Personal data encryption in Windows 11

There’s a new, more secure way to encrypt files in Windows 11, but it’s only an option for building secure applications, not a replacement for BitLocker.

Image: Windows 11 logo seen on the screen of a tablet, with a user pointing at it (Stafford, United Kingdom, July 1, 2021). Ascannio/Adobe Stock

Windows 10 already has two flavours of encryption, BitLocker and Windows Device Encryption, and as of the 22H2 release, Windows 11 Enterprise and Education add a third: Personal Data Encryption.

BitLocker and Device Encryption are effectively the same full-disk encryption technology, but there are management tools for BitLocker (which is only available in Windows Pro, Enterprise and Education) that let admins control whether one or more drives on a system are encrypted, as well as backing up and recovering the keys. Device Encryption is included in Windows Home and encrypts the operating system drive and any fixed data drives on the PC, with no option to exclude secondary drives. The name is different because calling it BitLocker would make people think they were getting the same management tools and options.

Personal Data Encryption doesn’t replace either of them because it doesn’t encrypt a whole drive; instead, it protects individual files and folders with AES-CBC using 256-bit keys that are in turn protected by Windows Hello for Business, but only through applications that are built to use it.

File encryption in Windows

You could already encrypt a selection of files in Windows by:

  1. Selecting them in File Explorer.
  2. Right-clicking and choosing Properties.
  3. Clicking the Advanced button in the Attributes section of the General tab.
  4. Checking the ‘Encrypt contents to secure data’ checkbox.

That uses the Encrypting File System (EFS) built into Windows, but it has several drawbacks.

Complications from encrypting via EFS

EFS dates back to Windows 2000, long before TPMs were common in PCs, so it doesn’t use hardware security to protect the encryption keys. The per-file keys are wrapped with the user’s EFS certificate, whose private key is stored in the Windows profile and protected by DPAPI, which ultimately derives from the account password. An attacker could potentially extract that key material, or they could just try to hack into your Windows account: either way, the password is the only thing standing between them and the files.

Files encrypted with EFS can also be accessed only by the user account that encrypted them (unless that user explicitly adds other users’ certificates, or a data recovery agent has been configured). That’s seamless: as soon as you log in with that user account you can access encrypted files without doing anything extra, but if you log in with a different account, you can’t open them at all.

PDE uses Windows Hello for more secure keys

BitLocker unlocks the encrypted drive as soon as you boot Windows; PDE only unlocks encrypted files when the user logs in, and only if they log in using Windows Hello for Business.

By using Windows Hello for Business, Personal Data Encryption binds the encryption keys to credentials held in secure hardware (the TPM), where they’re only released when you authenticate either biometrically or with a PIN. The PIN is also protected by hardware security and, unlike a password, doesn’t roam to other devices you use that account with.

That’s more secure, but also more transparent for users, although you do have to get used to not seeing Personal Data Encryption-protected files if you decide to sign in to your account using your password instead.

Turning on Personal Data Encryption

There are some limitations to using Personal Data Encryption. The PC has to be joined to Azure AD and not be a hybrid device (i.e., one that’s joined to your organization’s Active Directory but also registered with Azure AD). Remote Desktop connections and Windows automatic restart sign-on (ARSO) aren’t supported, you can’t see Personal Data Encryption-protected files through a network share, and you can’t sign in with a FIDO security key instead of Windows Hello for Business.

To make sure the Personal Data Encryption keys aren’t accidentally exposed (a hibernation file or a memory dump can carry decrypted keys and file contents out to disk), you will want to disable hibernation, crash dumps and Windows Error Reporting. You can do that through the same MDM solution you use to enable Personal Data Encryption, whether that’s Intune or another MDM that supports the PDE and Policy configuration service providers (CSPs).

You can also decide whether you want encrypted files to be available when Windows is locked or not. If you choose level two protection, encrypted files will be accessible for one minute after the Windows lock screen appears, but then the decryption keys will be discarded. You don’t have to use OneDrive for it, but you will want to make sure that you have backups in case the Personal Data Encryption keys are lost.

Unlike EFS, once you’ve enabled Personal Data Encryption, you don’t encrypt files through File Explorer: in fact, there’s no user interface for Personal Data Encryption at all. That’s because it’s controlled through APIs that developers use in applications; the first to enable PDE is the built-in Mail app, which can encrypt both email messages and attachments.

PDE is a partner to BitLocker

Again, Personal Data Encryption doesn’t replace BitLocker: it’s designed to be used alongside it for files that organizations decide need the extra protection.

If you have a line-of-business application that handles particularly sensitive information, you can use the PDE APIs to make sure the files can only be accessed by employees who are supposed to have access, and only on managed devices that are Azure AD joined. You want that to be set by your compliance policies, rather than giving individual employees a tool for encrypting files, which could be used by malicious insiders to hide data they shouldn’t have on their devices and might be trying to take outside the organization.
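The API-driven model described under “Turning on Personal Data Encryption” (no user interface; applications call the PDE APIs) and the line-of-business scenario above, as an added example that is not code from the original article or from Microsoft. It assumes a C#/WinRT console project targeting net8.0-windows10.0.22621.0 or later, an Azure AD joined PC with PDE enabled through MDM, and a user signed in with Windows Hello for Business; the file path and the sample secret are hypothetical and constructed. UserDataAvailability.WhileUnlocked corresponds to the level-two protection mentioned earlier (keys dropped shortly after lock), AfterFirstUnlock to level one.

```csharp
// Added example, not code from the original article or from Microsoft: how a
// line-of-business app would use the Windows 11 22H2 PDE API
// (Windows.Security.DataProtection). Assumptions: a C#/WinRT project targeting
// net8.0-windows10.0.22621.0 or later, an Azure AD joined device with PDE enabled
// by MDM, and a user signed in with Windows Hello for Business. The file path and
// the secret string below are hypothetical/constructed.
using System;
using System.Threading.Tasks;
using Windows.Security.Cryptography;
using Windows.Security.DataProtection;
using Windows.Storage;
using Windows.Storage.Streams;

class PdeDemo
{
    static async Task<int> Main(string[] args)
    {
        // TryGetDefault returns null when PDE is not usable for this user: PDE not
        // enabled, device not Azure AD joined (or hybrid joined), or a password
        // sign-in instead of Windows Hello. Fail closed rather than write plaintext.
        UserDataProtectionManager pde = UserDataProtectionManager.TryGetDefault();
        if (pde == null)
        {
            Console.Error.WriteLine("PDE unavailable for this user; refusing to store sensitive data unprotected.");
            return 1;
        }

        // 1. File protection. WhileUnlocked is the stricter level (the article's
        //    "level two"): keys are discarded shortly after the lock screen appears.
        //    AfterFirstUnlock ("level one") keeps data readable until sign-out.
        string path = args.Length > 0 ? args[0] : @"C:\LobApp\report.xlsx"; // hypothetical path
        StorageFile file = await StorageFile.GetFileFromPathAsync(path);
        UserDataStorageItemProtectionStatus status =
            await pde.ProtectStorageItemAsync(file, UserDataAvailability.WhileUnlocked);
        switch (status)
        {
            case UserDataStorageItemProtectionStatus.Succeeded:
                break;
            case UserDataStorageItemProtectionStatus.NotProtectable:
                // The item lives somewhere PDE can't protect (e.g. a network share).
                Console.Error.WriteLine($"{path}: not protectable; do not write sensitive data here.");
                return 2;
            case UserDataStorageItemProtectionStatus.DataUnavailable:
                // Keys not currently released (device locked or password sign-in).
                Console.Error.WriteLine($"{path}: PDE keys unavailable right now; retry after Hello sign-in.");
                return 3;
        }

        // Verify rather than trust: read the protection level back from the file.
        UserDataStorageItemProtectionInfo info = await pde.GetStorageItemProtectionInfoAsync(file);
        if (info.Availability != UserDataAvailability.WhileUnlocked)
        {
            Console.Error.WriteLine($"{path}: expected WhileUnlocked, got {info.Availability}.");
            return 4;
        }

        // 2. Buffer protection for secrets that never touch a file (tokens, cached
        //    credentials). Same availability levels apply.
        IBuffer plaintext = CryptographicBuffer.ConvertStringToBinary(
            "constructed sample secret", BinaryStringEncoding.Utf8);   // constructed input
        IBuffer sealedBuf = await pde.ProtectBufferAsync(plaintext, UserDataAvailability.WhileUnlocked);

        UserDataBufferUnprotectResult result = await pde.UnprotectBufferAsync(sealedBuf);
        if (result.Status == UserDataBufferUnprotectStatus.Unavailable)
        {
            // Expected after the lock-screen grace period or on a password sign-in.
            Console.Error.WriteLine("Secret unavailable until the user signs in with Windows Hello.");
            return 5;
        }
        string recovered = CryptographicBuffer.ConvertBinaryToString(
            BinaryStringEncoding.Utf8, result.UnprotectedBuffer);
        Console.WriteLine($"Recovered {recovered.Length} characters from the protected buffer.");

        // 3. Lock handling (for a long-running app): when WhileUnlocked data is about
        //    to stop being available, purge plaintext copies the app holds in memory
        //    so they can't outlive the keys that protected them.
        pde.DataAvailabilityStateChanged += (sender, e) =>
        {
            if (!sender.IsContinuedDataAvailabilityExpected(UserDataAvailability.WhileUnlocked))
            {
                recovered = null; // drop cached plaintext; the next Unprotect reports Unavailable
                Console.WriteLine("Level-two data is going away; in-memory copies cleared.");
            }
        };
        return 0;
    }
}
```

Run it once after a Windows Hello for Business sign-in, then lock the PC for more than a minute (or sign in again with the password) and run it a second time: the first run protects the file and recovers the buffer, the second exits at the null TryGetDefault or the Unavailable status, which is exactly the behaviour the article describes for level two protection and password sign-ins. The non-zero exit codes are the app’s own convention, chosen so a caller can tell “PDE not available” apart from “wrong location” and “keys not released”.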

Unlike files that are protected by tools like Azure Information Protection or Purview Information Protection, where sensitivity labels and encryption are enforced on files permanently, users can decrypt files protected with Personal Data Encryption manually in File Explorer. Here’s how:

  1. Right-click on the file.
  2. Choose Properties.
  3. Click the Advanced button on the General tab, the same place you apply EFS encryption.
  4. Uncheck the option Encrypt contents to secure data.

Remember, you can’t encrypt the file again the same way; that can only be done by an application.

If you have a lot of encrypted files, you can use the CIPHER command (its /D switch decrypts) to decrypt one or more files in a folder. You can only do that when you’ve logged in with Windows Hello for Business and already have access. This is not a security flaw, because if you had access, you could just copy and paste the contents of the file elsewhere anyway.

The Personal Data Encryption name is rather confusing: it’s personal because it’s tied to the way a person logs in with Windows Hello for Business, but it’s not something an individual can choose to use and it’s not for protecting personal files. Instead, it’s another building block for making Windows a more secure way to handle information, but only once there are more applications that make use of it.
