Windows 11 Enterprise and Education add Personal Data Encryption: what it is and how it works

Windows 11 Enterprise and Education have introduced Personal Data Encryption as an additional security feature, adding to the existing encryption options of BitLocker and Windows Device Encryption. While BitLocker and Device Encryption provide full disk encryption, Personal Data Encryption focuses on individual files and folders, enhancing security through the use of 256-bit AES-CBC encryption keys protected by Windows Hello for Business.


Table of Contents
  1. File Encryption in Windows
    1. Enhanced Security Through Windows Hello
  2. Enabling Personal Data Encryption
  3. Personal Data Encryption as a Complement to BitLocker

File Encryption in Windows

Historically, Windows has offered file encryption through the Encrypting File System (EFS). This method, however, has limitations. First, EFS does not utilize hardware security, making it vulnerable to potential key extraction or unauthorized access. Additionally, files encrypted with EFS can only be accessed by the specific user account that encrypted them. Any attempt to open the files with a different account will be unsuccessful.

Enhanced Security Through Windows Hello

Personal Data Encryption takes advantage of the security provided by Windows Hello for Business. The encryption keys are stored in secure hardware and are only released upon successful authentication using biometrics or a PIN. Unlike passwords, which can be compromised, PINs and biometric data are protected by hardware security and do not roam across multiple devices.

While this approach offers enhanced security, it is important to note that Personal Data Encryption-protected files will not be visible if a user chooses to log in using their password rather than Windows Hello.

Enabling Personal Data Encryption

There are some prerequisites for using Personal Data Encryption. The PC must be joined to Azure AD and cannot be a hybrid device. Remote Desktop connections are not supported, and Personal Data Encryption-protected files cannot be accessed through a network share. Additionally, the use of FIDO keys or automatic restart sign-on to Windows is not supported.


To prevent accidental exposure of Personal Data Encryption keys (for example, through key material written to disk in a hibernation file or memory dump), it is recommended to disable hibernation, crash dumps, and Windows Error Reporting. These settings can be pushed through the same MDM solution used to enable Personal Data Encryption, such as Intune, or through Group Policy with a CSP.
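An added example, not from the article, showing how to audit those three settings locally in PowerShell (and apply them with an assumed -Apply switch) for lab validation before the same policy is pushed through Intune or Group Policy; the registry paths and values are the standard Windows ones, and the script must run elevated:

```powershell
# Added example (not from the article): audit, and optionally apply, the three local
# settings the article recommends turning off so PDE keys are not written to disk.
# Intended for lab validation; in production push the same settings through MDM/GPO.
# Registry paths/values are the standard Windows ones; -Apply is an assumed switch name.
param([switch]$Apply)

$checks = @(
    @{ Name = 'Hibernation'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
       Value = 'HibernateEnabled'; Wanted = 0 },
    @{ Name = 'Crash dumps'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
       Value = 'CrashDumpEnabled'; Wanted = 0 },
    @{ Name = 'Windows Error Reporting'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting'
       Value = 'Disabled'; Wanted = 1 }
)

foreach ($c in $checks) {
    # A missing value reads as $null, which is reported as needing a fix.
    $current = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
    $ok = ($current -eq $c.Wanted)
    '{0,-25} {1} (current={2}, wanted={3})' -f $c.Name, $(if ($ok) { 'OK' } else { 'FIX' }), $current, $c.Wanted

    if (-not $ok -and $Apply) {
        if ($c.Name -eq 'Hibernation') {
            # powercfg also removes hiberfil.sys, the file that would hold key material
            powercfg.exe /hibernate off
        } else {
            New-Item -Path $c.Path -Force | Out-Null
            Set-ItemProperty -Path $c.Path -Name $c.Value -Value $c.Wanted -Type DWord
        }
    }
}
```

Run it without -Apply first to see which settings differ from the recommendation; a reboot is needed before the crash-dump change takes effect.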

Administrators can choose whether encrypted files should be accessible when Windows is locked. Level two protection allows access for one minute after the Windows lock screen appears, after which the decryption keys are discarded. While OneDrive is not obligatory for using Personal Data Encryption, ensuring backups are in place is crucial in case of key loss.

Unlike EFS, Personal Data Encryption does not provide a user interface within File Explorer. Instead, it is controlled through APIs utilized by applications. The built-in Mail app is among the first applications to leverage Personal Data Encryption, allowing for the encryption of both email messages and attachments.

Personal Data Encryption as a Complement to BitLocker

Personal Data Encryption is designed to complement, not replace, BitLocker. Organizations can use Personal Data Encryption APIs to restrict file access to specific employees on managed devices joined to Azure AD. This approach ensures compliance with organizational policies and prevents unauthorized individuals from encrypting files and potentially hiding sensitive data.

If a user wishes to decrypt a Personal Data Encryption-protected file manually, they can do so through File Explorer by following these steps:

  1. Right-click on the file.
  2. Select Properties.
  3. Click the Advanced button on the General tab, where EFS encryption is also applied.
  4. Deselect the "Encrypt contents to secure data" option.

It is important to note that once a file has been decrypted, it cannot be encrypted again using the same method. This can only be done through an application.


If a large number of encrypted files need to be decrypted, the CIPHER command can be used to decrypt multiple files within a folder. However, this can only be done when logged in with Windows Hello for Business and with the necessary access. This is not a security flaw: a user who already has access to the files could simply copy their contents anyway.
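As an added example, not from the article, a PowerShell script that lists the files under a folder carrying the NTFS Encrypted attribute (set for both EFS- and Personal Data Encryption-protected files, as the shared Properties dialog above suggests) and, with an assumed -Decrypt switch, runs cipher.exe /D over the folder and re-checks the result; as the article notes, it only succeeds in a Windows Hello for Business session that has access to the files:

```powershell
# Added example (not from the article): inventory files carrying the NTFS Encrypted
# attribute under a folder, then decrypt them in bulk with cipher.exe /D as the
# article describes. -Folder and -Decrypt are assumed parameter names.
param(
    [Parameter(Mandatory)][string]$Folder,
    [switch]$Decrypt                 # without it the script only reports
)

function Get-EncryptedFiles {
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0 }
}

$before = @(Get-EncryptedFiles -Path $Folder)
Write-Host ('{0} encrypted file(s) under {1}' -f $before.Count, $Folder)
$before | ForEach-Object { Write-Host "  $($_.FullName)" }

if ($Decrypt -and $before.Count -gt 0) {
    # /D decrypt, /S:<dir> recurse into subdirectories, /A act on files as well as directories
    & cipher.exe /D /A "/S:$Folder"

    # Anything still marked Encrypted was not readable in this session (no access,
    # or not signed in with Windows Hello for Business), which is expected behaviour.
    $after = @(Get-EncryptedFiles -Path $Folder)
    if ($after.Count -eq 0) {
        Write-Host 'All files decrypted; re-encryption now requires the owning application.'
    } else {
        Write-Warning ('{0} file(s) still encrypted:' -f $after.Count)
        $after | ForEach-Object { Write-Warning "  $($_.FullName)" }
    }
}
```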

Although the name "Personal Data Encryption" can be misleading, it refers to the authentication method used with Windows Hello for Business and is not intended for protecting personal files. Instead, it serves as an additional security measure that strengthens Windows' ability to handle sensitive information, especially when more applications adopt this feature.
