File encryption

Notice

Malfunctions

Do not encrypt the entire system partition, Windows system files or the TwinCAT folder. This can lead to malfunctions.

As a rule, an established access control is sufficient to protect sensitive files and directories against unauthorized access. If the data carrier is lost, however, this protection is no longer guaranteed, and the individual files and directories need the additional protection of encryption.

With EFS (Encrypting File System), Windows provides an encryption function with which individual files or entire directories can be encrypted. This adds a further security level with cryptographic protection.

An important aspect after encryption is the administration of the keys and the clarification of the following questions:

In any case the data are unprotected when they are decrypted and used.

By comparison, BitLocker supports the encryption of complete data carriers. In addition, BitLocker offers maximum protection when it is used with TPM (Trusted Platform Module), as described in the TPM documentation.

Activating EFS

1. Right-click a folder or file and select Properties from the context menu that opens.
2. Open the General tab and click Advanced.
3. To encrypt the folder or file, select the Encrypt contents to secure data check box.
If this is the first data encrypted in this way, Windows automatically creates an EFS certificate in the local certificate store. Make sure the certificate is saved, because otherwise it is impossible to restore the data (see Saving the certificate).

Saving the certificate

1. Launch certmgr.msc.
2. Click Add, select My user account and click Finish.
3. Expand the "Personal" folder and click Certificates.
You should see a certificate with "Encrypting File System" as the "Intended Purpose".
4. To save the certificate, right-click on the certificate and select All Tasks > Export.
5. Select Export Private Key.
6. Select Personal Information Exchange, Include all certificates… and Enable strong protection.
7. Specify a password to protect the certificate. This certificate is required later for the import.
8. Specify the path under which the certificate is to be saved. Store the exported certificate in a separate, secure location.
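The two procedures above (activating EFS and saving the certificate) can also be carried out without the GUI. The following PowerShell script is an added example, not part of Beckhoff's documentation or software; the folder path and PFX target path are placeholders, and the script must run as the user who owns the data.

```powershell
# Added example (not Beckhoff's own code): encrypt a folder with EFS, verify the
# attribute, then export the EFS certificate with its private key to a PFX file.
# Assumptions: $Target and $PfxPath are placeholders; run as the user who owns the data.
param(
    [string]$Target  = 'C:\SecureData',            # placeholder folder to encrypt
    [string]$PfxPath = 'D:\Backup\efs-backup.pfx'  # placeholder, keep on separate media
)

# Guard for the notice above: never encrypt the system partition or Windows files.
$full = (Resolve-Path $Target).Path
if ($full -eq "$env:SystemDrive\" -or $full.StartsWith($env:SystemRoot, 'OrdinalIgnoreCase')) {
    throw "Refusing to encrypt system location: $full"
}

# "Activating EFS" without the GUI: cipher.exe /e /s: encrypts the folder and
# everything below it; the first encryption also creates the EFS certificate.
cipher.exe /e "/s:$full" | Out-Null

# Check: every file under the folder must now carry the Encrypted attribute.
$plain = Get-ChildItem -Path $full -File -Recurse |
    Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::Encrypted) }
if ($plain) { throw "Not encrypted: $($plain.FullName -join ', ')" }

# "Saving the certificate": find the personal certificate whose intended purpose
# is Encrypting File System (EKU OID 1.3.6.1.4.1.311.10.3.4) and that has a private key.
$efsOid = '1.3.6.1.4.1.311.10.3.4'
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $efsOid) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No EFS certificate with private key found in Cert:\CurrentUser\My' }

# Export as PFX (Personal Information Exchange) including the private key and the
# whole certificate chain, protected by a password entered interactively.
$pw = Read-Host -Prompt 'PFX password' -AsSecureString
New-Item -ItemType Directory -Path (Split-Path $PfxPath) -Force | Out-Null
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pw -ChainOption BuildChain | Out-Null
Write-Host "EFS certificate $($cert.Thumbprint) exported to $PfxPath"
```

The PFX file is the only way to recover the data on another installation, so the password and the file itself must not be kept together with the encrypted data carrier.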