* In a nice advance since Windows 2000, you can now share access to a file you've encrypted via the Details tab of the Advanced Attributes dialog box.
* You can see who has encrypted a file by clicking the Details button on the Advanced Attributes dialog box.
* You can't share an encrypted folder. (That falls into the 'painfully obvious' category, but I have to be thorough here.)
* Encryption, like compression, is transparent. That is, you don't have to explicitly descramble a file before you edit it and rescramble it when you're done.
As long as applications create temporary or backup files within the same folder as the original data file, you're protected because encryption works on a folder basis. That is, if you open up LOVELETTER.DOC in C:\Personal\Letters, which is an encrypted folder, and your word processor creates an autosave temporary file named ~LOVELETTER.DOC in the same folder, the temporary file is encrypted, just like the original file.
To go one better, Microsoft makes sure that the encryption keys never show up in the pagefile. You wouldn't want someone sifting through PAGEFILE.SYS in the middle of the night and discovering how to decrypt your encrypted files.
In a network environment, administrators can use Windows XP policies to control the use of encryption. For example, an administrator could disable EFS for a domain or for an organizational unit within a domain. I explore the concept of policies in painful detail in Chapter 11.
The safety net
If a user forgets his or her account password, and you just know that's going to happen at some point, the recovery agent has a private key that will unlock an encrypted file.
Instant Answer: By default, the recovery agent is the administrator of the local PC, or (if the PC is on a network) the domain administrator who first logged on to the first domain controller in the domain.
The recommended practice is to copy (for example, by using Backup) the encrypted file to the recovery agent's PC, where the recovery agent can decrypt the file simply by clearing the Encrypt Contents to Secure Data check box on the file's property sheet.
Basic versus dynamic disks
Windows XP supports two kinds of disk organization:
* Basic disks, which use partitions in much the same way as Windows NT Workstation 4.0 or Windows Me/98/95.
* Dynamic disks, which are unique to Windows XP and 2000. The default behavior is for Windows XP to set up your disks as basic disks, unless you're upgrading a Windows NT Workstation 4.0 machine that uses advanced disk management features. Check out Chapter 7 for the details.
You need to use a dynamic disk if you want to create
* Striped volumes (a single drive letter made up of multiple physical disks, with data written across all of them in parallel for higher speed)
* Spanned volumes (a single drive letter made up of multiple physical disks, filled one after another at normal speed)
* Very large volumes (greater than 2TB)
For now, just know that you can use dynamic disks with any of the three Windows XP file systems, but certain features (such as extending a volume) are only available if you use NTFS.
Converting from One File System to Another
So you chose file system A, and now you realize you should have chosen file system B. What can you do?
* If you're installing Windows XP, the setup program asks you if you'd like to convert an existing FAT16 or FAT32 drive to NTFS. The default answer is No on Windows XP Professional (but Yes on Windows 2000 Server).
* If you're past the installation phase, you can use a supplied program to convert from FAT or FAT32 to NTFS, but not in the reverse direction.
From FAT or FAT32 to NTFS
The conversion utility typically lives in C:\WINDOWS\SYSTEM32 and is named CONVERT.EXE. This tool converts your disk while keeping all the files on the disk intact, unlike a format operation. (Still, you're well advised to make a backup of the drive before conversion, anyway, just in case.) The syntax is
CONVERT.EXE <driveletter>: /fs:ntfs [/v] [/cvtarea:filename]
where <driveletter> is the letter of the drive you want to convert.
* The /v qualifier is optional (hence the square brackets, which you would not actually type) and means 'run the utility in verbose mode,' that is, with status messages.
* The /cvtarea qualifier tells Windows to create an unfragmented root directory file to contain the Master File Table (MFT), so that the MFT doesn't become fragmented in the future; this is an improvement over Windows 2000. By the way, you have to use the FSUTIL FILE CREATENEW command to actually create the file, before you use the CONVERT command with the /cvtarea qualifier.
* The /nosecurity qualifier tells Windows not to apply default NTFS permissions to the converted volume, which is now the default behavior of CONVERT.EXE (again, a change from Windows 2000).
Note that you can't convert the current drive. If you have only a C drive on a given PC, CONVERT.EXE advises you that it will perform the conversion at the next restart.
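The two-step procedure above (reserve a contiguous placeholder with FSUTIL, then run CONVERT with /cvtarea), as an added batch script that is not from the book. It assumes the target drive letter is passed as the first argument, that it runs from an administrative command prompt, and that the placeholder name cvtarea.tmp and its 100 MB size are arbitrary choices you would size to your own volume.

```batch
@echo off
REM Added example (not the book's own code): FAT/FAT32 -> NTFS conversion
REM with an unfragmented MFT placeholder, per the CONVERT /cvtarea description.
setlocal
if "%~1"=="" (
    echo Usage: %~nx0 ^<driveletter^>
    exit /b 1
)
set "DRV=%~1"
set "DRV=%DRV::=%"
REM Placeholder name and size are assumptions; CONVERT expects the name relative to the root.
set "CVTFILE=cvtarea.tmp"
set "CVTSIZE=104857600"

REM Read the current file system; CONVERT only goes from FAT/FAT32 to NTFS.
set "FSLINE="
for /f "tokens=*" %%a in ('fsutil fsinfo volumeinfo %DRV%: ^| find "File System Name"') do set "FSLINE=%%a"
if not defined FSLINE (
    echo Could not read the file system of %DRV%: ^(wrong drive letter, or not an administrator^).
    exit /b 1
)
echo %FSLINE% | find /i "NTFS" >nul && (
    echo %DRV%: is already NTFS. Nothing to convert.
    exit /b 0
)

REM The drive Windows is running from cannot be converted while in use;
REM CONVERT will schedule it for the next restart, so say so up front.
if /i "%DRV%:"=="%SystemDrive%" echo Note: %DRV%: is the system drive; conversion will run at the next restart.

REM Step 1: create the contiguous placeholder file in the root of the target volume.
fsutil file createnew %DRV%:\%CVTFILE% %CVTSIZE% || exit /b 1

REM Step 2: convert in verbose mode, handing the placeholder to /cvtarea so the MFT lands in it.
convert %DRV%: /fs:ntfs /v /cvtarea:%CVTFILE%
endlocal
```

Make a backup first, as the text advises; the script does not undo a partial conversion.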