Encryption is an effective way to protect confidential data – but handle with care
Recently we looked at some of the advanced features of NTFS and here, as promised, is a guide to encryption.
First of all, it’s only for XP Pro (or Windows 2000) users. Encryption is a serious business.
If you don’t take the right steps you could end up with unrecoverable files.
Don’t use it unless you really need it – for example, if you have sensitive data on a PC that can’t be physically secured. Before you encrypt your working data, read through this column and do a practice run with some copied files.
As with compression, encryption is completely transparent. Though you can encrypt on a per-file basis, it makes more sense to encrypt a folder (for instance My Documents) and all its contents. To do this, right-click on the folder, select Properties, and on the General tab click the Advanced button, then tick the ‘Encrypt contents’ box, then OK.
OK out of the main dialogue and you’ll be asked if you want the subfolders and files encrypted. Windows will spend a little while encrypting the current contents, and all new additions to the folder will be automatically encrypted.
If you have the option enabled in Folder Options, the encrypted files and folders will have green names. Note, however, that encryption and compression are mutually exclusive. Files marked with the system attribute and those in the Windows folder cannot be encrypted.
It’s good practice to encrypt the Temp folder in case this contains temporary document files that weren’t cleared at shutdown, but this may interfere with some software installations, so you may have to decrypt the folder before installing new software and re-encrypt it afterwards.
For tight security, clear the swap file at shutdown. To do this automatically, run the Group Policy Editor (gpedit.msc) and go to Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options. ‘Shutdown: Clear virtual memory pagefile’ is in the list on the right.
No-one can decrypt the files unless they log on as you. If they examine the disk under a different operating system, all they will see is scrambled files. So it’s vital to have a strong password.
Encryption keys
Encryption is done using a public and private key pair. The public key is used to encrypt the data. Decryption requires a private key, generated automatically when you first encrypt a file or folder. If the key isn’t backed up and gets damaged or deleted, it won’t be possible to decrypt the files on any partition. Changing your password will also stop you decrypting files unless you have a backup.
You should back up your private key and certificate (the code that binds your private key to your user identity) to a floppy or other removable media – Start, Run, certmgr.msc. If this doesn’t work, Start, Run, MMC will give you an empty console. From the File menu, Add/Remove snap-in then click the Add button and select Certificates from the list of standalone snap-ins, then choose ‘My user account’.
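The practice run and key backup described above can also be done from a command prompt. This is an added example, not part of the original article. It assumes an NTFS volume and a cipher.exe that supports the /x switch (check with cipher /?), and the folder name, sample file and A:\ backup path are constructed for illustration.

```batch
@echo off
rem Added example: EFS practice run on a scratch folder, then key backup.
rem Assumptions: NTFS volume; cipher.exe supports /x (check "cipher /?").
rem All paths and the sample file below are constructed for illustration.
setlocal
set "TEST=%USERPROFILE%\EFS-Practice"
set "BACKUP=A:\efs-key-backup"

rem 1. Work only on copies: create a scratch folder with a sample file.
rem    Copy a few real documents here as well if you want a fuller test.
if not exist "%TEST%" mkdir "%TEST%"
echo constructed sample text> "%TEST%\sample.txt"

rem 2. Encrypt the folder, its subfolders and (with /a) the files in them.
rem    Files created in the folder afterwards are encrypted automatically.
cipher /e /s:"%TEST%" /a

rem 3. Show the encryption state: E = encrypted, U = unencrypted.
cipher "%TEST%\*"

rem 4. Confirm the file still opens transparently under this account.
type "%TEST%\sample.txt"

rem 5. Back up the EFS certificate and private key to removable media.
rem    cipher prompts for a password and writes a .pfx file; store the
rem    media away from the PC and remember the password.
cipher /x "%BACKUP%"

rem 6. Check the registry value behind the policy
rem    "Shutdown: Clear virtual memory pagefile" (1 = enabled).
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v ClearPageFileAtShutdown

rem 7. Decrypt the scratch folder again, as you would for the Temp
rem    folder before installing software.
cipher /d /s:"%TEST%" /a
endlocal
```

Only encrypt working data once the practice folder has round-tripped cleanly and the backup file is on the removable media.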