Data encryption with EFS and BitLocker, step by step

Data encryption is a necessary security measure for organisations with many mobile users. Learn how to protect data using EFS and BitLocker, step by step.

Over the years, I have done consulting work for a number of different companies. This has allowed me to see how these various companies run their IT departments. While every organisation has a different way of doing things, one thing that is consistent for most of them is that mobile users are one of the biggest sources of accidental data disclosure.

Unfortunately, there is no getting around the risks created by mobile users. Some users are required to travel as part of their job, and the laptop is an essential tool when travelling. Furthermore, they often have to store data on the laptop's hard drive so that it is available whether or not a connection to the corporate network is available. And, frequently, this data is sensitive and needs to be protected.

A lot of administrators like to use Encrypting File System (EFS) encryption to protect the data on the hard drive against disclosure in the event that a laptop is stolen. EFS does protect the data up to a point, but it is far from being a foolproof security solution. The user's EFS private key is stored in the user's profile on the same disk, protected by DPAPI, which derives its master key from the user's logon password. An attacker who has the whole disk can attack that password offline, and if the password is weak, the EFS key, and with it every file encrypted under that key, falls with it.

An ideal solution to this problem is to use Windows Vista's BitLocker in conjunction with EFS. You can use BitLocker to encrypt the system drive on a laptop that is equipped with a TPM chip. In the original release of Vista this is the only drive that BitLocker can encrypt (Service Pack 1 later added support for additional fixed data volumes). Assuming that your data files are stored on a second drive, the data will still need to be encrypted with EFS. The combination works because the EFS keys are stored in the user's profile on the system drive, and BitLocker protects that drive against offline attacks. Keep in mind what BitLocker in TPM-only mode does and does not do: the machine boots unattended to the logon screen, so it defends against someone pulling the drive or booting another operating system, not against attacks on a running or sleeping laptop. Adding a startup PIN or USB startup key closes that gap.

The problem with BitLocker is that it is only available in Windows Vista (the Enterprise and Ultimate editions). If you are using Windows XP, you need another technique to keep the EFS keys safe, and my recommendation is not to store them on the system at all. Windows XP lets you export the EFS certificate and private key to an external storage device, such as a USB flash drive. When you need to access encrypted files, you import the key, and when you are done you remove it from the system again. This way, if the laptop is ever stolen, the thief gets encrypted files with no key on the disk to attack.

Before I show you how to export and import EFS encryption keys, I want to mention that you should not store the media containing the encryption keys in your laptop bag. Otherwise you have defeated the purpose of removing the encryption keys from the laptop. I also strongly recommend that you create a backup copy of your encryption keys and keep it in a safe place, away from the laptop, in case you ever lose the media containing the encryption keys. If the key is lost, the encrypted files are unrecoverable unless a data recovery agent was configured beforehand.

With that said, you can export the encryption keys by following these steps:

  1. Log on to the workstation as the user whose files are encrypted, using either a local or a domain account, depending on whether or not the workstation is a domain member.
  2. Enter the MMC command at the Run prompt.
  3. Choose the Add/Remove Snap-in option from the console's File menu.
  4. Choose the Certificates option from the list of available snap-ins, and click Add.
  5. When prompted, choose the My User Account option, and then click Finish.
  6. Click Close, followed by OK.
  7. Navigate through the console tree to Certificates - Current User | Personal | Certificates.
  8. Look for the certificate that has the Intended Purposes column set to Encrypting File System. This is the user's own EFS certificate. A certificate whose Intended Purposes column reads File Recovery is a data recovery agent certificate, not the key you are after.
  9. Right click on the certificate and choose the All Tasks | Export commands from the resulting shortcut menus.
  10. When the Certificate Export Wizard starts, click Next.
  11. Choose the Yes, Export the Private Key option and click Next. If this option is greyed out, the key was imported as non-exportable and cannot be moved this way.
  12. Choose the Personal Information Exchange -- PKCS #12 (.PFX) option (the only format that can carry the private key), and choose Enable Strong Protection.
  13. Make sure the Delete the private key if the export is successful option is selected. Remember, our goal is to isolate the encryption keys from the workstation.
  14. Click Next.
  15. Provide a strong password and click Next. This password is all that protects the key while it sits on the flash drive.
  16. Specify a file name and path on the removable media for the exported certificate and private key and click Next. Do not save the file to the laptop's hard drive, even temporarily.
  17. Click Finish to complete the wizard.
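The export procedure above, as an added PowerShell example that is not part of the original article. It also illustrates the earlier point about where the key lives: it finds the user's own EFS certificate by its Encrypting File System enhanced key usage (OID 1.3.6.1.4.1.311.10.3.4; the File Recovery OID 1.3.6.1.4.1.311.10.3.4.1 marks a data recovery agent certificate), exports certificate and private key to a password-protected PKCS #12 file, and then removes the certificate and its key container from the workstation, which is what the wizard's "Delete the private key" option does. It assumes Windows PowerShell 2.0 or later and certutil.exe (built into Vista and later; on Windows XP it ships with the Windows Server 2003 Administration Tools Pack). The path E:\efs-key.pfx is a placeholder for your removable drive.

```powershell
# Added example, not from the original article. Assumes Windows PowerShell 2.0+
# and certutil.exe on the PATH; the drive letter E: is an assumption.

$EfsEkuOid          = '1.3.6.1.4.1.311.10.3.4'    # Encrypting File System: the user's own key
$FileRecoveryEkuOid = '1.3.6.1.4.1.311.10.3.4.1'  # File Recovery: a data recovery agent, not ours

function Get-EfsUserCertificate {
    # The user's own EFS certificate(s): in the personal store, backed by a private key,
    # and carrying the Encrypting File System enhanced key usage.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $cert = $_
        if (-not $cert.HasPrivateKey) { return $false }
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        if (-not $ekuExt) { return $false }
        $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
        ($oids -contains $EfsEkuOid) -and -not ($oids -contains $FileRecoveryEkuOid)
    }
}

function ConvertTo-PlainText([System.Security.SecureString]$Secure) {
    # The .NET PFX export needs the password as a plain string; keep its lifetime short.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

function Export-EfsKey {
    param(
        [Parameter(Mandatory=$true)][string]$PfxPath,                        # on the removable drive
        [Parameter(Mandatory=$true)][System.Security.SecureString]$Password,
        [switch]$RemoveFromWorkstation                                       # the wizard's "Delete the private key"
    )
    $certs = @(Get-EfsUserCertificate)
    if ($certs.Count -eq 0) { throw 'No EFS certificate with a private key found in the user store.' }

    # The whole point is to get the key off the laptop, so warn if the target is a fixed disk.
    # (Most USB flash drives report Removable; external hard disks usually report Fixed.)
    $drive = New-Object System.IO.DriveInfo -ArgumentList (Split-Path -Qualifier $PfxPath)
    if ($drive.DriveType -ne [System.IO.DriveType]::Removable) {
        Write-Warning "$PfxPath is not on removable media; make sure this is not the laptop's own disk."
    }

    # Bundle certificate(s) and private key(s) into a password-protected PKCS #12 file.
    $collection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    foreach ($c in $certs) { [void]$collection.Add($c) }
    $pfxBytes = $collection.Export(
        [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx,
        (ConvertTo-PlainText $Password))
    [System.IO.File]::WriteAllBytes($PfxPath, $pfxBytes)

    if ($RemoveFromWorkstation) {
        foreach ($c in $certs) {
            # The private key is a container file under %APPDATA%\Microsoft\Crypto\RSA\<user SID>\.
            # Remove the certificate from the store and then the key container itself.
            $csp = ([System.Security.Cryptography.RSACryptoServiceProvider]$c.PrivateKey).CspKeyContainerInfo
            & certutil.exe -user -delstore My $c.Thumbprint | Out-Null
            & certutil.exe -user -csp $csp.ProviderName -delkey $csp.KeyContainerName | Out-Null
        }
    }
    Get-Item $PfxPath
}

# Usage: the password is typed at the prompt, never written into the script.
# Export-EfsKey -PfxPath 'E:\efs-key.pfx' -Password (Read-Host 'PFX password' -AsSecureString) -RemoveFromWorkstation
```

The deletion step removes the key container file the same way the wizard does, which is an ordinary file deletion; wiping free space afterwards is covered later in the article.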

When you need to gain access to the encrypted data, you can import the encryption keys using the following steps:

  1. Log on to the workstation and plug in the media holding the exported .PFX file.
  2. Enter the MMC command at the Run prompt and add the Certificates snap-in for My User Account, as in steps 3 through 6 of the export procedure.
  3. Navigate through the console tree to Certificates - Current User | Personal | Certificates.
  4. Right click on the Certificates container and choose the All Tasks | Import commands from the shortcut menu.
  5. When the Certificate Import Wizard starts, click Next, browse to the .PFX file that you exported earlier (set the file type filter to Personal Information Exchange if the file is not shown), and click Next.
  6. Enter the password you set during the export. Make sure the Mark this key as exportable option is selected; otherwise you will not be able to export and delete the key again when you are done. Click Next.
  7. Choose Place all certificates in the following store, make sure Personal is selected, click Next, and then click Finish.

Do not use the Add Data Recovery Agent wizard under Public Key Policies in the Group Policy Object Editor for this. That wizard only accepts a .CER file and registers a recovery agent's public key in policy; it does not put your private key back into your profile.

When you are finished working with the encrypted files, follow the export procedure again so that the private key is deleted from the workstation.
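The import procedure above, as an added PowerShell example that is not part of the original article. It loads the PFX back into the current user's personal store with the key marked exportable, so the export procedure can be run again afterwards to get the key off the laptop. It assumes Windows PowerShell 2.0 or later; E:\efs-key.pfx is a placeholder path.

```powershell
# Added example, not from the original article. Assumes Windows PowerShell 2.0+;
# the path E:\efs-key.pfx is an assumption.

function ConvertTo-PlainText([System.Security.SecureString]$Secure) {
    # The .NET PFX import needs the password as a plain string; keep its lifetime short.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

function Import-EfsKey {
    param(
        [Parameter(Mandatory=$true)][string]$PfxPath,
        [Parameter(Mandatory=$true)][System.Security.SecureString]$Password
    )
    $ks = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]
    # UserKeySet:    the key goes into this user's profile, which is where EFS looks for it.
    # PersistKeySet: keep the key after this process exits (otherwise it is deleted with it).
    # Exportable:    the wizard's "Mark this key as exportable"; without it the export
    #                procedure cannot be run again to remove the key from the laptop.
    $flags = $ks::UserKeySet -bor $ks::PersistKeySet -bor $ks::Exportable

    $collection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $collection.Import($PfxPath, (ConvertTo-PlainText $Password), $flags)

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'My', 'CurrentUser'
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try {
        foreach ($c in $collection) {
            if ($c.HasPrivateKey) {
                $store.Add($c)   # same store the wizard's "Personal" choice writes to
                $c               # emit the imported certificate so the caller can check it
            }
        }
    }
    finally { $store.Close() }
}

# Usage:
# $imported = Import-EfsKey -PfxPath 'E:\efs-key.pfx' -Password (Read-Host 'PFX password' -AsSecureString)
# On Vista and later, cipher /c <encrypted file> then lists the certificate thumbprints that
# can decrypt the file; the imported thumbprint should be among them.
```

Once the work is done, remove the key again with the export procedure (the deletion option in the wizard, or the export example earlier on this page); the key stays in the profile indefinitely otherwise.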

Although the procedure that I've shown you works well, it isn't foolproof. There are still a few ways that a determined attacker can gain access to the data. For instance, when the export wizard deletes the private key, it deletes the key container file from the profile the way any file is deleted: the blocks stay on disk until something overwrites them, so an attacker can search free space for remnants of the key. The same applies to a .PFX file that was ever saved to the hard drive and then deleted. Wiping free space with the cipher /w command after removing the key closes this gap.

Another way that an attacker may try to gain access to encrypted data is by analysing the pagefile. Windows is designed to keep the EFS keys themselves out of the pagefile, but the pagefile may well contain unencrypted copies of any files that you have used recently, because applications read those files in decrypted form. Fortunately, you can configure Windows to clear the pagefile when the machine shuts down. The hibernation file (hiberfil.sys) is a complete image of memory and has the same problem, so on a laptop that carries encrypted data you should also disable hibernation.

Follow these steps to configure Windows to clear the pagefile at shutdown:

  1. Enter the GPEDIT.MSC command at the Run prompt to open the Group Policy Object Editor for the local computer policy.
  2. Navigate through the console tree to Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options.
  3. Double-click on the Shutdown: Clear virtual memory pagefile option.
  4. Click Enabled.
  5. Click OK.
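The same setting from the command line, together with the two related clean-up steps discussed above (disabling hibernation and wiping free space), as an added PowerShell example that is not part of the original article. The Group Policy option writes the ClearPageFileAtShutdown registry value shown here; powercfg and cipher are the built-in Windows tools. It assumes Windows PowerShell 2.0 or later run from an administrator prompt, and C:\ as the volume to wipe.

```powershell
# Added example, not from the original article. Run from an elevated PowerShell
# (Windows PowerShell 2.0+). The volume C:\ is an assumption.

$MemMgmtKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Set-ClearPageFileAtShutdown {
    # The "Shutdown: Clear virtual memory pagefile" security option sets exactly this value.
    Set-ItemProperty -Path $MemMgmtKey -Name ClearPageFileAtShutdown -Value 1 -Type DWord
}

function Test-ClearPageFileAtShutdown {
    # True when the setting is in force; use it to audit laptops.
    $v = Get-ItemProperty -Path $MemMgmtKey -Name ClearPageFileAtShutdown -ErrorAction SilentlyContinue
    ($v -ne $null) -and ($v.ClearPageFileAtShutdown -eq 1)
}

function Disable-Hibernation {
    # hiberfil.sys is a full copy of RAM, including decrypted file contents and whatever
    # key material was in memory. Turning hibernation off also deletes the file.
    & powercfg.exe /hibernate off
}

function Clear-FreeSpace([string]$Volume = 'C:\') {
    # cipher /w overwrites unallocated space (three passes) so deleted key containers and
    # deleted .PFX files cannot be carved out of it. It only touches free space, and it is
    # slow on large volumes, so run it after removing the key, not on every shutdown.
    & cipher.exe "/w:$Volume"
}

# Usage, in the order a practitioner would apply them:
# Set-ClearPageFileAtShutdown
# Disable-Hibernation
# Clear-FreeSpace -Volume 'C:\'
# Test-ClearPageFileAtShutdown   # should now return True
```

Clearing the pagefile makes every shutdown noticeably slower, since the whole file is overwritten, so weigh that against the exposure; on a laptop with encrypted data the trade-off is usually worth it.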
