Cifrar o Descifrar Una Carpeta o Un Archivo
8/13/2019 Cifrar o Descifrar Una Carpeta o Un Archivo
Encrypt or decrypt a folder or file
Encrypting folders and files is a way to protect them against unwanted access. Encrypting File System (EFS) is a Windows feature that lets you store information on the hard disk in encrypted form. Encryption is the strongest protection Windows provides to help keep your information safe.
To encrypt a folder or file
1. Right-click the folder or file that you want to encrypt, and then click Properties.
2. Click the General tab, and then click Advanced.
3. Select the Encrypt contents to secure data check box, and then click OK.
Note: The first time you encrypt a folder or file, you should back up your encryption certificate. If the certificate and key are lost or damaged and you did not make a backup, you will not be able to use the files you encrypted.
To decrypt a folder or file
1. Right-click the folder or file that you want to decrypt, and then click Properties.
2. Click the General tab, and then click Advanced.
3. Clear the Encrypt contents to secure data check box, and then click OK.
http://windows.microsoft.com/es-mx/windows-vista/encrypt-or-decrypt-a-folder-or-file
Encrypting File System (EFS) service.
Written by Fernando Muñoz on 25 August 2011.
Service description:
On Windows 7 this service provides the support needed to store EFS-encrypted files on an NTFS file system. EFS is a file encryption technology that first appeared in Windows 2000 and has been carried forward in every later version of Windows (in the business editions; the Home editions do not include it).
Encrypting a file or folder is simple: right-click the folder or file you want to encrypt, choose Properties, click the Advanced button and select the Encrypt contents to secure data check box. When encryption finishes, the name of the encrypted folder or file is shown in green in Explorer, and a wizard appears offering to back up the file encryption certificate and key. These are essential: if the encryption key is lost or damaged, it will be impossible to access the encrypted information.
On both Windows 7 and Windows Vista it is possible to disable the Encrypting File System entirely with the command fsutil behavior set disableencryption 1. This command simply sets the NtfsDisableEncryption value, located under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem, to 1 (one). To enable it again, run fsutil behavior set disableencryption 0, or edit that value directly in the registry and set it to 0 (zero).
Executable path: :\Windows\System32\lsass.exe
English name: Encrypting File System
Windows service name: EFS
Associated files: \windows\system32\efssvc.dll
Does it open a connection or listen on a port?: No
Startup type: Manual on every edition of Windows 7. The startup type switches to Automatic once the service has been started.
Runs under which account?: Local System (the service is hosted inside lsass.exe, which runs as SYSTEM).
Depends on: Remote Procedure Call (RPC)
Services that depend on this service: none.
Location in the Windows registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\EFS
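As an added example (not part of the original blog post), the following PowerShell reads the facts listed above back from the machine instead of taking them on trust: the NtfsDisableEncryption switch, and the EFS service's image path, service DLL, startup type, account and dependencies from its registry key. It assumes Windows PowerShell 3.0 or later; Set-EfsDisabled wraps the fsutil command from the text and needs an elevated prompt.

```powershell
# Added example, not part of the original page. Reads the EFS kill switch and
# the service configuration described above straight from the registry.
$fsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\EFS'

function Get-EfsState {
    # NtfsDisableEncryption is normally absent, which NTFS treats as 0 (enabled).
    $props    = Get-ItemProperty -Path $fsKey -ErrorAction Stop
    $disabled = if ($null -ne $props.NtfsDisableEncryption) { [int]$props.NtfsDisableEncryption } else { 0 }

    # Service configuration as the Service Control Manager sees it.
    $svc   = Get-ItemProperty -Path $svcKey -ErrorAction Stop
    $param = Get-ItemProperty -Path "$svcKey\Parameters" -ErrorAction SilentlyContinue
    $startTypes = @{ 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

    [pscustomobject]@{
        EncryptionDisabled = [bool]$disabled
        StartType          = $startTypes[[int]$svc.Start]
        Status             = (Get-Service -Name EFS).Status
        ImagePath          = $svc.ImagePath                      # expected to end in lsass.exe
        ServiceDll         = $param.ServiceDll                   # expected to end in efssvc.dll
        RunsAs             = $svc.ObjectName                     # account the service runs under
        DependsOn          = @($svc.DependOnService) -join ', '  # expected: RpcSs
    }
}

function Set-EfsDisabled {
    param([Parameter(Mandatory)][bool]$Disabled)
    # Same as typing "fsutil behavior set disableencryption 1" (or 0). Going
    # through fsutil rather than Set-ItemProperty lets Windows validate the value.
    $value = if ($Disabled) { 1 } else { 0 }
    & fsutil.exe behavior set disableencryption $value
    if ($LASTEXITCODE -ne 0) { throw "fsutil failed with exit code $LASTEXITCODE (run elevated?)" }
    return (Get-EfsState).EncryptionDisabled
}

Get-EfsState | Format-List
```

Compare the RunsAs and ImagePath fields with what the service description claims; if a host reports an unexpected image path or account for EFS, that is worth investigating before trusting any file on it to EFS.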
Protecting Data by Using EFS to Encrypt Hard Drives
On This Page
Introduction
Before You Begin
Generating and Backing Up a Recovery Key
Creating a Domain-Based Recovery Agent
Creating a Local Recovery Agent
Using EFS
Enabling the Encrypt/Decrypt Options on the Windows Explorer Menu
Enabling EFS File Sharing
Exporting and Importing Data Recovery Keys
Recovering Data
Best Practices
Related Information
Introduction
In many businesses, users share desktop computers. Some users travel with portable computers that they use outside the physical protection of the business, in customer facilities, airports, hotels, and at home. This means that valuable data is often beyond the control of the business. An unauthorized user might try to read data stored on a desktop computer. A portable computer can be stolen. In all of these scenarios, malevolent parties can gain access to sensitive company data.
One solution to help reduce the potential for stolen data is to encrypt sensitive files by using Encrypting File System (EFS) to increase the security of your data. Encryption is the application of a mathematical algorithm to make data unreadable except to those users who have the required key. EFS is a Microsoft technology that lets you encrypt data on your computer, and control who can decrypt, or recover, the data. When files are encrypted, user data cannot be read even if an attacker has physical access to the computer's data storage. To use EFS, all users must have Encrypting File System certificates, digital documents that allow their holders to encrypt and decrypt data using EFS. EFS users must also have NTFS permission to modify the files.
Two types of certificates play a role in EFS:
- Encrypting File System certificates. This type of certificate allows the holder to use EFS to encrypt and decrypt data, and is often called simply an EFS certificate. Ordinary EFS users get this type of certificate. The Enhanced Key Usage field for this type of certificate (visible in the Certificates Microsoft Management Console snap-in) has the value Encrypting File System (1.3.6.1.4.1.311.10.3.4).
- File Recovery certificates. This type of certificate allows the holder to recover encrypted files and folders throughout a domain or other scope, no matter who encrypted them. Only domain admins or very trusted designated persons called data recovery agents should get this. The Enhanced Key Usage field for this type of certificate (visible in the Certificates Microsoft Management Console snap-in) has the value File Recovery (1.3.6.1.4.1.311.10.3.4.1). These are often called EFS DRA certificates.
To enable another authorized person to read your encrypted data, you can give them your private key (not recommended: the EFS file-sharing procedure later in this document lets you add their certificate to the file instead), or you can make them a data recovery agent. A data recovery agent can decrypt all EFS-encrypted files in the domain or organizational unit in his or her scope. This document provides step-by-step instructions for the main EFS-related tasks in a small-to-medium business, and also lists several important best practices for using EFS.
The procedures in this document guide you through the following tasks:
- Create and safeguard a recovery key to ensure that encrypted data can be safely recovered when the original user cannot do so.
- Create recovery agents who can recover encrypted files when the original user cannot do so.
- Set up EFS in your business.
- Configure Windows Explorer to conveniently use EFS.
- Configure file sharing to work with EFS.
- Export and import data recovery keys to enable the safe recovery of encrypted files and folders.
- Recover data when the original user cannot do so.
By following the procedures in this document, you will make the following system-wide changes:
- Create a backup data recovery key.
- Create a recovery agent.
- Enable EFS for encrypting data on a computer hard drive.
- Configure Windows Explorer to include EFS options.
These procedures also enable you to implement the following changes or precautions:
- Provide shared access to selected encrypted data.
- Manage data recovery keys for use in recovering encrypted data.
- Recover encrypted data when necessary.
Before You Begin
The procedures in this document help you configure your computers to use EFS and illustrate how to use EFS to protect data on the computer hard drives in your business. Before you begin to carry out these procedures, you should work with your legal counsel to ensure that your planned encryption policies and procedures adhere to the relevant laws and regulations. In particular, if your organization has offices outside the United States, you need to be familiar with export control laws related to encryption software. You should also be familiar with some basic requirements and conditions for using EFS:
- You can encrypt files and folders only on NTFS file system volumes. Consequently, you cannot use EFS to protect data on hard drives that use the FAT or FAT32 file system. Unless you have a specific reason to continue using the FAT file system, it is recommended that you convert these volumes to use NTFS. The Windows 95, Windows 98, and Windows Millennium Edition operating systems do not support NTFS or EFS. Windows XP Home Edition supports NTFS, but not EFS.
- Files or folders that are compressed cannot also be encrypted. If you encrypt a compressed file or folder, that file or folder will be uncompressed.
- Files marked with the System attribute cannot be encrypted, nor can you encrypt files in the systemroot folder.
- Options that you select from a pop-up dialog box when you first encrypt files or folders determine how encryption operates in the future:
  o If you choose to encrypt the parent folder when you encrypt a single file, all files and subfolders that are added to the folder in the future will be encrypted when they are added.
  o If you choose to encrypt all files and subfolders when you encrypt a folder, all files and subfolders currently in the folder are encrypted, as well as any files and subfolders that are added to the folder in the future.
  o If you choose to encrypt the folder only when you encrypt a folder, all files and subfolders currently in the folder are not encrypted. However, any files and subfolders that are added to the folder in the future are encrypted when they are added.
Unless otherwise specified, in the procedures described in this document, server computers are running the Windows Server 2003 operating system, and client computers are running Windows XP Professional.
In an Active Directory environment, users are assumed to have roaming user profiles. Please note that screenshots in this document reflect a test environment and the information might differ from the information displayed on your computer.
All of the step-by-step instructions in this document were developed using the Start menu that appears by default when you install your operating system. If you have modified your Start menu, the steps might differ slightly.
Generating and Backing Up a Recovery Key
Not having a backed-up recovery key can result in irrevocable loss of encrypted data. Backing up a recovery key helps ensure that encrypted data can be recovered in the event that the user holding the EFS encryption certificate is not able to decrypt the data.
Requirements
account for a domain is a recovery agent; in that case you do not need to create a recovery
agent.
Requirements
Credentials: Administrator of the domain.
Tools: the Active Directory Users and Computers snap-in to MMC.
To create a domain-based recovery agent
1. Click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.
2. Right-click the domain whose recovery policy you want to change, and then click Properties.
3. Click the Group Policy tab.
4. Right-click the recovery policy you want to change, and then click Edit.
5. In the console tree (on the left), click Encrypting File System. This can be found at Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypting File System.
6. In the details pane (on the right), right-click, and then click Create Data Recovery Agent.
Note: The Create Recovery Agent Wizard prompts you to add a user as a recovery agent either from a file or from Active Directory. When you add a recovery agent from a file, the user is identified as USER_UNKNOWN. This is because the user name is not stored in the file.
In order to add a recovery agent from Active Directory, EFS recovery agent certificates (file recovery certificates) must be published in Active Directory. However, because the default EFS file recovery certificate template does not publish these certificates, you need to create a template that does so. To do this, in the Certificate Templates snap-in, copy the default EFS file recovery certificate template to create a new template, right-click the new template, choose Properties, and, on the General tab of the Properties dialog box for the copied certificate, select the Publish certificate in Active Directory check box.
7. Follow the instructions in the Create Recovery Agent Wizard to finish creating a domain-based recovery agent.
Creating a Local Recovery Agent
In a non-domain environment, such as on a standalone computer or in a workgroup, you can create a local recovery agent. Creating a local recovery agent might be helpful if the computer is shared by multiple users. On a single-user computer, it is easier for the user to simply back up the recovery key to removable media.
Requirements
Credentials: Administrator of the local computer.
Tools: Group Policy Object Editor.
To create a local recovery agent
1. Click Start, click Run, type mmc, and then click OK.
2. On the File menu, click Add/Remove Snap-in, and then click Add.
3. Under Add Standalone Snap-in, click Group Policy Object Editor, and then click Add.
4. Under Group Policy Object, make sure that Local Computer is displayed, and then click Finish.
5. Click Close, and then click OK.
6. In Local Computer Policy, navigate to the Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Public Key Policies folder.
7. In the details pane, right-click Encrypting File System, and then click Add Data Recovery Agent or Create Data Recovery Agent.
Note: The wizard prompts you for a user name for a recovery agent. You can supply the wizard with the name of a user with a published file recovery certificate, or you can browse for file recovery certificates (.cer files) that contain information about the recovery agent you want to add. File recovery certificates can be obtained from certification authorities. To identify a file recovery certificate, in the Certificates snap-in, in the details pane, in the Enhanced Key Usage field, look for the value File Recovery (1.3.6.1.4.1.311.10.3.4.1). File recovery certificates are stored as .cer files in the local computer file system or in Active Directory.
When you add a recovery agent from a file, the user is identified as USER_UNKNOWN because the user name is not stored in the file.
8. Follow the instructions in the wizard to complete the process.
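Added example (not from the TechNet article): how the two certificate types described in the Introduction can be told apart from PowerShell by their Enhanced Key Usage OID, and how to produce the file recovery certificate (.cer) and key (.pfx) that both the domain wizard and the local wizard above ask you to browse for, using cipher.exe /R. The output path is an assumption; cipher prompts for the .pfx password interactively.

```powershell
# Added example, not from the original article. Generates a recovery-agent
# certificate with cipher /R and classifies certificates by EKU OID.
$efsOid = '1.3.6.1.4.1.311.10.3.4'     # Encrypting File System
$draOid = '1.3.6.1.4.1.311.10.3.4.1'   # File Recovery (EFS DRA)

function Get-EkuOids {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Enhanced Key Usage is extension 2.5.29.37; a certificate without it yields nothing.
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $oid.Value }
        }
    }
}

function Get-EfsRole {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $oids = @(Get-EkuOids -Cert $Cert)
    if ($oids -contains $draOid)     { return 'FileRecovery' }
    elseif ($oids -contains $efsOid) { return 'EFS' }
    else                             { return 'NotEfs' }
}

function Get-EfsCertificates {
    # Lists EFS and DRA certificates in a store: the same information the
    # Certificates snap-in shows in its Enhanced Key Usage column.
    param([string]$StorePath = 'Cert:\CurrentUser\My')
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $role = Get-EfsRole -Cert $_
        if ($role -ne 'NotEfs') {
            [pscustomobject]@{
                Role = $role; Subject = $_.Subject; Thumbprint = $_.Thumbprint
                HasPrivateKey = $_.HasPrivateKey; NotAfter = $_.NotAfter
            }
        }
    }
}

function New-EfsRecoveryAgentCertificate {
    # cipher /R:<base> writes <base>.cer (certificate only: this is what the
    # "Add Data Recovery Agent" wizard browses for) and <base>.pfx (certificate
    # plus private key: keep it off the machine). cipher asks for the .pfx password.
    param([Parameter(Mandatory)][string]$OutputBase)
    & cipher.exe "/R:$OutputBase"
    if ($LASTEXITCODE -ne 0) { throw "cipher /R failed with exit code $LASTEXITCODE" }
    $cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "$OutputBase.cer"
    if ((Get-EfsRole -Cert $cer) -ne 'FileRecovery') { throw 'generated certificate lacks the File Recovery EKU' }
    return $cer
}

# Usage (the path is an assumption):
$dra = New-EfsRecoveryAgentCertificate -OutputBase 'C:\Temp\efs-dra'
"DRA certificate thumbprint: $($dra.Thumbprint)"
Get-EfsCertificates | Format-Table -AutoSize
```

Run Get-EfsCertificates again after adding the agent and encrypting a file: the user's own certificate shows Role EFS, the agent's shows FileRecovery, and only the .pfx holder should ever see HasPrivateKey True for the latter.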
Using EFS
Once you have finished creating a recovery agent and have generated and backed up a recovery key, you are ready to begin using EFS to help protect files and folders from unauthorized access. This section provides instructions on enabling EFS.
Requirements
Credentials: You must be a user with an EFS certificate and NTFS permission to modify the file or folder.
Tools: Windows Explorer.
To encrypt a file or folder by using EFS
1. Open Windows Explorer.
2. Right-click the file or folder that you want to encrypt, and then click Properties.
3. On the General tab, click Advanced.
4. Select the Encrypt contents to secure data check box, and then click OK.
5. In the Properties dialog box, click OK, and then do one of the following:
  - To encrypt a file and the parent folder, in the Encryption Warning dialog box, click Encrypt the file and the parent folder.
  - To encrypt a file only, in the Encryption Warning dialog box, click Encrypt the file only.
  - To encrypt a folder only, in the Confirm Attribute Changes dialog box, click Apply changes to this folder only.
  - To encrypt a folder and its subfolders and files, in the Confirm Attribute Changes dialog box, click Apply changes to this folder, subfolders and files.
6. Click OK to accept and apply your encryption choices.
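The same encrypt, inherit and decrypt behaviour as the Explorer steps above (and as the shorter procedure at the top of this page), as an added example that is not from the article, driven by cipher.exe with the checks a practitioner would want: the Encrypted attribute is tested after each step, and a file created inside an encrypted folder is shown to inherit encryption. The folder under $env:TEMP and its contents are constructed for the demo; it assumes an NTFS volume, an EFS certificate for the current user (Windows issues one on first use) and that EFS is not disabled by policy.

```powershell
# Added example, not from the original article. Encrypt / decrypt with
# cipher.exe and verify the Encrypted attribute that Explorer shows in green.
function Test-EfsEncrypted {
    param([Parameter(Mandatory)][string]$Path)
    $attr = (Get-Item -LiteralPath $Path -Force).Attributes
    return (($attr -band [System.IO.FileAttributes]::Encrypted) -ne 0)
}

function Invoke-Cipher {
    # Runs cipher.exe and turns a non-zero exit code into an error.
    param([Parameter(Mandatory)][string[]]$Arguments)
    $out = & cipher.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "cipher.exe $($Arguments -join ' ') failed: $out" }
    return $out
}

# Constructed demo data.
$folder = Join-Path $env:TEMP 'efs-demo'
New-Item -ItemType Directory -Path $folder -Force | Out-Null
$secret = Join-Path $folder 'secret.txt'
Set-Content -LiteralPath $secret -Value 'constructed sample content'

# "Apply changes to this folder only": mark the folder so that new files are encrypted.
Invoke-Cipher @('/E', $folder) | Out-Null
$later = Join-Path $folder 'added-later.txt'
Set-Content -LiteralPath $later -Value 'also constructed'
if (-not (Test-EfsEncrypted $later)) { throw 'a file created in an encrypted folder should inherit encryption' }

# "Apply changes to this folder, subfolders and files": /A includes files, /S recurses.
Invoke-Cipher @('/E', '/A', "/S:$folder") | Out-Null
if (-not (Test-EfsEncrypted $secret)) { throw 'secret.txt should now be encrypted' }
if (-not (Test-EfsEncrypted $folder)) { throw 'the folder should carry the Encrypted attribute' }

# cipher /C lists the user certificates and recovery certificates on the file;
# confirm a recovery agent is listed before relying on DRA recovery.
Invoke-Cipher @('/C', $secret)

# The "clear the check box" step: decrypt everything again.
Invoke-Cipher @('/D', '/A', "/S:$folder") | Out-Null
if (Test-EfsEncrypted $secret) { throw 'secret.txt should have been decrypted' }
```

If the first cipher call fails with an access or policy error, check the NtfsDisableEncryption value and the EFS service before looking anywhere else; if the /C listing shows no Recovery Certificates, the file is recoverable only by the user whose certificate is listed.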
Enabling the Encrypt/Decrypt Options on the Windows Explorer Menu
Some businesses might find it easier to implement EFS by configuring Windows Explorer to display "Encrypt" and "Decrypt" on the shortcut menu when a user right-clicks a file. To enable this, you need to edit the Windows registry to create a new registry value which does not exist by default.
CAUTION: Incorrectly editing the registry might severely damage your system. Before
making changes to the registry, you should back up any valued data on the computer.
Requirements
Credentials: An administrator with experience editing the registry and an understanding of the dangers of editing the registry.
Tools: the Registry Editor.
To enable Encrypt/Decrypt options on the Windows Explorer menu
1. Open the Registry Editor and navigate to the following registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
2. In the details pane (on the right), right-click, click New, and then click DWORD Value.
3. Type EncryptionContextMenu for the name of the DWORD value, and then press Enter.
4. Right-click the DWORD value you just created and click Modify.
5. In the Edit DWORD Value dialog box, in the Value Data box, enter a value of 1, and then click OK.
6. Click File, and then click Exit to close the Registry Editor.
Note: In Windows Server 2003, you can also add the Encryption Details button to the Explorer menu by creating a registry batch file (*.reg) with the following information and running the registry batch file for each user:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\*\Shell\Encrypt To User...\Command]
@="rundll32 efsadu.dll,AddUserToObject %1"
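The two registry changes above as idempotent PowerShell, added here as an example and not taken from the article. It must run from an elevated prompt because the value lives under HKEY_LOCAL_MACHINE; the Encrypt To User verb is the Windows Server 2003-era efsadu.dll shell extension named in the note, and nothing here assumes that DLL exists on a newer Windows version.

```powershell
# Added example, not from the original article. Applies the registry changes
# described above and reads them back.
$advKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Test-EfsContextMenu {
    $v = (Get-ItemProperty -Path $advKey -Name EncryptionContextMenu -ErrorAction SilentlyContinue).EncryptionContextMenu
    return ($v -eq 1)
}

function Set-EfsContextMenu {
    # EncryptionContextMenu = 1 (REG_DWORD) adds Encrypt / Decrypt to the Explorer
    # shortcut menu; deleting the value restores the default menu.
    param([Parameter(Mandatory)][bool]$Enabled)
    if ($Enabled) {
        New-ItemProperty -Path $advKey -Name EncryptionContextMenu -PropertyType DWord -Value 1 -Force | Out-Null
    } else {
        Remove-ItemProperty -Path $advKey -Name EncryptionContextMenu -ErrorAction SilentlyContinue
    }
    return (Test-EfsContextMenu)
}

function Add-EncryptToUserVerb {
    # Equivalent of the .reg file above. The .NET registry API is used on purpose:
    # "*" is a wildcard character in PowerShell provider paths, so the literal key
    # named "*" under HKEY_CLASSES_ROOT is easy to mis-target with New-Item.
    $key = [Microsoft.Win32.Registry]::ClassesRoot.CreateSubKey('*\Shell\Encrypt To User...\Command')
    try {
        $key.SetValue('', 'rundll32 efsadu.dll,AddUserToObject %1')   # the (Default) value
    } finally {
        $key.Close()
    }
}

Set-EfsContextMenu -Enabled $true   # returns True once the value reads back as 1
```

Explorer picks the new value up on its next start; sign out and back in, or restart explorer.exe, to see the menu entries.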
Enabling EFS File Sharing
Businesses commonly want to use encryption to help safeguard sensitive data, but also need to allow multiple users access to that data. With EFS, one user can encrypt a file, and then give additional users the ability to access the encrypted data. To allow several users to access an encrypted file, the user who encrypts the file designates the file as shared, and then enables shared access by adding the EFS encryption certificates of each additional user to the encrypted file. In this way, businesses can help improve security without impairing the availability of data.
You should be aware of certain requirements and limitations related to sharing encrypted data:
- You cannot add groups of users to encrypted files, nor can you add users to encrypted folders.
- All users that are added to an encrypted file must have an EFS encryption certificate on the computer where the file is located. Typically, a certification authority such as Verisign issues certificates. Also, if a user has logged on to the computer and encrypted any file, that user will have an EFS encryption certificate on the computer. To import certificates, see To import a certificate on the Microsoft TechNet Web site at http://go.microsoft.com/fwlink/?LinkId=22846.
- All users that can decrypt the file must also have access to read the file. NTFS permissions must be set properly to allow this access. If a user is denied access because of insufficient NTFS permissions, the user cannot read the encrypted file and cannot decrypt the data. To set permissions on files, see To set, view, change, or remove permissions on files and folders on the Microsoft TechNet Web site at http://go.microsoft.com/fwlink/?LinkId=22847.
Requirements
Credentials: An EFS certificate, and ownership of the file, are required.
Tools: Windows Explorer.
All users that are added to the file must have a certificate located on the computer.
To allow a user to encrypt or decrypt a file
1. Open Windows Explorer.
2. Right-click the encrypted file that you want to change, and then click Properties.
3. On the General tab, click Advanced.
4. In Advanced Attributes, click Details.
5. To add a user to this file, click Add, and then do one of the following:
  - To add a user whose EFS encryption certificate is on this computer, click the certificate and then click OK.
  - To view a certificate on this computer before adding it to the file, click the certificate and then click View Certificate.
  - To add a user from Active Directory, click Find User, then locate the user in the list and click OK.
  - To remove a user from this file, click the user name and then click Remove.
Note: When a user is added to a file and the user's EFS encryption certificate is imported, the certificate is validated to a trusted root certification authority (CA). The certificate is then stored in the Other People certificate store for that user.
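The Details > Add step above from the command line, as an added example (not from the article): cipher.exe /ADDUSER attaches a second user's EFS certificate to one encrypted file, and the script then checks the NTFS side of the requirement stated earlier, because holding a key on the file does not by itself grant the right to read it. The file path, the certificate file and the account name are assumptions; the .cer must be an EFS certificate (EKU 1.3.6.1.4.1.311.10.3.4) that is also present in that user's store on this computer.

```powershell
# Added example, not from the original article. Grants and revokes per-user
# access to an encrypted file with cipher.exe and checks the NTFS ACL.
function Grant-EfsFileAccess {
    param(
        [Parameter(Mandatory)][string]$Path,       # an encrypted file (folders cannot take users)
        [Parameter(Mandatory)][string]$CertFile,   # the other user's EFS certificate, .cer
        [Parameter(Mandatory)][string]$Identity    # e.g. 'CONTOSO\alice', for the ACL check
    )
    # /ADDUSER accepts /CERTFILE:<path>, /CERTHASH:<sha1 thumbprint> or /USER:<name>.
    & cipher.exe /ADDUSER "/CERTFILE:$CertFile" $Path | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "cipher /ADDUSER failed with exit code $LASTEXITCODE" }

    # NTFS read access: look for an explicit Allow ACE for that identity that includes Read.
    $readRight = [System.Security.AccessControl.FileSystemRights]::Read
    $acl = Get-Acl -LiteralPath $Path
    $allow = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $Identity -and
        (($_.FileSystemRights -band $readRight) -eq $readRight)
    })
    if ($allow.Count -eq 0) {
        Write-Warning "$Identity now holds an EFS key for '$Path' but has no explicit Allow Read ACE; unless a group membership grants Read, the user still cannot open the file."
    }
    # Return what cipher now reports for the file (users who can decrypt, recovery agents).
    return (& cipher.exe /C $Path)
}

function Revoke-EfsFileAccess {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Thumbprint)
    # Removal is by certificate thumbprint; cipher /C shows the thumbprints on the file.
    & cipher.exe /REMOVEUSER "/CERTHASH:$Thumbprint" $Path | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "cipher /REMOVEUSER failed with exit code $LASTEXITCODE" }
}

# Usage (all three values are assumptions):
Grant-EfsFileAccess -Path 'D:\Shared\budget.xlsx' -CertFile 'D:\Certs\alice-efs.cer' -Identity 'CONTOSO\alice'
```

Removing a user with /REMOVEUSER takes away their key on the file but does not rotate the file encryption key; if the removed user has already copied the file elsewhere, that copy remains readable to them.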
Exporting and Importing Data Recovery Keys
Data recovery keys (DRA keys) must be available to the Data Recovery Agent to enable the Agent to recover encrypted data when normal recovery is not possible. Therefore, it is important to safeguard recovery keys. A good way to guard against loss of recovery keys is to export the Data Recovery certificates and private keys of Data Recovery Agents to securable removable media in .pfx format files. You can then recover lost data by importing them.
The following procedures outline the process for exporting and importing DRA keys.
Requirements
Credentials: You must be logged on with the administrator account on the first domain controller in the domain.
Tools: Certificates MMC snap-in.
Exporting Data Recovery Keys
To export the certificate and private key of the default domain Data Recovery Agent
1. Log on to the domain with the administrator account on the first domain controller in the domain.
2. Click Start, and then click Run.
3. Type mmc.exe and press Enter.
4. Click File, and then click Add/Remove Snap-In.
5. Click Add. A list of all the registered snap-ins on the current computer appears.
6. Double-click the Certificates snap-in, click My User Account, and then click Finish.
7. In the Add Standalone Snap-In dialog box click Close, and then in the Add/Remove Snap-in dialog box click OK. MMC now displays the personal certificates for the Administrator account.
8. Navigate to the Certificates\Current User\Personal\Certificates folder. The details pane (on the right) displays a list of all the certificates for the Administrator account. By default, two certificates are normally present. Locate the default domain DRA certificate.
9. Right-click the default domain DRA certificate, click All Tasks and then click Export to start the Certificate Export Wizard.
IMPORTANT: It is critical that you choose the correct key during the export process, because once the export process is complete the original private key and corresponding certificate are deleted from the computer. If the key cannot be restored to the computer, then file recovery will not be possible using that DRA certificate.
10. Click Yes, export the private key, and then click Next. Together with the deletion option selected in the next step, this causes the private key to be removed when the export is complete.
11. On the Export File Format page, click Personal Information Exchange - PKCS #12 (.PFX), select the Enable strong protection and Delete the private key if the export is successful check boxes, and then click Next.
As a best practice, the private key should be deleted from the system when a successful export is complete, and strong private key protection should be used as an extra level of security on the private key.
When exporting a private key, the .pfx file format is used. The .pfx file format is based on the PKCS #12 standard, a portable format for storing or transporting user information including private keys, certificates, and miscellaneous secrets. The .pfx file format (PKCS #12) also allows a password to protect the private key stored in the file.
12. On the Password page, in the Password and Confirm password text boxes, type a strong password and then click Next.
The last step is to save the actual .pfx file. The certificate and private key can be exported to any writeable device, including a network drive or floppy disk. Bear in mind that the .pfx, although password-protected, is now the single secret that unlocks every file in the DRA's scope; if you export to a network share, remove it from the share as soon as it is on removable media.
13. On the File to Export page, type or browse for a file name and path, and then click Next.
A notification will report whether the export was successful.
If the file and associated private key are lost, it will be impossible to decrypt any existing files that have used that specific DRA certificate as the data recovery agent. Once the .pfx file and private key have been exported, secure the file on stable removable media in a secure location in accordance with the security guidelines and practices for your business. For example, a business might preserve the .pfx file on one or more CD-ROMs stored in a safety deposit box or vault that has strict physical access controls.
Importing Data Recovery Keys
In the event that you need to recover encrypted data by using an exported data recovery key, you will first need to import the key. Importing keys is simpler than exporting them. To import a key stored as a PKCS #12 formatted file (.pfx file), just double-click the file to open the Certificate Import Wizard, or you can start the wizard and import the key by completing the following steps:
Requirements
Credentials: Domain Admin account on the computer.
Tools: The Certificates MMC snap-in.
To import a data recovery key
1. Log on to the computer with a valid account.
2. Click Start and then click Run.
3. Type mmc.exe and then press Enter.
4. In MMC, on the File menu, click Add/Remove Snap-In.
5. Click Add. A list of all the registered snap-ins on the current computer appears.
6. Double-click the Certificates snap-in, click My User Account and then click Finish.
7. In the Add Standalone Snap-In dialog box click Close, then in the Add/Remove Snap-in dialog box click OK. MMC now contains the personal certificate store for the Administrator account.
8. Navigate to the Certificates\Current User\Personal\Certificates folder, right-click the folder, click All Tasks, then click Import to start the Certificate Import Wizard.
9. Click Next, type a file name and path for the file to import and then click Next.
10. On the Password page, in the Password box, type the password for the file being imported if it is a PKCS #12 file. It is a best practice to store private keys protected with a strong password.
11. If you want to export the key again later from the current computer, it is important to select the Mark this key as exportable check box. Click Next.
12. The wizard might prompt for the name of the store the certificate and private key should be imported into. To ensure that the private key is imported into the personal store, do not click Automatically select the certificate store based on the type of certificate; instead, click Place all certificates in the following store, and then click Next.
13. Highlight the Personal store and click OK.
14. Click Next, and then click Finish to complete the import. A notification will report whether the import was successful.
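The same import done from PowerShell, as an added example that is not part of the TechNet article: it loads the exported .pfx into the current user's Personal store (the Certificates\Current User\Personal folder of the wizard), marks the key exportable, and then checks that what landed in the store is a File Recovery certificate with a usable private key. The path in $PfxPath is an assumption; the password is prompted for rather than written into the script. Import-PfxCertificate belongs to the PKI module (Windows 8 / Server 2012 and later); on older systems certutil -user -importPFX <file> does the same job.

```powershell
# Added example, not from the TechNet article: import an exported DRA key
# (.pfx, PKCS #12) into the current user's Personal store without the
# Certificate Import Wizard, then confirm the File Recovery certificate and
# its private key are usable. Run it in the recovery agent's own (domain)
# user session. $PfxPath is an assumed location.
$PfxPath = 'E:\dra-backup\dra-recovery.pfx'

# Never put the .pfx password on the command line or in a script file;
# prompt for it as a SecureString (Import-PfxCertificate expects one).
$PfxPassword = Read-Host -Prompt 'Password for the .pfx file' -AsSecureString

# -Exportable is the equivalent of the wizard's "Mark this key as exportable"
# check box. Leave it out if the key must never be exported from this computer.
$imported = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -Password $PfxPassword `
    -Exportable |
    Select-Object -First 1

# The EFS "File Recovery" enhanced key usage (EKU) marks a DRA certificate.
$EfsRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'

# Re-read the certificate from the store so the check reflects what is actually there.
$cert = Get-Item -Path "Cert:\CurrentUser\My\$($imported.Thumbprint)"

if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) was imported without its private key; it cannot recover files."
}
if ($cert.EnhancedKeyUsageList.ObjectId -notcontains $EfsRecoveryOid) {
    throw "Certificate $($cert.Thumbprint) is not a File Recovery (DRA) certificate."
}

Write-Host "Imported DRA certificate $($cert.Thumbprint) for $($cert.Subject), valid until $($cert.NotAfter)."
```

The two checks at the end are the ones worth keeping: a .pfx imported into the wrong store, or a certificate that carries the EFS EKU rather than the File Recovery EKU, both look fine in the wizard and only fail when a recovery is attempted.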
IMPORTANT: A domain-based account should always be used in association with a Data
Recovery Agent, because local accounts might be susceptible to physical offline attacks.
Recovering Data

In the event that encrypted data cannot be recovered by the original user, for example, because the user has left the company, you need a way to recover the data and make it accessible to the company. This section tells how to recover an encrypted file or folder. To do so, you will use Backup or another backup tool to restore the user's encrypted file or folder to the computer where the file recovery certificate and recovery key of the Data Recovery Agent are located.

You must be a designated recovery agent to carry out this procedure. In other words, you must hold the private key and certificate for a DRA identified on the file or folder to be recovered.
Requirements
Credentials: Data recovery agent.
Tools: Windows Explorer.

To restore an encrypted file or folder
1. Open Windows Explorer.
2. Right-click the encrypted file or folder that you want to recover, and then click Properties.
3. On the General tab, click Advanced.
4. Clear the Encrypt contents to secure data check box.
5. Make a backup version of the decrypted file or folder and return the backup version to the user.

Note: You can return the backup version of the decrypted file or folder to the user as an e-mail attachment or on a disk or network file share.

An alternate approach to recovering data involves physically transporting the recovery agent's private key and certificate to the computer that has the encrypted file, importing the private key and certificate, decrypting the file or folder, and then deleting the imported private key and certificate. This procedure exposes the private key more than the procedure above, but does not require any backup or restore operations or transporting of files.
Best Practices

The following best practices can help a company effectively use and manage encrypted files and folders.

Recovery agents should back up their file recovery certificates to a secure location. If you are the recovery agent, use the Export command from Certificates in Microsoft Management Console (MMC) to export the file recovery certificate and private key to a floppy disk. Keep the floppy disk in a secure location. Then, if the file recovery certificate or private key on your computer is ever damaged or deleted, you can use the Import command from Certificates in MMC to replace the damaged or deleted certificate and private key with the ones you have backed up on the floppy disk.

Use the Default Domain Configuration. By default, the administrator of a domain is the default DRA in a Windows 2000 or Windows Server 2003 domain. When the administrator for a domain first logs in with that account a self-signed certificate is generated, the private key is stored in the profile on that computer, and the default domain Group Policy contains the public key of that certificate as the default DRA for the domain.
The Windows XP operating system supports the encryption of data in offline files. Offline files and folders that are cached locally should be encrypted when using client-side caching policies.

Use the system key utility SYSKEY in mode 2 or mode 3 (boot floppy or boot password) on the mobile computer to prevent the system from being booted by malicious users. The system key utility and its options are documented in online help for your version of Windows.

Enable Server Message Block (SMB) signing in Group Policy for servers that are trusted for delegation and used for storing encrypted files. This setting is found in Group Policy at this location: GPO-name\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft Network Server: Always digitally sign communications.

Ensure unencrypted data is removed from the hard drive after encryption of files and periodically thereafter.
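Three of these practices as PowerShell, added here as an example that is not part of the TechNet article. It covers the export of the DRA certificate and private key to removable media described in the Exporting Data Recovery Keys procedure and in the first best practice above (Export-PfxCertificate, the scripted form of the Export command in the MMC Certificates snap-in), a check of the SMB signing setting on the file server, and the removal of leftover plaintext from unused disk space with cipher /w. The drive letters and paths are assumptions; Export-PfxCertificate and Get-SmbServerConfiguration need Windows 8 / Server 2012 or later.

```powershell
# Added example, not from the TechNet article: DRA key backup, SMB signing
# check and free-space wipe, run by the recovery agent on the server that
# stores encrypted files. Paths and drive letters are assumptions.
$EfsRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'        # EFS "File Recovery" EKU
$BackupPath     = 'E:\dra-backup\dra-recovery.pfx'  # assumed: E: is removable media
$VolumeToWipe   = 'C:\'                             # volume holding the encrypted files

# 1. Back up the DRA certificate with its private key as a password-protected
#    PKCS #12 file. Export only works if the key was imported as exportable.
$dra = Get-ChildItem 'Cert:\CurrentUser\My' |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $EfsRecoveryOid) } |
    Select-Object -First 1
if (-not $dra) { throw 'No File Recovery certificate with a private key in the Personal store.' }

$pfxPassword = Read-Host -Prompt 'Password to protect the .pfx backup' -AsSecureString
Export-PfxCertificate -Cert $dra -FilePath $BackupPath -Password $pfxPassword | Out-Null
Write-Host "Backed up DRA certificate $($dra.Thumbprint) to $BackupPath; remove the media and store it offline."

# 2. Confirm the server requires SMB signing (the "Always digitally sign
#    communications" policy named above); a warning here means the Group
#    Policy setting has not reached this computer.
$smb = Get-SmbServerConfiguration
if ($smb.RequireSecuritySignature) {
    Write-Host 'SMB server signing is required.'
} else {
    Write-Warning 'SMB server signing is not required; enable it in Group Policy as described above.'
}

# 3. Overwrite unused disk space so plaintext left behind when files were
#    encrypted in place cannot be recovered. cipher /w writes over unallocated
#    clusters only, so run it after each bulk encryption and on a schedule;
#    it can take a long time on large volumes.
& cipher.exe "/w:$VolumeToWipe"
```

Keeping the three steps in one script mirrors how they are used in practice: the backup is taken once per recovery certificate, while the signing check and the free-space wipe belong in a recurring maintenance task on every server that stores encrypted files.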