Encrypting File System overview
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Encrypting File System overview
Encrypting File System (EFS) provides the core file encryption technology used to store encrypted files on NTFS file system volumes. Once you encrypt a file or folder, you work with the encrypted file or folder just as you do with any other files and folders.
Encryption is transparent to the user that encrypted the file. This means that you do not have to manually decrypt the encrypted file before you can use it. You can open and change the file as you normally do.
Using EFS is similar to using permissions on files and folders. Both methods can be used to restrict access to data. However, an intruder who gains unauthorized physical access to your encrypted files or folders will be prevented from reading them. If the intruder tries to open or copy your encrypted file or folder he receives an access denied message. Permissions on files and folders does not protect against unauthorized physical attacks.
You encrypt or decrypt a folder or file by setting the encryption property for folders and files just as you set any other attribute such as read-only, compressed, or hidden. If you encrypt a folder, all files and subfolders created in the encrypted folder are automatically encrypted. It is recommended that you encrypt at the folder level.
You can also encrypt or decrypt a file or folder using the cipher command. For more information, see Cipher.
When you work with encrypted files and folders, keep in mind the following information:
Only files and folders on NTFS volumes can be encrypted. Because WebDAV works with NTFS, NTFS is required when encrypting files over WebDAV (Web distributed authoring and versioning).
Files or folders that are compressed cannot also be encrypted. If the user marks a file or folder for encryption, that file or folder will be uncompressed.
Encrypted files can become decrypted if you copy or move the file to a volume that is not an NTFS volume.
Moving unencrypted files into an encrypted folder will automatically encrypt those files in the new folder. However, the reverse operation will not automatically decrypt files. Files must be explicitly decrypted.
Files marked with the System attribute cannot be encrypted, nor can files in the systemroot directory structure.
Encrypting a folder or file does not protect against deletion or listing files or directories. Anyone with the appropriate permissions can delete or list encrypted folders or files. For this reason, using EFS in combination with NTFS permissions is recommended.
You can encrypt or decrypt files and folders located on a remote computer that has been enabled for remote encryption. However, if you open the encrypted file over the network, the data that is transmitted over the network by this process is not encrypted. Other protocols, such as SSL/TLS (Secure Socket Layer/Transport Layer Security) or Internet Protocol security (IPSec) must be used to encrypt data over the wire. WebDAV, however, is able to encrypt the file locally and transmit it in encrypted form.