process and Help & Support covers it off nicely on how
to do the exports and how to import after a catastrophe, etc.. Just be
certain to have that information available, or do not use XP's
encryption. It's real, it works, and it's very secure.
The alternative is to have a dedicated recovery agent (someone else
who handles the exported data, etc. and is authoized to decrypt the
contents.
---------------------
To back up default recovery keys to a floppy disk
1.. Click Start, click Run, type mmc, and then click OK.
2.. On the File menu, click Add/Remove Snap-in, and then click Add.
3.. Under Add Standalone Snap-in, click Certificates, and then click
Add.
4.. Click My user account, and then click Finish.
5.. Click Close, and then click OK.
6.. Double-click Certificates - Current User, double-click Personal,
and then double-click Certificates.
7.. Click the certificate that displays the words File Recovery in the
Intended Purposes column.
8.. Right-click the certificate, point to All Tasks, and then click
Export.
9.. Follow the instructions in the Certificate Export Wizard to export
the certificate and associated private key to a .pfx file format.
Notes
a.. This operation must be performed by the recovery agent account
that has the recovery certificate and private key in their private
store.
b.. Before making any changes to the default recovery policy, be sure
to secure the default recovery private key. The default recovery keys in
a domain are stored on the first domain controller for the domain. The
domain administrator is the default recovery agent.
c.. For more information about using Certificates in MMC, see Related
Topics.
Related Topics
------------------------------
From Help and Support:
To encrypt a file or folder
1.. Open Windows Explorer.
2.. Right-click the file or folder that you want to encrypt, and then
click Properties.
3.. On the General tab, click Advanced.
4.. Select the Encrypt contents to secure data check box.
To recover an encrypted file or folder if you are a designated recovery
agent
1.. Use Backup or another backup tool to restore a user's backup
version of the encrypted file or folder to the computer where your file
recovery certificate and recovery key are located.
2.. Open Windows Explorer.
3.. Right-click the file or folder and then click Properties.
4.. On the General tab, click Advanced.
5.. Clear the Encrypt contents to secure data check box.
6.. Make a backup version of the decrypted file or folder and return
the backup version to the user.
To recover an encrypted file or folder without the file encryption
certificate
1.. Open Backup.
2.. Use Backup to make a copy of the file in case of loss or damage.
3.. Send the original encrypted file to the designated recovery agent.
4.. Have the recovery agent use their recovery certificate and private
key to decrypt the file.
5.. Have the recovery agent send the decrypted file back to you, using
any file transfer method that is desired.
HERE'S THE ONE YOU PROBABLY WANT:
To back up default recovery keys to a floppy disk
1.. Click Start, click Run, type mmc, and then click OK.
2.. On the File menu, click Add/Remove Snap-in, and then click Add.
3.. Under Add Standalone Snap-in, click Certificates, and then click
Add.
4.. Click My user account, and then click Finish.
5.. Click Close, and then click OK.
6.. Double-click Certificates - Current User, double-click Personal,
and then double-click Certificates.
7.. Click the certificate that displays the words File Recovery in the
Intended Purposes column.
8.. Right-click the certificate, point to All Tasks, and then click
Export.
9.. Follow the instructions in the Certificate Export Wizard to export
the certificate and associated private key to a .pfx file format.
Notes
a.. This operation must be performed by the recovery agent account
that has the recovery certificate and private key in their private
store.
b.. Before making any changes to the default recovery policy, be sure
to secure the default recovery private key. The default recovery keys in
a domain are stored on the first domain controller for the domain. The
domain administrator is the default recovery agent.
c.. For more information about using Certificates in MMC, see Related
Topics.
Related Topics
Pls read Help & Support on a search for Encryption .
HTH,
Twayne`
