File Level Encryption

EFS: Encryption File System

Many people do a poor job of protecting important data files. Although you can put a password on your computer, Windows passwords are infamously easy to get around if you share a PC with a co-worker or anyone else, and often very little is done to keep co-workers from prying. Here we introduce an easy way to help businesses protect their sensitive files.

For one, businesses can apply hardware-level encryption solutions. These are designed to keep an attacker out of your data when the computer is switched on: the attacker has to know the passcode to get through. Whole-drive encryption also keeps attackers from physically ripping out your drive and running away with it. However, whole-drive encryption has a downside: once the attacker logs into the operating system, the entire drive is wide open.
For that reason, we introduce encrypting individual files and directories. The easiest way to do this is with Filesystem-level encryption (EFS). On Windows Pro editions, this is done by right-clicking the file and choosing Properties > Advanced > Encrypt.

In more detail: when the user clicks OK, EFS uses standard public key cryptography to encrypt the file, generating a key called an SDK. This key is itself encrypted with a public key unique to the user. When the user accesses the file or folder, it is decrypted with the user's private key. This happens automatically, and the user is not prompted for keys or passwords as long as they are logged into the account the encryption is tied to. This makes it difficult for other users on the same computer to browse the files.

EFS does not remove the need for a strong Windows account password. A weak password makes it easier for an attacker to log in to the account and, more importantly, it weakens the encryption on the files, because the cryptographic keys that Windows generates for encryption are based on the user's password. If your business does not want all data available with a single login, it may need to look at third-party encryption tools. These tools usually do not work as passively as EFS, but they provide another layer of security. They are not tied to user logins and, more importantly, they offer options such as stronger encryption algorithms or the ability to create hidden virtual drives, which make it harder for attackers to uncover important data.

The best method to secure individual private files is to combine EFS with hardware-based whole-disk encryption to frustrate multiple kinds of attacks.
Additionally, if you plan to take important files on business trips, use an encrypted USB flash drive. Some USB flash drives lock themselves after 10 wrong attempts and automatically apply antivirus upgrades. Encrypted USB flash drives range from entry level to military grade in order to meet all business needs.

STEPS TO ENCRYPT YOUR FILE SYSTEM

Right-click the folder or file you wish to encrypt. Go to Properties and click Advanced. Select "Encrypt contents to secure data". In the new window you have two options:

  1. Apply changes to this folder only. This means only the folder itself is encrypted.
  2. Apply changes to this folder, subfolders, and files. This means everything is encrypted.

If EFS is disabled, follow these steps:

Step 1: Press Windows key + R.

Step 2: Type "regedit" (Registry Editor).

Step 3: The following window should display.

Step 4: Select: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem

Step 5: Press the arrow next to HKEY_LOCAL_MACHINE

Step 6: Click on the SYSTEM folder

Step 7: Click on CurrentControlSet

Step 8: Click on Control

Step 9: Click on the FileSystem folder

Step 10: Look for NTFSDISABLEENCRYPTION. This is usually set to 1 if EFS is disabled. The value must be set to 0 for EFS to work. Double-click it and set the value data to 0.
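
The registry check and the folder encryption steps above can also be scripted and then verified. The PowerShell below is an added example, not part of the original article; the folder path C:\Sensitive and the -Fix switch are assumptions made for illustration. Without -Fix it only reports what it finds.

```powershell
# Added example: scripted form of the steps above. Run from an elevated PowerShell prompt.
param(
    [string]$Target = 'C:\Sensitive',  # hypothetical folder on an NTFS volume
    [switch]$Fix                        # without -Fix the script only reports
)

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
$name = 'NtfsDisableEncryption'

# Steps 4-10: read the value. 1 means EFS is disabled; 0 or absent means it is allowed.
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($current -eq 1) {
    Write-Warning "$name is 1: EFS is disabled on this machine."
    if (-not $Fix) { return }
    Set-ItemProperty -Path $key -Name $name -Value 0 -Type DWord
    Write-Output "$name set to 0. If encryption below still fails, restart and rerun."
} else {
    Write-Output "$name is not 1: EFS is not disabled in the registry."
}

if (-not (Test-Path -LiteralPath $Target -PathType Container)) {
    throw "Folder not found: $Target"
}

# Items in scope: the folder itself plus everything beneath it (option 2 in the dialog).
$items = @(Get-Item -LiteralPath $Target -Force) +
         @(Get-ChildItem -LiteralPath $Target -Recurse -Force)

if ($Fix) {
    foreach ($item in $items) {
        # File.Encrypt marks a file or folder as EFS-encrypted for the current account.
        try   { [System.IO.File]::Encrypt($item.FullName) }
        catch { Write-Warning "Could not encrypt $($item.FullName): $($_.Exception.Message)" }
    }
}

# Verify by re-reading attributes from disk instead of trusting the calls above.
$plain = foreach ($item in $items) {
    $fresh = Get-Item -LiteralPath $item.FullName -Force
    if (-not ($fresh.Attributes -band [System.IO.FileAttributes]::Encrypted)) { $fresh.FullName }
}
if ($plain) {
    Write-Warning "$(@($plain).Count) item(s) are NOT encrypted:"
    $plain
} else {
    Write-Output "All $($items.Count) item(s) under $Target carry the Encrypted attribute."
}
```

Run the script under the account that should own the files, since EFS ties the encryption to the logged-in user.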