Windows Vista - Activating Windows Encrypting File System (EFS) and Backing Up Your Security Key/Certificate
The first step in implementing EFS on your Windows computer is to choose the folder(s) that you would like to encrypt. Next, follow these steps to turn on EFS encryption:
- Right-click the folder you want to encrypt and choose ‘Properties'.
- On the ‘General' tab, click the ‘Advanced' button.
- In the ‘Advanced Attributes' window, check the box that says ‘Encrypt contents to secure data'.
- Click OK, then click OK again.
- A prompt will come up asking you to ‘Confirm Attribute Changes'. Make sure ‘Apply changes to this folder, subfolder and files' is chosen and click OK.
- Windows will now encrypt all files and folders inside the folder you chose. Once Windows is finished encrypting, the files and folders will appear green.
- Now that your files are encrypted, they can only be viewed and edited from your computer or by someone that you give your personal security key/certificate to.
IT IS VERY IMPORTANT THAT YOU BACK UP YOUR PERSONAL SECURITY CERTIFICATE/KEY. WITHOUT THIS, YOUR DATA IS NOT RECOVERABLE!
Back up your personal security certificate/key:
1. Click Start -> Control Panel -> Internet Options
2. Choose the ‘Content' tab and click the ‘Certificates...' button.
3. In the ‘Certificates' window, make sure you are on the ‘Personal' tab.
4. You should see one certificate listed, issued to the username you are logged in to Windows with.
5. To make sure this is the proper certificate, select it and look at the bottom of the window. Under the ‘Certificate intended purposes' section, it should say ‘Encrypting File System'.
6. Once you have found the proper certificate, highlight it and click the ‘Export...' button.
7. This will launch the Certificate Export Wizard. Click Next.
8. This step is VERY IMPORTANT. Make sure you choose ‘Yes, export the private key'. If you do not choose to export the private key, your certificate will be useless when you try to decrypt your data. Click Next.
9. For the Export File format screen, click Next to accept the defaults. (You want to save it as a .pfx and enable strong protection.)
10. Enter a password to secure your certificate/key. IMPORTANT - If you lose this password, you will not be able to use this certificate/key to decrypt your data. Click Next.
11. Specify a name and location where you would like to export your .pfx file to. You should export it to a directory that you will remember. NOTE - For this process, export the key to an accessible location on your computer BUT it should NOT be stored there permanently. After this process is complete, save the key to an encrypted USB device or any other secure location and DELETE it from your computer. Click Next and then Finish.
12. You should receive a dialog box informing you that the export was successful.
13. You can now close the Certificates and Internet Properties boxes.
14. As per step 11, you should now save your .pfx file that was just created in a safe and secure location and delete it from your computer.
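A check worth running on the exported file before relying on it, as an added example that is not part of the original guide: this PowerShell script confirms that the .pfx opens with your password, contains the private key, and matches an Encrypting File System certificate in your Personal store. The path E:\efs-backup.pfx is an assumed placeholder, and Test-EfsCertificate is a helper defined here for illustration.

```powershell
# Added example: confirm the exported .pfx is a usable EFS backup.
$PfxPath = 'E:\efs-backup.pfx'        # assumed placeholder path; use your own
$EfsOid  = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID: Encrypting File System

# Returns $true when the certificate lists the EFS purpose in its EKU extension.
function Test-EfsCertificate($Cert) {
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($usage in $ext.EnhancedKeyUsages) {
                if ($usage.Value -eq $EfsOid) { return $true }
            }
        }
    }
    return $false
}

# EFS certificates in the current user's Personal store (the 'Personal' tab).
$storeCerts = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object { Test-EfsCertificate $_ })
if ($storeCerts.Count -eq 0) { throw 'No EFS certificate found in the Personal store.' }

# Open the backup with its export password; a wrong password throws here.
$password = Read-Host -AsSecureString 'Password for the .pfx file'
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
$backup = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList $PfxPath, $password, $flags

# The backup must be the same certificate that EFS is using on this account.
$matchesStore = @($storeCerts | Where-Object { $_.Thumbprint -eq $backup.Thumbprint }).Count -gt 0

if (-not $backup.HasPrivateKey) {
    # Happens when a certificate-only file was saved instead of a .pfx with the key.
    Write-Warning 'This file holds NO private key and cannot decrypt your files. Export again and choose to export the private key.'
} elseif (-not (Test-EfsCertificate $backup)) {
    Write-Warning 'The certificate in this file is not marked for Encrypting File System.'
} elseif (-not $matchesStore) {
    Write-Warning 'This file does not match any EFS certificate in your Personal store.'
} else {
    "OK: $($backup.Subject) [$($backup.Thumbprint)] is backed up with its private key."
}
```

Run it while the .pfx is still at the export location, then move the file to secure storage and delete the local copy as described above.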
Restore your personal security certificate/key
- Copy the .pfx file that you originally exported and stored in a safe place to the new computer that needs access to the encrypted files.
- Double-click the .pfx file, which will launch the ‘Certificate Import Wizard', and click Next.
- The ‘File to Import' screen should already be populated with the .pfx file that you are intending to import. If not, browse to the .pfx file that you want to import. Click Next.
- Enter the password that you set for your key during step 10 of the backup process, and click Next. (Don't choose ‘Mark this key as exportable'. This makes sure that you still have the only copy of the private key.)
- On the ‘Certificate Store' screen, click Next to automatically select the certificate store, and click Finish.
- You should receive a dialog box informing you that the import was successful.
- You should now be able to view any encrypted files from the original computer.