CAUTIONS

  • Be sure to back up your data before encrypting any of it during the pilot.  We expect to encounter problems where a misplaced certificate or a lost password results in the data being lost forever.  The goal of the pilot is to evaluate the products and processes, not to protect (or destroy) your data.
  • Be sure to use a key escrow in case you forget your password.  We are looking at ways for IS&T to create and store an escrow (recovery) key pair: you would use its public certificate when setting up EFS, alongside your own private key, so that the data could be recovered if your password is lost.  Your opinions on how reasonable or feasible this approach is are strongly requested.
  • Allow plenty of time the first time.  Encrypting large amounts of data takes a while.  Since the time depends on your hardware and the amount of data, we have no guidelines yet; by the end of the first phase we hope to have general guidelines for how long the initial setup takes.
  • Remember that the Encrypting File System (EFS) protects data at rest on the local NTFS disk.  It does not protect data shared across the network and does not defend against network-based attacks: EFS decrypts files transparently for the logged-on user, so a file copied over the network or onto a non-NTFS drive leaves the machine in plaintext.  Be sure to use secure methods such as SFTP to transfer files.
  • Disable System Restore before encrypting files, so that no unencrypted copies remain restorable, and re-enable it after encryption is complete (Microsoft best practice, per the Help file).
  • Do not use a blank password.  A blank password provides very little (i.e. no) protection against someone who steals the hardware: EFS keys are unlocked by your logon credentials, so anyone who can log on to your account gets your files decrypted transparently.
  • Require a password when resuming from sleep or hibernation.  Most laptops are rarely powered off completely; they live in a suspended or hibernated state with your session still logged on.

Steps to enable EFS

  1. Select the file or folder you want to encrypt in Windows Explorer.
  2. Right click and select Properties.
  3. Click the Advanced button.
  4. Check the Encrypt contents to secure data box in the Compress or Encrypt attributes section at the bottom of the Advanced Attributes dialog.
  5. Click OK.
  6. Click OK again.
  7. Select the desired behavior, most likely Apply changes to this folder, subfolders and files.
  8. Click OK.
  9. After some time, the folder (or file) name should be shown in green, indicating that it is encrypted.
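The same procedure from the command line, as an added example that is not part of the pilot page: cipher.exe (the EFS command-line tool that ships with Windows) encrypts the folder, the Encrypted file attribute confirms the result, and cipher /x backs up the EFS certificate and private key that the CAUTIONS warn about losing. The folder and backup paths are assumptions; PowerShell on Windows Vista or later is assumed for the attribute check and for cipher /c.

```powershell
# Added example, not from the pilot page. Paths below are placeholders (assumptions).
$Target = "C:\Users\$env:USERNAME\Documents\PilotData"   # folder to encrypt (assumed)
$Backup = "D:\PilotBackup"                                # unencrypted backup location (assumed)

# 1. Back up the plaintext first (CAUTIONS: a lost key means the data is gone).
Copy-Item -Path $Target -Destination $Backup -Recurse -Force

# 2. Encrypt the folder, its subfolders and files. Equivalent to checking
#    "Encrypt contents to secure data" and choosing "Apply changes to this
#    folder, subfolders and files" in the Advanced Attributes dialog.
cipher.exe /e /s:$Target

# 3. Verify: list anything under the folder that did NOT get the Encrypted attribute.
$unencrypted = Get-ChildItem -Path $Target -Recurse -File |
    Where-Object { ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -eq 0 }
if ($unencrypted) {
    $unencrypted | ForEach-Object { Write-Warning "Not encrypted: $($_.FullName)" }
} else {
    Write-Host "All files under $Target carry the Encrypted attribute."
}

# 4. Show which certificates can decrypt each file: your EFS certificate plus any
#    Data Recovery Agent that was in policy when the file was encrypted.
cipher.exe /c "$Target\*"

# 5. Back up your EFS certificate and private key to a password-protected .pfx.
#    cipher prompts for the password; store the file somewhere other than the
#    encrypted machine, or it goes down with the laptop.
cipher.exe "/x:$env:USERPROFILE\Desktop\EFS-backup"
```

If step 3 reports files, they are usually in use by another process or on a non-NTFS volume; close the application or move the data and rerun cipher /e. The .pfx from step 5 is the only way to get the data back if the Windows profile or password is lost and no recovery agent was in place.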

To add a Data Recovery Agent:

  1. Open the Local Security Settings control panel as an Administrator.
  2. Expand Public Key Policies.
  3. Select Encrypting File System.
  4. Right-click in the blank window on the right and select Add Data Recovery Agent.
  5. need .cer file for users... (need to figure this out)
  6. To be continued (Jon will work with Jeff on creating a recovery agent certificate to test with after Jeff returns from IETF)
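An added example, not the pilot's own procedure and not the recovery agent certificate Jon and Jeff are still working on, showing how a .cer of the kind step 5 asks for can be produced with cipher /r, which generates a self-signed EFS recovery agent certificate together with its private key. File names and paths are assumptions. The .cer is what Add Data Recovery Agent imports; the .pfx holds the recovery private key and is the part IS&T would escrow offline, never on the pilot machines.

```powershell
# Added example, not from the pilot page. File names and paths are placeholders (assumptions).
# Run as Administrator on the machine that will generate the recovery key material.

# 1. Generate a self-signed EFS recovery agent certificate (EFSRecovery.cer) and its
#    private key (EFSRecovery.pfx). cipher prompts for a password to protect the .pfx.
cipher.exe /r:C:\EFSPilot\EFSRecovery

# 2. Inspect the public certificate before handing it out; this .cer is the file the
#    Add Data Recovery Agent wizard (step 5 above) asks for.
certutil.exe -dump C:\EFSPilot\EFSRecovery.cer

# 3. Move EFSRecovery.pfx off this machine into escrow and leave only the .cer here.
#    Files encrypted before the agent was added were not encrypted to the recovery key,
#    so after importing the .cer via Local Security Settings, rewrite the existing
#    encrypted files so they pick up the current Data Recovery Agent:
cipher.exe /u           # add /n to list affected files without touching them

# 4. Recovery on a machine where the user's key or password is gone: the recovering
#    administrator imports the escrowed .pfx into their personal store, then decrypts.
#    certutil.exe -user -p "<pfx password>" -importPFX C:\EFSPilot\EFSRecovery.pfx
#    cipher.exe /d /s:C:\Users\<user>\Documents\PilotData
```

Whoever holds the .pfx can decrypt every file encrypted after the agent was added, so the escrow copy deserves the same handling as any other key that unlocks user data: protected by a strong password, stored offline, and imported only for the duration of a recovery.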