Overview

• Security Policies
• Awareness & Education Topics
• Tools & Instructions

Incident Response

• What Is a Security Incident?
• Incident Response Protocol
• Data Breach Notification
• Copyright Complaint
• Harassment

Help & Support

• Technical Support
• Contact Information
• Technical Listservs
• Learning Opportunities

About Us

• Charter

Office of Information Technology (OIT) > Security Information for IT Professionals > Awareness and Education Topics > Windows Encypting File System (EFS)

Windows Encrypting File System (EFS)

Windows has an option to use the built in 128-bit encryption, called Encrypting File System (EFS). EFS can be manually applied to files and folders stored on the hard disk.

Read Microsoft's documentation and best practices before using EFS. In addition to Microsoft's recommendations, below are some implementation recommendations specific to the University.

Implementation Recommendations

1. Consult with your local technical support staff.
2. Before using the Windows built-in encryption software, be sure to apply the Basic and Enhanced security settings in University Policy Securing Private Data, Computers and Other Electronic Devices.
3. Recommend encrypting "My Documents" folder and encrypting folders rather than individual files. Applications work on files in various ways; for example, some applications create temporary files in the same folder during editing. These temporary files might or might not be encrypted, and some applications substitute them for the original when the edit is saved.
4. Backup (export) the encryption keys to a removable media such as CD or floppy. Label the media and lock it up.
5. For maximum protection, keep the private encryption key on a USB, floppy, or CD and remove the private key from the hard drive, or use a centralized windows domain system.

Notes

• NTFS hard drive file system is required. Windows XP and later is supported. See the Microsoft web site to determine which versions of each operating system support EFS.
• The user password and the Basic and Enhanced security settings in University Policy Securing Private Data, Computers and Other Electronic Devices are important to protecting the data.
• Use a screen saver with password; otherwise anyone can open your encrypted data.
• Data is unencrypted automatically when you open a file. Therefore files saved to external media or emailed are NOT encrypted.
• File names may be visible on encrypted files, so name accordingly. For example, do not use a person's name or Social Security number in the file name.
• Microsoft web site has instructions on how to encrypt/decrypt files and folders using Windows 7 or using Windows Vista.