The Encrypting File System ( EFS ) available in Windows 2000 lets
you encrypt files or folders using public key cryptography. There are obvious
advantages to using it on laptops with sensitive data. If the laptop were
stolen, and there are theft rings in airports targeting these highly expensive
and portable items, then its hoped that the EFS would prevent your privacy from
- EFS is a feature of NTFSv5 and only works with Windows 2000.
- You cannot encrypt system files or folders, that is, systemroot
- You cannot encrypt compressed files and folders until they are decompressed,
its an either or situation.
- Some apps create temporary files within the folder you are working, others
use the TEMP folder. If you are using EFS, its best to encrypt the TEMP folder
to protect temporary working files.
- Copying a file into an encrypted folder results in the file being encrypted
(the folder’s attribute).
- Moving a file into an encrypted folder leaves the file ASIS, plaintext or
The difference in copying and moving are due to
the different operations. Copying a file requires the creation of a new file
being created in the encrypted folder. Since the folder has the encrypted
attribute, the new file is encrypted. Moving a file does not involve the actual
contents. The operating system simply creates a new entry in the folders
directory table and removes the old entry from the directory folder it had been
in. Copying involves creating a new file and creating a new entry in the
directory table of the folder. Moving only involves creating a new directory
entry and deleting the old directory entry.
- Moving or copying EFS files to another file system removes the encryption.
NTFSv5 is the only file system that supports EFS. Move or copy the
file to FAT, NTFSv4, or FAT32 and the file is converted to plaintext.
- Backing up an encrypted file or folder will maintain the contents in their
original encrypted form.
The restored files can be
successfully opened if you use the Certificate Export wizard and the Certificate
Import wizard to transfer your certificate and private key to your user profile
on the new computer.
- Change the name of an encrypted file or folder. No effect on nature of
contents. Stays ASIS. Only directory entry changed.
- EFS protects from unauthorized access but does not prevent, for example, an
administrator or user of group with delete access from deleting the file/folder.
EFS would prevent decryption of file/folder if the PC were booted using another
- EFS files accessed remotely will be decrypted by the OS and transmitted
across the network in plaintext.
- EFS files are transparently decrypted when access by authorized personnel
and held in system cache and are potentially recoverable from the system cache
if it is not cleared at shutdown.
- Do not encrypt files when logged in as local administrator. EFS recovery is
compromised since the creator and the recovery agent are the same account. This
does not apply if you have changed the default recovery agent.
The public keys of the user of EFS and the key recovery agent are used to
encrypt the data. The default data recovery agent is the built in administrator
account. There are far too many methods to gain access to this account if one
has physical access to the box. See Recover Lost
Windows NT Administrator Password which is my Windows NT tip but this stuff
works under Windows 2000, as most things do. Anyone possessing the Administrator
account password can also decrypt files.
You need to backup the encryption certificates and export them. If you don’t
remove them, you have no real security and you are in danger of lossing access
to encrypted files should your HD fail.
- Click Start
- Click Control Panel
- Double-click Administrative Tools
- Double-click Local Security Policy
- Click Public Key Policies
- Click Encrypted Data Recovery Agents
- Right-click on the certificate listed there.
Normally there is only one,
issued by and to Administrator, with the Intended Purposes column reading File
- Select All Task
- Select Export
- Click Next which starts the Certificate Export Wizard
- Select Yes to export the private key
- Click Next
- Under Personal Information Exchange for security
purposes you will want to select Delete the private key if the
export is successful
- Click Next
- Choose a password to protect the private key. Click Next
- Choose a file to export the certificate to
for max security, save to a
floppy and store it securely
- Click Next
- Click Finish to export the certificate
Organizations need policies to insure that EFS is used properly and safely.
Microsoft has written the following:
Step-by-Step Guide to Encrypting File System
Best Practices for Encrypting File System
Encrypting File System for Windows 2000
Analysis of Reported Vulnerability in the Windows 2000 Encrypting
File System (EFS)
How to Back Up Your Encrypting File System Private Key
How to Restore an Encrypting File System Private Key for Encrypted
Methods for Recovering Encrypted Data Files
5-Minute Security Advisor – Recovering Encrypted Data Using EFS
Related EFS links:
- SAN’s The
Encrypting File System: How Secure is It?
Wright’s The Encrypting File System: How Secure is It?
- Roberta Bragg’s Hardening EFS
- Determine whether Syskey
has been applied to a system
administrator keys to recover files should the user lose his/her keys,
unfortunately the local admin keys are also stored in his profile located on the
hard drive. If the HD fails or is reformatted, or if Windows is reinstalled,
these keys will also be lost. Additionally, for XP users : Windows XP
Professional does not make the local Administrator account the data recovery
agent! If the user’s keys are corrupt or lost in a standalone workstation, you
are out of luck. Well, maybe NOT. Elcomsoft has created Advanced EFS Data Recovery to decrypt
files encrypted on NTFS partitions in Windows 2000. Files can be decrypted even
in a case when the system is not bootable and so you cannot log on, and/or some
encryption keys have been tampered. Besides,they say decryption is possible even
when Windows is protected using SYSKEY.
If W2K or XP are joined to a W2K domain, the domain admins are recovery
agents making EFS less vulnerable to hardware failures.
For the commandline oriented, there is the cipher
command. Encryption is performed with the /e switch. Used alone, the /e switch
instructs Windows 2000 to encrypt an entire folder. For example, to encrypt a
folder named folder1, you’d type the following command:
cipher /e myfolder1
Any files that you later add to myfolder1 will automatically be
To encrypt an individual file, the /a switch must also be used. So to encrypt
a file named mydocument.txt, you’d enter the command:
cipher /e /a document.txt
Decryption from the command prompt is handled the same way, except
that the /d switch replaces /e. You can get a list of all files and folders and
their current encryption state simply by running cipher without any parameters.
Microsoft has recently upgraded cipher to support the security function of
overwriting deallocated data. Have you deleted a file and want to be sure it can
not be recovered. Use ciper.exe.
You can also get the complete list of supported options using the following
For more info on cipher, read Cipher.exe Security Tool for the Encrypting File System.
Mark Russinovich at www.sysinternals.com has released the freeware utility EFSDump for
Windows 2000 which displays what accounts are authorized to access encrypted
Windows 2000 introduces the Encrypting File System
(EFS) so that users can protect their sensitive data. Several new APIs make
their debut to support this factility, including one – QueryUsersOnEncryptedFile
– that lets you see who has access to encrypted files. This applet uses the API
to show you what accounts are authorized to access encrypted files. Full source
code is included.