Encrypting and decrypting data

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

With Encrypting File System (EFS) you can store data securely. EFS does this by encrypting data in selected NTFS file system files and folders.

Because EFS is integrated with the file system, it is easy to manage, difficult to attack, and transparent to the user. This is particularly useful for securing data on computers that may be vulnerable to theft, such as mobile computers.

Files and folders cannot be encrypted or decrypted on FAT volumes. Also, EFS is designed to store data securely on local computers. As such, it does not support the secure transmission of files over a network. Other technologies, such as Internet Protocol Security (IPSec), can be used in conjunction with EFS to provide a larger solution. For more information, see Internet Protocol Security (IPSec).

Using encryption keys

Once a user has specified that a file be encrypted, the actual process of data encryption and decryption is completely transparent to the user. The user does not need to understand this process. However, the following explanation of how data encryption and decryption works might be useful for administrators.

Encryption of files works as follows:

  • Each file has a unique file encryption key, which is later used to decrypt the file's data.

  • The file encryption key is itself encrypted: it is protected by the user's public key, which corresponds to the user's EFS certificate.

  • The file encryption key is also protected by the public key of each additional EFS user that has been authorized to decrypt the file and each recovery agent.

For steps on how to encrypt a file or folder, see Encrypt a file or folder.

The EFS certificate and private key used can be issued by a number of sources, including automatically generated certificates, certificates created by Microsoft certification authorities (CAs), or third-party CAs. For more information about third-party certificates and EFS, see article Q273856, "Third-Party Certificate Authority Support for Encrypting File System," in the Microsoft Knowledge Base.

Decryption of files works as follows:

  • To decrypt a file, the file encryption key must first be decrypted. The file encryption key can be decrypted only by a user who holds the private key that matches one of the public keys it was encrypted with.

  • The original user may not be the only person that can decrypt the file encryption key. Other designated users or recovery agents can also decrypt the file encryption key, by using their own private key.

For steps on how to decrypt a file or folder, see Decrypt a file or folder.
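The two lists above describe a single scheme: a unique per-file symmetric key (the file encryption key, FEK) encrypts the file's data, and a separate copy of that FEK is wrapped under the public key of each party allowed to read the file, so any one of them can unwrap it with their own private key. The following Go program is an added example written for this page to make that flow concrete; it is not EFS's own code or Microsoft's implementation. It uses AES-256-GCM for the data and RSA-OAEP for wrapping the FEK (EFS's actual algorithms and on-disk layout differ), and the type names, the SHA-256 key fingerprint that stands in for a certificate thumbprint, and the sample file contents are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Recipient is one party whose public key protects a copy of the FEK (owner, additional user, or recovery agent).
type Recipient struct {
	Name string
	Key  *rsa.PrivateKey // private half kept here only so the example can also show decryption
}

// KeyID fingerprints the public key; it stands in for the certificate thumbprint EFS records beside each wrapped FEK.
func (r Recipient) KeyID() [32]byte { return sha256.Sum256(r.Key.PublicKey.N.Bytes()) }

// EncryptedFile models an EFS-encrypted file: ciphertext plus one wrapped FEK per authorized party.
type EncryptedFile struct {
	nonce, ciphertext []byte
	wrapped           map[[32]byte][]byte // key fingerprint -> FEK encrypted under that public key
}

func NewRecipient(name string) Recipient {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err) // crypto/rand key generation is not expected to fail
	}
	return Recipient{Name: name, Key: key}
}

// aeadFor builds the symmetric cipher (AES-256-GCM in this example) keyed with the FEK.
func aeadFor(fek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(fek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptFile generates a unique per-file FEK, encrypts the data with it, then
// wraps the FEK under every recipient's public key (RSA-OAEP here). The FEK is never stored in the clear.
func EncryptFile(plaintext []byte, recipients []Recipient) (*EncryptedFile, error) {
	fek := make([]byte, 32) // 256-bit AES key used as the FEK
	if _, err := rand.Read(fek); err != nil {
		return nil, err
	}
	gcm, err := aeadFor(fek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ef := &EncryptedFile{nonce: nonce, ciphertext: gcm.Seal(nil, nonce, plaintext, nil), wrapped: map[[32]byte][]byte{}}
	for _, r := range recipients {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &r.Key.PublicKey, fek, nil)
		if err != nil {
			return nil, err
		}
		ef.wrapped[r.KeyID()] = w
	}
	return ef, nil
}

// DecryptFile looks up the FEK copy wrapped for the caller's key, unwraps it with the
// caller's private key, and decrypts the data; anyone without a copy never learns the FEK.
func DecryptFile(ef *EncryptedFile, who Recipient) ([]byte, error) {
	w, ok := ef.wrapped[who.KeyID()]
	if !ok {
		return nil, errors.New(who.Name + ": no FEK copy is protected by this key")
	}
	fek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, who.Key, w, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := aeadFor(fek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.nonce, ef.ciphertext, nil)
}

func main() {
	owner, agent, outsider := NewRecipient("owner"), NewRecipient("recovery-agent"), NewRecipient("outsider")
	ef, err := EncryptFile([]byte("constructed sample file contents"), []Recipient{owner, agent})
	if err != nil {
		panic(err)
	}
	for _, r := range []Recipient{owner, agent, outsider} {
		pt, err := DecryptFile(ef, r)
		fmt.Printf("%-15s data=%q err=%v\n", r.Name, pt, err)
	}
}
```

Run as a program, it reports the outcome for the owner, a recovery agent and an outsider: the first two recover the plaintext, while the outsider's attempt fails because no copy of the FEK was ever wrapped under its key. This is also why authorizing or removing a reader only means adding or deleting one wrapped copy of the FEK; the file data itself does not have to be re-encrypted.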

Private keys are securely held in a protected key store, not in the Security Account Manager (SAM) or in a separate directory. For more information, see Microsoft TechNet on the Microsoft Web site.

Storing encrypted files on remote servers

If users in your Windows XP or Windows Server 2003 family computing environment want to store encrypted files on remote servers, it is useful to know the following:

  • Windows XP and the Windows Server 2003 family support the storage of encrypted files on remote servers.

  • Users can use EFS remotely only when both computers are members of the same Windows Server 2003 family forest.

  • EFS protects data only while it is stored on disk, not while it is in transit over the network. The exceptions to this are when your system includes Internet Protocol Security (IPSec) or Web Distributed Authoring and Versioning (WebDAV). IPSec encrypts data while it is transported over a Transmission Control Protocol/Internet Protocol (TCP/IP) network. If a file is encrypted before being copied or moved to a WebDAV folder on a server, it remains encrypted during the transmission and while it is stored on the server.

  • Encrypted files are not accessible from Macintosh clients.

  • Storing EFS certificates and private keys on smartcards is not currently supported.

  • Strong private key protection for EFS private keys is not currently supported.

Before users can encrypt files that reside on a remote server, an administrator must designate the remote server as trusted for delegation. This allows all users with files on that server to encrypt those files. For more information, see Enable a remote server for file encryption and Encrypt a file or folder on a remote computer.