- Community Pick
- Experts Exchange Approved
In PART ONE of this two-part article, we covered how to setup a thumb drive so that it will contain an encrypted folder. In this section, PART TWO, we'll walk through the steps needed to make that data readable on a different computer.
How to Make the Drive Readable At Home
When you plug in the USB drive at work, you will be able to access the Private Data folder. But if you take it home, or try to use it on any other computer, the contents of that folder cannot be used. Windows has created an Encryption Key that is linked to your Windows User Name and stored that key in a Certificate that is in your Personal Certificate Store. Take a look:
- 1
Find and Verify the Certificate
In Internet Explorer (not Windows Explorer) Select the Tools/Internet Options menu item.
Click the Content tab.
Click the Certificates button.
You will see the certificate in the list. Its "intended purpose" is "Encrypting File System."
- 2
Export the Certificate
Click to select the new certificate. Click the Export button. This starts the Certificate Export Wizard
In the Export Private Key step, select the Yes, Export private key radio button.
Click [Next].
In the Export File Format step, leave the defaults (PFX file type and "Enable strong Encryption").
Click [Next].
In Password think up a password for this certificate. This password will probably be needed only once -- when you install the cert at home. See the notes at the end of this article for some related possibilities.
Click [Next]
In File To Export, click the [Browse...] button. And locate your thumb drive -- something like: My Computer (G:). Don't select the "Private Data" folder! Make sure you are looking at the root directory. Set the file name to, for instance,
G:\MyEFScertKey
Click [Save]
Verify the filename (G:\MyEFScertKey.pfx) and click [Next].
Click [Finish]
- 3
Import the Certificate At Home
Your thumb drive now has a root directory with two items: the "Private Data" folder and the .PFX file. Call it a day and go home.
At home, plug in the thumb drive. Try to access the data in the "Private Data" folder. You'll see that the data is protected. Only a computer with the correct certificate in the Personal certificate store can access that data. So proceed to install the cert in that store:
Double-click the MyEFScertKey.pfx file that you created earlier. This starts the Certificate Import Wizard. Click Next twice.
In the Password step, enter the password that you thought up for the certificate in step 2.Leave the other checkboxes blank.
Click Next.
In the Certificate Store step, choose Automatically select the certificate store based on the type of certificate.
Click Next.
Click Finish.
Now that your home computer has the private decryption key in your Personal certificate store, Windows will be able to access everything in the "Private Data" folder (and subfolders) on your thumb drive. You can modify files, add new files, whatever... while at home and when you take the drive back to work, you can also access them there. But nobody else can! Ever!
Notes:
- We left the PFX file in the root directory of the thumb drive. You can delete it if you want -- the certificate is already installed on your home system and on the system at work. However, if you think you'll ever need to access the encrypted data while using yet another computer -- say when you are on the road -- then you'll need that PFX file.
Keeping it in the root of the thumb drive is one way to do that. It's safe because of the import password... but it's only as secure as that password. If you want to keep the PFX file on the thumb drive, be sure to use a strong password that's not easy to guess. You can set the PFX file's attributes to "Hidden" if that makes you feel safer.
- To remove a cert. If you ever install a private-key certificate on a "foreign" computer, you should remove it before leaving the site. Use Internet Explorer/Tools/Internet Options/Content/Certificat
es to locate the private-key certificate (the one with your Windows User Name) and hit the [Remove] button.
- It's possible to create two levels of privacy. Well, actually, to create a directory encrypted by a different key. In your "Private Data" folder, create a new folder (say, "UltraPrivate Data"). In Properties/Attributes/Adva
nced, disable encryption on that folder. Now log on to Windows using a different username and password. Get to that folder and set its attributes back to "Encrypted" -- it will create a new certificate-with-key in the Personal Certificate Store for that user. Only that user can access the data in that subfolder.
- There is another way (other than using Internet Explorer) to get to the cert store(s). It's more steps, but worth knowing, in case you need to install a cert for a System Service or something:
1) Start/Run... MMC (launch "Microsoft Management Console")
2) File / Add/Remove Snap-in...
3) Click [Add...]
4) Select "Certificates" then click [Finish]
5) Choose the store type then click [Close]
6) Click [OK]
7) Browse through the stores and right-click to take actions such as export/remove, etc.
- In PART ONE, you may recall that we changed the "Policy" setting for the drive in order to enable the use of NTFS. Be aware that a thumb drive formatted that way should NOT be just yanked out of the USB socket at any whim. You need to remember to use the Safely Remove Hardware icon in the System Tray (bottom right corner of your desktop), otherwise critical data may not get flushed to the drive.
- Certificates (and thus, encrypted data) are only as secure as your computer. If you leave your computer logged-in when you take a coffee break, someone could slip in and export a certificate and use it to impersonate you. In the scenario I've painted here (losing a thumb drive at an airport or somewhere), that's not your big worry. But in other situations, it is.
- If you encrypt data and then somehow lose the certificate/key -- say, through a hard disk crash with no cert store backup -- then don't call me. I can't help you. I'm not at all sure that anyone can!
- Many employers have strict policies about copying data from corporate sources -- with or without an encrypted transport mechanism. I suggest that you check your company's policies before taking any data from an office computer and putting it onto a portable device.
=-=-=-=-=-=-=-=-=-=-=-=-=-
If you liked this article and want to see more from this author, please click the Yes button near the:
Was this article helpful?
label that is just below and to the right of this text. Thanks!
=-=-=-=-=-=-=-=-=-=-=-=-=-
by: aikimark on 2009-08-10 at 08:03:08ID: 2631
@Dan
It would seem that TrueCrypt is simpler because it doesn't require certificate Export/Import.
I do have a concern with your reliance on certificate deletion. Unless the disk space associated with the certificate is overwritten, then the deletion wouldn't protect the certificate from being stolen.
=================
How does this compare with a rar or 7z compressed file encrypted at AES-128 strength?
What is the earliest Windows OS that supports the steps in these two articles?