
Windows Encrypting File System (EFS)
Windows XP has an option to use the built-in 128-bit encryption, called Encrypting File System (EFS). EFS can be manually applied to files and folders stored on the hard disk.
Read Microsoft's documentation and best practices before using EFS. In addition to Microsoft's recommendations, below are some implementation recommendations specific to the University.
Implementation Recommendations:
- Consult with your local technical support staff.
- Before using the Windows built-in encryption software, be sure to apply the security settings in QuickStart Basic and Level-2 to remove the vulnerable (LANMAN) storage of passwords and apply other required security settings.
- Encrypt the "My Documents" folder, and encrypt folders rather than individual files. Applications work on files in various ways; for example, some applications create temporary files in the same folder during editing. These temporary files might or might not be encrypted, and some applications substitute them for the original when the edit is saved.
- Back up (export) the encryption keys to removable media such as a CD or floppy. Label the media and lock it up.
- For maximum protection, keep the private encryption key on a USB drive, floppy, or CD and remove the private key from the hard drive, or use a centralized Windows domain system.
Notes:
- The NTFS file system is required. Windows XP and later is supported. Windows XP Home Edition is not supported.
- The user password and the QuickStart Basic and Level-2 security settings are important for protecting the data.
- Use a screen saver with password; otherwise anyone can open your encrypted data.
- Data is decrypted automatically when you open a file. Therefore files saved to external media or emailed are NOT encrypted.
- File names may be visible on encrypted files, so name accordingly. For example, do not use a person's name or Social Security number in the file name.
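The following PowerShell script is an added example, not part of the original page or of Microsoft's documentation. It walks through the Implementation Recommendations above (encrypt a folder rather than individual files, verify the result, back up the keys to removable media) and checks the note about external media by warning when the backup drive is not NTFS. The folder path, the drive letter E: and the backup file name are assumptions; adjust them for your machine. It uses only the built-in cipher.exe switches /E, /S and /X.

```powershell
# Added example (not from the original page): apply EFS to a folder with cipher.exe,
# verify that everything under it is encrypted, and export the EFS certificate and
# private key to removable media. $SensitiveFolder and $BackupDrive are assumed values.
$SensitiveFolder = Join-Path $env:USERPROFILE 'Documents\Sensitive'
$BackupDrive     = 'E:\'   # removable media (USB drive, CD) that will be labelled and locked up

# 1. Encrypt the folder, not individual files, so temporary files that
#    applications create inside it inherit encryption (cipher /E /S:<dir>).
New-Item -ItemType Directory -Force -Path $SensitiveFolder | Out-Null
cipher.exe /E /S:"$SensitiveFolder" | Out-Null

# 2. Return every file or folder under $Path that does NOT carry the Encrypted
#    attribute. An empty result means the whole tree is EFS-encrypted.
function Get-UnencryptedItem {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Recurse -Force |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::Encrypted) -eq 0 } |
        Select-Object FullName, Attributes
}

$plain = Get-UnencryptedItem -Path $SensitiveFolder
if ($plain) {
    Write-Warning "Unencrypted items remain under ${SensitiveFolder}:"
    $plain | Format-Table -AutoSize
} else {
    Write-Host "All items under $SensitiveFolder are EFS-encrypted."
}

# 3. EFS needs NTFS: a copy written to a FAT-formatted USB drive or a CD is stored
#    in the clear, which is the point of the note about external media above.
$deviceId = $BackupDrive.TrimEnd('\')
$drive = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$deviceId'"
if ($drive -and $drive.FileSystem -ne 'NTFS') {
    Write-Warning "$BackupDrive is $($drive.FileSystem); files copied there will NOT be encrypted."
}

# 4. Back up (export) the current user's EFS certificate and private key to a
#    password-protected .PFX on the removable media. cipher /X takes a file name
#    without extension, appends .PFX, and prompts for the password interactively.
$BackupFile = Join-Path $BackupDrive 'efs-key-backup'
cipher.exe /X "$BackupFile"
```

Run the script in a PowerShell session as the user who will own the encrypted data; EFS keys are per-user, so a backup taken under an administrator account does not cover another user's files. After the export has been verified on the removable media, the private key can be removed from the hard drive with certmgr.msc as the recommendations describe.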