Avoid Windows Encryption

Belialxyn asked the Answer Line forum how to retrieve encrypted files after reinstalling Windows.

Unfortunately, I can't offer Belialxyn much help. I found a program that might recover encrypted files--ElcomSoft's Advanced EFS Data Recovery. It didn't recover Belialxyn's files and it didn't recover mine, either. But since there's a free demo, you can see if it will recover yours at no cost. Should the demo find your files recoverable, the price is a steep $150 for the standard edition. It's worth a try; just don't be too optimistic.

But I can offer some advice about avoiding this disaster in the first place:

Windows' Encrypting File System, which is part of NTFS, builds its encryption around the logon. A special software key unlocks it when you log on as yourself, giving you completely transparent access to your encrypted data. But if you reinstall Windows and create a new logon--even if it has the same name and password--it doesn't have the key and you can't access the files.

This makes sense in an office environment, where the IS department knows how to back up the key (and an extra certificate) and the users don't even have to know that some of their data is encrypted. And if IS has to reinstall Windows on a PC, they have the key.

That's probably why EFS is disabled in the Home versions of XP and Vista.

If you're going to use EFS, back up that key and certificate. This is pretty easy in Vista. In fact, the first time you encrypt a file or folder, a pop-up warns you to back up what you'll need to decrypt them. You can follow its instructions, or launch Control Panel, type certificate, and click Manage file encryption certificates. The XP instructions are more complicated.
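As an added example (not from the column or from Microsoft), here is a PowerShell script that does the same backup from the command line: it lists every file under the profile that carries the EFS Encrypted attribute, so you know what is at stake, and then exports the account's EFS certificate together with its private key to a password-protected PFX. The output paths on the Desktop are assumptions; run it as the user who encrypted the files.

```powershell
# Added example, not from the article: list EFS-encrypted files and back up the
# EFS certificate together with its private key before reinstalling Windows.
# Run as the user who encrypted the files. Output paths below are assumptions.
$ScanRoot  = $env:USERPROFILE
$OutDir    = Join-Path $env:USERPROFILE 'Desktop'
$efsEkuOid = '1.3.6.1.4.1.311.10.3.4'   # "Encrypting File System" enhanced key usage

# 1. Inventory: every file carrying the Encrypted attribute under $ScanRoot.
#    These are the files that become unreadable if the key is lost.
$encrypted = Get-ChildItem -Path $ScanRoot -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and
                   (($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0) }
$listFile = Join-Path $OutDir 'efs-encrypted-files.txt'
$encrypted | ForEach-Object { $_.FullName } | Set-Content -Path $listFile
Write-Host ("{0} EFS-encrypted file(s) listed in {1}" -f @($encrypted).Count, $listFile)

# 2. Find the EFS certificate(s) with a private key in the user's personal store.
$efsCerts = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $cert = $_
    $cert.HasPrivateKey -and ($cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    } | ForEach-Object { $_.EnhancedKeyUsages } | Where-Object { $_.Value -eq $efsEkuOid })
}
if (-not $efsCerts) { throw 'No EFS certificate with a private key found; nothing to back up.' }

# 3. Export each one as a password-protected PFX. The private key is the part that
#    matters: a new logon after a reinstall has a new key and cannot unwrap the files.
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password to protect the PFX backup'
foreach ($cert in $efsCerts) {
    $pfxPath  = Join-Path $OutDir ("efs-{0}.pfx" -f $cert.Thumbprint)
    $pfxBytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx,
                             $pfxPassword)
    [System.IO.File]::WriteAllBytes($pfxPath, $pfxBytes)
    Write-Host ("Exported {0} (expires {1}) to {2}" -f $cert.Subject, $cert.NotAfter, $pfxPath)
}
Write-Host 'Copy the .pfx files somewhere that survives the reinstall (not this disk).'
```

The built-in `cipher /x` command backs up the same certificate and key without a script; after the reinstall, importing the PFX into the new account's personal store (double-click it, or `certutil -user -importPFX`) restores access to the files.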

Better yet, avoid EFS and use TrueCrypt. With this free, open-source utility, you can create encrypted volumes where you store your sensitive files. When you open a volume with your password, it appears to Windows as another drive--you can save files to it, open them, edit them, and so on. When you close it, it's a single file filled with gobbledygook. For a user taking charge of his or her own encryption, this makes a lot more sense.

See the original forum discussion at http://forums.pcworld.com/message/243867.

Add your comments to this article below. If you have other tech questions, email them to me at answer@pcworld.com, or post them to a community of helpful folks on the PCW Answer Line forum.
