Keeping Your Documents Safe

Editor's Note: The following MVP Monday post is by Enterprise Security MVP Debra Littlejohn Shinder.

We use our computers for many purposes: to browse the web, listen to music, watch videos. One of the most important is the creation, sending/receiving and/or storage of documents. Some of these documents are fairly trivial, easy to reproduce and non-sensitive. Others – such as our financial and tax documents, personal correspondence, original fiction or non-fiction writing or our work product – represent many hours of our time, would be difficult to replace, and/or are highly confidential. Those in the latter category deserve extra effort to keep them safe from intentional or inadvertent modification, destruction or prying eyes.

Luckily, there are a number of technologies that you can use to protect your important documents, whether you’re storing them on your hard drive, storing them in the cloud, or sending them to someone else via email. You’ll find that many of these technologies are built into Microsoft’s operating systems and applications, so you don’t even have to buy or download extra software.

Encrypt documents on disk with EFS

The Encrypting File System (EFS) was introduced as part of NTFS v.3 in Windows 2000 Professional and Windows 2000 Server. It has evolved over the years and is included in the Professional/Business, Enterprise and Ultimate editions of Windows XP, Vista and Windows 7, and in Windows Server 2003/2003 R2 and Windows Server 2008/2008 R2. EFS is used to encrypt files that are stored on disk.

Note that the files to be encrypted must be on an NTFS-formatted volume and they must not be compressed. Best practice is to encrypt at the folder level rather than encrypting individual files. To encrypt a folder and its contents, do the following:

  1. Navigate in Windows Explorer to the folder you want to encrypt, right click it and select Properties.
  2. Click the Advanced button.
  3. In the Advanced Attributes dialog box, check the box labeled “Encrypt contents to secure data” as shown in Figure 1 below.

Figure 1

  4. Click OK twice to exit the dialog boxes.
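The same folder-level encryption can be scripted. The following is an added example, not part of the original post: it checks the two prerequisites named above (NTFS volume, no compression), runs the built-in cipher.exe tool, and then lists anything that is still unencrypted. The folder path and the function name Get-EfsBlocker are hypothetical.

```powershell
# Added example: command-line equivalent of the Explorer steps above.
# $Folder is a hypothetical path; change it to the folder you want to protect.
$Folder = 'D:\Documents\Finance'

function Get-EfsBlocker {
    # Returns the reasons (if any) why EFS cannot be applied to $Path.
    param([Parameter(Mandatory = $true)][string]$Path)

    $reasons = @()
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction Stop
    if (-not $item.PSIsContainer) {
        $reasons += 'Target is a file; encrypt the containing folder instead.'
    }
    $root = [System.IO.Path]::GetPathRoot($item.FullName)
    $format = (New-Object System.IO.DriveInfo $root).DriveFormat
    if ($format -ne 'NTFS') {
        $reasons += "Volume $root is $format; EFS requires NTFS."
    }
    if ($item.Attributes -band [System.IO.FileAttributes]::Compressed) {
        $reasons += 'Folder is NTFS-compressed; remove compression first.'
    }
    return $reasons
}

$blockers = @(Get-EfsBlocker -Path $Folder)
if ($blockers.Count -gt 0) {
    $blockers | ForEach-Object { Write-Warning $_ }
    return
}

# /e encrypts; /s: applies the operation to the folder and what lies beneath it.
& cipher.exe /e "/s:$Folder"
if ($LASTEXITCODE -ne 0) { throw "cipher.exe exited with code $LASTEXITCODE" }

# Verify the result: anything listed here is still stored unencrypted
# (for example, a file that was open while cipher.exe ran).
$plain = @(Get-ChildItem -LiteralPath $Folder -Recurse -Force |
    Where-Object { -not ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) })
if ($plain.Count -eq 0) {
    Write-Output "All items under $Folder carry the Encrypted attribute."
} else {
    $plain | Select-Object -ExpandProperty FullName
}
```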

 

EFS uses public/private key cryptography. It’s important to export your EFS certificates and private keys to removable storage, such as a USB key, and store it securely, because you won’t be able to decrypt your files if the key is lost. For best security, store the keys only on removable media and remove it from the computer when not in use.

For instructions on how to back up your EFS certificate, see https://windows.microsoft.com/en-US/windows-vista/Back-up-Encrypting-File-System-EFS-certificate

Encrypt a whole volume with BitLocker

BitLocker whole volume encryption was introduced in Windows Vista. In its first iteration, you could only encrypt the data stored on the volume where Windows was installed (unless you wanted to use WMI scripts). Vista Service Pack 1 added the ability to easily encrypt other volumes, so if you have a partition set up for storing your documents and other personal data, you can encrypt it with BitLocker, too. BitLocker prevents an unauthorized person from being able to access your data without booting into Windows (such as by installing a second instance of Windows or another OS). It can be used in conjunction with EFS, which protects your data from other users after they’ve booted into Windows.

BitLocker uses the AES algorithm and can be used with or without a Trusted Platform Module (TPM), which is a hardware chip built into many modern laptops. If you don’t have a TPM, you can use a PIN (user authentication mode) or removable media (USB key mode) for authentication. For better security, you can also combine the authentication methods (for example, use the TPM and USB key, or even all three together). Using BitLocker to encrypt volumes requires a number of steps. For step-by-step guidance, see https://technet.microsoft.com/en-us/library/cc766295(WS.10).aspx

Encrypt documents on removable storage with BitLocker to Go

If you have the Enterprise or Ultimate edition of Windows 7, you can use a new feature, BitLocker to Go, to encrypt your documents when they’re stored on a removable USB drive or a flash memory card. You set a password that has to be entered to read the data on the drive. You don’t have to have Windows 7 to decrypt and read the documents on another Windows computer, either. When you encrypt the removable drive, a reader application is installed on it that will prompt for the password when you connect the USB drive or memory card to an XP or Vista computer.

To encrypt a USB drive or memory card with BitLocker to Go, insert it and right click its icon in Windows Explorer. Then follow these steps:

  1. Select Turn on BitLocker. It will take a moment for BitLocker to initialize the drive.
  2. Next choose how you want to unlock the drive. You can use a password or a smart card. If you use a smart card, you’ll need to insert it and you’ll use the smart card PIN when you unlock the drive. If you select to use a password, type it in and confirm it, as shown in Figure 2.

Figure 2

  3. Click Next.
  4. Select how you want to store the recovery key. The recovery key can be used to access the drive if you forget the password or lose the smart card. You can save it to a file or print it. The recovery key is a 48-digit number (Example: 414260-501435-535601-423313-623887-246961-490193-040821).
  5. If you select to save the recovery key to a file, select a location and click Save. The default location is your Documents folder, but this may not be the most secure location. Remember that anyone who has the recovery key will be able to unlock the drive without knowing the password or possessing the smart card.
  6. Click Next.
  7. On the next page, click Start Encrypting. It may take a while to encrypt the drive, depending on its size. A progress bar will appear, as shown in Figure 3. You can pause the encryption process. Don’t remove the drive during the encryption process without pausing, or the files could be damaged.
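Because a saved recovery key unlocks the drive by itself, it is worth checking whether any have been left in the default Documents folder. The following is an added example, not part of the original post: it searches text files for the 48-digit format and confirms each hit using a property of the format that the post does not mention, namely that every six-digit group is a multiple of 11 (the sample key quoted above satisfies it). The function names and the search root are hypothetical.

```powershell
# Added example: find BitLocker recovery keys left in plain-text files.
# $SearchRoot is a hypothetical default; point it wherever keys may have been saved.
$SearchRoot = [Environment]::GetFolderPath('MyDocuments')

# Eight groups of six digits separated by hyphens (48 digits in total).
$KeyPattern = '(?<!\d)\d{6}(?:-\d{6}){7}(?!\d)'

function Test-RecoveryPasswordFormat {
    # True when every group is a multiple of 11 and group/11 fits in 16 bits,
    # which filters out look-alike digit strings such as serial numbers.
    param([Parameter(Mandatory = $true)][string]$Candidate)
    foreach ($group in $Candidate.Split('-')) {
        $n = [int]$group
        if (($n % 11) -ne 0 -or ($n / 11) -ge 65536) { return $false }
    }
    return $true
}

function Find-RecoveryPassword {
    # Emits one object per well-formed recovery key found under $Root.
    param([Parameter(Mandatory = $true)][string]$Root)
    Get-ChildItem -Path $Root -Recurse -Force -Filter *.txt -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $file = $_.FullName
            $text = (Get-Content -LiteralPath $file -ErrorAction SilentlyContinue) -join "`n"
            foreach ($m in [regex]::Matches($text, $KeyPattern)) {
                if (Test-RecoveryPasswordFormat -Candidate $m.Value) {
                    # Report only the first group so the key is not copied into logs.
                    New-Object PSObject -Property @{
                        File = $file
                        Key  = $m.Value.Substring(0, 6) + '-******-...'
                    }
                }
            }
        }
}

# Format check against the sample key quoted in the post.
Test-RecoveryPasswordFormat -Candidate '414260-501435-535601-423313-623887-246961-490193-040821'

# Audit the chosen folder; move any file reported here to offline storage.
Find-RecoveryPassword -Root $SearchRoot | Format-Table -AutoSize
```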


Figure 3

When encryption is complete, close the dialog box and your files will be protected. If you remove and reinsert the USB drive or memory card, and click on it in Windows Explorer, you’ll get the message shown in Figure 4, that the drive is not accessible and access is denied.

Figure 4

 

To unlock the drive, you must right click it and select Unlock Drive…. This will display the dialog box that asks you for your password (or smart card and PIN). If you want the drive to be locked when used on other computers, but don’t want to have to go through the unlock process every time you use it on this computer, you can check the box that says Automatically unlock on this computer from now on.

If you forget your password or don’t have your smart card, select the I forgot my password link and you can either type in the recovery key or get it from a USB flash drive (if you’ve stored it there).

After you’ve unlocked the drive, you can manage BitLocker options by right clicking the drive name in Explorer and selecting Manage BitLocker…. This provides you with the ability to change the password, remove the password, add a smart card, save or print your recovery key again, or set the drive to automatically lock on this computer, as shown in Figure 5.

Figure 5

You can only remove the password if you first add a smart card to unlock the drive.

Things work a little differently if you insert the BitLocker-protected drive in a Windows XP or Windows Vista computer. In that case, you get a dialog box that gives you the option to install or run the BitLocker to Go Reader program. After you do that, you’ll see the prompt to enter your password. You won’t have the option to automatically unlock the drive on this computer.

The BitLocker to Go Reader interface displays the files on the drive like Windows Explorer, but you can’t open them here. You’ll be asked if you want to copy them to your desktop. You can drag and drop them from the Reader window. You can’t save or change files on the protected drive when it’s in a non-Windows 7 computer.

Other ways to protect your documents

There are several other mechanisms in Microsoft operating systems and applications by which you can protect the confidentiality, integrity and authenticity of your documents, including the following:

Password protect documents in Office applications

You can set passwords on Word documents, Excel workbooks and PowerPoint presentations using the encryption feature in Office applications. Find out how to do that here:

https://office.microsoft.com/en-us/word-help/password-protect-documents-workbooks-and-presentations-HA010148333.aspx

Digitally sign your documents

You can protect your documents’ contents by adding a digital signature, so that if someone makes changes to the document after you sign it, you (and recipients of the document) will know that it has been changed. Find out how to add digital signatures here:

https://office.microsoft.com/en-us/word-help/add-or-remove-a-digital-signature-in-office-documents-HA010099768.aspx?CTT=1

Encrypt email messages in Outlook

If you send your document in the body of an email message, using Outlook, you can encrypt the message contents using your private key so that it can be read only by others with whom you have shared your public key certificate. Find out how to send encrypted messages with Outlook here:

https://office.microsoft.com/en-us/outlook-help/encrypt-e-mail-messages-HP001230536.aspx?CTT=1

Encrypt data sent between Outlook and an Exchange server

If you have an Exchange account, you can select to encrypt the data that is sent to and from the Exchange server from Outlook to protect it while in transmission. Find out how to do that here:

https://office.microsoft.com/en-us/outlook-help/encrypt-data-between-outlook-and-exchange-server-HP001003055.aspx?CTT=1

Document protection on a business network

On a company network, there are additional protective mechanisms that can be employed to keep documents safe, such as IPsec encryption to protect data as it travels across the network and Rights Management Services/Information Rights Management to prevent legitimate recipients from forwarding, copying or printing your documents.

 

Author's Bio

DEBRA LITTLEJOHN SHINDER, MCSE, MVP is a technology consultant, trainer, writer and analyst who has authored, edited or contributed to over 25 books on computer operating systems, networking, and security. She edits GFI Software’s weekly WinNews newsletter and writes a weekly column called Microsoft InSights for TechRepublic/CNET, as well as a monthly column on Cybercrime and twice-monthly blogs on smart phone and mobile technology. She is lead author for ISAServer.org, and Windowsecurity.com. Her articles on various tech issues are regularly published in online and print magazines. She has spoken at various technology conferences and presented web-based talks on various security and technology topics. Deb currently specializes in security issues and Microsoft products.

 

MVP Mondays

The MVP Monday Series is created by Melissa Travers. In this series we work to provide readers with a guest post from an MVP every Monday. Melissa is a Community Program Manager for Dynamics, Excel, Office 365, Platforms and SharePoint in the United States. She has been working with MVPs since her early days as a Microsoft Exchange Support Engineer, when MVPs would answer all the questions in the old newsgroups before she could get to them.