EFS encryption and security

xiaoxiao  2021-03-06

As its stability and reliability have improved, Windows 2000/XP is used by more and more people, and many of them use its EFS encryption to protect important data. EFS is easy to use, but hard to put right once something goes wrong: reinstall the operating system without any preparation, for example, and the data you encrypted before will very likely never be decrypted again. Lately more and more posts on forums and newsgroups ask for help with exactly this problem, files that can no longer be opened, and the losses are heavy. To spare others the same fate I have written up what to watch out for when using EFS encryption; I hope it helps. Note that "Windows XP" below means the Professional edition; Windows XP Home does not support EFS encryption.

What is EFS encryption

EFS (Encrypting File System) is a feature unique to Windows 2000/XP. Files and folders on NTFS volumes can be encrypted directly by the operating system, which greatly improves the security of the data at rest. EFS is built on public key cryptography. When you encrypt a file or folder, the system first generates a pseudo-random FEK (File Encryption Key), encrypts the file contents with the FEK using a symmetric cipher (DESX on Windows 2000 and on Windows XP before SP1; AES-256 by default from Windows XP SP1 on), writes the ciphertext to disk and deletes the plaintext original. Note that the plaintext is deleted, not overwritten, so fragments of it can remain in free space until that space is reused. The system then encrypts the FEK with your public key and stores the encrypted FEK in the file's header, in the Data Decryption Field (DDF); if a recovery agent is configured, a second copy of the FEK, encrypted with the recovery agent's public key, is stored beside it in the Data Recovery Field (DRF). When you open the file, the system first decrypts the FEK with your private key and then decrypts the file data with the FEK. The first time a user encrypts anything, if the user does not yet have a public/private key pair (referred to below simply as the key), the system generates one and only then encrypts the data.

In a domain with an enterprise certification authority the EFS certificate is requested from that CA; otherwise a self-signed certificate and key are generated on the local machine.

What are the benefits of EFS encryption

First, EFS is part of the operating system, so no extra software has to be installed to encrypt data, which saves cost. Second, EFS is transparent to the user: after you encrypt some data, your own access to it is completely unrestricted, while any other, unauthorized user who tries to open it receives an "Access is denied" error. The user is verified when logging on to Windows; once logged on, you can open any encrypted file you are authorized for without entering anything else.

How to use EFS encryption

First make sure your operating system supports it. The Windows versions that currently support EFS are all editions of Windows 2000 and Windows XP Professional. The newly released Windows Server 2003, and the version under development with the code name Longhorn, support this mechanism as well. Second, EFS only works for data on NTFS5 partitions. NTFS5 means NTFS as formatted by Windows 2000/XP; partitions formatted by Windows NT 4 are NTFS4 and, although also NTFS, do not support EFS until Windows 2000/XP upgrades them, which it does automatically the first time it mounts such a volume. Data on FAT and FAT32 partitions cannot be encrypted at all.

To encrypt a file or folder, right-click it, select "Properties", click the "Advanced" button on the General tab, tick "Encrypt contents to secure data" in the dialog that appears, click OK, and wait a moment while the data is encrypted. If you encrypt a folder, the system asks whether to apply the attribute to the folder only or to the folder and all files and subfolders inside it; choose according to your situation. Decrypting is just as simple: follow the same steps and clear the "Encrypt contents to secure data" box.

If you prefer not to use the graphical interface, the Cipher command performs the same encryption and decryption operations from the command line; type "cipher /?" at a command prompt and press Enter to see its options.

Some things to keep in mind. An unencrypted file copied into a folder that carries the encrypted attribute is encrypted automatically. If encrypted data is moved within or between NTFS partitions it stays encrypted; if it is moved to a FAT partition it is silently decrypted. Data encrypted with EFS cannot simply be opened by other users (Windows XP can grant additional users access to an encrypted file; see the end of this article). EFS protects data only on disk: when an encrypted file is sent over the network it is decrypted first and travels in clear text, so a network capture sees the plaintext. Data on an NTFS partition can also be compressed, but a single file cannot be both compressed and encrypted. Finally, Windows system files and system folders, and any file with the system attribute, cannot be encrypted.

A small trick: encrypting a file the usual way means opening one dialog after another and confirming each, which is tedious, but a registry change adds "Encrypt" and "Decrypt" entries directly to the right-click menu. Type "regedit" in Run and press Enter to open the Registry Editor, go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced, choose "New - DWORD Value" from the Edit menu, enter "EncryptionContextMenu" as the value name and set its data to 1. Close the Registry Editor, open Explorer, right-click any file or folder on an NTFS partition, and the new entries appear in the context menu for encrypting and decrypting.

If you want to prevent a particular folder from being encrypted, create a file named "Desktop.ini" in that folder, open it with Notepad, add the following two lines, then save and close the file:

[Encryption]
Disable=1

From then on, any attempt to encrypt that folder produces an error until the file is deleted. To disable EFS on the whole machine (Windows XP), again open the Registry Editor, go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS, choose "New - DWORD Value" from the Edit menu, enter "EfsConfiguration" as the value name and set its data to 1; EFS encryption on this machine is then disabled. Set the value back to 0 when you want to use EFS again.

How to ensure the security and reliability of EFS encryption

We have seen that in EFS the data is encrypted with the FEK and the FEK is encrypted with the user's public key; decryption is the reverse, the private key first unlocks the FEK and the FEK then decrypts the data. The user's key therefore plays the central role. Where does the key come from? In Windows 2000/XP every user account has a SID (Security Identifier) that distinguishes its identity; each SID is different and unique. Think of the SID as a fingerprint: although there are billions of people in the world (and many share a name), in theory no two fingerprints are alike.
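The command-line form of the steps above, as an added example that is not part of the original article. It assumes Windows XP Professional, an NTFS system volume C:, a throw-away test folder C:\Secret and a second folder C:\NoEFS (both created here), and that it is run from cmd.exe as the user who should own the files and with rights to write HKLM. The registry line that disables EFS machine-wide is left commented out so that running the script does not switch EFS off.

```batch
@echo off
rem Added example, not from the original article. Assumes XP Professional,
rem NTFS on C:, and an account allowed to write HKLM. Paths are test paths.
setlocal

rem --- 1. Refuse to continue on a non-NTFS volume (FAT cannot hold EFS data).
fsutil fsinfo volumeinfo C:\ | findstr /i /c:"NTFS" >nul || (
    echo C: is not NTFS, EFS is not available here.
    exit /b 1
)

rem --- 2. Encrypt a folder and everything below it.
rem /E encrypt, /S:dir recurse into the directory, /A apply to files too.
rem The folder itself is marked, so files created or copied into it later
rem are encrypted on arrival.
mkdir C:\Secret 2>nul
echo test data> C:\Secret\report.txt
cipher /E /S:C:\Secret /A

rem --- 3. A plaintext copy placed in the folder is encrypted automatically.
copy %SystemRoot%\win.ini C:\Secret\copied.ini >nul

rem --- 4. Show the state: "E" in the first column = encrypted, "U" = not.
cipher C:\Secret\*

rem --- 5. Decrypt one file (the folder keeps its attribute), then everything.
cipher /D /A C:\Secret\copied.ini
cipher /D /S:C:\Secret /A

rem --- 6. Encrypting deletes the plaintext temp copy but does not wipe it.
rem /W overwrites free space on the volume (slow; uncomment when needed).
rem cipher /W:C:\

rem --- 7. Add "Encrypt"/"Decrypt" to the Explorer context menu.
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" ^
    /v EncryptionContextMenu /t REG_DWORD /d 1 /f

rem --- 8. Block encryption inside one folder with a Desktop.ini.
mkdir C:\NoEFS 2>nul
(
    echo [Encryption]
    echo Disable=1
) > C:\NoEFS\Desktop.ini
echo should stay plain> C:\NoEFS\note.txt
rem cipher is expected to report an error here: the directory is
rem disabled for encryption.
cipher /E /A C:\NoEFS\note.txt

rem --- 9. Disable EFS machine-wide (XP): EfsConfiguration=1; 0 re-enables.
rem reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS" ^
rem     /v EfsConfiguration /t REG_DWORD /d 1 /f

endlocal
```

Run it from an elevated command prompt, since fsutil and the HKLM write need administrator rights. The status listing in step 4 is the quickest check that a copy into an encrypted folder really was encrypted, and the same listing run against a folder after a move to FAT and back will show "U" for every file.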

It is not, however, the uniqueness of the SID that protects the data. The key pair is generated at random the first time the user encrypts anything, and the private key is stored in the user's profile, protected by the user's logon password (through the Data Protection API). This binding to the account and its password is what makes EFS trustworthy, and also what makes it fragile: anything that breaks the link between the account and the stored private key, such as reinstalling Windows, deleting the user profile, or, for a local account on Windows XP, an administrator resetting the user's password, leaves the encrypted files unreadable even though the ciphertext on disk is intact. Changing your own password through Ctrl+Alt+Del is safe; an administrative reset of a local account is not.

Second, EFS anticipates such accidents by providing a recovery agent. Suppose an employee in the finance department encrypts the financial reports, resigns one day, and the account is deleted outright. Months later the reports are needed, and it turns out they are encrypted and the owner's account no longer exists, so the files cannot be opened. A recovery agent solves this: a file encrypted by EFS can be opened not only by the person who encrypted it but also by the recovery agent whose certificate was in effect when the file was encrypted. In Windows 2000 the default recovery agent on stand-alone and workgroup machines is the local Administrator; Windows XP has no default recovery agent in stand-alone and workgroup environments. In a domain it is different: for all Windows 2000/XP computers joined to the domain, the domain Administrator is the default recovery agent. All of this protects the encrypted data, but only if it is in place before the data is encrypted.

How to avoid losses from careless use of EFS encryption

If, like me, you have paid for not understanding EFS, do not be discouraged; you have bought a lesson, and after all you learn a great deal from something like this. The lesson is: back up the key, and set an effective recovery agent. For case 1 above, a backup of the key avoids the tragedy entirely.

Type "certmgr.msc" in Run and press Enter to open the Certificate Manager; this is where the key is exported and imported. After you have encrypted a file or folder, open the Certificate Manager and look under "Current User" - "Personal" - "Certificates"; you should see a certificate named after your user name whose intended purpose is Encrypting File System (if you have not encrypted anything yet, there is no certificate here). Right-click this certificate and choose "Export" under "All Tasks". A Certificate Export Wizard appears; one step asks whether to export the private key, and here you must choose "Yes, export the private key", because a backup without the private key cannot decrypt anything. Leave the other options at their defaults, enter a password to protect the exported file, choose a path to save it to, and confirm; the export is then complete. The exported certificate is a file with the .pfx extension. Keep it somewhere other than the encrypted volume, such as removable media, and remember the password.

After reinstalling the operating system, find the previously exported .pfx file, right-click it, select "Install PFX", and follow the prompts of the import wizard (note that if you protected the certificate with a password when exporting it, you must enter the correct password now, otherwise the import cannot continue). The previously encrypted data can then be opened correctly again.

For case 2 the explanation differs between Windows XP and Windows 2000. Since Windows XP has no default recovery agent, it is best to designate one before encrypting any data (I recommend making Administrator the recovery agent; the account is not shown on the welcome screen, but it does exist). Proceed as follows. First you need a key that can be imported as a recovery agent key. To make Administrator the recovery agent you must log on as Administrator: press Ctrl+Alt+Del twice at the welcome screen to open the classic logon dialog, enter "Administrator" as the user name, enter the Administrator password you set when installing the system, and log on. Then type "cmd" in Run and press Enter to open a command prompt, and at the prompt type "cipher /R:C:\1.txt". The name after /R is a base name for the output files. The system asks whether to protect the certificate with a password; decide according to your situation, and if you do not want password protection just press Enter.

When it finishes you will find 1.txt.cer and 1.txt.pfx in the root of drive C (I have set Folder Options to show the extensions of all file types, so it is easy to see which files were generated). Now set the recovery agent. The 1.txt.pfx file can be imported by right-clicking it and following the wizard. 1.txt.cer is handled differently: type "gpedit.msc" in Run and press Enter to open the Group Policy Editor, go to "Computer Configuration - Windows Settings - Security Settings - Public Key Policies - Encrypting File System", right-click in the blank area of the right pane and choose "Add Data Recovery Agent", then in the "Add Recovery Agent Wizard" browse to and open 1.txt.cer. If everything goes well you will see the screen shown in Figure 5, which confirms that this machine's Administrator is now a data recovery agent.

If you wish, other users can be made recovery agents in the same way. Note that whichever user is logged on when the 1.txt.pfx and 1.txt.cer generated by cipher /R are imported is the user who becomes the recovery agent, so import them while logged on as the intended account. Once an effective recovery agent is set, logging on as that account lets you decrypt the files directly. But files encrypted before the recovery agent was set carry no recovery field for it, so the agent still cannot open them; they have to be re-encrypted, or updated with "cipher /U" run by the user who owns them, before the agent's key applies. Windows 2000 already has a recovery agent (Administrator by default), so there it is enough to log on as that account to decrypt the files.

How to share files encrypted with EFS

An EFS-encrypted file on this machine can only be opened by the person who encrypted it and by the recovery agent, so what do you do if you want to share an encrypted file with another user of the same machine? This is not possible in Windows 2000, but it is in Windows XP. Select the encrypted file you want to share (note that this works only for individual files, not for folders), right-click it, select "Properties", click the "Advanced" button on the General tab of the Properties dialog, then click "Details". A window like the one in Figure 6 appears, where you can decide which users may open this encrypted file (each of them must already have an EFS certificate on this machine) and see who the file's recovery agent is.
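The recovery-agent procedure from the preceding sections, carried out from the command line, as an added example that is not part of the original article. It assumes Windows XP Professional, a logon as the account that is to become the recovery agent (Administrator in the article), the output base name C:\efsra instead of the article's 1.txt, an assumed removable drive E: for parking the private key, and that the .cer is still imported through gpedit.msc as described above, since that step has no command-line equivalent on XP. It also shows the fix for the caveat just mentioned: files encrypted before the agent existed only become recoverable once their owner runs cipher /U.

```batch
@echo off
rem Added example, not from the original article. Assumes XP Professional,
rem a logon as the future recovery agent, base name C:\efsra, and an
rem assumed removable drive E:. Run from cmd.exe.
setlocal

rem --- 1. Generate the recovery agent certificate and key. The argument is
rem a base name: this writes C:\efsra.cer (public certificate, for the
rem policy) and C:\efsra.pfx (private key; cipher prompts for a password).
cipher /R:C:\efsra

rem --- 2. Keep the .pfx off the machine. The recovery private key is only
rem needed on a computer while a file is actually being recovered; a copy
rem left on the local disk is a second way into every encrypted file for
rem anyone who obtains it. (E: is an assumed removable drive.)
copy C:\efsra.pfx E:\efsra.pfx >nul && del C:\efsra.pfx

rem --- 3. Import C:\efsra.cer in gpedit.msc:
rem Computer Configuration > Windows Settings > Security Settings >
rem Public Key Policies > Encrypting File System > Add Data Recovery Agent.
rem Then refresh the policy so that new encryptions pick up the agent.
gpupdate /force

rem --- 4. Files encrypted before the agent existed carry no recovery field
rem for it. /U touches every encrypted file on local drives and rewrites the
rem recovery field with the current policy; /U /N only lists the files.
rem This must be run by each user who owns encrypted files, because only
rem the owner's private key can unlock the FEK that has to be re-wrapped.
cipher /U /N
cipher /U

rem --- 5. Verify from the recovery agent account, after it has imported
rem efsra.pfx (right-click > Install PFX): a file encrypted by another
rem user before step 3 should now decrypt. Path is a test path.
rem cipher /D /A C:\Secret\oldfile.txt

endlocal
```

The listing from cipher /U /N is also a useful inventory: it is the simplest way on XP to enumerate every EFS-encrypted file the current user can reach, which is worth running before any reinstall to know exactly what a lost key would cost.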

Please credit the original address when reposting: https://www.9cbs.com/read-108731.html
