
CompTIA A+ Certification All-In-One Exam Guide, Seventh Edition - Michael Meyers [273]

share. Thus you need to implement other security measures for that data that needs to be ultra secure. Depending on the version of Windows, you have between zero and three encryption tools: Windows Home versions have basically no security features; Windows XP Professional uses the Encrypting File System to, well, encrypt files; and Windows Vista Ultimate and Enterprise add an encryption system that can encrypt entire hard drives.

Encrypting File System

The professional versions of Windows offer a feature called the Encrypting File System (EFS), an encryption scheme that any user can use to encrypt individual files or folders on a computer. The home versions of Windows do not enable encryption through the built-in tools, though you have the option to use third-party encryption methods, such as TrueCrypt, to lock down data.

To encrypt a file or folder takes but a moment. You right-click the file or folder you want to encrypt and select Properties. In the Properties for that object, General tab, click the Advanced button (Figure 16-38) to open the Advanced Attributes dialog box. Click the check box next to Encrypt contents to secure data (Figure 16-39). Click OK to close the Advanced Attributes dialog box and then click OK again on the Properties dialog box, and you’ve locked that file or folder from any user account aside from your own.

As long as you maintain the integrity of your password, any data you encrypt by using EFS is secure from prying. That security comes at a potential price, though, and your password is the key. The Windows security database stores the password (securely, not plain text, so no worries there), but that means access to your encrypted files is based on that specific installation of Windows. If you lose your password or an administrator resets your password, you’re locked out of your encrypted files permanently. There’s no recovery. Also, if the computer dies and you try to retrieve your data by installing the hard drive in another system, you’re likewise out of luck. Even if you have an identical user name on the new system, the security ID that defines that user account will differ from what you had on the old system. You’re out of luck.

Figure 16-38 Click the Advanced button on the Properties, General tab

Figure 16-39 Selecting encryption

Remember the password reset disk we discussed earlier in the chapter? If you use EFS, you simply must have a valid password reset disk in the event of some horrible catastrophe.

And one last caveat. If you copy an encrypted file to a disk formatted as anything but NTFS, you’ll get a prompt saying that the copied file will not be encrypted. If you copy to a disk with NTFS, the encryption stays. The encrypted file—even if on a removable disk—will only be readable on your system with your login.
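The encrypt-and-verify procedure above, plus the NTFS caveat, can be done from PowerShell instead of the Properties dialog. The following is an added example, not code from the book; it assumes a Windows edition that supports EFS (Professional or better), a user profile that can hold an EFS certificate, and the constructed sample paths shown in the script.

```powershell
# Added example (not from the book): encrypt a file with EFS, verify the
# Encrypted attribute, and check the destination file system before copying.
# Assumptions: EFS-capable Windows edition; paths below are constructed samples.

$SourceFile  = Join-Path $env:USERPROFILE 'Documents\secret-notes.txt'
$Destination = 'E:\backup'   # placeholder: a removable drive to copy to

# Create a sample file to work with (constructed content).
Set-Content -Path $SourceFile -Value 'constructed sample content'

# Same effect as ticking "Encrypt contents to secure data" in the Advanced
# Attributes dialog. Throws on Home editions or on a non-NTFS volume.
# Command-line equivalent: cipher /e <file>
[System.IO.File]::Encrypt($SourceFile)

# Verify: the Encrypted flag must now be set in the file's attributes.
$attrs = (Get-Item $SourceFile).Attributes
if (($attrs -band [System.IO.FileAttributes]::Encrypted) -ne 0) {
    Write-Host "EFS is on for $SourceFile"
} else {
    throw "Encryption did not take effect on $SourceFile"
}

# Show which certificates can decrypt the file (only your account's, per the text).
cipher.exe /c $SourceFile

# Caveat from the text: a copy to a non-NTFS volume is stored unencrypted.
# Check the destination volume's file system before copying.
function Test-KeepsEfs {
    param([string]$Path)
    try {
        $root  = [System.IO.Path]::GetPathRoot($Path)
        $drive = New-Object System.IO.DriveInfo($root)
        return ($drive.DriveFormat -eq 'NTFS')
    } catch {
        # Unknown or missing drive: treat as unsafe rather than guessing.
        return $false
    }
}

if (Test-KeepsEfs $Destination) {
    Copy-Item -Path $SourceFile -Destination $Destination
    Write-Host "Copied; EFS retained on NTFS volume $Destination"
} else {
    Write-Warning "$Destination is not NTFS; the copy would be plaintext. Copy aborted."
}
```

The script stops rather than prompting when the destination is not NTFS, which is the safer default for a backup job that nobody is watching; the interactive prompt the book mentions is easy to click through by mistake.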

BitLocker Drive Encryption

Windows Vista Ultimate and Enterprise editions offer full drive encryption through BitLocker Drive Encryption. BitLocker does the whole drive, including every user’s files, so it’s not dependent on any one account. The beauty of BitLocker is that if your hard drive is stolen, such as in the case of a stolen portable computer, all of the data on the hard drive is safe. The thief can’t get access, even if you have a user on that laptop that failed to secure his or her data through EFS.

BitLocker requires a special Trusted Platform Module (TPM) chip on the motherboard to function. The TPM chip validates on boot that the Vista computer hasn’t changed, that you still have the same operating system installed, for example, and that the computer wasn’t hacked by some malevolent program. The TPM also works in cases where you move the BitLocker drive from one system to another.

If you have a legitimate BitLocker failure (rather than a theft) because of tampering or moving the drive to another system, you need to have a properly created and accessible recovery key or recovery password. The key or password is generally created at the time you enable BitLocker and should be kept somewhere secure, such as a printed copy in a safe or
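To check the preconditions described above (TPM present, drive actually protected, recovery password on file) without clicking through the Control Panel, the script below is an added example, not from the book. It assumes Windows 8 / Server 2012 or later with the BitLocker and TrustedPlatformModule PowerShell modules, run from an elevated prompt; the Vista release the book describes predates these cmdlets, and the function name `Get-BitLockerReadiness` is the example's own.

```powershell
# Added example (not from the book): report whether a volume meets the
# BitLocker conditions the text describes and whether a recovery password exists.
# Assumption: Windows 8+/Server 2012+ BitLocker cmdlets, elevated session.

function Get-BitLockerReadiness {
    param([string]$MountPoint = $env:SystemDrive)

    # 1. TPM: the chip that validates the boot path on each start.
    $tpm   = Get-Tpm
    $tpmOk = $tpm.TpmPresent -and $tpm.TpmReady

    # 2. Volume state: encrypted, and protection switched on (not suspended)?
    $vol          = Get-BitLockerVolume -MountPoint $MountPoint
    $encrypted    = ($vol.VolumeStatus -eq 'FullyEncrypted')
    $protectionOn = ($vol.ProtectionStatus -eq 'On')

    # 3. Recovery: the RecoveryPassword protector is the 48-digit password
    #    you are told to keep offline (e.g. printed, in a safe).
    $recovery = $vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

    [pscustomobject]@{
        MountPoint     = $MountPoint
        TpmReady       = [bool]$tpmOk
        FullyEncrypted = $encrypted
        ProtectionOn   = $protectionOn
        HasRecoveryPwd = [bool]$recovery
        RecoveryPwdIds = @($recovery.KeyProtectorId)
    }
}

$status = Get-BitLockerReadiness
$status | Format-List

if (-not $status.TpmReady) {
    Write-Warning "TPM not present or not ready; BitLocker cannot validate the boot path."
}
if (-not $status.HasRecoveryPwd) {
    Write-Warning "No recovery password on $($status.MountPoint); a TPM validation failure or a drive move would lock you out."
    # To add one (modifies the system; run deliberately, then store the password offline):
    # Add-BitLockerKeyProtector -MountPoint $status.MountPoint -RecoveryPasswordProtector
}
```

The function deliberately reports only the protector IDs, not the recovery password itself, so it can be run in a logged session without writing the password to a transcript.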
