Encrypt your Thumb Drive at Work and Use it at Home -- PART TWO

In PART ONE of this two-part article, we covered how to set up a thumb drive so that it will contain an encrypted folder.  In this section, PART TWO, we'll walk through the steps needed to make that data readable on a different computer.

How to Make the Drive Readable At Home
When you plug in the USB drive at work, you will be able to access the Private Data folder.  But if you take it home, or try to use it on any other computer, the contents of that folder cannot be used.  Windows has created an Encryption Key that is linked to your Windows User Name and stored that key in a Certificate that is in your Personal Certificate Store.  Take a look:

1. Find and Verify the Certificate

In Internet Explorer (not Windows Explorer) Select the Tools/Internet Options menu item.  
Click the Content tab.
Click the Certificates button.
(Figure: Export your private-key certificate)
You will see the certificate in the list.  Its "intended purpose" is "Encrypting File System."

2. Export the Certificate

Click to select the new certificate.  Click the Export button.  This starts the Certificate Export Wizard.

In the Export Private Key step, select the Yes, Export private key radio button.
Click [Next].

In the Export File Format step, leave the defaults (PFX file type and "Enable strong Encryption").
Click [Next].

In Password think up a password for this certificate.  This password will probably be needed only once -- when you install the cert at home.  See the notes at the end of this article for some related possibilities.
Click [Next]

In File To Export, click the [Browse...] button. And locate your thumb drive -- something like: My Computer (G:).  Don't select the "Private Data" folder!  Make sure you are looking at the root directory.  Set the file name to, for instance,
    G:\MyEFScertKey
Click [Save]
Verify the filename (G:\MyEFScertKey.pfx) and click [Next].
Click [Finish]

3. Import the Certificate At Home

Your thumb drive now has a root directory with two items: the "Private Data" folder and the .PFX file.  Call it a day and go home.

At home, plug in the thumb drive.  Try to access the data in the "Private Data" folder.  You'll see that the data is protected.  Only a computer with the correct certificate in the Personal certificate store can access that data.  So proceed to install the cert in that store:

Double-click the MyEFScertKey.pfx file that you created earlier.  This starts the Certificate Import Wizard.  Click Next twice.

In the Password step, enter the password that you thought up for the certificate in step 2.  Leave the other checkboxes blank.
(Figure: Enter password when importing the cert)
Click Next.

In the Certificate Store step, choose Automatically select the certificate store based on the type of certificate.
Click Next.
Click Finish.

Now that your home computer has the private decryption key in your Personal certificate store, Windows will be able to access everything in the "Private Data" folder (and subfolders) on your thumb drive.  You can modify files, add new files, whatever... while at home and when you take the drive back to work, you can also access them there.  But nobody else can!  Ever!

Notes:
We left the PFX file in the root directory of the thumb drive.  You can delete it if you want -- the certificate is already installed on your home system and on the system at work.  However, if you think you'll ever need to access the encrypted data while using yet another computer -- say when you are on the road -- then you'll need that PFX file.  

Keeping it in the root of the thumb drive is one way to do that.  It's safe because of the import password... but it's only as secure as that password.  If you want to keep the PFX file on the thumb drive, be sure to use a strong password that's not easy to guess.  You can set the PFX file's attributes to "Hidden" if that makes you feel safer.
To remove a cert.  If you ever install a private-key certificate on a "foreign" computer, you should remove it before leaving the site.  Use Internet Explorer/Tools/Internet Options/Content/Certificates to locate the private-key certificate (the one with your Windows User Name) and hit the [Remove] button.
It's possible to create two levels of privacy.  Well, actually, to create a directory encrypted by a different key.  In your "Private Data" folder, create a new folder (say, "UltraPrivate Data").  In Properties/Attributes/Advanced, disable encryption on that folder.  Now log on to Windows using a different username and password.  Get to that folder and set its attributes back to "Encrypted" -- it will create a new certificate-with-key in the Personal Certificate Store for that user.  Only that user can access the data in that subfolder.
There is another way (other than using Internet Explorer) to get to the cert store(s).  It's more steps, but worth knowing, in case you need to install a cert for a System Service or something:

    1) Start/Run... MMC  (launch "Microsoft Management Console")
    2) File / Add/Remove Snap-in...
    3) Click [Add...]
    4) Select "Certificates" then click [Finish]
    5) Choose the store type then click [Close]
    6) Click [OK]
    7) Browse through the stores and right-click to take actions such as export/remove, etc.
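As an added example (not part of the original article), here are the same steps done from PowerShell: finding the EFS certificate in the Personal store (step 1), exporting it with its private key to the thumb drive (step 2), importing it at home (step 3), and removing it again from a "foreign" computer (the "To remove a cert" note above). It assumes the G: drive letter and MyEFScertKey.pfx file name used in the article, and that the Export-PfxCertificate / Import-PfxCertificate cmdlets (PKI module, Windows 8 / Server 2012 and later) are available.

```powershell
# Added example, not the article's own code. Assumes drive G: and the file name used above.
$DriveRoot = 'G:\'
$PfxPath   = Join-Path $DriveRoot 'MyEFScertKey.pfx'
$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID for "Encrypting File System"

# Step 1: find the EFS certificate (with private key) in the current user's Personal store.
function Get-EfsCertificate {
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $EfsEkuOid) }
}

# Step 2: export certificate plus private key to the ROOT of the thumb drive, password protected.
function Export-EfsCertificate {
    param([Parameter(Mandatory)][securestring]$Password)
    $cert = Get-EfsCertificate | Select-Object -First 1
    if (-not $cert) { throw 'No EFS certificate with a private key found in Cert:\CurrentUser\My' }
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password | Out-Null
    Write-Host "Exported $($cert.Thumbprint) to $PfxPath"
}

# Step 3: at home, import the PFX into the Personal store, then show who can decrypt the folder.
function Import-EfsCertificate {
    param([Parameter(Mandatory)][securestring]$Password)
    $cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\CurrentUser\My -Password $Password
    # cipher /c lists, per file, the certificate thumbprints that are able to decrypt it
    cipher /c (Join-Path $DriveRoot 'Private Data\*')
    $cert
}

# "To remove a cert": delete the certificate AND its private key before leaving a foreign computer.
function Remove-EfsCertificate {
    param([Parameter(Mandatory)][string]$Thumbprint)
    Remove-Item -Path "Cert:\CurrentUser\My\$Thumbprint" -DeleteKey
}

# Usage (at work):  Export-EfsCertificate -Password (Read-Host 'PFX password' -AsSecureString)
# Usage (at home):  $c = Import-EfsCertificate -Password (Read-Host 'PFX password' -AsSecureString)
#                   ... and before leaving a borrowed PC: Remove-EfsCertificate -Thumbprint $c.Thumbprint
```

On systems without the PKI module, `cipher /x:G:\MyEFScertKey` performs the same password-protected export of the EFS certificate and key.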
In PART ONE, you may recall that we changed the "Policy" setting for the drive in order to enable the use of NTFS.  Be aware that a thumb drive formatted that way should NOT be just yanked out of the USB socket at any whim.  You need to remember to use the Safely Remove Hardware icon in the System Tray (bottom right corner of your desktop), otherwise critical data may not get flushed to the drive.
Certificates (and thus, encrypted data) are only as secure as your computer.  If you leave your computer logged-in when you take a coffee break, someone could slip in and export a certificate and use it to impersonate you.  In the scenario I've painted here (losing a thumb drive at an airport or somewhere), that's not your big worry.  But in other situations, it is.
If you encrypt data and then somehow lose the certificate/key -- say, through a hard disk crash with no cert store backup -- then don't call me.  I can't help you.  I'm not at all sure that anyone can!
Many employers have strict policies about copying data from corporate sources -- with or without an encrypted transport mechanism.  I suggest that you check your company's policies before taking any data from an office computer and putting it onto a portable device.

Author:DanRollins
13 Comments
 
LVL 46

Expert Comment

by:aikimark
@Dan

It would seem that TrueCrypt is simpler because it doesn't require certificate Export/Import.

I do have a concern with your reliance on certificate deletion.  Unless the disk space associated with the certificate is overwritten, then the deletion wouldn't protect the certificate from being stolen.

=================
How does this compare with a rar or 7z compressed file encrypted at AES-128 strength?

What is the earliest Windows OS that supports the steps in these two articles?
0
 
LVL 18

Expert Comment

by:WaterStreet
I think this pair of articles addresses something important to know and does it in a way that clearly and concisely addresses the questions a user would have in mind.  In short, it takes the mystery out of something that is important to know and makes it available for general use.  And, it gives a little, but needed, extra education about certificates.  Even I understand it now.  It got my vote above.
0
 
LVL 20

Expert Comment

by:alainbryden
This is a refreshing article, things like this should be regularly taught at office seminars.
0
 
LVL 60

Expert Comment

by:Kevin Cross
Very nice, Dan!

Voted yes above on this one also.
0
 
LVL 5

Expert Comment

by:Tuxx
Great article! I will be using this.
0
 
LVL 57

Expert Comment

by:Pete Long
Nice one Dan :) Here's another third party alternative I used to use http://www.petenetlive.com/Tech/Hardware/secureusb.htm
0
 

Expert Comment

by:PrashantT
Nice one. However, while working on the first part, when I right-click the folder and try to "Encrypt contents to secure data", I get an error "Recovery policy configured for this contains invalid recovery certificate". Please can you guide me on what I can do to get rid of this error?
0
 
LVL 49

Author Comment

by:DanRollins
http://www.google.com/search?hl=en&source=hp&q=Recovery+policy+configured+for+this+contains+invalid+recovery+certificate

Cause: The Encrypting File System (EFS) recovery policy that is implemented on this computer contains one or more EFS recovery agent certificates that have expired. These certificates cannot be used.

Solution: Either renew the existing certificates or generate new certificates for the EFS recovery agents and reapply the recovery agent policy with those certificates.
0
 
LVL 31

Expert Comment

by:Paranormastic
"you can also access them there.  But nobody else can!  Ever!"
- Not quite accurate, given the possibility of the DRA (Data Recovery Agent) existing on the work system, so your company can still get to encrypted files for SOX, etc., reasons.  If encrypted at home, the DRA will not be configured (normally) so then it would be an accurate statement, but when you "touch" that file (open it, modify, etc.) then it will update that with the existing DRA.

Also, for those more worried about leaving their system for a minute and giving up access to their cached logon for the EFS cert, you can enable the Strong Private Key Protection option - this is more annoying than it's worth for many, however, because you will need to enter your PIN each time you open an EFS file, but it is more secure against undesired access.  Of course, if the file is open, all bets are off.

A nice article, though, nonetheless.

TrueCrypt is nice and all, but it requires software to be installed which for many non-IT users is not a valid option.  In many environments it is easier to install a user cert to the user's certificate store and remove it later than it is to install 3rd party software.  If you have admin rights and policy allows - good for you, for the rest of us EFS is sometimes the best choice due to it being native.  Encrypted ZIPs may also be an option, using winzip (native to xp and newer, if memory serves), but you need to be careful to not use a vulnerable 9.x version with AES.
0
 
LVL 1

Expert Comment

by:smcpartlin
Can I use a cert from a CA like go daddy tO encrypt something?
0
 
LVL 2

Expert Comment

by:Akash Bansal
Is there any way I can enforce that step 2 cannot be carried out?

I mean, I do not want employees of the company to be able to read data from company USB drives at home.
0
 
LVL 49

Author Comment

by:DanRollins
I don't know the answer to that.  I suggest that you ask a question at Experts-Exchange.com :-)
0
 
LVL 38

Expert Comment

by:Rich Rumble
EFS is a bit dated, and I've had no real trouble recovering data using modern software like PassWare and ElcomSoft AEFSDR. I don't recover 100% of the EFS data I've tried, but I recover 90%, even when they can't remember their passwords. I do make sure their passwords are "close" to what they remember them being before divulging the data to the client. If you use EFS out of the box, recovery for an attacker is easy if they can get on the machine itself. EFS is not as easy to recover if you simply find a USB drive someone dropped, that is when a FOLDER is being used. With EFS applied to files directly, you can "undelete" the plain-text copy to this day.
http://www.experts-exchange.com/Security/Encryption/A_12132-Microsoft-EFS-Recovery.html
Whenever I suggest people encrypt their data, I also recommend they back that data up in a secure fashion as well. Encrypting data should effectively be looked at no recovery is possible unless the correct keys are used. With EFS, don't bother, send it to me and I'll get it back for you :) Just kidding, you should have a backup too, but recovery is almost guaranteed.
0
