How to encrypt Windows 8 Professional Search index files using built-in Encrypted File System
Why would you want to encrypt the directory where Windows 8 keeps its big honkin' Windows.edb file and index files? That directory is where the very handy "Windows Search" function keeps it stuff. And searching around for a bit on Google, I noticed there's little information about whether Windows properly obfuscates all the data inside those files, with nothing definitive out there convincing me that all the issues discussed in this 2009 Thesis have been addressed. But if you have Windows 8 Pro or Windows 8 Enterprise, that also means you have the EFS (Encrypted File System) capability, built-in. So why not use it? Especially if:
- you're considering using the Windows Search Index encrypted files option.
- you're considering using 3rd party Windows Search add-ons that could also add sensitive data to those indices.
- you don't have whole drive encryption, such as Bitlocker or TrueCrypt turned on, perhaps because of possible SSD/Trim issues with encryption, or a desire to allow data de-dupe in backups, etc.
- you've read through this Microsoft TechNet article, and are still convinced you wish to proceed.
This is an intermediate skill-level exercise, intended for home-lab environments. This is not something you should consider on a corporate issued system, which may already have whole disk encryption and power on passwords set.
Setting up EFS for Indices requires admin rights to your Windows 8 operating system. This tip by John Savill at Windows IT Pro was the key to getting this all working.
I'm not claiming that this encryption is absolutely necessary, or that EFS is better than BitLocker. It's not. I wouldn't even say that this procedure is even advisable for most users. I'm merely saying this quick method of turning EFS on that I developed seems to be working well for those normally tricky/untouchable index files. It doesn't seem to slow anything down noticeably, on my admittedly fast SSD based systems, or on my test VMs. And there seems to be no evidence of any side effects on Windows itself, with nary a scary error anywhere. No goofy entries littering the Event Log, for example. So that's why I'm comfortable sharing this procedure.
Note that this is an entirely at-your-own-risk endeavor, with no certainty that Microsoft or I can possibly provide you with any support. Also note that backing up all your data first is entirely your responsibility! Ok, enough already, let's get started.
Step-by-step guide, with a video walk through at the end.
1) Download PsExec
Download PsExec by Mark Russinovich, from SystInternals, extract it to C:\Tools
technet.microsoft.com/en-us/sysinternals/bb897553
2) Use PsExec to Run as the Local System Context in Windows 8
a) press 'Win+X' then select 'Command Prompt (Admin)'
b) type (or paste in) the following command (that launches a second window logged in as a system account)
C:\Tools\psexec -sid cmd.exe
c) close the opened in step a, leaving just the window opened in step b
d) single-click upper-left corner of the window, choose 'Properties'
[caption id="attachment_16012" align="aligncenter" width="658"] single-click upper-left corner of 'cmd.exe' window, choose 'Properties'[/caption]
e) change 'Screen Buffer Size' to Height 999, click 'OK' button
3) Temporarily stop the "Windows Search" service
At the command line opened in Step 2 above, type the following command
net stop WSearch
In a few seconds, Windows may restart this service on it's own. So please proceed to Step 4 promptly.
4) Use Windows 8's built-in EFS (Encrypted File System) functionality to encrypt the folder that contains the indexing files
cd \ProgramData\Microsoft\Search\Data\Applications
CIPHER /E /S:Windows
Scroll back through the small command window, to be sure there were no 'file in use' errors encountered. If there were, just repeat steps 3 and 4 again until you see no errors. Using the up arrow keys to go back in your command history will make this easier.
5) Start the Windows Start Service
Just type
net start WSearch
and hit enter, wait a few seconds, it should complete without any errors.
6) Overwrite all empty space on this volume
if you're extremely patient and wish to be very thorough with ensuring all deleted temp files that could possibly contain only partially obfuscated text are really overwritten, you may wish to run the CIPHER cleanup command
CIPHER /W:Windows
7) Verify it's all working (optional)
On Windows 8, press Win+R, paste in the following line then hit 'Enter'
C:\ProgramData\Microsoft\Search\Data\Applications
and you should see a green folder entitled 'Windows', indicating it's been EFS encrypted. Double-click that folder, and you'll see the files within are also green. And you'll be able to see the size of that Windows.edb index file. You can also press Win+W and type Index then hit enter, to see the status of your Windows Search.
Read more about EFS at www.groovypost.com/howto/windows-8-7-efs-encrypt-files-folders where the article kindly warns you to export that CERT file, should you wish to be able to recover any data inside any encrypted files or folders you work with. The article also demonstrates how easy it is to use EFS right from Windows Explorer, perhaps for your "My Documents" folder.
That's all, your Windows Indexing should continue to work as it always did. But now you'll have just a little more peace of mind, even if you haven't gotten around to encrypting your entire disk quite yet.
This is a TinkerTry exclusive article. As of June 11 2013, you won't find this technique anyplace else. I make no claims to be a Windows security expert, constructive feedback is always welcome!
Video walk through:
Additional Sources:
“Finders Keepers” A Forensic Examination of Windows Desktop Search (Version 3) - James McCulloch Gordon, Feb 2009
www.scribd.com/doc/94223191/A-Forensic-Examination-of-Windows-Desktop-Search-Version-3
Protecting Data by Using EFS to Encrypt Hard Drives
technet.microsoft.com/en-us/library/cc875821.aspx
Indexing and Search: Frequently asked questions, Applies to Windows 8, Windows RT
windows.microsoft.com/en-us/windows-8/search-index-faq
Using Encrypting File System, Nov 03 2005
technet.microsoft.com/en-us/library/bb457116.aspx
How to enable EFS Encryption in Windows 8? - Feb 21 2013
You need to have Windows Professional, non-pro versions won't allow it, see also:
www.differencebetween.info/difference-between-windows-8-pro-and-windows-8-enterprise
About Data Deduplication, Nov 02 2012
msdn.microsoft.com/en-us/library/windows/desktop/hh769303(v=vs.85).aspx
Make Windows Search a Million Times More Useful with These Simple Tweaks, Whitson Gordon, Feb 23 2012
lifehacker.com/5887848/make-windows-search-a-million-times-more-useful-with-these-simple-tweaks