70-270 Windows XP TechNotes
Encrypted File System (EFS)

Index

- Encrypted File System (EFS)
- Enabling EFS
- Recovery Agents
- Cipher.exe

Encrypted File System (EFS)

One of the best new features of NTFS 5 (introduced with Windows 2000) is the Encrypted File System (EFS). EFS provides transparent data encryption for files and folders on disk. Transparent means that the user is not required to manually encrypt and decrypt files. When EFS is enabled for a folder, and a file is written or read, the process of encryption and decryption occurs automatically.

EFS uses a combination of symmetric and asymmetric encryption. Data is divided into blocks, which are encrypted using symmetric encryption keys. These keys are stored in a list that is encrypted with the user’s public key (X.509v3 certificate). When a user opens an encrypted file, the user’s private key is used to decrypt the list of symmetric keys, which in turn are used to decrypt the file.

Enabling EFS

You can enable EFS for a file or folder by using Windows Explorer. Right-click the folder or file, select Properties, click the Advanced button on the General tab, and enable the option Encrypt contents to secure data.

As you can see in the screenshot above, the option to encrypt the contents is located in the Compress or Encrypt attributes section. Note the word “or”: you cannot enable both compression and encryption for the same file or folder. If you enable the option Compress contents to save disk space, the option Encrypt contents to secure data is disabled automatically.
If you enable encryption for a folder and want all the files and subfolders in it to inherit the setting, choose Apply changes to this folder, subfolders and files after you click OK or Apply on the General tab of the folder’s properties sheet. New files created in a folder with the encryption attribute enabled are encrypted automatically.

By default, encrypted files and folders can be accessed only by the user who encrypted them. In Windows 2000 this means you cannot share EFS-encrypted files and folders with other users; in Windows XP, however, you can share encrypted files (not folders) with other users. To do this, click the Details button next to the Encrypt contents to secure data option on the Advanced Attributes dialog box, and add the users you want to allow access.



When you rename, move, or copy an encrypted file, the file will remain encrypted, even if you move or copy it to an unencrypted folder or a network share. Encrypted files stored on backup media will remain encrypted, but will have to be restored to an NTFS volume to be decrypted and accessed.


Recovery Agents 

If a user loses his private key, or the entire user account is lost, you can access and decrypt the files by logging on as a Recovery Agent. On a Windows XP computer that is a member of a domain, the default Recovery Agent is the Domain Administrator account. On a stand-alone Windows XP computer, no default Recovery Agent is designated.

The group policy setting Encrypted Data Recovery Agent can be configured to specify additional user accounts that can act as recovery agents. This setting can be used in multiple policies, allowing you to specify different recovery agents per domain, OU, or computer. For this policy to work, you need to install Certificate Services on a Windows 2000/2003 server. On a stand-alone Windows XP computer, EFS creates a self-signed certificate for recovery agents.

Another purpose of this policy setting is disabling EFS. By default, the administrator accounts mentioned earlier are the Recovery Agents. If you enable the Encrypted Data Recovery Agent policy setting, but do not specify an account, EFS will not work.
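The key hierarchy described in the EFS and Recovery Agents sections, modelled in an added example (not Windows code): one random file key encrypts the data, and a wrapped copy of that key is stored for each authorized user and for each recovery agent (EFS calls these lists the DDF and DRF). Textbook RSA over fixed Mersenne primes and a SHA-256 counter-mode keystream stand in for the real certificate key pair and file cipher; the names alice, bob and agent are constructed.

```python
import hashlib
import secrets
E = 65537  # RSA public exponent

def rsa_keypair(p, q):
    """Textbook RSA from two known primes: stands in for the X.509 key pair (not secure)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (E, n), (pow(E, -1, phi), n)

def rsa_wrap(pub, key):
    """Encrypt the 16-byte file key with a public key (one DDF or DRF entry)."""
    e, n = pub
    return pow(int.from_bytes(key, "big"), e, n)

def rsa_unwrap(priv, wrapped):
    d, n = priv
    return pow(wrapped, d, n).to_bytes(16, "big")

def stream_xor(key, data):
    """SHA-256 in counter mode: a stand-in for the symmetric cipher EFS applies to the data."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def efs_encrypt(plaintext, user_pubs, agent_pubs):
    """One random file key; a wrapped copy per authorized user (DDF) and per recovery agent (DRF)."""
    fek = secrets.token_bytes(16)
    return {"data": stream_xor(fek, plaintext),
            "ddf": {u: rsa_wrap(pk, fek) for u, pk in user_pubs.items()},
            "drf": {a: rsa_wrap(pk, fek) for a, pk in agent_pubs.items()}}

def efs_decrypt(blob, name, priv):
    """Whoever holds a wrapped copy, user or recovery agent, recovers the same file key."""
    entries = {**blob["ddf"], **blob["drf"]}
    if name not in entries:
        raise PermissionError(f"{name} holds no wrapped copy of the file key")
    return stream_xor(rsa_unwrap(priv, entries[name]), blob["data"])

# Mersenne primes give moduli above 2**128 so a 16-byte key fits (constructed key material).
ALICE_PUB, ALICE_PRIV = rsa_keypair(2**61 - 1, 2**89 - 1)
BOB_PUB, BOB_PRIV = rsa_keypair(2**107 - 1, 2**31 - 1)
AGENT_PUB, AGENT_PRIV = rsa_keypair(2**127 - 1, 2**19 - 1)

def demo():
    """Alice shares the file with Bob (XP-style); the agent can still open it if Alice's key is lost."""
    blob = efs_encrypt(b"payroll Q4", {"alice": ALICE_PUB, "bob": BOB_PUB}, {"agent": AGENT_PUB})
    return tuple(efs_decrypt(blob, who, key) for who, key in
                 [("alice", ALICE_PRIV), ("bob", BOB_PRIV), ("agent", AGENT_PRIV)])
```

A user who was never added to the DDF, and who is not a recovery agent, gets a PermissionError: no entry exists that their private key could unwrap.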

Cipher.exe

The cipher.exe utility allows you to encrypt and decrypt files from the command line, in addition to displaying the encryption state and several other functions related to EFS. Below are some of the most important parameters for the cipher command. Without parameters, the cipher command displays the encryption state of the current folder and the files in it.

/e Encrypts the current or specified folder and the folders in it. Use the /s parameter if you want to include all subfolders and use the /a parameter if you want to encrypt files as well.

/d Decrypts the current or specified folder and the folders in it. Use the /s parameter if you want to include all subfolders and use the /a parameter if you want to decrypt files as well.

Encrypting files that previously existed in plaintext may leave parts of the unencrypted data in deallocated space on the disk. You can run cipher /w:folder to permanently overwrite all the deleted data on the volume that holds the folder.

A new option added in Service Pack 2 for Windows XP is the /x parameter, which allows a user to back up the EFS certificate and private key to a file. For a complete list of the available parameters, run cipher /?.
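An audit check built on the state listing cipher prints, added here as an example (not part of the original notes): it parses a listing and reports files still stored unencrypted inside folders that carry the encryption attribute, the situation that arises when existing files are not converted after the folder is marked. The sample output is constructed, and the line shapes (a " Listing <folder>" header, a "New files added ..." attribute line, then "E name"/"U name" entries) are an assumption about the utility's format.

```python
import re

# Constructed sample of what `cipher /s:C:\Secret` is assumed to print (not captured output).
CIPHER_OUTPUT = """\
 Listing C:\\Secret\\
 New files added to this directory will be encrypted.

E budget.xls
U todo.txt

 Listing C:\\Secret\\Archive\\
 New files added to this directory will not be encrypted.

U old.doc
"""

LISTING = re.compile(r"^\s*Listing (.+?)\s*$")
ATTR = re.compile(r"^\s*New files added to this directory will (not )?be encrypted\.")
ENTRY = re.compile(r"^\s*([EU]) (.+)$")  # E = encrypted, U = unencrypted

def parse_cipher(output):
    """Map each listed folder to its encryption attribute and the state of each file."""
    folders, current = {}, None
    for line in output.splitlines():
        m = LISTING.match(line)
        if m:
            current = m.group(1)
            folders[current] = {"encrypt_new": None, "files": {}}
            continue
        m = ATTR.match(line)
        if m and current:
            folders[current]["encrypt_new"] = m.group(1) is None
            continue
        m = ENTRY.match(line)
        if m and current:
            folders[current]["files"][m.group(2)] = m.group(1)
    return folders

def plaintext_in_encrypted_folders(output):
    """Full paths of unencrypted files sitting in folders whose attribute encrypts new files."""
    return [folder + name
            for folder, info in parse_cipher(output).items() if info["encrypt_new"]
            for name, state in info["files"].items() if state == "U"]
```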

Current related exam objectives for the 70-270 exam:

Configuring, Managing, and Troubleshooting Security

- Configure, manage, and troubleshoot Encrypting File System (EFS).


TechExams.Net
Date: Monday, December 16, 2004
Author: Johan Hiemstra
MCSE NT4 MCSA 2000/2003
CCNA CCDA CNA Security+ CWNA