Avoiding EFS Encryption Disasters in Windows
Our data is becoming more and more important to us as we're keeping ever more of our lives on our PCs, tablets, smartphones and in the cloud.Â Currently there are precious few ways to encrypt this data in a way that's guaranteed to be trouble-free.Â Two of the most obvious being hard disks with encryption built-in and Windows BitLocker.Â Even these have their problems however with the former still being very expensive and the latter requiring a TPM (Trusted Platform Module) chip in your computer to operate effectively.
Not many PCs have TPM chips in them though, they tend to be found mostly in high-end business laptops so we need to turn to other solutions.Â There are third-party soutions like Laplink's PC Lock and that old favourite TrueCrypt.Â For many people though a good alternative is EFS (Encrypted File System) which has been a part of Windows since Windows 2000.
This is an excellent cryptography utility, able to encrypt and decrypt on the fly.Â You can set folders to be automatically encrypted, including all their sub-folders and files.Â If you then pair this with a password on your copy of Windows it makes the files pretty impregnable, even if they are stored on a different physical hard disk to your copy of Windows.
There are problems however, people can still see the full file names of the files, and the folder structure, but there's no way they can be opened.
You might also find that there's no way for you to open them either unless you back up your encryption key.Â You can do this by typing the word encrypt into the Start Menu search box and selecting Manage file encryption certificates from the results that appear.
You can use this wizard to back up your encryption key for EFS.Â It's helpful too and will talk you through the procedure.Â You should always keep your EFS key in a safe unencrypted location.Â Personally I store mine in the cloud as not only do I then know it's unencrypted, but I also know it's a long way from my PC should anybody steal the machine.
There are problems with EFS Encrypted files though and I thought I'd deal with one of the biggest ones here, and something that you might not know is even affecting you.Â Many people these days like to keep backsups of their data on either USB attached hard disks or Network Attached Storage (NAS) drives.
You'd assume that because these drives aren't a physical part of your own computer, and because they're external to the PC that anything you store there will be unencrypted and you can then, not only read the files on another PC, but also restore them in the event of a disaster and you lose your EFS key.Â You might find though that when time comes to read the files that you can't!
EFS is only supported on NTFS formatted drives, which is the default disk format option for Windows. If you try and copy an encrypted file to a disk that's not formatted this way, such as a USB Pen Drive, then Windows will ask you if you want to copy the file without encryption. A problem arises though because EFS can't tell the difference between internal and external NTFS formatted disks. If you have a USB hard disk or a NAS drive that's formatted with NTFS (and with many NAS drives you may have been given no indication by the configuration software what file format type it's used) then the encryption will also be copied with the file.
Thus if you lose your encryption key, or if something else goes wrong, then you'll not only lose access to the files on your hard drive, but you'll also lose access to your backup copy too.
It's a warning that EFS doesn't tell you about and it's a mistake I've seen too many people make, including myself once which just goes to show how easy it is for a problem to occur. If you want to guarantee that you always have access to your files using EFS, make certain that you always keep an up to date copy of your encryption key in a safe place, and then all should always be well.Advertisement
Just a caveat: EFS is not available on Home versions of Windows
Thanks for pointing this out.
I lost some data under EFS years ago when I didn’t make a backup key disk and had to do a system rebuild. Big oops!
Yeah this can be really problematic, depending on the data of course ;)
Truecrypt has never failed me, and their whole disk encryption is surprisingly easy to use.
I also use Truecrypt, since 2009, at least, and has never failed me either. but EFS and Truecrypt/Bitlocker are 2 very different technologies.