Q: I use a Windows password to protect my laptop computer (which runs Windows 7 Professional), but my colleague has advised me to set up a BIOS password, too. Is a BIOS password warranted?
A: The use of BIOS and Windows passwords will prevent others from turning on your computer or booting up your Windows operating system, which does result in added protection. However, these passwords are not enough to adequately protect the data on your laptop in the event that it is lost or stolen. The data files on your laptop’s hard drive would remain vulnerable because a thief or hacker could remove the hard drive and install it in another computer as a secondary drive to access your data. The thief also could boot up your computer using an external USB drive containing Knoppix—an operating system specifically designed to boot from a CD or USB drive. Thereafter, your primary hard drive would become the secondary drive, and your data could be accessed, stolen or compromised.
For proper security, you need to encrypt the data on your laptop’s hard drive. There are numerous methods for accomplishing this goal, many of which are described in the article “Protect Your Portable Data—Always and Everywhere” (JofA, June 2009, page 30). In your case, I would recommend that you employ the Encrypting File System (EFS) because it is included in your Windows 7 Professional operating system. (EFS also is included in the professional editions of Windows Vista and XP.) Step-by-step instructions and additional comments regarding EFS are provided below.
To enable EFS, right-click on the data folder you want to protect and select Properties, Advanced, then check the box next to Encrypt contents to secure data, and click OK. (Repeat this step for each data folder you want to secure).
Once EFS has been applied, the folder name and all file names contained in the folder will display in green text, indicating that the folder and files automatically are encrypted when you log out of Windows. Likewise, when you log in to Windows, the data files are instantly decrypted. The result is that a thief or hacker no longer will be able to access your data once you have logged out of Windows or turned off your computer.
Note that EFS works only on hard drives formatted in Windows NTFS (New Technology File System). Because most USB drives and SD cards are formatted using FAT32 (file allocation table), those drives must be reformatted using NTFS before EFS can be applied.
To reformat these external drives, click the Windows Start button and select Computer. Right-click on the external drive and select Format. From the File system dropdown box, select the NTFS option and click the Start button, as shown below. ( Warning: The formatting process will erase all data on the USB or SD drive.)
Beginning with the Windows XP operating system, it is possible to share encrypted files with other users across a network, but this sharing process can be fairly involved depending on your operating systems, network configuration and security. Although your specific procedures will vary widely based on many factors, the process of sharing encrypted files across a network essentially is as follows:
1. Each user must create and export a public key certificate, and those certificates must then be imported and added to the encrypted files. Certificates can be managed and exported in the Windows Certificate Manager, which is accessible by typing certmgr.msc in the Windows Start, Search programs and file box.
2. Once a certificate has been exported from the remote user’s computer, launch the Certificate Manager on the computer containing the encrypted files, and import the certificate.
3. To complete the process of enabling the remote user to access an encrypted file across the network, right-click the encrypted file and select Properties, Advanced, Details, and click the Add button, then select the newly imported certificate and click OK three times.
Keep in mind that remote network users should also be set up as users on the host computer and that proper share and security permissions should be granted to those remote users. As a safety precaution, you should make a backup copy of the encrypting key just in case the key file on your computer becomes corrupt. A Microsoft article summarizing the best practices related to using EFS is available at support.microsoft.com/kb/223316.
More from the JofA: