On Windows 10 and 11, you can easily protect access to your data (files and folders) thanks to EFS, which is built into Windows.
EFS (Encrypting File System) is a file encryption system that makes files unreadable without the associated key.
Indeed, when you have a company laptop, you may take it outside (to a client, to a coffee shop, ...).
If the laptop is stolen or someone gains unauthorized access to it, that unauthorized user will not be able to access this data (read its contents).
With EFS, you can encrypt data so that only one or more specific users can read it, without the first user having to disclose his key for the second user to gain access.
For a user to use EFS, the user must have a personal certificate (which contains a public key) and the associated private key.
This public/private key pair allows him to encrypt and decrypt the data he wishes to protect.
Note that this certificate and its private key are generated automatically by Windows the first time the user encrypts a file.
EFS uses 2 types of certificates:
Important:
Source: Data protection with EFS (Encrypting File System).
To find out more about data encryption, refer to our article: What is encryption and how does it work?
When you encrypt data using EFS, Windows transparently generates a random symmetric key (also called the FEK, for File Encryption Key) and encrypts the contents of the file with it.
The advantage of this symmetric key is that encrypting and decrypting large amounts of data is much faster with a symmetric cipher than with asymmetric encryption.
If the user doesn't yet have a personal certificate, Windows automatically generates an EFS certificate for him with a public key / private key pair.
Windows then encrypts the symmetric key with the user's public key so that he can decrypt it later with his private key.
Indeed, with asymmetric encryption, data encrypted with the public key (which anyone may know) can only be decrypted with the matching private key.
Finally, this encrypted symmetric key (FEK) is stored in the file's header.
To decrypt a file, Windows uses the user's private key to decrypt the file header and recover the symmetric key (FEK) that was used to encrypt the data.
Since the file contents were encrypted with a symmetric cipher, this recovered FEK is then used to decrypt the data (the contents of the file).
Of course, since encryption and decryption happen at the level of your computer's file system, the user doesn't see any of this process.
On the other hand, if another user tries to access your encrypted file, he will simply see an "Access Denied" message.
To manage certificates on Windows, you will need to use an "mmc" console.
To do this, open the Start menu and type "mmc".
In the "mmc" console that appears, go to: File -> Add/Remove Snap-in.
Select the "Certificates" snap-in and click "Add".
If you have an "Administrator" type Windows user account, a window will ask you to choose between:
Select "My user account" and click Finish.
If you have a "Standard" type Windows user account, this window will not appear and the "My user account" choice will be used automatically.
As you can see, the "Certificates" component will be added for the current user.
Click OK.
If you wish, you can also add it for the local computer.
However, you will see that no certificate is created there when using EFS.
To do this, select the "Certificates" snap-in again and click "Add".
Select "Computer account" and click Next.
Reminder: this is only possible if you have administrator rights on your computer.
Select "Local computer..." and click Finish.
As you can see, the "Certificates" component will be added for the current user, as well as for the local computer.
The "Certificates - Current User" and "Certificates (Local Computer)" components appear in the "mmc" console.
As you can see in the "Personal" section of "Certificates - Current User", you don't yet have a personal user certificate.
In the "Personal" section of "Certificates (Local Computer)", you will be able to see that there is also no certificate associated with your computer.
Save the settings of this "mmc" console so that you can reopen it as it is in the future.
To do this, go to: File -> Save As.
Save the console under any name you want.
For example: certificate management.
Then, close this "mmc" console and click "Yes" to save the settings.
Note that the "mmc" console will also remember which item was selected at the time you saved it.
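The same checks the mmc walkthrough above makes by hand (is a file EFS-encrypted, which EFS certificate Windows generated for the current user, and that the Local Computer store stays empty) can be scripted. The following is an added PowerShell example, not code from the article; it assumes Windows 10/11 Pro or later on an NTFS volume and that you run it as the user whose files you want to inspect.

```powershell
# Added example (not from the original article): inspect EFS state from PowerShell.
# Assumption: run as the interested user, on an NTFS volume, on an edition that ships EFS.

# OID of the "Encrypting File System" enhanced key usage carried by EFS user certificates.
$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'

function Get-EfsUserCertificate {
    # Lists certificates in the current user's Personal store that carry the EFS EKU,
    # i.e. what the "Certificates - Current User" > Personal view shows after first use.
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $EfsEkuOid } |
        Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
}

function Test-EfsEncrypted {
    param([Parameter(Mandatory)][string]$Path)
    # NTFS sets the Encrypted attribute on every file or folder protected by EFS.
    $item = Get-Item -LiteralPath $Path
    return [bool]($item.Attributes -band [System.IO.FileAttributes]::Encrypted)
}

# Constructed demo: encrypt a scratch file. This also makes Windows generate the
# EFS certificate / private key pair if the current user does not have one yet.
$demo = Join-Path $env:TEMP 'efs-demo.txt'
'constructed sample content' | Set-Content -LiteralPath $demo
[System.IO.File]::Encrypt($demo)          # same effect as the "Encrypt contents" checkbox
"Encrypted attribute set: $(Test-EfsEncrypted -Path $demo)"

# Show which users can decrypt the file: each entry holds the FEK wrapped
# with that user's public key, as described in the article.
cipher.exe /c $demo

"EFS certificates in the current user's Personal store:"
Get-EfsUserCertificate | Format-Table -AutoSize

# The Local Computer store gets no EFS certificate (see the note above); this prints nothing.
Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $EfsEkuOid }

[System.IO.File]::Decrypt($demo)          # clean up: remove encryption, then the file
Remove-Item -LiteralPath $demo
```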
® InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.