
Encrypt your Thumb Drive at Work and Use it at Home -- PART TWO

In PART ONE of this two-part article, we covered how to set up a thumb drive so that it will contain an encrypted folder.  In this section, PART TWO, we'll walk through the steps needed to make that data readable on a different computer.

How to Make the Drive Readable At Home
When you plug in the USB drive at work, you will be able to access the Private Data folder.  But if you take it home, or try to use it on any other computer, the contents of that folder cannot be used.  Windows has created an Encryption Key that is linked to your Windows User Name and stored that key in a Certificate that is in your Personal Certificate Store.  Take a look:

1. Find and Verify the Certificate

In Internet Explorer (not Windows Explorer), select the Tools/Internet Options menu item.
Click the Content tab.
Click the Certificates button.
You will see the certificate in the list.  Its "intended purpose" is "Encrypting File System."

2. Export the Certificate

Click to select the new certificate.  Click the Export button.  This starts the Certificate Export Wizard.

In the Export Private Key step, select the Yes, Export private key radio button.
Click [Next].

In the Export File Format step, leave the defaults (PFX file type and "Enable strong Encryption").
Click [Next].

In the Password step, think up a password for this certificate.  This password will probably be needed only once -- when you install the cert at home.  See the notes at the end of this article for some related possibilities.
Click [Next].

In the File To Export step, click the [Browse...] button and locate your thumb drive -- something like: My Computer (G:).  Don't select the "Private Data" folder!  Make sure you are looking at the root directory.  Set the file name to, for instance, MyEFScertKey.pfx
Click [Save].
Verify the filename (G:\MyEFScertKey.pfx) and click [Next].
Click [Finish].

3. Import the Certificate At Home

Your thumb drive now has a root directory with two items: the "Private Data" folder and the .PFX file.  Call it a day and go home.

At home, plug in the thumb drive.  Try to access the data in the "Private Data" folder.  You'll see that the data is protected.  Only a computer with the correct certificate in the Personal certificate store can access that data.  So proceed to install the cert in that store:

Double-click the MyEFScertKey.pfx file that you created earlier.  This starts the Certificate Import Wizard.  Click Next twice.

In the Password step, enter the password that you thought up for the certificate in step 2.  Leave the other checkboxes blank.
Click Next.

In the Certificate Store step, choose Automatically select the certificate store based on the type of certificate.
Click Next.
Click Finish.

Now that your home computer has the private decryption key in your Personal certificate store, Windows will be able to access everything in the "Private Data" folder (and subfolders) on your thumb drive.  You can modify files, add new files, whatever... while at home and when you take the drive back to work, you can also access them there.  But nobody else can!  Ever!

We left the PFX file in the root directory of the thumb drive.  You can delete it if you want -- the certificate is already installed on your home system and on the system at work.  However, if you think you'll ever need to access the encrypted data while using yet another computer -- say when you are on the road -- then you'll need that PFX file.  

Keeping it in the root of the thumb drive is one way to do that.  It's safe because of the import password... but it's only as secure as that password.  If you want to keep the PFX file on the thumb drive, be sure to use a strong password that's not easy to guess.  You can set the PFX file's attributes to "Hidden" if that makes you feel safer.

To remove a cert.  If you ever install a private-key certificate on a "foreign" computer, you should remove it before leaving the site.  Use Internet Explorer/Tools/Internet Options/Content/Certificates to locate the private-key certificate (the one with your Windows User Name) and hit the [Remove] button.

It's possible to create two levels of privacy.  Well, actually, to create a directory encrypted by a different key.  In your "Private Data" folder, create a new folder (say, "UltraPrivate Data").  In Properties/Attributes/Advanced, disable encryption on that folder.  Now log on to Windows using a different username and password.  Get to that folder and set its attributes back to "Encrypted" -- it will create a new certificate-with-key in the Personal Certificate Store for that user.  Only that user can access the data in that subfolder.

There is another way (other than using Internet Explorer) to get to the cert store(s).  It's more steps, but worth knowing, in case you need to install a cert for a System Service or something:

    1) Start/Run... MMC  (launch "Microsoft Management Console")
    2) File / Add/Remove Snap-in...
    3) Click [Add...]
    4) Select "Certificates" then click [Finish]
    5) Choose the store type then click [Close]
    6) Click [OK]
    7) Browse through the stores and right-click to take actions such as export/remove, etc.

In PART ONE, you may recall that we changed the "Policy" setting for the drive in order to enable the use of NTFS.  Be aware that a thumb drive formatted that way should NOT be just yanked out of the USB socket at any whim.  You need to remember to use the Safely Remove Hardware icon in the System Tray (bottom right corner of your desktop), otherwise critical data may not get flushed to the drive.

Certificates (and thus, encrypted data) are only as secure as your computer.  If you leave your computer logged-in when you take a coffee break, someone could slip in and export a certificate and use it to impersonate you.  In the scenario I've painted here (losing a thumb drive at an airport or somewhere), that's not your big worry.  But in other situations, it is.

If you encrypt data and then somehow lose the certificate/key -- say, through a hard disk crash with no cert store backup -- then don't call me.  I can't help you.  I'm not at all sure that anyone can!

Many employers have strict policies about copying data from corporate sources -- with or without an encrypted transport mechanism.  I suggest that you check your company's policies before taking any data from an office computer and putting it onto a portable device.
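
Steps 1 to 3 and the "To remove a cert" note can also be carried out from PowerShell instead of the wizards.  The following is an added example, not part of the original article; it assumes Windows 8.1 / PowerShell 4.0 or later with the built-in PKI module, and the function names are hypothetical.

```powershell
# Added example (not from the original article). Function names are hypothetical.
$EfsOid = '1.3.6.1.4.1.311.10.3.4'   # "Encrypting File System" enhanced key usage

function Get-EfsCertificate {
    # Step 1: certificates in the user's Personal store that carry the EFS
    # usage and have their private key present on this machine.
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and
                       ($_.EnhancedKeyUsageList.ObjectId -contains $EfsOid) }
}

function Export-EfsKey {
    # Step 2: write certificate + private key to a password-protected PFX.
    param([Parameter(Mandatory)][string]$Path)      # e.g. G:\MyEFScertKey.pfx
    $certs = @(Get-EfsCertificate)
    if ($certs.Count -ne 1) {
        throw "Expected exactly one EFS certificate, found $($certs.Count)."
    }
    # Prompt for the password so it never appears on the command line.
    $pw = Read-Host -Prompt 'PFX password' -AsSecureString
    Export-PfxCertificate -Cert $certs[0] -FilePath $Path -Password $pw
}

function Import-EfsKey {
    # Step 3: install into the Personal store. Without -Exportable the key is
    # marked non-exportable, so the Export wizard on this PC will not offer it.
    param([Parameter(Mandatory)][string]$Path)
    $pw = Read-Host -Prompt 'PFX password' -AsSecureString
    Import-PfxCertificate -FilePath $Path -Password $pw `
        -CertStoreLocation Cert:\CurrentUser\My
}

function Remove-EfsKey {
    # "To remove a cert": delete the certificate AND its private key
    # from a borrowed computer before leaving it.
    param([Parameter(Mandatory)][string]$Thumbprint)
    Remove-Item -Path "Cert:\CurrentUser\My\$Thumbprint" -DeleteKey
    # Returns $true when nothing with that thumbprint is left in the store.
    -not (Test-Path "Cert:\CurrentUser\My\$Thumbprint")
}
```

Run Export-EfsKey at work and Import-EfsKey at home; the thumbprint to pass to Remove-EfsKey is shown in the output of Import-EfsKey.  Running cipher /c on an encrypted file lists the certificates that are able to decrypt it.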


Comments (13)

Paranormastic, Cryptographic Engineer

"you can also access them there.  But nobody else can!  Ever!"
- Not quite accurate, given the possibility of the DRA (Data Recovery Agent) existing on the work system, so your company can still get to encrypted files for SOX, etc., reasons.  If encrypted at home, the DRA will not be configured (normally) so then it would be an accurate statement, but when you "touch" that file (open it, modify, etc.) then it will update that with the existing DRA.

Also, for those more worried about leaving their system for a minute and giving up access to their cached logon for the EFS cert, you can enable the Strong Private Key Protection option - this is more annoying than it's worth for many, however, because you will need to enter your PIN each time you open an EFS file, but it is more secure against undesired access.  Of course, if the file is open, all bets are off.

A nice article, though, nonetheless.

TrueCrypt is nice and all, but it requires software to be installed which for many non-IT users is not a valid option.  In many environments it is easier to install a user cert to the user's certificate store and remove it later than it is to install 3rd party software.  If you have admin rights and policy allows - good for you, for the rest of us EFS is sometimes the best choice due to it being native.  Encrypted ZIPs may also be an option, using winzip (native to xp and newer, if memory serves), but you need to be careful to not use a vulnerable 9.x version with AES.
Can I use a cert from a CA like Go Daddy to encrypt something?
Akash Bansal, IT Professional

Is there any way I can enforce that step 2 cannot be implemented?

I mean, I do not want employees of the company to be able to read data from company USB drives at their home.
Author of the Year 2009


I don't know the answer to that.  I suggest that you ask a question at :-)
Rich Rumble, Security Samurai
Top Expert 2006

EFS is a bit dated, and I've had no real trouble recovering data using modern software like PassWare and ElcomSoft AEFSDR. I don't recover 100% of the EFS data I've tried, but I recover 90%, even when they can't remember their passwords. I do make sure their passwords are "close" to what they remember them being before divulging the data to the client. If you use EFS out of the box, recovery for an attacker is easy if they can get on the machine itself. EFS is not as easy to recover if you simply find a USB drive someone dropped, that is when a FOLDER is being used. EFS applied to files directly, you can "undelete" the plain-text copy to this day.
Whenever I suggest people encrypt their data, I also recommend they back that data up in a secure fashion as well. Encrypting data should effectively be looked at as: no recovery is possible unless the correct keys are used. With EFS, don't bother, send it to me and I'll get it back for you :) Just kidding, you should have a backup too, but recovery is almost guaranteed.
