December 3rd, 2004, 14:52 PM
Don't Lose Your Encrypted Data
As it is good practice to protect sensitive data, and encryption is a good way of securing it, there are also steps that should be taken to guard against losing that data through the very security that protects it.
Whether it is business or personal data, some of it is too sensitive to allow others to view. It might be the next big trade secret or your monthly bank statement.
One way of securing the data on a computer is to isolate it so that only the single owner of the data has access to the machine, which includes no access to the Internet. But that is not very practical in this day and age of multi-user computers and the Internet.
Another way of securing sensitive data on Windows NT-based machines is through NTFS permissions. And the strongest built-in option on Windows 2000 and XP systems is EFS (Encrypting File System), which encrypts and decrypts files on the fly, transparently to the user. The difference matters: NTFS permissions are only enforced by the running operating system, whereas EFS protects the data itself, even if the disk is removed and read from another system.
When a user encrypts a file for the first time, Windows generates a personal EFS certificate and an RSA key pair for that user (self-signed if no enterprise certificate authority is available). The private key is stored in the user's profile and is protected by the user's logon credentials through DPAPI; it is not derived from the user's SID. Each file is encrypted with its own random symmetric File Encryption Key (FEK), and the FEK is in turn encrypted with the user's public key and stored alongside the file. When the user opens the file or folder, Windows uses the private key in the background to unwrap the FEK and decrypt the file as it is being used.
So with the above being said, the first important step is backing up your EFS certificate and private key. This way you will have it to restore in case you lose the certificate due to a hard drive crash, a deleted or corrupted user profile, or an errant deletion. On a standalone machine there is one more way to lose it: if an administrator resets your password (rather than you changing it yourself), the DPAPI protection on the private key is tied to the old password and the key becomes unusable. Without a backup, the encrypted files are then unreadable.
The easiest way to back up a personal EFS certificate is through Internet Options: either Start --> Control Panel --> Internet Options, or Internet Explorer --> Tools --> Internet Options.
Under the Content tab of Internet Options, in the middle of the dialog, is a button labeled Certificates; click it. Under the Personal tab there should be a certificate with your username. If no certificate is there, a file needs to be encrypted first, since Windows does not create the certificate until the first file is encrypted.
Highlight the certificate; at the bottom of the dialog the intended purpose "Encrypting File System" will be displayed. Click the Export button to open the Certificate Export Wizard. Click Next and choose Yes, Export my Private Key (without the private key the backup is useless for recovery). Click Next and accept the defaults (Personal Information Exchange, .PFX). Click Next again, assign a password and confirm it (choose a strong password, but one that you won't forget; it is the only thing protecting the key inside the exported file). Click Next and enter a filename. Click Next, double-check the information in the summary box, and click Finish to export the .PFX file.
Next, browse to the folder where the file was exported and copy it to removable media of some type. Delete the file from the hard disk and store the removable media in a secure location. Deleting is not enough on its own, because a deleted file can often be undeleted: on Windows XP (and Windows 2000 SP3 or later) run cipher /w:<folder> afterwards to overwrite the free space on that volume.
Now if the certificate is lost, it can be imported again through Internet Options (Content --> Certificates --> Import) so the encrypted files can be used.
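The same backup can be scripted, which also lets you verify the exported file before you need it. The script below is an added example and is not part of the original article. It assumes a version of Windows with the PKI PowerShell module (Windows 8 / Server 2012 or later, for Export-PfxCertificate), that E: is the removable drive, and that the EFS enhanced key usage OID identifies the certificates to back up; the destination path and file naming are choices made here, not anything Windows requires.

```powershell
# Added example, not from the original article: find the current user's EFS
# certificate(s), export each with its private key straight to removable media,
# and verify the exported file can be opened with the chosen password.
# Assumptions: Windows 8 / Server 2012 or later (Export-PfxCertificate from the
# PKI module) and that E:\ is the removable drive; change $Destination as needed.
param(
    [string]$Destination = 'E:\efs-backup'
)

# Enhanced key usage OID that marks a certificate as usable by EFS
$efsEku = '1.3.6.1.4.1.311.10.3.4'

# EFS keys live in the user's Personal store; keep only ones with a private key
$certs = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $efsEku })
})

if ($certs.Count -eq 0) {
    Write-Warning 'No EFS certificate found. Encrypt a file first; Windows creates the certificate on first use.'
    return
}

New-Item -ItemType Directory -Path $Destination -Force | Out-Null

# The password is the only protection on the private key inside the .pfx,
# so it has to be strong; this script never writes it to disk.
$password = Read-Host -AsSecureString -Prompt 'Password to protect the exported private key'

foreach ($cert in $certs) {
    $file = Join-Path $Destination ("efs-{0}-{1}.pfx" -f $env:USERNAME, $cert.Thumbprint)

    Export-PfxCertificate -Cert $cert -FilePath $file -Password $password | Out-Null

    # Re-open the exported file with the same password and confirm it holds the
    # same certificate and a private key, so the backup is known to be usable
    # before it is ever needed.
    $check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file, $password
    if ($check.HasPrivateKey -and $check.Thumbprint -eq $cert.Thumbprint) {
        Write-Host ("Backed up {0} (valid until {1}) to {2}" -f $cert.Subject, $cert.NotAfter, $file)
    } else {
        Write-Error "Verification of $file failed; do not rely on this backup."
    }
}
```

Writing straight to the removable drive avoids leaving a copy of the .pfx on the hard disk at all. If you do have to stage it locally, delete it and overwrite the free space with cipher /w afterwards. On Windows Vista and later, cipher /x:filename performs the export itself in one step; the script above adds the re-open check that the GUI and cipher /x do not do.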
Next I will go over DRAs (Data Recovery Agents).
A DRA is a person (usually an administrator) who holds a recovery certificate and private key that can decrypt any file encrypted on the computer, or in a domain, while that recovery policy was in force. When a file is encrypted, its FEK is encrypted a second time with the DRA's public key and stored with the file, so the DRA's private key can recover the file without the owner's key.
In a domain environment the default DRA is the domain Administrator account (the account used when the first domain controller was installed).
On a standalone or workgroup Windows XP PC there is no DRA designated by default (on standalone Windows 2000 the local Administrator is the default DRA). But, using the cipher command, a DRA can be created.
It is important to note that files encrypted before the creation of a DRA are not enabled for recovery, because their FEK was never encrypted with the DRA's public key. Only files encrypted after the policy is in place can be recovered by the DRA. Existing files can be brought under the policy by having their owner run cipher /u, which re-encrypts the FEK of every file that user can decrypt with the user's current key and the current recovery agents.
To create a data recovery agent you must generate a recovery certificate and designate a user to be the data recovery agent.
Generate the certificate as follows:
1. Log on as Administrator
2. At the command prompt, type cipher /r:filename (give the name without an extension).
3. When prompted, type a password to protect the private key in the .pfx file, and confirm it.
This generates a .pfx file (the certificate plus its private key, protected by the password) and a .cer file (the public certificate only) with the specified filename.
You can designate any user as the data recovery agent, but it should usually be a user with administrator privileges. Do not designate the same user that encrypts the files, as that would provide little or no protection: the recovery key would be lost together with the user's own key.
To designate a data recovery agent, log on as the user that you wish to designate. In Certificates (Certmgr.msc), go to Certificates - Current User\Personal. Select Action --> All Tasks --> Import to launch the Certificate Import Wizard. Browse to the .pfx file that cipher /r created and click Next.
Enter the password for the certificate and select Mark This Key As Exportable (so the recovery key itself can be backed up). Click Next.
Select Automatically Select The Certificate Store Based On The Type Of Certificate and click Next. Then click Finish.
Next, open Local Security Settings (Secpol.msc) and go to Security Settings\Public Key Policies\Encrypting File System.
Select Action --> Add Data Recovery Agent and click Next.
On the Select Recovery Agents page, click Browse Folders and navigate to the .cer file that was created. Highlight the file and choose Open.
On the Select Recovery Agents page the agent is shown as USER_UNKNOWN; this is normal, since the username is not stored in the certificate file.
Now just click Next and then Finish. The current user is now the DRA for all files and folders encrypted from this point on (and for existing files once their owners update them with cipher /u).
The data recovery files (.pfx and .cer) should be backed up to removable media, stored in a highly secure location, and deleted from the hard drive (overwriting the free space with cipher /w), because the .pfx password can be brute-forced offline (there is no limit to the number of password tries against a file) and anyone who obtains the file and its password can become a recovery agent for every file encrypted under this policy.
I hope this article will help you understand the process of protecting sensitive data with encryption, and also help in protecting the availability of the data that you wish to protect, so that it is not lost along with the keys that secure it.
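The point that files encrypted before the recovery agent was added are not recoverable is easy to check, and to fix, from the command line. The script below is an added example and is not part of the original article. It is run by the user who owns the encrypted files (cipher /u only touches files the current user can decrypt), after the DRA has been added through Secpol.msc as described above. It assumes Windows Vista or later (for cipher /c, which lists the certificates that can decrypt a file), that the DRA's public certificate from cipher /r is at C:\recovery\dra.cer, and that the files to check are under a Secret folder in the user's profile; those paths are assumptions, not anything Windows requires.

```powershell
# Added example, not from the original article. Once a recovery agent has been
# added through Secpol.msc, files encrypted *before* that still carry no recovery
# field, so the DRA cannot open them. Run as the user who owns the files, this
# script reports which encrypted files under $Target the DRA could recover, runs
# cipher /u to re-wrap every file the user can decrypt under the current
# recovery policy, and then reports again.
# Assumptions: Windows Vista or later (cipher /c), the DRA's public certificate
# from "cipher /r" is at C:\recovery\dra.cer, and $Target holds the files.
param(
    [string]$DraCer = 'C:\recovery\dra.cer',
    [string]$Target = "$env:USERPROFILE\Secret"
)

# Thumbprint of the recovery certificate; cipher /c prints the thumbprints of
# the recovery certificates on each file, so this is what we look for
$dra   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $DraCer
$thumb = $dra.Thumbprint

function Test-DraCoverage {
    param([string]$Path)
    # cipher /c reports the user and recovery certificates that can decrypt
    # the file; whitespace is stripped so the grouping of hex digits in the
    # output does not matter when matching the thumbprint
    $report = (cipher /c "$Path" 2>&1 | Out-String) -replace '\s', ''
    return [bool]($report -match $thumb)
}

function Get-EncryptedFiles {
    param([string]$Root)
    # The Encrypted attribute is set on every EFS-encrypted file
    Get-ChildItem -Path $Root -File -Recurse |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted }
}

Write-Host "Recoverable by DRA before cipher /u:"
foreach ($f in Get-EncryptedFiles $Target) {
    Write-Host ("  {0,-5} {1}" -f (Test-DraCoverage $f.FullName), $f.FullName)
}

# cipher /u touches every encrypted file on local drives that the current user
# can decrypt and re-encrypts its file encryption key with the user's current
# key and the recovery agents now in policy. It takes no path argument and
# can take a while on a large disk.
cipher /u | Out-Null

Write-Host "Recoverable by DRA after cipher /u:"
foreach ($f in Get-EncryptedFiles $Target) {
    Write-Host ("  {0,-5} {1}" -f (Test-DraCoverage $f.FullName), $f.FullName)
}
```

Files that show False before and True after are exactly the ones the text warns about: encrypted before the DRA existed, and recoverable only once their owner re-wrapped them. A file that stays False after cipher /u was not decryptable by the current user, so it has to be updated by whoever owns it. Remember that cipher /u uses the policy in force at that moment, so if the DRA certificate is later replaced the step has to be repeated.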