Encrypting File System Tools and Settings

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

In this section

  • Encrypting File System Tools

  • Encrypting File System Registry Entries

  • Encrypting File System Group Policy Settings

  • Related Information

Encrypting File System Tools

The following tools are associated with Encrypting File System.

Cipher.exe: Cipher

Category

Cipher is an operating system command-line tool.

Version compatibility

This tool is compatible with Windows 2000, Windows XP, Windows Server 2003.

Allows a user or administrator to display or alter the encryption of files. In addition to encrypting or decrypting a file or folder, Cipher can be used to update the file encryption keys or the keys of the data recovery agent (DRA) should there be a change in the data recovery policy.

When used with the /w switch, Cipher can also overwrite the portions of the volume it can access that have not been allocated to files or directories. It does not erase data that sits in allocated space, so plaintext that was written to a file before it was encrypted is not removed by /w. Cipher does not lock the volume, so other programs can allocate space while it runs, and that space is not erased. Because the /w option writes to a large portion of the volume, it can take a long time to complete and should only be used when necessary.
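The following PowerShell script is an added example and is not part of the original page. It drives Cipher.exe to encrypt a folder tree, verifies the result from the NTFS Encrypted attribute rather than from console output, and optionally wipes the free space on the same volume with /w. The folder path is an assumption; it must be on an NTFS volume.

```powershell
# Added example (not from the original page). Encrypt a folder with Cipher.exe,
# verify the outcome, and optionally wipe unallocated space on its volume.

function Protect-EfsFolder {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,   # assumed: any folder on an NTFS volume
        [switch] $WipeFreeSpace
    )

    # /e encrypts, /s:dir recurses, /a operates on files as well as directories.
    # Without /a only the directories are marked and the existing files stay plaintext.
    & cipher.exe /e "/s:$Path" /a | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "cipher /e failed (exit code $LASTEXITCODE)" }

    # Check the Encrypted attribute on every file instead of trusting the tool's output.
    $plaintext = Get-ChildItem -LiteralPath $Path -Recurse -Force |
        Where-Object { -not $_.PSIsContainer } |
        Where-Object { ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -eq 0 }

    if ($WipeFreeSpace) {
        # /w:dir overwrites unallocated space on the volume that holds $Path.
        # It does not lock the volume, it leaves allocated space untouched, and it
        # can run for a long time, so schedule it rather than running it ad hoc.
        $volumeRoot = [System.IO.Path]::GetPathRoot((Resolve-Path -LiteralPath $Path).Path)
        & cipher.exe "/w:$volumeRoot" | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "cipher /w exited with code $LASTEXITCODE" }
    }

    # Return the full names of any files that are still plaintext.
    return @($plaintext | Select-Object -ExpandProperty FullName)
}

# Usage (assumed path).
$leftover = Protect-EfsFolder -Path 'D:\Finance\Payroll'
if ($leftover.Count -gt 0) {
    Write-Warning ("Still plaintext: " + ($leftover -join ', '))
}
```

The attribute check matters because a file that fails to encrypt (for example, a file that is open, or one marked System) is reported in Cipher's scrolling output and easily missed; the returned list makes the failures actionable.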

For more information about Cipher, see “Command-Line References” in the Tools and Settings Collection.

Efsinfo.exe: Encrypting File System Information

Category

Encrypting File System Information is a Windows Server 2003 command-line tool.

Version compatibility

This tool is compatible with Windows 2000, Windows XP, Windows Server 2003.

Encrypting File System Information displays information about files and folders encrypted with Encrypting File System (EFS) on partitions that use the NTFS file system. Options include displaying encryption information about the files and folders in the current folder, recovery agent information, and certificate thumbprint information.

For more information about EFSinfo, see “Command-Line References” in the Tools and Settings Collection.

Xcopy.exe: Xcopy

Category

Xcopy is a command line tool that ships with Windows Server 2003 and Windows XP Professional.

Version compatibility

This tool is compatible with Windows 2000, Windows XP Professional, Windows Server 2003.

Encrypted files are copied from Web folders in the same way that plaintext files are copied from file shares. The Copy and Xcopy commands do not require any special parameters. The file is transmitted in ciphertext and remains encrypted on the local computer if the destination can store an encrypted file, that is, if it is an NTFS volume on which EFS is enabled. The encryption status for files copied from Web folders is the same as for files copied locally.
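The script below is an added example, not code from the original page. It copies a tree with Xcopy and then compares the Encrypted attribute of every encrypted source file with its copy, so a copy that silently landed in plaintext is reported. Xcopy's /G switch, which permits writing an encrypted file in plaintext to a destination that cannot store ciphertext, is exposed as an opt-in parameter; without /G, Xcopy refuses such files rather than decrypting them. Source and destination paths are assumptions.

```powershell
# Added example (not from the original page). Copy an EFS-protected tree with
# xcopy.exe and report every file whose Encrypted attribute did not survive.

function Copy-EfsTree {
    param(
        [Parameter(Mandatory = $true)] [string] $Source,        # assumed local NTFS folder
        [Parameter(Mandatory = $true)] [string] $Destination,   # assumed folder or share
        # /G lets an encrypted file be written in plaintext to a destination that
        # cannot hold ciphertext (FAT volume, share without EFS support). Off by
        # default: without /G, xcopy fails those files instead of decrypting them.
        [switch] $AllowPlaintextCopy
    )

    $Source = (Resolve-Path -LiteralPath $Source).Path.TrimEnd('\')

    # /E copies subdirectories including empty ones, /I treats the target as a
    # directory, /K keeps attributes, /H includes hidden and system files,
    # /Y suppresses overwrite prompts.
    $xcopyArgs = @($Source, $Destination, '/E', '/I', '/K', '/H', '/Y')
    if ($AllowPlaintextCopy) { $xcopyArgs += '/G' }
    & xcopy.exe @xcopyArgs | Out-Null
    $exitCode = $LASTEXITCODE

    # Compare the NTFS Encrypted attribute of each encrypted source file with its copy.
    $decrypted = @(); $missing = @()
    Get-ChildItem -LiteralPath $Source -Recurse -Force |
        Where-Object { -not $_.PSIsContainer } |
        Where-Object { ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0 } |
        ForEach-Object {
            $relative = $_.FullName.Substring($Source.Length + 1)
            $copy = Join-Path $Destination $relative
            if (-not (Test-Path -LiteralPath $copy)) { $missing += $copy; return }
            $copyAttr = (Get-Item -LiteralPath $copy -Force).Attributes
            if (($copyAttr -band [System.IO.FileAttributes]::Encrypted) -eq 0) { $decrypted += $copy }
        }

    New-Object PSObject -Property @{
        ExitCode        = $exitCode    # 0 = files copied, 4 = initialization error, 5 = disk write error
        DecryptedCopies = $decrypted   # ciphertext at the source, plaintext at the destination
        MissingCopies   = $missing     # refused by xcopy (typically encrypted files without /G)
    }
}

# Usage (assumed paths): run the strict copy first; repeat with -AllowPlaintextCopy
# only when plaintext at the destination is acceptable.
$result = Copy-EfsTree -Source 'D:\Finance\Payroll' -Destination '\\backup01\efs\Payroll'
if ($result.DecryptedCopies.Count -or $result.MissingCopies.Count) { $result | Format-List }
```

The check is worth keeping even for NTFS-to-NTFS copies: a destination where EFS has been disabled by policy also cannot store ciphertext, and the copy outcome is the only reliable signal.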

For more information about Xcopy, see “Command-Line References” in the Tools and Settings Collection.

SecPol.msc: Local Security Settings Snap-in

Category

Local Security Settings is a Microsoft Management Console (MMC) snap-in that ships with Windows Server 2003, Windows 2000 Server, and Windows XP Professional.

Version compatibility

This tool is compatible with Windows 2000, Windows XP Professional, Windows Server 2003.

Local Security Settings can be used to add or remove EFS data recovery agents for the local computer on computers running Windows Server 2003, Windows XP Professional, and Windows 2000. On a domain member, the Encrypting File System settings delivered by domain Group Policy take precedence over the local policy.

To find more information about the Local Security Settings snap-in, see “Security Policy Settings.”

Encrypting File System Registry Entries

The following registry entries are associated with Encrypting File System.

  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys

  • HKEY_CURRENT_USER\Software\Microsoft\Cryptography\CertificateTemplateCache

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\EFS

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer

The following information is provided as a reference for use in troubleshooting or verifying that the required settings are applied. It is recommended that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the registry editor or by Windows before they are applied, and as a result, incorrect values can be stored. This can result in unrecoverable errors in the system. When possible, use Group Policy or other Windows tools, such as Microsoft Management Console (MMC), to accomplish tasks rather than editing the registry directly. If you must edit the registry, use extreme caution.

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys

The following registry entries are created only when EFS is used for the first time.

CertificateHash

Registry path

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys\CertificateHash

Version

Windows Server 2003, Windows 2000, and Windows XP.

This registry entry contains the certificate hash used by the current user to encrypt and decrypt data.

Flag

Registry path

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys\Flag

Version

Windows Server 2003, Windows 2000, and Windows XP.

This registry entry identifies the encryption algorithm used to encrypt and decrypt new EFS files.

Note

For more information about the encryption algorithms that can be used with EFS, see “How Encrypting File System Works” in the Technical Reference.

KeyCacheValidationPeriod

Registry path

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys\KeyCacheValidationPeriod

Version

Windows Server 2003, Windows 2000, and Windows XP.

This registry entry identifies the length of time in seconds a cached EFS certificate is assumed to be valid before revalidation is required.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys

The following registry entries control how EFS is used on the local machine.

UserCacheSize

Registry path

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys\UserCacheSize

Version

Windows Server 2003, Windows 2000, and Windows XP.

This registry entry identifies the number of user EFS certificates to cache.

EFSDomainGPOCreated

Registry path

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys\EFSDomainGPOCreated

Version

Windows Server 2003, Windows 2000, and Windows XP.

This registry entry records whether domain-based EFS Group Policy settings are in effect.

EFSBlob

Registry path

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys\EFSBlob

Version

Windows Server 2003, Windows 2000, and Windows XP.

This registry entry contains data about the file recovery certificates that have been registered for the system.

HKEY_CURRENT_USER\Software\Microsoft\Cryptography\CertificateTemplateCache

The template cache is used to cache copies of the domain’s certificate templates which are distributed by Active Directory Domain Services. When your domain administrator configures certificate templates for your organization this registry key will contain sub-keys for each template in the domain.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\EFS

The following registry entries are added when domain Group Policy is used to enable or disable EFS.

EFSConfiguration

Registry path

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\EFS\EFSConfiguration

Version

Windows Server 2003, Windows 2000, and Windows XP

This registry setting makes it possible to disable and re-enable EFS on a local computer using Group Policy.

LastGoodEFSConfiguration

Registry path

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\EFS\LastGoodEFSConfiguration

Version

Windows Server 2003, Windows 2000, and Windows XP

This registry setting is added when EFS is disabled through domain Group Policy. This registry setting is deleted if EFS is re-enabled using domain Group Policy.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer

Registry path

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer

Version

Windows Server 2003, Windows 2000, and Windows XP

Values under this key control whether the Encrypt and Decrypt commands are displayed on the Windows Explorer shortcut menu when a user right-clicks a file or folder.
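The script below is an added example and not part of the original page. It reads the registry entries described in this section into one object for troubleshooting, and cross-checks the current user's cached CertificateHash against the EFS certificates in the user's personal store. The value meanings come from this section; the interpretation of EFSConfiguration (1 disables EFS, 0 or absent leaves it enabled) and the EncryptionContextMenu value name under Explorer\Advanced come from general Windows documentation, not from this page, and the thumbprint substring match is a heuristic.

```powershell
# Added example (not from the original page). Collect the EFS registry state
# documented above and check the cached certificate hash against the user's
# EFS certificates. Read-only: nothing here writes to the registry.

function Get-EfsRegistryState {
    $userKeys    = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys'
    $machineKeys = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys'
    $policyKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\EFS'
    $explorerKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

    # Returns $null when the key or value is absent. The HKCU entries only exist
    # after the user has used EFS for the first time, so absence is not an error.
    function Read-RegValue([string] $Path, [string] $Name) {
        if (-not (Test-Path -LiteralPath $Path)) { return $null }
        $props = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue
        if ($props -and $props.PSObject.Properties[$Name]) { return $props.$Name }
        return $null
    }

    # CertificateHash is REG_BINARY; render it as lowercase hex for comparison.
    $hashBytes = Read-RegValue $userKeys 'CertificateHash'
    $hashHex = $null
    if ($hashBytes) { $hashHex = ($hashBytes | ForEach-Object { $_.ToString('x2') }) -join '' }

    # EFS certificates carry the enhanced key usage OID 1.3.6.1.4.1.311.10.3.4.
    $efsOid = '1.3.6.1.4.1.311.10.3.4'
    $efsCerts = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $ext = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $ext -and (@($ext.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $efsOid)
    }

    # Heuristic (assumption): the blob embeds the certificate's SHA-1 thumbprint,
    # so a thumbprint that appears inside the hex dump is taken as the match.
    $matching = $efsCerts | Where-Object { $hashHex -and $hashHex.Contains($_.Thumbprint.ToLower()) } |
        Select-Object -First 1 -ExpandProperty Thumbprint

    $efsConfig = Read-RegValue $policyKey 'EFSConfiguration'

    New-Object PSObject -Property @{
        CertificateHashHex       = $hashHex
        MatchingUserCertificate  = $matching
        UserEfsCertificates      = @($efsCerts | ForEach-Object { $_.Thumbprint })
        Flag                     = Read-RegValue $userKeys 'Flag'
        KeyCacheValidationPeriod = Read-RegValue $userKeys 'KeyCacheValidationPeriod'
        UserCacheSize            = Read-RegValue $machineKeys 'UserCacheSize'
        EFSDomainGPOCreated      = Read-RegValue $machineKeys 'EFSDomainGPOCreated'
        HasRecoveryAgentBlob     = ($null -ne (Read-RegValue $machineKeys 'EFSBlob'))
        EFSConfiguration         = $efsConfig
        EfsDisabledByPolicy      = ($efsConfig -eq 1)   # assumption from general docs: 1 = disabled
        LastGoodEFSConfiguration = Read-RegValue $policyKey 'LastGoodEFSConfiguration'
        EncryptionContextMenu    = Read-RegValue $explorerKey 'EncryptionContextMenu'
    }
}

Get-EfsRegistryState | Format-List
```

A user who can no longer open encrypted files is the usual reason to run this: an empty MatchingUserCertificate with a populated CertificateHashHex points at a missing or replaced certificate, and EfsDisabledByPolicy explains the failure when the problem is policy rather than keys.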

Encrypting File System Group Policy Settings

The following table lists and describes the Group Policy settings that are associated with Encrypting File System.

Group Policy Settings Associated with Encrypting File System

Group Policy setting, followed by its description:

Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Autoenrollment

Can be used to enroll certificates automatically, renew expired certificates, update pending certificates, and remove certificates that have been revoked. In addition, this setting can be used to block certificate auto-enrollment.

Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypting File System

Can be used to disable or enable encryption of files using EFS. The default setting is enabled. In addition, this setting can be used to register one or more data recovery agents for use with EFS or to remove data recovery agents if they are no longer desired.

Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Automatic Certificate Request Settings

Can be used to configure automatic certificate request settings for a specific certificate template for a domain by using the Automatic Certificate Request Setup Wizard. The request will be processed automatically at the first occurrence of any of the following: a user logs on, Group Policy is refreshed, or a computer joins the domain and is subject to a Group Policy setting.
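The following script is an added example rather than code from the original page. It covers the command-line half of adding a data recovery agent: generating the agent's key pair and certificate with Cipher, rewrapping existing files with cipher /u once the agent is registered, and spot-checking a file's recovery agent information with Efsinfo (which serves the Efsinfo section above as well). Registering the .cer file under Public Key Policies\Encrypting File System is done in the Group Policy or Local Security Settings snap-in and is not scripted. File and folder names are assumptions; efsinfo.exe is only present where it has been installed.

```powershell
# Added example (not from the original page). Command-line steps of a data
# recovery agent (DRA) rollout; the policy registration step is done in the snap-in.

# 1. Generate the DRA key pair and self-signed certificate on an isolated machine.
#    cipher /r prompts for a password and writes EfsDra.cer (the public half, to be
#    registered in policy) and EfsDra.pfx (the private key). The name is an assumption.
Set-Location 'C:\DraStaging'                         # assumed staging folder
& cipher.exe /r:EfsDra
if ($LASTEXITCODE -ne 0) { throw "cipher /r failed (exit code $LASTEXITCODE)" }
if (-not (Test-Path 'EfsDra.cer') -or -not (Test-Path 'EfsDra.pfx')) {
    throw 'cipher /r did not produce both EfsDra.cer and EfsDra.pfx'
}
# The .pfx is the recovery capability itself: move it to offline storage and
# remove it from this machine once it has been copied.

# 2. After EfsDra.cer is registered under Public Key Policies\Encrypting File
#    System and policy has refreshed on the client, rewrap the keys of existing
#    encrypted files so the new agent can recover them. /u /n only lists the
#    encrypted files that would be touched; /u performs the update.
& cipher.exe /u /n
& cipher.exe /u
if ($LASTEXITCODE -ne 0) { Write-Warning "cipher /u exited with code $LASTEXITCODE" }

# 3. Spot-check one file's recovery agent information with Efsinfo (/r), if present.
$probe = 'D:\Finance\Payroll\ledger.xlsx'            # assumed encrypted file
if (Get-Command efsinfo.exe -ErrorAction SilentlyContinue) {
    & efsinfo.exe /r $probe
} else {
    Write-Warning 'efsinfo.exe not found; confirm the agent through the snap-in instead.'
}
```

Running cipher /u /n before cipher /u is the cheap safeguard: it shows how many files will be rewritten and surfaces any the current user cannot open, which would otherwise appear only as errors in the middle of a long update.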

To find more information about these Group Policy settings, see “Group Policy Settings Reference” in the Tools and Settings Collection.

Related Information

The following resources contain additional information that is relevant to this section.