EFS, Encrypting File System
From Provider Wiki
EFS Description
Microsoft Windows XP can encrypt data directly on volumes that use the NTFS file system, using 128- or 256-bit AES symmetric encryption, through the Encrypting File System (EFS). Files are encrypted with algorithms that scramble and encode the data so that it cannot be read without the key. A key pair is randomly generated when you encrypt your first file. This key pair is made up of a private key and a public key, and it is used to encode and decode the encrypted files. Additional users can be designated to access an encrypted file.
You can encrypt files and folders by setting an attribute in the object's Properties dialog box. Because encryption and decryption are transparent to users, organizations that want to use file encryption should publish and enforce clear guidelines about its usage.
Note: two upper-level enterprise versions of Windows Vista will include a disk-encryption program called BitLocker. BitLocker will encrypt the entire system volume, including system and hibernation files. Users can then utilize EFS to protect other volumes or files.
EFS-Specific Guidelines
- Files and folders cannot be encrypted or decrypted on FAT volumes.
- Encrypted files are not accessible from Macintosh clients.
- EFS is configurable through group policy for domain accounts. However, unlike some commercially available security products, EFS does not protect data from unauthorized travel (a user with access to data on a server copying it to a laptop or to removable media).
- It is strongly recommended that users export their certificates and private keys to removable media for secure storage.
- Encrypting files consistently at the folder level minimizes the chance of mistakenly leaving a file unencrypted that should be encrypted. In some cases a file can become decrypted if it is modified. However, adding individual users to access encrypted data is limited to the file level. Adding access to a group is not permitted with EFS.
- Although the NTFS file system supports both compression and encryption, it does not support both on the same object at the same time: you can select only one or the other. A file or folder cannot be both encrypted and compressed. If you encrypt a compressed file or folder, that file or folder will be uncompressed.
EFS in a Domain
Within a Windows forest, users can store encrypted files on remote servers. The remote files must be stored in either network shares or WebDAV folders. To encrypt remote files in a share, the remote server must be trusted for delegation before users can encrypt files on the remote server. This is done via the Active Directory Users and Computers tool. Then, to encrypt a file on the remote server, you need to map a network drive. Remotely encrypting files using a share can only be done in a domain because EFS must use Kerberos delegation to impersonate the user.
It's important to note that EFS only encrypts data when it is stored on the disk. It does not encrypt data during transmission over the network. For that purpose, you can use IPsec. However, if you encrypt a file and then copy or move it to a WebDAV folder, it stays encrypted while in transit.
Note: One change in EFS for Windows XP/2003, as compared to Windows 2000, is that encrypted files can be shared among multiple users. All users who share the encrypted file must have an EFS certificate on the computer on which it’s stored.
The EFS domain recovery agent certificate is stored by default on the first domain controller in the domain. It’s important to remember this if you’re considering demoting the DC or if it is in danger of crashing. You should export the private key to avoid a situation where you are unable to decrypt the files if a user’s account is deleted.
The Data Protection API (DPAPI) protects EFS private keys, along with other private credentials in Windows 2000/XP/2003. If a user changes the domain password over a remote access dialup or VPN connection, the DPAPI master key may not be replicated immediately to all domain controllers. This can cause the user to get an Access Denied message when trying to access local encrypted files after making the password change. You can solve this problem by creating a registry value named ProtectionPolicy in HKLM\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb. Set the value to 1.
Warning: This registry modification will allow the user to access encrypted files after a remote access password change, but it can also expose the user’s account to the threat of attack.
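The registry change above, as an added PowerShell example that is not part of the wiki page. The key path, value name and value 1 are those the page gives; the function names are this example's own, and the value type is assumed to be a DWORD. The read function is intended as the audit side of the warning: anywhere it returns 1, the weakening the warning describes is in effect.

```powershell
# Added example: audit and manage the DPAPI ProtectionPolicy workaround.
# Key path and value are taken from the page; DWORD type is an assumption.
$DpapiKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb'

function Get-DpapiProtectionPolicy {
    # Returns 1 when the workaround is enabled, otherwise the stored value
    # or $null when the value does not exist (the default state).
    $item = Get-ItemProperty -Path $DpapiKey -Name ProtectionPolicy -ErrorAction SilentlyContinue
    if ($item) { return $item.ProtectionPolicy } else { return $null }
}

function Enable-DpapiProtectionPolicy {
    # Requires an elevated (Administrator) session: HKLM is not user-writable.
    if (-not (Test-Path $DpapiKey)) { New-Item -Path $DpapiKey -Force | Out-Null }
    New-ItemProperty -Path $DpapiKey -Name ProtectionPolicy -Value 1 `
        -PropertyType DWord -Force | Out-Null
}

function Disable-DpapiProtectionPolicy {
    # Removes the value again once the password change has replicated,
    # so the exposure the warning describes does not stay in place.
    Remove-ItemProperty -Path $DpapiKey -Name ProtectionPolicy -ErrorAction SilentlyContinue
}

# Usage: report the current state on this machine.
$state = Get-DpapiProtectionPolicy
if ($state -eq 1) {
    Write-Warning "ProtectionPolicy workaround is ENABLED on $env:COMPUTERNAME"
} else {
    Write-Output "ProtectionPolicy workaround is not enabled on $env:COMPUTERNAME"
}
```

Run the report function as a scheduled audit across domain workstations so that machines left with the workaround enabled after a password change are found and reverted.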
When implementing EFS in a domain, by default the Administrator of the first domain controller is the recovery agent. You should create new recovery agent accounts and remove the recovery agent role from the Administrator account. The recovery agent account(s) should be used only for that purpose.
If a computer was previously a standalone system and then joins a domain that uses a CA to issue EFS certificates, you might not be able to open files that were encrypted with a self-signed certificate prior to joining the domain. You can access these files by logging off the domain and logging back onto the local computer.
Caveats for EFS
- Temp files are not encrypted. If your system crashes while you are drafting a sensitive document, the information in the saved temp file is accessible.
- A user only has to have NTFS modify (write) permission to a file to be able to encrypt it. This means that if multiple users have permission to access a file, one of them could encrypt it and make it inaccessible to the others.
- Encrypted files that are moved to a non-NTFS volume will become decrypted.
- Encrypting a folder or file does not protect against deletion or listing files in directories. Use of EFS in combination with NTFS permissions is strongly recommended.
Using EFS
Encrypt a file or folder and its contents with EFS:
- Right-click the file or folder that you want to encrypt, and then click Properties.
- In the Properties dialog box, click Advanced.
- The Advanced Attributes dialog box displays attribute options for compression and encryption. This dialog box also includes archive and indexing attributes.
- Encrypt the file or folder by selecting the "Encrypt contents to secure data" check box, and then click OK.
- Click OK to close the Advanced Attributes dialog box.
- If you are encrypting only a file, you will get a warning dialog box and the (recommended) option to encrypt the entire enclosing folder. If you are encrypting a folder, you will get a Confirm Attribute Changes dialog box.
- You can choose to encrypt only the folder so that all files subsequently moved to the folder or created in this folder will be encrypted. If you want to also encrypt all the contents of this folder, click Apply changes to this folder, subfolders, and files, and then click OK.
Decrypting a file or folder in EFS:
To decrypt a folder, use basically the same process but in reverse order:
- Right-click the file or folder that you want to decrypt, and then click Properties.
- Click Advanced.
- Click to clear the Encrypt contents to secure data check box to decrypt the data.
- Click OK to close the Advanced Attributes dialog box.
- Click OK to close the Properties dialog box.
- If the folder has files in it, the Confirm Attribute Changes dialog box appears. You can choose to decrypt only the folder. However, this will not decrypt any files currently contained in the folder.
- If you want to decrypt all the contents of this folder, click Apply changes to this folder, subfolders, and files, and then click OK.
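A scripted equivalent of the encrypt and decrypt procedures above, as an added PowerShell example that is not part of the wiki page. It uses cipher.exe, which ships with Windows, and the .NET file attribute APIs; the folder path C:\Sensitive and the function names are this example's own. The audit function at the end addresses the folder-level guideline and the temp-file caveat given earlier: it lists files under an encrypted folder that are not themselves encrypted.

```powershell
# Added example: scripted EFS encrypt/decrypt and an audit for unencrypted files.
# Assumed: C:\Sensitive is a folder on an NTFS volume; cipher.exe is on the PATH.
$Folder = 'C:\Sensitive'

function Test-NtfsVolume {
    param([string]$Path)
    # EFS cannot encrypt on FAT volumes, so check the file system first.
    $root  = [System.IO.Path]::GetPathRoot((Resolve-Path $Path).Path)
    $drive = New-Object System.IO.DriveInfo($root)
    return ($drive.DriveFormat -eq 'NTFS')
}

function Protect-EfsFolder {
    param([string]$Path, [switch]$Recurse)
    # Without -Recurse: marks the folder only, so files created or moved in
    # later are encrypted ("Apply changes to this folder only").
    # With -Recurse: also encrypts existing files and subfolders
    # ("Apply changes to this folder, subfolders, and files").
    if (-not (Test-NtfsVolume $Path)) { throw "$Path is not on an NTFS volume" }
    if ($Recurse) { & cipher.exe /e /a /s:"$Path" } else { & cipher.exe /e "$Path" }
}

function Unprotect-EfsFolder {
    param([string]$Path, [switch]$Recurse)
    # Reverse of the above; /d clears the encryption attribute.
    if ($Recurse) { & cipher.exe /d /a /s:"$Path" } else { & cipher.exe /d "$Path" }
}

function Get-UnencryptedFile {
    param([string]$Path)
    # Returns files under $Path that lack the Encrypted attribute, e.g. temp or
    # autosave files an application wrote elsewhere and moved in, or files that
    # lost encryption after a round trip through a non-NTFS volume.
    Get-ChildItem -Path $Path -Recurse -Force | Where-Object {
        (-not $_.PSIsContainer) -and
        (($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne
            [System.IO.FileAttributes]::Encrypted)
    }
}

# Usage: encrypt the folder and everything in it, then verify nothing was missed.
Protect-EfsFolder -Path $Folder -Recurse
$missed = @(Get-UnencryptedFile -Path $Folder)
if ($missed.Count -gt 0) {
    Write-Warning "$($missed.Count) file(s) under $Folder are not encrypted:"
    $missed | ForEach-Object { Write-Warning "  $($_.FullName)" }
} else {
    Write-Output "All files under $Folder carry the Encrypted attribute"
}
```

Running the audit function periodically against folders that are supposed to be encrypted is a cheap way to catch the cases the caveats section describes, since a file's Encrypted attribute is visible without decrypting it.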
How To Back Up Your Certificate
To back up your certificates, follow these steps:
- Start Microsoft Internet Explorer.
- On the Tools menu, click Internet Options.
- On the Content tab, in the Certificates section, click Certificates.
- Click the Personal tab.
- Select the certificate and click Export to start the Certificate Export Wizard, and then click Next.
- Note: There may be several certificates present, depending on whether you have installed certificates for other purposes. Select one certificate at a time until the Certificate Intended Purposes field shows Encrypting File System. This is the certificate that was generated when you encrypted your first folder.
- Click Yes, export the private key to export the private key, and then click Next.
- Click Enable Strong protection, and then click Next.
- Type your password. (You must have a password to protect the private key.)
- Specify the path where you want to save the key. You can save the key to a floppy disk, another location on the hard disk, or a CD. If you save it only to the hard disk and that disk fails or is reformatted, both the key and the backup will be lost. (If you back up the key to a floppy disk or CD, you must store that disk or CD in a secure location.)
- Specify the destination, and then click Next.
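The same backup performed from PowerShell instead of the Internet Explorer wizard, as an added example that is not part of the wiki page. It selects the certificate by the same rule as the note above (intended purpose Encrypting File System, identified here by the EFS enhanced key usage OID 1.3.6.1.4.1.311.10.3.4) and exports it with its private key to a password-protected PFX file. The output path E:\efs-backup.pfx and the function names are this example's own.

```powershell
# Added example: locate the user's EFS certificate and export it with its
# private key to a password-protected .pfx (certificate + key backup).
# Assumed output path: E:\efs-backup.pfx (removable media, per the guideline).
$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'   # "Encrypting File System" enhanced key usage

function Get-EfsCertificate {
    # Same selection rule as the wizard note: the certificate whose intended
    # purpose is Encrypting File System, and which has a private key to export.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $cert = $_
        $ekus = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            Where-Object { $_.Value -eq $EfsEkuOid }
        $cert.HasPrivateKey -and ($ekus -ne $null)
    }
}

function Export-EfsCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$OutFile,
        [System.Security.SecureString]$Password
    )
    # PFX content type bundles the certificate and private key, protected by
    # the password (the wizard's "Yes, export the private key" plus password steps).
    $bytes = $Certificate.Export(
        [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $Password)
    [System.IO.File]::WriteAllBytes($OutFile, $bytes)
    return (Get-Item $OutFile)
}

# Usage: export the first EFS certificate found to removable media.
$certs = @(Get-EfsCertificate)
if ($certs.Count -eq 0) {
    throw 'No EFS certificate found; encrypt a file first to generate one.'
}
Write-Output ("Exporting EFS certificate, thumbprint " + $certs[0].Thumbprint)
$pw = Read-Host -AsSecureString 'Password to protect the exported private key'
Export-EfsCertificate -Certificate $certs[0] -OutFile 'E:\efs-backup.pfx' -Password $pw
```

If more than one EFS certificate is returned (for example after a CA-issued certificate replaced a self-signed one), export each of them: files encrypted under the older certificate can only be recovered with that certificate's private key. On later Windows versions cipher.exe also has an /x switch that writes the same kind of backup.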
Links
Microsoft's Encrypting File System (EFS) Support Article page.
