Encrypt or decrypt a folder or a file

Upload: jaime-roberto-hernandez-gallardo

Post on 04-Jun-2018


  • 8/13/2019 Encrypt or Decrypt a Folder or a File

    1/26

    Encrypt or decrypt a folder or a file

    Encrypting folders and files is a way of protecting them against unwanted access. Encrypting File System (EFS) is a Windows feature that lets you store information on the hard disk in encrypted form. Encryption is the strongest protection Windows provides to help keep your information safe.

    To encrypt a folder or a file

    1. Right-click the folder or file you want to encrypt, and then click Properties.

    2. Click the General tab, and then click Advanced.

    3. Select the Encrypt contents to secure data check box, and then click OK.

    Note: The first time you encrypt a folder or a file, you should back up your encryption certificate. If the certificate and key are lost or damaged and you did not make a backup, you will not be able to use the files you encrypted.

    To decrypt a folder or a file

    1. Right-click the folder or file you want to decrypt, and then click Properties.

    2. Click the General tab, and then click Advanced.

    3. Clear the Encrypt contents to secure data check box, and then click OK.

    http://windows.microsoft.com/es-mx/windows-vista/encrypt-or-decrypt-a-folder-or-file

    Encrypting File System (EFS).

    Written by Fernando Muñoz on 25 August 2011.

    Service description:

    On Windows 7, this service provides the support for storing EFS-encrypted files on an NTFS file system. EFS is an information-encryption technology that appeared with Windows 2000 and has remained in every later edition of Windows.

    Encrypting a file or folder is very simple: right-click the folder or file you want to encrypt, select Properties, click the Advanced button and select the Encrypt contents to secure data check box. When encryption finishes, the name of the encrypted folder or file turns green, and a wizard appears offering to back up the certificate and the file encryption key. These are essential: if the encryption key is lost or damaged, it would be impossible to access the encrypted information.

    On both Windows 7 and Windows Vista it is possible to disable the encrypting file system completely with the command fsutil behavior set disableencryption 1. This command basically sets the NtfsDisableEncryption value, located under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem, to 1 (one). To re-enable it, type the command fsutil behavior set disableencryption 0, or edit that key directly in the registry and set it to 0 (zero).

    Executable path: :\Windows\System32\lsass.exe

    English name: Encrypting File System

    Windows name: EFS

    Associated files: \windows\system32\efssvc.dll

    Does it open a connection or listen on a port?: No

    Status: Manual on all editions of Windows 7. The startup type of this service changes to Automatic once it has been started.

    Does it run under an account?: It runs under the Local Service account.

    Depends on: Remote Procedure Call (RPC)

    Services that depend on this service: No dependencies.

    Location in the Windows registry

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\EFS
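The settings described above can be read back from PowerShell so that an administrator can confirm, or audit across hosts, whether EFS has been switched off and how the service is configured. This is an added example, not code from the page; the registry paths, value names and the fsutil command are the page's own, while Get-EfsPosture is our function name and Windows PowerShell on Windows 7 or later with read access to HKLM is assumed.

```powershell
# Added example (not from the page): audit the EFS posture the text describes.
# Paths and value names come from the page; the function name is ours.
function Get-EfsPosture {
    $fsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\services\EFS'

    # "fsutil behavior set disableencryption 1" writes NtfsDisableEncryption = 1.
    # An absent value means EFS was never disabled this way; treat it as 0.
    $fs = Get-ItemProperty -Path $fsKey -ErrorAction SilentlyContinue
    $disable = 0
    if ($fs -and $null -ne $fs.NtfsDisableEncryption) {
        $disable = [int]$fs.NtfsDisableEncryption
    }

    # Start type as stored in the service key: 2 = Automatic, 3 = Manual, 4 = Disabled.
    $svcProps = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
    $svc      = Get-Service -Name EFS -ErrorAction SilentlyContinue

    [pscustomobject]@{
        NtfsDisableEncryption = $disable
        EfsEnabled            = ($disable -eq 0)
        ServiceFound          = [bool]$svc
        ServiceStatus         = if ($svc) { $svc.Status.ToString() } else { 'NotFound' }
        StartValue            = if ($svcProps) { $svcProps.Start } else { $null }
        ImagePath             = if ($svcProps) { $svcProps.ImagePath } else { $null }
        # The page says EFS depends on Remote Procedure Call (RPC); list what the SCM reports.
        DependsOn             = if ($svc) {
                                    @($svc.ServicesDependedOn | Select-Object -ExpandProperty Name) -join ', '
                                } else { '' }
    }
}

# Report, naming the page's own re-enable command when EFS has been switched off.
$posture = Get-EfsPosture
$posture | Format-List
if (-not $posture.EfsEnabled) {
    Write-Warning 'EFS is disabled (NtfsDisableEncryption = 1); re-enable with: fsutil behavior set disableencryption 0'
}
if ($posture.StartValue -eq 4) {
    Write-Warning 'The EFS service start type is Disabled; the page expects Manual (3) on Windows 7'
}
```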

    Protecting Data by Using EFS to Encrypt Hard Drives

    On This Page

    Introduction
    Before You Begin
    Generating and Backing Up a Recovery Key
    Creating a Domain-Based Recovery Agent
    Creating a Local Recovery Agent
    Using EFS
    Enabling the Encrypt/Decrypt Options on the Windows Explorer Menu
    Enabling EFS File Sharing
    Exporting and Importing Data Recovery Keys
    Recovering Data
    Best Practices
    Related Information

    Introduction

    In many businesses, users share desktop computers. Some users travel with portable computers that they use outside the physical protection of the business, in customer facilities, airports, hotels, and at home. This means that valuable data is often beyond the control of the business. An unauthorized user might try to read data stored on a desktop computer. A portable computer can be stolen. In all of these scenarios, malevolent parties can gain access to sensitive company data.

    One solution to help reduce the potential for stolen data is to encrypt sensitive files by using Encrypting File System (EFS) to increase the security of your data. Encryption is the application of a mathematical algorithm to make data unreadable except to those users who have the required key. EFS is a Microsoft technology that lets you encrypt data on your computer, and control who can decrypt, or recover, the data. When files are encrypted, user data cannot be read even if an attacker has physical access to the computer's data storage. To use EFS, all users must have Encrypting File System certificates: digital documents that allow their holders to encrypt and decrypt data using EFS. EFS users must also have NTFS permission to modify the files.

    Two types of certificates play a role in EFS:

    • Encrypting File System certificates. This type of certificate allows the holder to use EFS to encrypt and decrypt data, and is often called simply an EFS certificate. Ordinary EFS users get this type of certificate. The Enhanced Key Usage field for this type of certificate (visible in the Certificates Microsoft Management Console snap-in) has the value Encrypting File System (1.3.6.1.4.1.311.10.3.4).

    • File Recovery certificates. This type of certificate allows the holder to recover encrypted files and folders throughout a domain or other scope, no matter who encrypted them. Only domain admins or very trusted designated persons called data recovery agents should get this. The Enhanced Key Usage field for this type of certificate (visible in the Certificates Microsoft Management Console snap-in) has the value File Recovery (1.3.6.1.4.1.311.10.3.4.1). These are often called EFS DRA certificates.

    To enable another authorized person to read your encrypted data, you can give them your private key, or you can make them a data recovery agent. A data recovery agent can decrypt all EFS-encrypted files in the domain or organizational unit in his or her scope. This document provides step-by-step instructions for the main EFS-related tasks in a small-to-medium business, and also lists several important best practices for using EFS.

    The procedures in this document guide you through the following tasks:

    • Create and safeguard a recovery key to ensure that encrypted data can be safely recovered when the original user cannot do so.
    • Create recovery agents who can recover encrypted files when the original user cannot do so.
    • Set up EFS in your business.
    • Configure Windows Explorer to conveniently use EFS.
    • Configure file sharing to work with EFS.
    • Export and import data recovery keys to enable the safe recovery of encrypted files and folders.
    • Recover data when the original user cannot do so.

    By following the procedures in this document, you will make the following system-wide changes:

    • Create a backup data recovery key.
    • Create a recovery agent.
    • Enable EFS for encrypting data on a computer hard drive.
    • Configure Windows Explorer to include EFS options.

    These procedures also enable you to implement the following changes or precautions:

    • Provide shared access to selected encrypted data.
    • Manage data recovery keys for use in recovering encrypted data.
    • Recover encrypted data when necessary.

    Before You Begin

    The procedures in this document help you configure your computers to use EFS and illustrate how to use EFS to protect data on the computer hard drives in your business. Before you begin to carry out these procedures, you should work with your legal counsel to ensure that your planned encryption policies and procedures adhere to relevant laws and regulations. In particular, if your organization has offices outside the United States, you need to be familiar with export control laws related to encryption software. You should also be familiar with some basic requirements and conditions for using EFS:

    • You can encrypt files and folders only on NTFS file system volumes. Consequently, you cannot use EFS to protect data on hard drives that use the FAT or FAT32 file system. Unless you have a specific reason to continue using the FAT file system, it is recommended that you convert these volumes to use NTFS. The Windows 95, Windows 98, and Windows Millennium Edition operating systems do not support NTFS or EFS. Windows XP Home Edition supports NTFS, but not EFS.
    • Files or folders that are compressed cannot also be encrypted. If you encrypt a compressed file or folder, that file or folder will be uncompressed.
    • Files marked with the System attribute cannot be encrypted, nor can you encrypt files in the systemroot folder.
    • Options that you select from a pop-up dialog box when you first encrypt files or folders determine how encryption operates in the future:
      o If you choose to encrypt the parent folder when you encrypt a single file, all files and subfolders that are added to the folder in the future will be encrypted when they are added.
      o If you choose to encrypt all files and subfolders when you encrypt a folder, all files and subfolders currently in the folder are encrypted, as well as any files and subfolders that are added to the folder in the future.
      o If you choose to encrypt the folder only when you encrypt a folder, all files and subfolders currently in the folder are not encrypted. However, any files and subfolders that are added to the folder in the future are encrypted when they are added.

    Unless otherwise specified, in the procedures described in this document, server computers are running the Windows Server 2003 operating system, and client computers are running Windows XP Professional.

    In an Active Directory environment, users are assumed to have roaming user profiles. Please note that screenshots in this document reflect a test environment and the information might differ from the information displayed on your computer.

    All of the step-by-step instructions in this document were developed using the Start menu that appears by default when you install your operating system. If you have modified your Start menu, the steps might differ slightly.

    Generating and Backing Up a Recovery Key

    Not having a backed-up recovery key can result in irrevocable loss of encrypted data. Backing up a recovery key helps ensure that encrypted data can be recovered in the event that the user holding the EFS encryption certificate is not able to decrypt the data.

    Requirements

    account for a domain is a recovery agent; in that case you do not need to create a recovery agent.

    Requirements

    Credentials: Administrator of the domain.

    Tools: the Active Directory Users and Computers snap-in to MMC.

    To create a domain-based recovery agent

    1. Click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.

    2. Right-click the domain whose recovery policy you want to change, and then click Properties.

    3. Click the Group Policy tab.

    4. Right-click the recovery policy you want to change, and then click Edit.

    5. In the console tree (on the left), click Encrypting File System. This can be found at Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypting File System.

    6. In the details pane (on the right), right-click, and then click Create Data Recovery Agent.

    Note: The Create Recovery Agent Wizard prompts you to add a user as a recovery agent either from a file or from Active Directory. When you add a recovery agent from a file, the user is identified as USER_UNKNOWN. This is because the user name is not stored in the file.

    In order to add a recovery agent from Active Directory, EFS recovery agent certificates (file recovery certificates) must be published in Active Directory. However, because the default EFS file recovery certificate template does not publish these certificates, you need to create a template that does so. To do this, in the Certificate Templates snap-in, copy the default EFS file recovery certificate template to create a new template, right-click the new template, choose Properties, and, on the General tab of the Properties dialog box for the copied certificate, select the Publish certificate in Active Directory check box.

    7. Follow the instructions in the Create Recovery Agent Wizard to finish creating a domain-based recovery agent.

    Creating a Local Recovery Agent

    In a non-domain environment, such as on a standalone computer or in a workgroup, you can create a local recovery agent. Creating a local recovery agent might be helpful if the computer is shared by multiple users. On a single-user computer, it is easier for the user to simply back up the recovery key to removable media.

    Requirements

    Credentials: Administrator of the local computer.

    Tools: Group Policy Object Editor.

    To create a local recovery agent

    1. Click Start, click Run, type mmc, and then click OK.

    2. On the File menu, click Add/Remove Snap-in, and then click Add.

    3. Under Add Standalone Snap-in, click Group Policy Object Editor, and then click Add.

    4. Under Group Policy Object, make sure that Local Computer is displayed, and then click Finish.

    5. Click Close, and then click OK.

    6. In Local Computer Policy, navigate to the Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Public Key Policies folder.

    7. In the details pane, right-click Encrypting File System, and then click Add Data Recovery Agent or Create Data Recovery Agent.

    Note: The Wizard prompts you for a user name for a recovery agent. You can supply the wizard with the name of a user with a published file recovery certificate, or you can browse for file recovery certificates (.cer files) that contain information about the recovery agent you want to add. File recovery certificates can be obtained from Certification Authorities. To identify a file recovery certificate, in the Certificates snap-in, in the details pane, in the Enhanced Key Usage field, look for the value File Recovery (1.3.6.1.4.1.311.10.3.4.1). File recovery certificates are stored as .cer files in the local computer file system or in Active Directory.

    When you add a recovery agent from a file, the user is identified as USER_UNKNOWN because the user name is not stored in the file.

    8. Follow the instructions in the wizard to complete the process.

    Using EFS

    Once you have finished creating a recovery agent and have generated and backed up a recovery key, you are ready to begin using EFS to help protect files and folders from unauthorized access. This section provides instructions on enabling EFS.

    Requirements

    Credentials: You must be a user with an EFS certificate and NTFS permission to modify the file or folder.

    Tools: Windows Explorer.

    To encrypt a file or folder by using EFS

    1. Open Windows Explorer.

    2. Right-click the file or folder that you want to encrypt, and then click Properties.

    3. On the General tab, click Advanced.

    4. Select the Encrypt contents to secure data check box, and then click OK.

    5. In the Properties dialog box, click OK, and then do one of the following:

      o To encrypt a file and the parent folder, in the Encryption Warning dialog box, click Encrypt the file and the parent folder.
      o To encrypt a file only, in the Encryption Warning dialog box, click Encrypt the file only.
      o To encrypt a folder only, in the Confirm Attribute Changes dialog box, click Apply changes to this folder only.
      o To encrypt a folder and its subfolders and files, in the Confirm Attribute Changes dialog box, click Apply changes to this folder, subfolders and files.

    6. Click OK to accept and apply your encryption choices.
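A scripted counterpart to the Explorer procedure above, added here as an example rather than taken from the page, that first checks the limits listed under "Before You Begin" (NTFS only, no System attribute, nothing under the systemroot folder, compressed items get uncompressed) and then offers the same scope choices as the Encryption Warning and Confirm Attribute Changes dialogs. It assumes .NET's System.IO.File.Encrypt (which calls the same Win32 EncryptFile API Explorer uses) and our own function names Test-Attr, Test-EfsCandidate and Protect-EfsPath.

```powershell
# Added example, not from the page. Function names are ours; File.Encrypt is .NET's.
function Test-Attr([System.IO.FileAttributes]$Attrs, [System.IO.FileAttributes]$Flag) {
    return (($Attrs -band $Flag) -eq $Flag)
}

function Test-EfsCandidate {
    param([Parameter(Mandatory = $true)][string]$Path)
    $item  = Get-Item -LiteralPath $Path -Force -ErrorAction Stop
    $attrs = $item.Attributes
    $problems = @(); $warnings = @()

    # EFS works only on NTFS volumes (FAT/FAT32 are out). A UNC path has no DriveInfo,
    # so its format is reported as unknown rather than guessed.
    $root = [System.IO.Path]::GetPathRoot($item.FullName)
    try   { $format = (New-Object System.IO.DriveInfo($root)).DriveFormat }
    catch { $format = 'unknown' }
    if ($format -ne 'NTFS') { $problems += "volume $root is $format; EFS needs NTFS" }

    if (Test-Attr $attrs ([System.IO.FileAttributes]::System)) { $problems += 'System attribute set' }
    if ($item.FullName.StartsWith($env:SystemRoot, [System.StringComparison]::OrdinalIgnoreCase)) {
        $problems += 'located under the systemroot folder'
    }
    if (Test-Attr $attrs ([System.IO.FileAttributes]::Compressed)) {
        $warnings += 'compressed: encrypting it will uncompress it'
    }

    [pscustomobject]@{
        Path             = $item.FullName
        IsFolder         = $item.PSIsContainer
        AlreadyEncrypted = (Test-Attr $attrs ([System.IO.FileAttributes]::Encrypted))
        CanEncrypt       = ($problems.Count -eq 0)
        Problems         = $problems
        Warnings         = $warnings
    }
}

function Protect-EfsPath {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [switch]$IncludeParentFolder,   # file: "Encrypt the file and the parent folder"
        [switch]$Recurse                # folder: "Apply changes to this folder, subfolders and files"
    )
    $check = Test-EfsCandidate -Path $Path
    if (-not $check.CanEncrypt) {
        throw "Refusing to encrypt $($check.Path): $($check.Problems -join '; ')"
    }
    foreach ($w in $check.Warnings) { Write-Warning "$($check.Path): $w" }

    # Encrypting a folder itself only sets its attribute so items added later are
    # encrypted ("Apply changes to this folder only"); existing content needs -Recurse.
    [System.IO.File]::Encrypt($check.Path)

    if ($check.IsFolder -and $Recurse) {
        Get-ChildItem -LiteralPath $check.Path -Recurse -Force | ForEach-Object {
            $c = Test-EfsCandidate -Path $_.FullName
            if ($c.CanEncrypt) { [System.IO.File]::Encrypt($c.Path) }
            else { Write-Warning "Skipped $($c.Path): $($c.Problems -join '; ')" }
        }
    }
    if (-not $check.IsFolder -and $IncludeParentFolder) {
        [System.IO.File]::Encrypt((Split-Path -Path $check.Path -Parent))
    }

    # Verify what Explorer shows by colouring the name green: the Encrypted attribute is set.
    return (Test-EfsCandidate -Path $check.Path).AlreadyEncrypted
}

# Usage with a constructed path: Protect-EfsPath -Path 'D:\Finance\Q3' -Recurse
```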

    Enabling the Encrypt/Decrypt Options on the Windows Explorer Menu

    Some businesses might find it easier to implement EFS by configuring Windows Explorer to display "Encrypt" and "Decrypt" on the shortcut menu when a user right-clicks a file. To enable this, you need to edit the Windows registry to create a new registry value which does not exist by default.

    CAUTION: Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

    Requirements

    Credentials: An administrator with experience editing the registry and an understanding of the dangers of editing the registry.

    Tools: the Registry Editor.

    To enable Encrypt/Decrypt options on the Windows Explorer menu

    1. Open the Registry Editor and navigate to the following registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\

    2. In the details pane (on the right), right-click, click New, and then click DWORD value.

    3. Type EncryptionContextMenu for the name of the DWORD value, and then press Enter.

    4. Right-click the DWORD value you just created and click Modify.

    5. In the Edit DWORD Value dialog box, in the Value Data box, enter a value of 1, and then click OK.

    6. Click File, and then click Exit to close the Registry Editor.

    Note: In Windows Server 2003, you can also add the Encryption Details button to the Explorer menu by creating a registry batch file (*.reg) with the following information and running the registry batch file for each user:

    [HKEY_CLASSES_ROOT\*\Shell\Encrypt To User...\Command]
    @="rundll32 efsadu.dll,AddUserToObject %1"
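The same registry change done from PowerShell, with a read-back so the setting can be confirmed or audited later; this is an added example, not code from the page. The key path and the EncryptionContextMenu value name are the page's; Test-EfsContextMenu and Set-EfsContextMenu are our own names, and an elevated Windows PowerShell session is assumed because the key lives under HKLM.

```powershell
# Added example, not from the page. Path and value name are the page's; function names are ours.
$AdvancedKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Test-EfsContextMenu {
    # The value does not exist by default; absent or 0 means the Encrypt/Decrypt entries are off.
    $v = (Get-ItemProperty -Path $AdvancedKey -Name EncryptionContextMenu -ErrorAction SilentlyContinue).EncryptionContextMenu
    return ($v -eq 1)
}

function Set-EfsContextMenu {
    param([Parameter(Mandatory = $true)][bool]$Enabled)
    $value = if ($Enabled) { 1 } else { 0 }
    # Set-ItemProperty creates the value when missing and updates it otherwise;
    # -Type DWord matches the "DWORD value" created in step 2 of the procedure.
    Set-ItemProperty -Path $AdvancedKey -Name EncryptionContextMenu -Value $value -Type DWord
    return (Test-EfsContextMenu)
}

# Usage: Set-EfsContextMenu -Enabled $true   (returns $true once the value reads back as 1)
```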

    Enabling EFS File Sharing

    Businesses commonly want to use encryption to help safeguard sensitive data, but also need to allow multiple users access to that data. With EFS, one user can encrypt a file, and then give additional users the ability to access the encrypted data. To allow several users to access an encrypted file, the user who encrypts the file designates the file as shared, and then enables shared access by adding the EFS encryption certificates of each additional user to the encrypted file. In this way, businesses can help improve security without impairing the availability of data.

    You should be aware of certain requirements and limitations related to sharing encrypted data:

    • You cannot add groups of users to encrypted files, nor can you add users to encrypted folders.
    • All users that are added to an encrypted file must have an EFS encryption certificate on the computer where the file is located. Typically, a certification authority such as Verisign issues certificates. Also, if a user has logged on to the computer and encrypted any file, that user will have an EFS encryption certificate on the computer. To import certificates, see To import a certificate on the Microsoft TechNet Web site at http://go.microsoft.com/fwlink/?LinkId=22846.
    • All users that can decrypt the file must also have access to read the file. NTFS permissions must be set properly to allow this access. If a user is denied access because of insufficient NTFS permissions, the user cannot read the encrypted file and cannot decrypt the data. To set permissions on files, see To set, view, change, or remove permissions on files and folders on the Microsoft TechNet Web site at http://go.microsoft.com/fwlink/?LinkId=22847.

    Requirements

    Credentials: An EFS certificate, and ownership of the file, are required.

    Tools: Windows Explorer.

    All users that are added to the file must have a certificate located on the computer.

    To allow a user to encrypt or decrypt a file

    1. Open Windows Explorer.

    2. Right-click the encrypted file that you want to change, and then click Properties.

    3. On the General tab, click Advanced.

    4. In Advanced Attributes, click Details.

    5. To add a user to this file, click Add, and then do one of the following:

      o To add a user whose EFS encryption certificate is on this computer, click the certificate and then click OK.
      o To view a certificate on this computer before adding it to the file, click the certificate and then click View Certificate.
      o To add a user from Active Directory, click Find User, then locate the user in the list and click OK.
      o To remove a user from this file, click the user name and then click Remove.

    Note: When a user is added to a file and the user's EFS encryption certificate is imported, the certificate is validated to a trusted root certification authority (CA). The certificate is then stored in the Other People certificate store for that user.

    Exporting and Importing Data Recovery Keys

    Data recovery keys (DRA keys) must be available to the Data Recovery Agent to enable the Agent to recover encrypted data when normal recovery is not possible. Therefore, it is important to safeguard recovery keys. A good way to guard against loss of recovery keys is to export the Data Recovery certificates and private keys of Data Recovery Agents to securable removable media in .pfx format files. You can then recover lost data by importing them.

    The following procedures outline the process for exporting and importing DRA keys.

    Requirements

    Credentials: You must be logged on with the administrator account on the first domain controller in the domain.

    Tools: Certificates MMC snap-in.

    Exporting Data Recovery Keys

    To export the certificate and private key of the default domain Data Recovery Agent

    1. Log on to the domain with the administrator account on the first domain controller in the domain.

    2. Click Start, and then click Run.

    3. Type mmc.exe and press Enter.

    4. Click File, and then click Add/Remove Snap-In.

    5. Click Add. A list of all the registered snap-ins on the current computer appears.

    6. Double-click the Certificates snap-in, click My User Account, and then click Finish.

    7. In the Add Standalone Snap-In dialog box click Close, and then in the Add/Remove Snap-in dialog box click OK. MMC now displays the personal certificates for the Administrator account.

    8. Navigate to the Certificates\Current User\Personal\Certificates folder. The details pane (on the right) displays a list of all the certificates for the administrator account. By default, two certificates are normally present. Locate the default domain DRA certificate.

    9. Right-click the default domain DRA certificate, click All Tasks and then click Export to start the Certificate Export Wizard.

    IMPORTANT: It is critical that you choose the correct key during the export process, because once the export process is complete the original private key and corresponding certificate are deleted from the computer. If the key cannot be restored to the computer, then file recovery will not be possible using that DRA certificate.

    10. Click Yes, export the private key, and then click Next. This will cause the private key to be removed when the export is complete.

    11. On the Export File Format page, click Personal Information Exchange - PKCS #12 (.PFX), select the Enable strong protection and Delete the private key if the export is successful check boxes, and then click Next.

    As a best practice, the private key should be deleted from the system when a successful export is complete, and strong private key protection should be used as an extra level of security on the private key.

    When exporting a private key, the .pfx file format is used. The .pfx file format is based on the PKCS #12 standard, a portable format for storing or transporting user information including private keys, certificates, and miscellaneous secrets. The .pfx file format (PKCS #12) also allows a password to protect the private key stored in the file.

    12. On the Password page, in the Password and Confirm password text boxes, type a strong password and then click Next.

    The last step is to save the actual .pfx file. The certificate and private key can be exported to any writeable device, including a network drive or floppy disk.

    13. On the File to Export page, type or browse for a file name and path, and then click Next.

    A notification will report whether the export was successful.

    If the file and associated private key are lost, it will be impossible to decrypt any existing files that have used that specific DRA certificate as the data recovery agent. Once the .pfx file and private key have been exported, secure the file on stable removable media in a secure location in accordance with the security guidelines and practices for your business. For example, a business might preserve the .pfx file on one or more CD-ROMs stored in a safety deposit box or vault that has strict physical access controls.

    Importing Data Recovery Keys

    In the event that you need to recover encrypted data by using an exported data recovery key, you will first need to import the key. Importing keys is simpler than exporting them.

    To import a key stored as a PKCS #12 formatted file (.pfx file), just double-click the file to open the Certificate Import Wizard, or you can start the wizard and import the key by completing the following steps:


    Requirements

    Credentials: Domain Admin account on the computer.

    Tools: The Certificates MMC snap-in.

    To import a data recovery key

    1. Log on to the computer with a valid account.

    2. Click Start and then click Run.

    3. Type mmc.exe and then press Enter.

    4. In MMC, on the File menu, click Add/Remove Snap-In.

    5. Click Add. A list of all the registered snap-ins on the current computer appears.

    6. Double-click the Certificates snap-in, click My User Account and then click Finish.

    7. In the Add Standalone Snap-In dialog box click Close, then in the Add/Remove Snap-in dialog box click OK. MMC now contains the personal certificate store for the Administrator account.

    8. Navigate to the Certificates\Current User\Personal\Certificates folder, right-click the folder, click All Tasks, then click Import to start the Certificate Import Wizard.


    9. Click Next, type a file name and path for the file to import and then click Next.

    10. On the Password page, in the Password box, type the password for the file being imported if it is a PKCS #12 file. It is a best practice to store private keys protected with a strong password.

    11. If you want to export the key again later from the current computer, it is important to select the Mark this key as exportable check box. Click Next.


    12. The wizard might prompt for the name of the store the certificate and private key should be imported into. To ensure that the private key is imported into the personal store, do not click Automatically select the certificate store based on the type of certificate; instead, click Place all certificates in the following store, and then click Next.

    13. Highlight the Personal store and click OK.


    14. Click Next, and then click Finish to complete the import. A notification will report whether the import was successful.

    IMPORTANT: A domain-based account should always be used in association with a Data Recovery Agent, because local accounts might be susceptible to physical offline attacks.
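The export steps (10 to 13) and the import procedure above, carried out from PowerShell instead of the two wizards. This is an added example, not code from the TechNet article or from the original document; it assumes the PKI module cmdlets (Windows 8 / Windows Server 2012 or later), a DRA certificate already present in the current user's Personal store, and the constructed path D:\DRA-backup\dra.pfx on removable media.

```powershell
# Added example (not from the article): export a DRA certificate and its private key to a
# password-protected PKCS #12 (.pfx) file and delete the key from this computer (wizard
# steps 10-13), then import it again later with the key marked exportable (import steps
# 1-14). Assumes the PKI module cmdlets (Windows 8 / Server 2012 or later) and that the
# DRA certificate is in the current user's Personal store. Paths are constructed.
$PfxPath = 'D:\DRA-backup\dra.pfx'                 # constructed: removable media

# A DRA certificate carries the File Recovery enhanced key usage.
$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'

function Get-DraCertificate {
    Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and ($_.EnhancedKeyUsageList | Where-Object ObjectId -eq $FileRecoveryOid)
    }
}

function Export-DraKey {
    param([Parameter(Mandatory)][string]$Path)
    $certs = @(Get-DraCertificate)
    # Choosing the wrong key is unrecoverable once the original is deleted, so refuse to guess.
    if ($certs.Count -ne 1) { throw "Expected one DRA certificate with a private key, found $($certs.Count)." }
    $cert = $certs[0]

    # Step 12: the .pfx password is what protects the private key inside the file.
    $pfxPassword = Read-Host -Prompt 'Password for the .pfx file' -AsSecureString
    $null = New-Item -ItemType Directory -Path (Split-Path -Parent $Path) -Force
    $null = Export-PfxCertificate -Cert $cert -FilePath $Path -Password $pfxPassword

    # Record a hash of the exported file so the offline copy can be verified later.
    $sha256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash

    # Step 11 ("Delete the private key if the export is successful"): remove it from this PC.
    Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey
    return [pscustomobject]@{ Thumbprint = $cert.Thumbprint; PfxFile = $Path; Sha256 = $sha256 }
}

function Import-DraKey {
    param([Parameter(Mandatory)][string]$Path)
    $pfxPassword = Read-Host -Prompt 'Password for the .pfx file' -AsSecureString
    # Steps 11-13: import into the Personal store and keep the key exportable.
    $imported = Import-PfxCertificate -FilePath $Path -CertStoreLocation Cert:\CurrentUser\My `
                                      -Password $pfxPassword -Exportable
    if (-not $imported.HasPrivateKey) { throw 'The private key was not imported.' }
    return $imported.Thumbprint
}

# Export now; run Import-DraKey on the recovery computer when the key is needed.
Export-DraKey -Path $PfxPath
# Import-DraKey -Path $PfxPath
```

Keep the Sha256 value with the offline copy; comparing it before an import is a cheap check that the media has not been altered or damaged in storage.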


    Recovering Data

    In the event that encrypted data cannot be recovered by the original user, for example, because the user has left the company, you need a way to recover the data and make it accessible to the company. This section tells how to recover an encrypted file or folder. To do so, you will use Backup or another backup tool to restore the user's encrypted file or folder to the computer where the file recovery certificate and recovery key of the Data Recovery Agent are located.

    You must be a designated recovery agent to carry out this procedure. In other words, you must hold the private key and certificate for a DRA identified on the file or folder to be recovered.

    Requirements

    Credentials: Data recovery agent.

    http://technet.microsoft.com/en-us/library/cc875821.aspx#mainSection

    Tools: Windows Explorer.

    To restore an encrypted file or folder

    1. Open Windows Explorer.

    2. Right-click the encrypted file or folder that you want to recover, and then click Properties.

    3. On the General tab, click Advanced.

    4. Clear the Encrypt contents to secure data check box.


    5. Make a backup version of the decrypted file or folder and return the backup version to the user.

    Note: You can return the backup version of the decrypted file or folder to the user as an e-mail attachment or on a disk or network file share.

    An alternate approach to recovering data involves physically transporting the recovery agent's private key and certificate to the computer that has the encrypted file, importing the private key and certificate, decrypting the file or folder, and then deleting the imported private key and certificate. This procedure exposes the private key more than the procedure above, but does not require any backup or restore operations or transporting of files.
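Steps 2 to 5 of the recovery procedure above, done with cipher.exe rather than the Properties dialog, with a pre-check that one of the recovery agent's own certificates is actually recorded on the file. This is an added example, not code from the article; it assumes the user's encrypted file has already been restored to the recovery agent's computer, that the agent's DRA certificate and private key are in Cert:\CurrentUser\My, that cipher /c prints certificate thumbprints in space-separated groups (as current Windows versions do), and constructed paths under C:\Recovery.

```powershell
# Added example (not from the article): steps 2-5 of the recovery procedure with cipher.exe.
# Assumes the encrypted file was already restored to the recovery agent's computer and that
# the agent's DRA certificate and private key are in Cert:\CurrentUser\My. Paths are constructed.
$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # File Recovery enhanced key usage

function Get-LocalDraThumbprint {
    Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and ($_.EnhancedKeyUsageList | Where-Object ObjectId -eq $FileRecoveryOid)
    } | ForEach-Object { $_.Thumbprint.ToUpperInvariant() }
}

function Find-DraRecordedOnFile {
    param([Parameter(Mandatory)][string]$Path)
    # cipher /c lists the users and recovery certificates recorded in the file's EFS metadata.
    # Thumbprints are printed in space-separated groups, so strip spaces before matching.
    $listing = (((& cipher.exe /c $Path) -join "`n") -replace ' ', '').ToUpperInvariant()
    foreach ($tp in Get-LocalDraThumbprint) { if ($listing.Contains($tp)) { return $tp } }
    return $null
}

function Test-EfsEncrypted {
    param([Parameter(Mandatory)][string]$Path)
    $attrs = (Get-Item -LiteralPath $Path).Attributes
    return ([int]($attrs -band [IO.FileAttributes]::Encrypted)) -ne 0
}

function Restore-EncryptedFile {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$BackupDir)
    if (-not (Test-EfsEncrypted -Path $Path)) { throw "$Path is not EFS-encrypted." }

    # You must hold a DRA private key that is actually recorded on this file.
    $tp = Find-DraRecordedOnFile -Path $Path
    if (-not $tp) { throw 'No DRA certificate on this computer is recorded on the file.' }

    # Step 4: clear "Encrypt contents to secure data" (cipher /d /a decrypts a file in place).
    $null = & cipher.exe /d /a $Path
    if (Test-EfsEncrypted -Path $Path) { throw 'Decryption failed.' }

    # Step 5: make a backup copy of the decrypted file to return to the user.
    $null = New-Item -ItemType Directory -Path $BackupDir -Force
    $copy = Join-Path -Path $BackupDir -ChildPath (Split-Path -Path $Path -Leaf)
    Copy-Item -LiteralPath $Path -Destination $copy
    return [pscustomobject]@{ File = $Path; RecoveredWith = $tp; BackupCopy = $copy }
}

# Constructed paths: the restored file and the folder whose contents go back to the user.
Restore-EncryptedFile -Path 'C:\Recovery\restored\report.docx' -BackupDir 'C:\Recovery\for-user'
```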


    Best Practices

    The following best practices can help a company effectively use and manage encrypted files and folders.

    Recovery agents should back up their file recovery certificates to a secure location.

    If you are the recovery agent, use the Export command from Certificates in Microsoft Management Console (MMC) to export the file recovery certificate and private key to a floppy disk. Keep the floppy disk in a secure location. Then, if the file recovery certificate or private key on your computer is ever damaged or deleted, you can use the Import command from Certificates in MMC to replace the damaged or deleted certificate and private key with the ones you have backed up on the floppy disk.

    Use the Default Domain Configuration.

    By default, the administrator of a domain is the default DRA in a Windows 2000 or Windows Server 2003 domain. When the administrator for a domain first logs in with that account a self-signed certificate is generated, the private key is stored in the profile on that computer, and the default domain Group Policy contains the public key of that certificate as the default DRA for the domain.


    The Windows XP operating system supports the encryption of data in offline files. Offline files and folders that are cached locally should be encrypted when using client-side caching policies.

    Use the system key utility SYSKEY in mode 2 or mode 3 (boot floppy or boot password) on the mobile computer to prevent the system from being booted by malicious users. The system key utility and its options are documented in online help for your version of Windows.

    Enable Server Message Block (SMB) signing in Group Policy for servers that are trusted for delegation and used for storing encrypted files. This setting is found in Group Policy at this location: GPO-name\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft Network Server: Always digitally sign communications.

    Ensure unencrypted data is removed from the hard drive after encryption of files and periodically thereafter.
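The last two best practices, checked and applied from PowerShell: the SMB-signing policy named above is read back from the registry value it sets on the server, and the deallocated space on a volume is overwritten so plaintext left behind by the original unencrypted copies cannot be read back. This is an added example, not from the article; it assumes an elevated session on the file server and the constructed volume 'C:\'.

```powershell
# Added example (not from the article): verify the SMB-signing setting named above and
# overwrite deallocated space on a volume so plaintext left behind by the original,
# unencrypted copies is not recoverable. Run from an elevated PowerShell session.
function Test-SmbServerSigningRequired {
    # "Microsoft network server: Always digitally sign communications" is stored by policy
    # as RequireSecuritySignature under the LanmanServer parameters.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $item = Get-ItemProperty -Path $key -Name RequireSecuritySignature -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.RequireSecuritySignature -eq 1)
}

function Clear-DeallocatedSpace {
    param([Parameter(Mandatory)][string]$Volume)   # e.g. 'C:\'
    # cipher /w overwrites all unused space on the volume; live files are not touched, and
    # the operation can take a long time on large volumes.
    & cipher.exe "/w:$Volume"
    return ($LASTEXITCODE -eq 0)
}

if (-not (Test-SmbServerSigningRequired)) {
    Write-Warning 'SMB server signing is not required on this server; enable it in Group Policy.'
}
# Constructed: repeat for every volume that held files before they were encrypted.
Clear-DeallocatedSpace -Volume 'C:\'
```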