How to Encrypt Offline Files

Microsoft Windows XP provides many enhancements in the area of data protection—especially Encrypting File System (EFS). This article describes how to encrypt offline files and is intended to assist system architects and administrators in developing best practices for creating data recovery and data protection strategies using Windows XP.

Encrypting Offline Files

Windows 2000 introduced the capability to cache offline files (also known as client-side caching [CSC]). This IntelliMirror™ management technology allows network users to access files on network shares, even when the client computer is disconnected from the network.

For example, when a mobile user views the share while disconnected, he or she can still browse, read, and edit files, because the files have been cached on the client computer. When the user later connects to the server, the system reconciles the changes with the server.

The Windows XP client now enables offline files and folders to be encrypted using the Encrypting File System. This feature is especially attractive for traveling professionals that need to work offline periodically while maintaining the security of their data.

A common database

A common database on the local machine is used to store all user files and to limit access to those files through explicit access control lists (ACLs). The database displays the files to the user in a manner that hides the database structure and format and appears as a normal folder to the user. Other user files and folders are not shown, and are not available to other users. When the offline files are encrypted, the entire database is encrypted using an EFS machine certificate. Individual files and folders may not be selected for decryption. Therefore, the entire offline files database is protected by default from attacks using the native EFS when this feature is enabled.

One limitation

One limitation of the encrypted offline files database is that files and folders will not be shown as an alternate color to the user when working offline. The remote server may also be using encryption of files and folders selectively when online, so this may appear as an inconsistency to the user when displaying encrypted files online and offline.

Important The CSC runs as a SYSTEM process and therefore may be accessed by any user or process that may run as SYSTEM or act as a SYSTEM process. This includes administrators on the local machine. Therefore, when sensitive data is stored in offline folders, administrative access should be restricted to users and SYSKEY should always be used to thwart offline attacks.

To encrypt offline files

Encrypted offline files is enabled by setting folder options which can be found in Windows Explorer by selecting Tools and then Folder Options in the command menu.

Note This option is only available in Windows XP Professional.

  1. Select the Offline Files tab as shown below.

    Selecting the Offline Files tab

  2. Select Enable Offline Files and Encrypt offline files to secure data.

  3. Click OK.

Offline files will be encrypted when cached locally using a private key and certificate for the user on the client machine.

Important Never encrypt files that are stored in a roaming user profile as the system will not be able to open the files in the profile when it is loaded at logon.