
Queen's University
 

Windows XP Encrypting File System (EFS)

 

Important: Support for Windows XP has ended. Please read this announcement for details.

 

Activate Encrypting File System (EFS)

 

The first step in implementing EFS on your Windows XP computer is to choose the folder(s) that you would like to encrypt. Next, follow these steps to turn on EFS encryption:

  1. Right-click the folder you want to encrypt and choose Properties.
  2. On the General tab, click the Advanced button.
  3. In the Advanced Attributes window, check the box that says Encrypt contents to secure data.
  4. Click OK, then click OK again.
  5. A prompt will come up asking you to Confirm Attribute Changes. Make sure Apply changes to this folder, subfolders and files is chosen, and click OK.
  6. Windows will now encrypt all files and folders inside the folder you chose. Once Windows is finished encrypting, the files and folders will appear green.
  7. Now that your files are encrypted, they can only be viewed and edited from your computer or by someone that you give your personal security key/certificate to.

 

*NOTE*

It is very important that you back up your personal security certificate/key. Without this, your data is not recoverable!

 

Back up your personal security certificate/key:

 

  1. Click Start > Control Panel > Internet Options
  2. Choose the Content tab and click the Certificates... button.
  3. In the Certificates window, make sure you are on the Personal tab.
  4. You should see one certificate listed issued to the username you use to log into Windows.
  5. To make sure this is the proper certificate, select it and look at the bottom of the window. Under the Certificate intended purposes section, it should say Encrypting File System.
  6. Once you have found the proper certificate, highlight it and click the Export... button.
  7. This will launch the Certificate Export Wizard. Click Next.
  8. This step is VERY IMPORTANT. Make sure you choose Yes, export the private key. If you do not choose to export the private key, your certificate will be useless when you try to decrypt your data. Click Next.
  9. For the Export File format screen, click Next to accept the defaults. (You want to save it as a .pfx and enable strong protection.)
  10. Enter a password to secure your certificate/key. IMPORTANT - If you lose this password, you will not be able to use this certificate/key to decrypt your data. Click Next.
  11. Specify a name and location where you would like to export your .pfx file. You should export it to a directory that you will remember. NOTE - For this process, export the key to an accessible location on your computer, BUT do NOT store it there permanently. After this process is complete, save the key to an encrypted USB device or any other secure location and DELETE it from your computer. Click Next and then Finish.
  12. You should receive a dialog box informing you that the export was successful.
  13. You can now close the Certificates and Internet Properties boxes.
  14. As per step 11, you should now save your .pfx file that was just created in a safe and secure location and delete it from your computer.
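
The encryption and backup steps above can also be done from a Command Prompt with the built-in cipher tool. This is an added example, not part of the original instructions; the folder and backup paths are constructed placeholders to replace with your own.

```batch
@echo off
rem Added example: command-line equivalent of the GUI steps on this page.
rem TARGET and BACKUP are placeholder paths (assumptions); change them.
setlocal
set "TARGET=C:\Docs\Private"
set "BACKUP=%USERPROFILE%\Desktop\efs-backup"

if not exist "%TARGET%" (
    echo Folder not found: %TARGET%
    exit /b 1
)

rem Encrypt the folder and its subfolders (/s). Without /a only the folders
rem are marked, so existing files would stay unencrypted; /a includes them.
cipher /e /a /s:"%TARGET%"

rem With no switch, cipher lists each item with its state:
rem E = encrypted, U = unencrypted. Check that nothing shows U.
cipher "%TARGET%\*"

rem Export the current EFS certificate together with its private key.
rem cipher prompts for a password to protect the file and writes it
rem with a .PFX extension added to the name given here.
cipher /x "%BACKUP%"

if exist "%BACKUP%.pfx" (
    echo Backup written to %BACKUP%.pfx
    echo Move it to secure removable storage, then delete this copy.
) else (
    echo No .pfx file was created. Do not rely on the encrypted data
    echo being recoverable until a key backup exists.
    exit /b 1
)
endlocal
```

The same rule as step 11 applies: the .pfx file on the Desktop is only a staging copy and should not stay on the computer.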

To restore your personal security certificate/key:

 

  1. Copy the .pfx file that you originally exported and stored in a safe place to the new computer that needs access to the encrypted files.
  2. Double-click the .pfx file to launch the Certificate Import Wizard and click Next.
  3. The File to Import screen should already be populated with the .pfx file that you are intending to import. If not, browse to the .pfx file that you want to import. Click Next.
  4. Enter the password that you set for your key during step 10 of the backup process, and click Next. (Don't choose "Mark this key as exportable." This will ensure that you still have the only copy of the private key.)
  5. On the Certificate Store screen, click Next to automatically select the certificate store, then click Finish.
  6. You should receive a dialog box informing you that the import was successful.
  7. You should now be able to view any encrypted files from the original computer.

Kingston, Ontario, Canada K7L 3N6 613.533.2000