EFS

From BNL Physics Computing

Using EFS with Windows XP/2000

(Wayne Betts, last update July 3, 2007)

Windows XP and Windows 2000 include a feature to encrypt individual folders and files on NTFS filesystems. This encryption is reasonably strong and fairly easy to use, but it does call for some precautionary steps in order to prevent data loss in some circumstances. Before relying on EFS, you should make a backup copy of the certificate (and its private key) that EFS uses to encrypt and decrypt your files. (NB. You won’t have a certificate until the first time you use NTFS encryption, so you’ll have to choose to encrypt something (such as a new empty folder) and then you can export your certificate to removable media that you will safely store away for emergency use.) How to create backup credentials is covered below under "Backing up (exporting) your certificates/keys".


You should be aware that you might not be the only person who can decrypt your EFS content. (In fact, it is typically a requirement for encryption used on government computers that law enforcement personnel have a back door to gain access to encrypted content.) In some cases, there is an administrator account that is designated as a “default recovery agent” that will also be able to decrypt your EFS content. The circumstances that determine whether or not there is a default recovery agent are a bit complicated, depending on whether you have Windows XP or 2000, whether or not your computer is a member of a domain, and if so, the domain’s policies. Knowing if there is a recovery agent is a good thing for two reasons:

1. You know if someone else has access to your encrypted files that you’d rather not, and

2. you know if someone else has access to your encrypted files that you desperately need but can’t decrypt yourself for some reason!

Unfortunately, as of this writing, this author does not know, in general, how to definitively determine whether there is a recovery agent, but the BNL domain does NOT have a default recovery agent, so users should be especially cautious to (securely) back up their private keys and have a recovery plan (details of which are given below under “Backing up (exporting) your certificates/keys”).

Something to keep in mind: in Windows XP, if a local user’s password is reset by a local administrator, then that user will lose access to his encrypted files (unless he has previously exported his key and can re-import it). This does not happen in Windows 2000. One consequence of this is that a Windows 2000 administrator can gain access to a local user’s encrypted files by simply changing the user’s password. (Of course the local user is likely to notice if he can’t login, but that too can often be skirted with a little deceit on the administrator’s part.)

Technical digression: If you are using EFS to comply with a government mandate for encryption, then you are probably also required to use FIPS-compliant algorithms for the encryption. If you are an administrator, you can enable FIPS compliance in Policy Settings. For instance, in Local Security Settings, there is a policy named “System cryptography: Use FIPS compliant algorithms for encryption, hashing and signing,” which you should enable. By default, this is “Disabled”. Unfortunately, enabling FIPS compliance may break access to many secure (https) websites that use web servers without FIPS-compliant algorithms. (For instance, SSL2 and SSL3 are quite common, but are not FIPS-compliant, while TLS 1.0 is FIPS-compliant, but is not as widely supported). This seems to be a bit of a conundrum, for which I can offer no simple solution.

With all this in mind, perhaps you’re rethinking using EFS, since it may not actually meet all your requirements. But with all that said, at least it is awfully easy to use, which you’re about to see in the next section.

Your first encrypted folder

(The following instructions assume you have Windows XP. If you have Windows 2000, it will probably be similar, but I haven’t tested it.) Let’s say you’ve chosen EFS as your encryption solution, for whatever reason. Let’s start with a fresh new folder, in which you will place all files that you want encrypted:

1. In Windows Explorer, navigate to your “My Documents” folder. Create a new folder in there and call it something like “My Encrypted Stuff”. (If you are particularly paranoid, don’t give it a name that makes it obvious it is encrypted.)

2. Right-click on the “My Encrypted Stuff” folder and select “Properties” from the menu.

3. Under the General tab, click on the “Advanced” button and you should see a box like this:

Image:Advanced attributes.png

4. Obviously enough, go ahead and click on the checkbox next to “Encrypt contents to secure data”. (NB. You cannot choose to simultaneously encrypt and compress a folder.)

5. Click OK. Then click OK in the parent window and that’s it really. You now have an encrypted folder. Any files or sub-folders that you create or put into this folder will be encrypted.

Now you’ll probably agree that creating an encrypted folder (or encrypting an existing folder) is a trivial affair. But it does bring with it some additional concerns and considerations. As already mentioned, there might be other individuals who could, at least in principle, access your encrypted folder. But for now, we’ll assume there is no other such person, or you trust everyone who might have such access (a woefully naïve assumption, really, but one that most people will make). Still, there is a lot going on in the background that Windows effectively hides from you that you really should be aware of to protect yourself from irrecoverable data loss scenarios.

Imagine that your disk drive crashes or Windows becomes corrupted and your computer is no longer bootable. Your files might be perfectly intact and recoverable, but the encryption keys are gone, and with them goes any hope of recovering your encrypted folder(s). Or, somewhat less dramatically, if you forget your password and an administrator resets it for you, poof, you just lost access. To help mitigate circumstances like this, you are strongly encouraged to export your certificate, including your private key (which you will password protect, though then you have to remember the password at the critical time!), to a nice safe place. Then there is hope of importing your saved certificate/keys and gaining access to your encrypted files, without seeking out a “recovery agent” (which, you may recall from above, may or may not exist…).

Backing up (exporting) your certificates/keys

To save an emergency copy of your certificate, do the following:

1. Open the “Internet Options” icon from the Control Panel. (Alternatively, open Internet Explorer, go to the Tools Menu and select “Internet Options”.) Then select the “Content” tab:

Image:Internet_Properties.png

2. Click on the “Certificates” button near the middle and click on the available certificates in the “Personal” tab, until you find the one whose “intended purpose” is “Encrypting File System”:

Image:Certificates.png

3. Click on the “Export…” button and the “Certificate Export Wizard” appears. Read the description, then click on "Next".

4. Select “Yes, export the private key”:

Image:Certificate_Export_Wizard.png

5. Click on Next and then, on the “Export File Format” window, select “Personal Information Exchange – PKCS #12 (.pfx)” and “Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above)”:

Image:Certificate_Export_Wizard_2.png

6. Click on Next and then enter a password for your private key. If you forget this password, then this backup won’t help you a bit, so be sure you will remember it when the need arises:

Image:Certificate_Export_Wizard_3.png

7. Click on Next and choose a location for the backup file (using the Browse feature is recommended to select a location, then select a reasonable file name). Don't put your backup certificate into an encrypted folder, since that would defeat the whole purpose of this exercise:

Image:Certificate_Export_Wizard_4.png

8. Click Next one more time, and you’ll see the final screen ("Completing the Certificate Export Wizard"). Click on Finish, and lo and behold, you’re finished. (You should get a small pop-up window that says “The export was successful.” Click on OK.)

9. Well, you’re not really finished. You want to be darn sure you store this someplace safe and secure, and also verify it periodically to make sure it is still intact. There’s nothing worse than going to your backup in a crisis and finding it has failed also!

If you find yourself in a circumstance in which you need this certificate, you can import it by going to "Internet Properties -> Certificates" and use the "Import" button.
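The two procedures above (encrypting a folder, and exporting and then verifying the EFS certificate) can also be scripted. The following is an added example, not part of the original page: it assumes Windows PowerShell on an NTFS volume, uses the standard cipher.exe switches and the standard EFS Enhanced Key Usage OID, and the function and parameter names are my own.

```powershell
# Added example (not from the original page). Assumes Windows PowerShell on NTFS;
# cipher.exe switches and the EFS EKU OID are standard, function names are mine.

function New-EfsFolder {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    $item = Get-Item $Path
    # EFS and NTFS compression are mutually exclusive (the NB in step 4 above).
    if ($item.Attributes -band [IO.FileAttributes]::Compressed) {
        throw "$Path is compressed; remove compression before encrypting it."
    }
    & cipher.exe /E /S:"$Path" | Out-Null   # same as ticking "Encrypt contents to secure data"
    $item.Refresh()
    if (-not ($item.Attributes -band [IO.FileAttributes]::Encrypted)) {
        throw "Encrypted attribute was not set on $Path"
    }
    $item
}

function Get-EfsCertificate {
    # EFS certificates carry the Enhanced Key Usage OID 1.3.6.1.4.1.311.10.3.4
    # ("Encrypting File System"), the "intended purpose" shown in step 2 above.
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.4.1.311.10.3.4' }) } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
}

function Test-EfsBackup {
    # Step 9: re-open the PFX and confirm it still holds the expected private key.
    param([string]$PfxPath, [securestring]$Password, [string]$Thumbprint)
    $pfx = New-Object Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $Password)
    return ($pfx.HasPrivateKey -and $pfx.Thumbprint -eq $Thumbprint)
}

function Backup-EfsCertificate {
    param([Parameter(Mandatory)][string]$PfxPath, [Parameter(Mandatory)][securestring]$Password)
    $dir = Split-Path -Parent $PfxPath; if (-not $dir) { $dir = '.' }
    # Step 7: a backup stored inside an encrypted folder is useless once the key is lost.
    if ((Get-Item $dir).Attributes -band [IO.FileAttributes]::Encrypted) {
        throw "$dir is itself EFS-encrypted; write the backup to removable media instead."
    }
    $cert = Get-EfsCertificate
    if (-not $cert) { throw 'No EFS certificate yet: encrypt a folder first (see above).' }
    # Steps 4-6: PKCS #12 including the private key, protected by the supplied password.
    $bytes = $cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $Password)
    [IO.File]::WriteAllBytes($PfxPath, $bytes)
    if (-not (Test-EfsBackup $PfxPath $Password $cert.Thumbprint)) { throw 'Backup failed verification.' }
    Get-Item $PfxPath
}
```

Run Test-EfsBackup on its own against the stored PFX whenever you periodically check the backup; the PFX can be imported later through the same Certificates dialog as described above.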

In addition to disaster recovery, this can also be helpful if you wish to transfer encrypted content from one machine to another. By exporting your key on the source machine and importing it on the destination, you can transfer the files without them ever being decrypted during the transfer (keeping in mind though that EFS only works on NTFS filesystems – if you move encrypted content to a non-NTFS filesystem, the encryption will be removed). You might also want to be able to share encrypted files with other users. This is possible with Windows XP – though it is only possible for individual encrypted files, not encrypted folders. It requires them to also generate a certificate on the system (by encrypting something of their own, even if it is just an empty directory). Then you can go into the “Details” dialog of the file’s Properties -> Advanced window (the first image in this document) and allow other users to have access.