Question: This
question isn't so much a research question as it is a technical one,
and in full disclosure, it comes from the editor and not a
subscriber. I regularly encrypt sensitive files on my Windows XP Pro
computer using Windows encryption as just one method of securing
information on it. I travel a lot and I use my own laptop in the
workplace.
I also run an automatic
backup program by Iomega, which copies my files to an external hard
drive (or a temporary cache if I'm traveling) at frequent intervals.
Recently, I noticed that it copies the encrypted files without
retaining the encryption. Does anyone know if the mere act of
copying a file encrypted with Windows in effect decrypts the file?
Is this perhaps the unintended consequence of copying the file to a
non-NTFS file system or FAT32 drive? If so, what does this say about
the security of Windows encryption?
Robert McComber: To answer the
writer's question, the act of copying the file does remove the
encryption. Windows File System encryption is tied to both NTFS and
generally to the presence of Active Directory. It is also important
to keep in mind that Windows File Encryption, by virtue of this
process, does not protect the file in transit;
i.e., when it is being moved between two
machines across the network, it is not encrypted. If the Windows
File System encryption is used on a corporate Active Directory
domain, the administrators can open the files, though it does
require some effort. If the writer is
interested in a file encryption or drive encryption solution that
protects the information both in transit and at rest, they should
consider a standalone file protection solution. Depending on
corporate policies, there may be an existing solution or this might
have to be set up just for the single machine. It is important to
check with IT if any company documents are going to be encrypted,
however, as there is always a risk of losing the password, in which
case the information encrypted would likewise be lost.
Some potential encryption packages include PGP Desktop Professional
9.6 (www.pgp.com) which is a
retail product and has excellent corporate integration tools, or
TrueCrypt (www.truecrypt.org),
a standalone open-source tool available freely. I use TrueCrypt
myself as it's easy to handle and very flexible.
Editor: Robert McComber is Product Security
Specialist with Telvent in Canada. Thank you, Rob, for your most
helpful response.
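
The check below is an added example, not part of the original exchange: a PowerShell audit that lists files carrying the EFS Encrypted attribute at the source and reports whether each backup copy kept it. It assumes the backup mirrors the source folder tree as ordinary files; `$SourceRoot` and `$BackupRoot` are hypothetical parameters.

```powershell
# Added example: find backup copies that lost the EFS Encrypted attribute.
# Assumption: the backup mirrors the source tree file-for-file.
# $SourceRoot and $BackupRoot are hypothetical parameter names.
param(
    [Parameter(Mandatory = $true)][string]$SourceRoot,
    [Parameter(Mandatory = $true)][string]$BackupRoot
)

$encrypted  = [System.IO.FileAttributes]::Encrypted
$sourceFull = (Resolve-Path -LiteralPath $SourceRoot).ProviderPath.TrimEnd('\')
$backupFull = (Resolve-Path -LiteralPath $BackupRoot).ProviderPath.TrimEnd('\')

# EFS is an NTFS feature, so report the backup volume's file system first.
try {
    $root  = [System.IO.Path]::GetPathRoot($backupFull)
    $drive = New-Object System.IO.DriveInfo $root
    Write-Host "Backup volume $root uses $($drive.DriveFormat)"
    if ($drive.DriveFormat -ne 'NTFS') {
        Write-Warning 'Backup volume is not NTFS; copies cannot keep EFS encryption.'
    }
} catch {
    # DriveInfo rejects UNC paths; fall back to the per-file check below.
    Write-Warning "Could not determine file system for $backupFull"
}

# Compare every EFS-encrypted source file with its copy in the backup tree.
Get-ChildItem -LiteralPath $sourceFull -Recurse -Force |
    Where-Object { -not $_.PSIsContainer -and ($_.Attributes -band $encrypted) } |
    ForEach-Object {
        $relative = $_.FullName.Substring($sourceFull.Length).TrimStart('\')
        $copyPath = Join-Path $backupFull $relative
        if (-not (Test-Path -LiteralPath $copyPath)) {
            $state = 'NotBackedUp'
        } elseif ((Get-Item -LiteralPath $copyPath -Force).Attributes -band $encrypted) {
            $state = 'EncryptedCopy'
        } else {
            $state = 'PlaintextCopy'   # readable by anyone holding the drive
        }
        New-Object PSObject -Property @{
            Source = $_.FullName
            Backup = $copyPath
            State  = $state
        }
    } |
    Sort-Object State, Source |
    Format-Table State, Source, Backup -AutoSize
```

Rows marked `PlaintextCopy` are the files the backup stored without encryption.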