8 File Encryption

EFS allows users to encrypt individual files or folders on Windows systems using public key encryption and a user's unique public and private keys, with encrypted files only decryptable by the encrypting user; it operates on an NTFS file system at the file level but encryption is lost when files are copied to non-NTFS volumes like USB drives.

Uploaded by

Jared Barber
Copyright: © All Rights Reserved

File Encryption 

0:00-0:38

In this lesson, we're going to look at encrypting data at the file and the folder level using the
Encrypting File System (EFS). EFS provides you with the ability to encrypt either individual files
or entire folders using a public encryption key that's tied to a specific user account.

This is very important. Because the files are encrypted using a specific user's public key, those
encrypted files can be decrypted and read using only the associated private key. Using EFS,
only the user who initially encrypted the file can subsequently decrypt and read the file.

EFS Support 0:39-0:58

EFS is supported on Windows 7, Windows 8, and Windows 10. It is supported on the
Professional, Ultimate, and Enterprise editions. However, it is not available on Home editions of
Windows. It's also supported only by the NTFS file system. If you have a disk partition that is
formatted with FAT32, you can't use EFS to encrypt the data on that partition.

EFS Facts 0:59-1:47

EFS provides file system level encryption. This means you can encrypt data on a file-by-
file basis or on a directory-by-directory basis. This is an important distinction because EFS is not
the same as BitLocker. BitLocker encrypts the entire disk. You use EFS to selectively encrypt
individual files or folders in the file system.

EFS adds a layer of security that is independent of NTFS permissions. This means that you
can't use NTFS permissions to grant a user access to an EFS encrypted file. You can use
permissions to grant access to the file itself, but you can't use NTFS permissions to allow a user
to decrypt a file and view its contents. The only way you can access an EFS encrypted file is
if you originally encrypted the file or the user who originally encrypted the file gave you access.

Public Key Encryption 1:48-2:57

EFS uses public key encryption to encrypt the file. In public key encryption, a user has two
keys. The public key is stored within a certificate and can be used to encrypt data. As its name
implies, the public key is public, meaning that it can be freely distributed to other users to
encrypt data. However, the data cannot be decrypted using the public key. Only the private key
can be used to decrypt data that was encrypted with the public key.

Unlike the public key, the private key is kept confidential. It's kept in a private certificate store. It
can be used only by the user who owns the key pair. Only the private key can be used to
decrypt a file that's been encrypted with the associated public key.

You cannot use your private key to decrypt a file that was encrypted with another user's public
key. Only the private key in the key pair associated with the given user account can be used to
decrypt that file.

If your user account doesn't have a key pair already, the first time you try to encrypt a file,
Windows will automatically create a public key, called the EFS certificate, and its associated
private key.

Data Encryption 2:58-4:24

You can encrypt either an individual file or you can encrypt an entire folder. If you encrypt an
entire folder with EFS, then any files within that folder will automatically be encrypted, including
any files in subfolders. In addition, any files that you copy into that folder will be automatically
encrypted.

Any new files you create in that folder will also be automatically encrypted. Encrypting folders
provides more security than encrypting individual files. If a single file is encrypted, then the
authorized user is able to decrypt it to edit in an associated application.

For example, if you encrypt a Word doc, you can open up that encrypted file in Microsoft Word
and edit the file. The decryption and re-encryption is all done transparently. You don't have to
manually decrypt the file before you open it in the word processor.

The problem is that many word processing applications generate a temporary file while the file
is open and being worked on. That temporary file contains the unencrypted contents of that
original encrypted file. Some applications may leave these temporary files unencrypted in the
file system once you're done working on the file.

This is a security issue. These files are not encrypted and anyone with NTFS permissions to
that file can read it, thereby exposing the contents of the encrypted file. If you encrypt an entire
folder, on the other hand, all files within that folder, including temporary files, will always be
encrypted.
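
The gap described above can be audited. The following PowerShell script is an added example, not part of the original lesson: it reports folders that hold EFS-encrypted files but are not themselves marked for encryption, along with any plaintext files sitting beside encrypted ones. The `$Root` default is a constructed sample path.

```powershell
# Added example (not from the lesson). $Root is a constructed sample path.
param([string]$Root = 'C:\Data')

$enc = [System.IO.FileAttributes]::Encrypted

# Check the root folder itself plus every subfolder beneath it.
$dirs = @(Get-Item -LiteralPath $Root -Force) +
        @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue)

foreach ($dir in $dirs) {
    $files = @(Get-ChildItem -LiteralPath $dir.FullName -File -Force -ErrorAction SilentlyContinue)

    # Only folders that already contain at least one EFS-encrypted file are of interest.
    $encrypted = @($files | Where-Object { $_.Attributes.HasFlag($enc) })
    if ($encrypted.Count -eq 0) { continue }

    $plain        = @($files | Where-Object { -not $_.Attributes.HasFlag($enc) })
    $folderMarked = $dir.Attributes.HasFlag($enc)

    # A finding is either an unmarked folder (new or temporary files will be
    # written unencrypted) or plaintext files already beside encrypted ones.
    if (-not $folderMarked -or $plain.Count -gt 0) {
        [pscustomobject]@{
            Folder          = $dir.FullName
            FolderEncrypted = $folderMarked
            EncryptedFiles  = $encrypted.Count
            PlaintextFiles  = ($plain | ForEach-Object { $_.Name }) -join ', '
        }
    }
}
```

Running `cipher /e` on a reported folder marks the folder itself, so files added afterward are encrypted.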

Copied Data 4:23-5:04

There's another issue to keep in mind. If you have an encrypted file on an NTFS volume,
it remains encrypted as long as it stays on that volume. However, it's possible for that encrypted
file to be decrypted without your knowledge or permission. The most common way this happens
is when an encrypted file or folder is copied from an NTFS volume to a device formatted using
FAT32, such as a USB drive. EFS is a feature of the NTFS file system. It doesn't work on
FAT32 or exFAT, which is what most USB flash drives are formatted with.

Therefore, if you decide to copy an encrypted file from your NTFS volume to a USB flash
drive, be aware that it will no longer be encrypted.
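
A check to run before copying, as an added example that is not part of the original lesson: it reads the destination volume's file system and lists the EFS-encrypted source files that would end up unencrypted there. The function name `Test-EfsCopyTarget` is hypothetical, and the destination is assumed to be a local path with a drive letter, not a network share.

```powershell
# Added example (not from the lesson). Test-EfsCopyTarget is a hypothetical name.
function Test-EfsCopyTarget {
    param(
        [Parameter(Mandatory = $true)][string]$Source,      # file or folder to copy
        [Parameter(Mandatory = $true)][string]$Destination  # assumption: local drive-letter path
    )

    $enc = [System.IO.FileAttributes]::Encrypted

    # Resolve the destination to its volume root (for example E:\) and read its format.
    $root = [System.IO.Path]::GetPathRoot([System.IO.Path]::GetFullPath($Destination))
    $fs   = (New-Object System.IO.DriveInfo $root).DriveFormat   # NTFS, FAT32, exFAT, ...

    # Collect the source file, or every file under the source folder.
    $item = Get-Item -LiteralPath $Source -Force
    $candidates = if ($item.PSIsContainer) {
        Get-ChildItem -LiteralPath $Source -File -Recurse -Force -ErrorAction SilentlyContinue
    } else {
        $item
    }

    # Files carrying the Encrypted attribute are the ones at risk.
    $atRisk  = @($candidates | Where-Object { $_.Attributes.HasFlag($enc) })
    $keepsEfs = ($fs -eq 'NTFS')   # per the lesson, EFS exists only on NTFS

    [pscustomobject]@{
        DestinationRoot       = $root
        DestinationFileSystem = $fs
        SupportsEfs           = $keepsEfs
        EncryptedSourceFiles  = $atRisk.Count
        WouldLoseEncryption   = if ($keepsEfs) { @() } else { @($atRisk | ForEach-Object { $_.FullName }) }
    }
}

# Constructed sample call: check a folder before copying it to a USB drive on E:.
# Test-EfsCopyTarget -Source 'C:\Data\Payroll' -Destination 'E:\Backup'
```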

Summary 5:05-5:14

In this lesson, we introduced you to the Encrypting File System, EFS. We first talked about what
EFS is and what it does. Then we introduced you to the process by which EFS encrypts and
decrypts files using a user's public key and private key.
