4. Click OK to close the Properties dialog box for the folder.
The folder is now marked for encryption, and all files placed in the folder are
encrypted. Folders that are marked for encryption are not actually encrypted; only the
files within the folder are encrypted.
Exam Tip: Compressed files cannot be encrypted, and encrypted files cannot be compressed with NTFS compression.
After you encrypt the folder, when you save a file in that folder, the file is encrypted
using file encryption keys, which are fast symmetric keys designed for bulk encryption.
The file is encrypted in blocks, with a different file encryption key for each block. All
the file encryption keys are stored and encrypted in the Data Decryption field (DDF)
and the Data Recovery field (DRF) in the file header.
Caution: If an administrator removes the password on a user account, the user account will
lose all EFS-encrypted files, personal certificates, and stored passwords for Web sites or network
resources. Each user should make a password reset disk to avoid this situation. To create
a password floppy disk, open User Accounts and, under Related Tasks, click Prevent A
Forgotten Password. The Forgotten Password Wizard steps you through creating the password
reset disk.
How to Decrypt a Folder
Decrypting a folder or file refers to clearing the Encrypt Contents To Secure Data check
box in a folder’s or file’s Advanced Attributes dialog box, which you access from the
folder’s or file’s Properties dialog box. Once decrypted, the file remains decrypted until
you select the Encrypt Contents To Secure Data check box. The only reason you might
want to decrypt a file is if other people need access to the folder or file—for example,
if you want to share the folder or make the file available across the network.
How to Control Encryption From the Command Line by Using the Cipher Command
The Cipher command provides the capability to encrypt and decrypt files and folders
from a command prompt. The following example shows the available switches for the
Cipher command, which are described in Table 10-5:
cipher [/e | /d] [/s:folder_name] [/a] [/i] [/f] [/q] [/h] [/k] [file_name [...]]

Table 10-5 Cipher Command Switches

Switch      Description
/e          Encrypts the specified folders. Folders are marked so any files that are added later are encrypted.
/d          Decrypts the specified folders. Folders are marked so any files that are added later are not encrypted.
/s          Performs the specified operation on files in the given folder and all subfolders.
/a          Performs the specified operation on files as well as folders. Encrypted files could be decrypted when modified if the parent folder is not encrypted. Encrypt the file and the parent folder to avoid problems.
/i          Continues performing the specified operation even after errors have occurred. By default, Cipher stops when an error is encountered.
/f          Forces the encryption operation on all specified files, even those that are already encrypted. Files that are already encrypted are skipped by default.
/q          Reports only the most essential information.
/h          Displays files with the hidden or system attributes, which are not shown by default.
/k          Creates a new file encryption key for the user running the Cipher command. Using this option causes the Cipher command to ignore all other options.
file_name   Specifies a pattern, file, or folder.
If you run the Cipher command without parameters, it displays the encryption state of
the current folder and any files that it contains. You can specify multiple file names and
use wildcards. You must put spaces between multiple parameters.
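As an added example (not from the training kit), the following PowerShell script audits a folder tree for the mismatch that the /a switch description warns about: encrypted files whose parent folder is not marked for encryption, plus unencrypted files inside marked folders. The C:\Secret default path is a hypothetical placeholder; the script only reads attributes and prints the Cipher command that would correct each finding.

```powershell
# Added example (not from the training kit): read-only EFS audit of a folder tree.
# 'C:\Secret' is a hypothetical default; pass -Root to point at your own folder.
param([string]$Root = 'C:\Secret')

$Encrypted  = [System.IO.FileAttributes]::Encrypted
$Compressed = [System.IO.FileAttributes]::Compressed

function Test-Attr($Item, $Flag) {
    # True when the NTFS attribute bit is set on the file or folder.
    return (($Item.Attributes -band $Flag) -eq $Flag)
}

# -Force includes hidden and system items, which cipher only lists with /h.
$folders = @(Get-Item -LiteralPath $Root -Force) +
           @(Get-ChildItem -LiteralPath $Root -Recurse -Force -Directory)

$findings = foreach ($dir in $folders) {
    $marked = Test-Attr $dir $Encrypted
    foreach ($file in Get-ChildItem -LiteralPath $dir.FullName -Force -File) {
        $isEnc = Test-Attr $file $Encrypted
        if ($isEnc -and -not $marked) {
            # The /a caveat: an encrypted file whose parent folder is not marked.
            [pscustomobject]@{
                Issue = 'Encrypted file, folder not marked'
                Path  = $file.FullName
                Fix   = 'cipher /e "{0}"' -f $dir.FullName
            }
        }
        elseif ($marked -and -not $isEnc) {
            # Plaintext file sitting inside a folder that is marked for encryption.
            # NTFS compression and EFS are mutually exclusive, so flag that case.
            $why = if (Test-Attr $file $Compressed) { ' (NTFS-compressed)' } else { '' }
            [pscustomobject]@{
                Issue = "Unencrypted file in marked folder$why"
                Path  = $file.FullName
                Fix   = 'cipher /e /a "{0}"' -f $file.FullName
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { "No EFS inconsistencies found under $Root" }
```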
How to Create an EFS Recovery Agent
If you lose your file encryption certificate and associated private key through disk failure
or for any other reason, a user account designated as the recovery agent can open
the file using his or her own certificate and associated private key. If the recovery agent
is on another computer in the network, send the file to the recovery agent.