Encrypting File System, BitLocker, and BitLocker To Go

The Windows operating system supports three main methods to encrypt stored data. Individual applications may use additional methods of their own to encrypt data before they are written to the disk, but the three methods described here are embedded in the operating system and encrypt data as they are written to the disk, not before. Each approach has its place and should be chosen based on its specific capabilities. The best choice of data-at-rest encryption depends on the scope of the data to be encrypted and where the data are located. All three methods are specific to Microsoft Windows operating systems.

Encrypting File System

Microsoft introduced the EFS in Windows 2000. This feature works only for NTFS file systems. It allows users to encrypt files or entire folders. You can enable the encryption for files or folders simply by selecting a checkbox on the object’s properties page. It doesn’t require any additional input from the user. FIGURE 4-1 shows the object property page’s encryption setting.

[FIGURE 4-1 Object properties page: screenshot of the Advanced Attributes dialog box. Courtesy of Microsoft Corporation.]

Current versions of EFS use a symmetric key partially derived from the user’s password. The choice of a symmetric key provides faster encryption and decryption. Previous versions of Windows used Data Encryption Standard-X (DESX) or Advanced Encryption Standard (AES) as the default encryption algorithm. The latest versions of both Windows server and client operating systems use a mixed mode of AES, Secure Hash Algorithm (SHA), and Elliptic Curve Cryptography (ECC) algorithms. This allows maximum strength and flexibility. The advantage of EFS is its simplicity, transparency, and ability to limit the scope of encrypted data.

The main drawback to EFS is that it is user-based. Each user must choose to enable encryption for specific files or folders. Alternatively, administrators must define policies that require encryption. The key used to encrypt and decrypt data is based on the user’s password. Using any tool that resets passwords outside of Windows will result in your losing all encrypted data for that user.

You must also take care to avoid using single file encryption for sensitive files. When using single file encryption, the file is written in plaintext—unencrypted—to the disk and then encrypted. The plaintext file is then deleted. However, many utilities exist that make it easy to recover deleted files. If the data has not been overwritten, you can easily read the unencrypted data.
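The following is an added example, not part of the textbook, showing how an administrator can apply EFS from PowerShell and then address the plaintext-residue problem described above: encrypt a folder with cipher.exe, verify that every file carries the Encrypted attribute, and overwrite deallocated space so deleted plaintext copies cannot be recovered. The folder path is a constructed example; an NTFS volume is assumed.

```powershell
# Added example (not from the textbook): EFS from the command line plus cleanup of
# the plaintext residue left behind by single-file encryption.
# Assumptions: NTFS volume, run as the user who owns the data, $Folder is a constructed path.
$Folder = 'C:\Users\alice\Documents\Sensitive'   # constructed example path

# 1. Encrypt the folder and everything in it (cipher.exe ships with Windows).
#    /e = encrypt, /s:<dir> = recurse into subfolders, /a = operate on files as well as folders.
cipher.exe /e /s:"$Folder" /a | Out-Null

# 2. Verify: list any file under the folder that still lacks the Encrypted attribute.
$unencrypted = Get-ChildItem -Path $Folder -Recurse -File |
    Where-Object { ($_.Attributes -band [IO.FileAttributes]::Encrypted) -eq 0 }
if ($unencrypted) {
    Write-Warning "Still plaintext: $($unencrypted.FullName -join ', ')"
} else {
    Write-Host "All files under $Folder carry the Encrypted attribute."
}

# 3. Overwrite the unused space on the volume so that deleted plaintext copies
#    (the residue the text warns about) cannot be recovered with undelete tools.
#    /w:<dir> selects the volume to scrub; it does not touch live files and may take a while.
$drive = Split-Path -Qualifier $Folder
cipher.exe /w:"$drive\"

# 4. Show which certificates can decrypt each file. Review this before any password reset:
#    resetting the password outside Windows orphans the key and the data with it.
cipher.exe /c /s:"$Folder"
```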

BitLocker

A more current encryption method included in Windows is BitLocker Drive Encryption. Windows Vista first introduced BitLocker in the Ultimate and Enterprise versions.

Unlike EFS, BitLocker only has two settings for each volume: on or off. You can’t selectively choose which files or folders you want to encrypt. Everything on the selected volume is encrypted. Since entire volumes are encrypted, only administrators can enable or disable encryption. Individual users cannot alter any BitLocker settings. BitLocker also differs from EFS in how it encrypts data. All but one of the BitLocker operation modes depend on the computer’s Trusted Platform Module (TPM) microchip to manage and protect the key used for volume encryption and decryption. Most computers manufactured within the last several years contain the required TPM hardware to support BitLocker.

BitLocker offers several authentication modes, based on the input required for credentials. TABLE 4-1 lists the BitLocker authentication modes.

TABLE 4-1 BitLocker Authentication Modes

MECHANISM           | AUTHENTICATION MODE   | DESCRIPTION
TPM only            | Transparent operation | No additional input is required from the user.
TPM + PIN           | User authentication   | The user is required to enter a PIN before Windows boots.
TPM + PIN + USB key | User authentication   | The user is required to enter a PIN, called the Startup PIN, and insert a USB key, called the Startup key, with authentication credentials before Windows boots.
TPM + USB key       | User authentication   | The user is required to insert a USB key with authentication credentials before Windows boots.
USB key only        | USB key mode          | The only authentication mode that does not depend on TPM hardware; the user only inserts a USB key with authentication credentials before Windows boots.

© Jones & Bartlett Learning.

BitLocker and EFS solve similar problems, but use different approaches. Each approaches the goal of securing data at different levels, and with different requirements. TABLE 4-2 compares the major features of BitLocker and EFS.

TABLE 4-2 BitLocker and EFS Feature Comparison

BITLOCKER                                                  | ENCRYPTING FILE SYSTEM (EFS)
Encrypts all files on the selected volume                  | Encrypts only selected files and folders
Either on or off for all users                             | Encrypts files based on user actions—each user can encrypt files or folders individually
Uses TPM or USB key as part of the authentication process  | Does not require any special hardware
Must be administrator to turn BitLocker on or off          | Any user can choose to encrypt files or folders

© Jones & Bartlett Learning.

EFS is present in the latest newly installed Windows clients and servers. BitLocker is available on Windows workstation computers, but is not enabled by default for Windows Server. If you plan to use BitLocker on Windows Server, you must enable it using the Server Manager utility. To launch Server Manager, choose Start > Server Manager. In Server Manager, select Manage > Add Roles and Features from the menu to open the Add Roles and Features Wizard. Select Next four times to open the Features selection window. Select the BitLocker Drive Encryption checkbox to add BitLocker. FIGURES 4-2 and 4-3 show the Server Manager and the Add Features Wizard window.

[FIGURE 4-2 Server Manager—features: screenshot of the Server Manager utility. Courtesy of Microsoft Corporation.]

[FIGURE 4-3 Install new BitLocker feature: screenshot of the Add Roles and Features Wizard overlapping the Server Manager utility. Courtesy of Microsoft Corporation.]

Before adding BitLocker, Windows will ask you to confirm that you want to continue. Select Next > Install to confirm your choice to add BitLocker. Once BitLocker has been installed, Windows will warn you that you must restart the system. When you select Close, Windows will ask if you want to restart your system now or later. Once you restart Windows, the BitLocker feature will be available for all volumes. FIGURES 4-4, 4-5, and 4-5A show the confirmation and completion windows.

[FIGURE 4-4 Confirm BitLocker installation: screenshot of the final step of installing BitLocker. Courtesy of Microsoft Corporation.]

[FIGURE 4-5 Completed BitLocker installation: the Server Manager window shows the confirmation page of the Add Roles and Features Wizard and the installation progress of the BitLocker Drive Encryption feature. Courtesy of Microsoft Corporation.]

Microsoft added new features to BitLocker starting with Windows 8 and Windows Server 2012. The added features make it even easier to encrypt files on a Windows computer. Here is a list of the BitLocker features added in Windows 8 and Windows Server 2012:

  • BitLocker provisioning—In previous Windows versions, BitLocker could be enabled only after installing the operating system. Now, administrators can enable BitLocker as part of the Windows workstation installation process. This allows administrators to deploy Windows workstations in an encrypted state.

  • Encrypt only used disk space—BitLocker now allows administrators to encrypt only blocks in a volume that are used to store data. When using this option, BitLocker will not encrypt unused blocks. This option can dramatically reduce the time required to initially encrypt an existing volume.

  • Allow regular users to change BitLocker PIN or password—Regular users can change the Windows workstation BitLocker PIN or password for operating system volumes. Regular users can also change the Windows workstation BitLocker password for fixed data volumes. These features make it easier for administrators to deploy BitLocker to a large number of computers without having to rely only on generated PINs and passwords.

  • Network unlock—This Windows Server feature allows desktop and server computers to automatically unlock operating system volumes when they boot. To use this feature, computers must be connected to a trusted wired network.

  • Support for encrypted hard drives—BitLocker is a software solution that provides Full Volume Encryption (FVE). Another encryption method gaining popularity is Full Disk Encryption (FDE). In FDE, the disk controller encrypts each block. FDE is faster than FVE, since it occurs at a lower level than the operating system. BitLocker since Windows 8 and Windows Server 2012 supports encrypted hard drives that use FDE.
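The following is an added example, not from the textbook, that performs the Server Manager installation steps described earlier from PowerShell and then turns BitLocker on for the operating system volume in the TPM + PIN mode from Table 4-1, using the "encrypt only used disk space" option listed above and adding a recovery password. It assumes an elevated session on Windows Server with a TPM present; the Active Directory escrow step assumes the matching Group Policy has been configured.

```powershell
# Added example (not from the textbook): install the BitLocker feature, confirm the TPM,
# enable TPM + PIN protection on C: with used-space-only encryption, add a recovery password.
# Assumptions: run elevated on Windows Server; TPM present; C: is the OS volume.

# 1. Install the feature (the Add Roles and Features Wizard equivalent) and restart.
if (-not (Get-WindowsFeature -Name BitLocker).Installed) {
    Install-WindowsFeature -Name BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart
    return   # continue from step 2 after the restart the text describes
}

# 2. All modes except "USB key only" depend on the TPM, so check it is present and ready.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'TPM is not present or not ready; only USB key mode would be available.'
}

# 3. TPM + PIN (User authentication mode). The Startup PIN is prompted for, never hard-coded.
$pin = Read-Host -AsSecureString -Prompt 'Startup PIN (digits)'
if ((Get-BitLockerVolume -MountPoint 'C:').VolumeStatus -eq 'FullyDecrypted') {
    Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 `
        -TpmAndPinProtector -Pin $pin -UsedSpaceOnly -SkipHardwareTest
}

# 4. Add a recovery password so a TPM change or a forgotten PIN does not lock the data out,
#    and escrow it in Active Directory (requires the BitLocker AD backup Group Policy setting).
$vol = Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $rp.KeyProtectorId

# 5. Report: ProtectionStatus should be On and the protector list should include TpmPin.
Get-BitLockerVolume -MountPoint 'C:' |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus,
        @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ',' } }
```

Encryption continues in the background after Enable-BitLocker returns; EncryptionPercentage in the final report shows the progress.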

BitLocker To Go

BitLocker To Go is an extension to BitLocker that protects removable storage devices, such as USB keys. Since removable storage devices may be used to transport sensitive data from one computer to another, it is important to ensure the data are secure as they are being transported. BitLocker To Go makes it easy to encrypt an entire device. When you turn on BitLocker To Go for a device, Windows asks whether to use a password or a smart card to encrypt the data.

Once initialized, all data on the removable device are encrypted. You’ll need to enter the same password or use your smart card to access the media’s contents on the other computer (based on which option you selected when you enabled BitLocker To Go). As long as the other computer is running Windows 7 or later, you’ll just be prompted for the password or smart card.
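The following is an added example, not from the textbook, for administrators who want to confirm that BitLocker To Go is actually in use: it lists removable data volumes that are not yet protected, turns BitLocker To Go on for each with the password option described above, and adds a recovery password. It assumes an elevated session on Windows 7 or later with the BitLocker PowerShell module; drive letters are read from the system at run time.

```powershell
# Added example (not from the textbook): audit removable volumes for BitLocker To Go and
# enable it, with a password protector, on any that are still unprotected.
# Assumptions: run elevated; BitLocker module available; removable media currently inserted.

# Removable data volumes whose protection is currently Off.
$unprotected = Get-BitLockerVolume |
    Where-Object { $_.VolumeType -eq 'Data' -and $_.ProtectionStatus -eq 'Off' } |
    Where-Object { (Get-Volume -DriveLetter $_.MountPoint.TrimEnd(':')).DriveType -eq 'Removable' }

if (-not $unprotected) {
    Write-Host 'Every removable volume is already protected by BitLocker To Go.'
    return
}

foreach ($vol in $unprotected) {
    Write-Host "Enabling BitLocker To Go on $($vol.MountPoint)"
    # Password unlock, as the text describes; -SmartCardProtector is the smart card alternative.
    $pw = Read-Host -AsSecureString -Prompt "Password for $($vol.MountPoint)"
    Enable-BitLocker -MountPoint $vol.MountPoint -PasswordProtector -Password $pw -UsedSpaceOnly
    # Keep a recovery password too: without one, a forgotten password means the data are lost.
    Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector | Out-Null
}

# Final report: each removable volume should now list Password and RecoveryPassword protectors.
Get-BitLockerVolume |
    Where-Object VolumeType -eq 'Data' |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus,
        @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ',' } }
```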
