Explaining the EFS data encryption feature of the Windows system


Today we will discuss the EFS data encryption technology in Windows in detail. EFS encryption can only be used on NTFS-formatted partitions. When you encrypt a folder with third-party encryption software, you usually type a password into a pop-up box. The EFS encryption built into Windows does not require a password: it is key-based and bound to a user account. Once you log in with that account, the files it encrypted can be viewed directly; if you log in with a different account, these files cannot be viewed.


What is Windows EFS technology?


EFS technology protects computer users' confidential data. It is available in Windows 2000 and later operating systems (some editions, such as the Basic and Home editions, do not support it) and works on NTFS-formatted partitions. EFS encryption is based on a public key scheme. When a file or folder is encrypted with EFS, the system first generates a pseudo-random FEK (File Encryption Key), then uses the FEK and the DESX algorithm to create an encrypted copy of the file, stores it on the hard drive and deletes the unencrypted original.

The system then encrypts the FEK with your public key and stores the encrypted FEK inside the same encrypted file. When the encrypted file is accessed, the system first decrypts the FEK with the current user's private key, then uses the FEK to decrypt the file. EFS is a fairly secure form of public key encryption: as long as nobody else holds your private key, they cannot access the file.


How to encrypt a folder using Windows EFS


Right-click the folder and open its Properties. On the General tab click Advanced, then tick “Encrypt contents to secure data” (Figure 1). Click OK; a dialog appears asking you to confirm the attribute change. It is best to select “Apply changes to this folder, subfolders and files” (Figure 2) so that the entire contents of the folder are protected. After these changes, the names of files and folders protected by encryption are shown in green.
Figure 1
Figure 2

Compared with other encryption software, the biggest advantage of EFS is its tight integration with the system. An authorized user does not need to enter a separate password to access these files; logging in to the operating system is enough, so there is no extra inconvenience beyond the normal login password. An unauthorized user who tries to read these files is shown an access-denied message.


Tips for using EFS


Going through the Properties dialog every time you want to encrypt a folder is tedious. There is an easy way to add EFS encryption to the right-click context menu that only requires a registry change. In the Run dialog type "regedit" to start the Registry Editor, open "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced", then right-click in the right pane and create a new DWORD value. Name the new DWORD value "EncryptionContextMenu" and set its data to "1". After this, right-clicking a folder on an NTFS partition shows an encryption option in the context menu.

What if you do not want one particular folder inside an encrypted folder to be encrypted? Create a file called "Desktop.ini" in that folder, open it with Notepad and add the following content:

[Encryption]
Disable=1

From then on, any attempt to set the encryption attribute on this folder produces an error message, so the folder stays unencrypted.
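The three steps above (the context-menu registry value, encrypting a folder tree, and the Desktop.ini exclusion) can be automated with PowerShell. This is an added example, not code from the original article; it uses the built-in cipher.exe tool, assumes an NTFS volume and an elevated session for the registry change, and the folder paths are placeholders.

```powershell
# Added example (not from the original article). Run elevated for step 1.

# 1. Add "Encrypt"/"Decrypt" to the Explorer context menu: same value as the
#    registry tip above (HKLM: is the PowerShell drive for HKEY_LOCAL_MACHINE).
function Enable-EfsContextMenu {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    New-ItemProperty -Path $key -Name 'EncryptionContextMenu' `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

# 2. Encrypt a folder and everything below it. cipher.exe is the built-in EFS
#    command-line tool: /E encrypts, /A includes files (not only directories),
#    /S: recurses into subdirectories, /I keeps going past per-item errors
#    (for example a subfolder that Desktop.ini has marked as not encryptable).
#    Returns cipher's output lines so [ERR] entries can be inspected.
function Protect-FolderWithEfs {
    param([Parameter(Mandatory)][string]$Path)
    cipher.exe /E /A /I "/S:$Path"
}

# 3. Mark a subfolder so that EFS refuses to encrypt it (the Desktop.ini trick
#    from the tips section). Written as ASCII so Explorer parses it cleanly.
function Add-EfsExclusion {
    param([Parameter(Mandatory)][string]$Path)
    $ini = Join-Path $Path 'Desktop.ini'
    Set-Content -Path $ini -Value "[Encryption]`r`nDisable=1" -Encoding Ascii
}

# 4. Verify: EFS sets the Encrypted file attribute (0x4000) on everything it
#    protects, so list any item under $Path that still lacks it.
function Get-UnencryptedItems {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Recurse -Force |
        Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::Encrypted) } |
        Select-Object -ExpandProperty FullName
}

# Usage with placeholder paths (assumed to exist on an NTFS volume).
$secret = 'C:\Users\Alice\Documents\Confidential'     # placeholder
Enable-EfsContextMenu
Add-EfsExclusion -Path (Join-Path $secret 'Public')   # this subfolder stays clear
Protect-FolderWithEfs -Path $secret
Get-UnencryptedItems -Path $secret                    # expect only the 'Public' items
```

The final listing is the check a practitioner wants after a bulk encryption: anything reported that is not inside the deliberately excluded folder was not protected and needs attention.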


Prevent accidents by backing up the certificate


Under normal circumstances there is no password prompt when working with an EFS-encrypted folder, which is convenient. However, once the system is reinstalled, for example after a crash, the original EFS-encrypted files can no longer be opened. Even if you reinstall the system and use the same username and password as before, you still cannot access the encrypted files, because the system generates different SIDs (security identifiers). Therefore the encryption certificate and private key must be backed up to guard against such accidents.

Click “Start → Run”, type “certmgr.msc” in the dialog box that appears and press Enter. In the Certificates console that opens, expand “Certificates - Current User → Personal → Certificates”; a certificate bearing your username appears in the right-hand column (Figure 3). Right-click the certificate and select “All Tasks → Export” to open the “Certificate Export Wizard”.
Figure 3

In the wizard, when asked whether to export the private key with the certificate, select “Yes, export the private key”; a dialog box prompting for a password then appears. For security, set a strong password for the certificate. After choosing the file name and path, click “Finish” to export the certificate, which produces a file with the .pfx extension.

On another user account, or after reinstalling the system, right-click the PFX file and select “Install PFX” to open the “Certificate Import Wizard”; enter the correct password to complete the import, after which the encrypted files open normally.
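The export and import steps above can also be scripted, which makes the backup repeatable and lets you verify the PFX before relying on it. This is an added example, not the article's own procedure; it assumes the PKI module cmdlets Export-PfxCertificate and Import-PfxCertificate (Windows 8 / Server 2012 and later), and the backup path is a placeholder.

```powershell
# Added example (not from the original article).

# EFS certificates carry the "Encrypting File System" enhanced key usage,
# OID 1.3.6.1.4.1.311.10.3.4; that is how to pick them out of the personal store.
$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'

function Get-EfsCertificate {
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and
                       $_.EnhancedKeyUsageList.ObjectId -contains $EfsEkuOid }
}

# Equivalent of "All Tasks -> Export" with "Yes, export the private key".
# Returns the thumbprint of the certificate that was backed up.
function Backup-EfsCertificate {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$Password
    )
    $cert = Get-EfsCertificate | Select-Object -First 1
    if (-not $cert) { throw 'No EFS certificate with a private key was found.' }
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password | Out-Null

    # Verify the backup: it must load with the password, be the same certificate,
    # and still carry the private key, otherwise it is useless after a reinstall.
    $check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        ($PfxPath, $Password)
    if (-not $check.HasPrivateKey -or $check.Thumbprint -ne $cert.Thumbprint) {
        throw 'Exported PFX does not match the EFS certificate or lacks its key.'
    }
    return $cert.Thumbprint
}

# Equivalent of "Install PFX" on another account or after a reinstall.
function Restore-EfsCertificate {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$Password
    )
    Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\CurrentUser\My `
        -Password $Password
}

# Usage: the password is typed interactively so it never sits in the script,
# and the PFX goes to a placeholder path that is not on the encrypted volume.
$pw  = Read-Host -Prompt 'PFX password' -AsSecureString
$pfx = 'D:\Backup\efs-cert.pfx'   # placeholder
Backup-EfsCertificate -PfxPath $pfx -Password $pw
```

Keep the PFX and its password apart from the machine whose files it unlocks; whoever holds both can decrypt every file that certificate protects.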
