Implementing the Encrypting File System in Windows 2000

The Encrypting File System (EFS) stores file data in encrypted form on NTFS volumes; it is the file encryption technology for NTFS in Windows 2000. EFS runs as an integrated system service and uses both symmetric and public key encryption: each file's contents are encrypted with a symmetric file encryption key, and that key is in turn encrypted with the public key of the user and of each configured recovery agent, so only the corresponding private keys can unlock the file.

On This Page

Encrypting a file or folder
Decrypting Files and Folders
Copying an Encrypted Folder or File
Moving or Renaming an Encrypted Folder or File
Deleting an Encrypted Folder or File
Backing Up an Encrypted Folder or File
Restoring an Encrypted File or Folder
Restoring Files to a Different Computer
Folder and File Encryption On a Remote Server
Securing the Default Recovery Key on a Stand-alone Computer

Encrypting a file or folder

Users can encrypt files only while a recovery policy with at least one recovery agent is in effect, which an authorized administrator controls (see "Securing the Default Recovery Key on a Stand-alone Computer"). Encrypt a file or folder on an NTFS volume as follows:

  1. Select the file or folder to encrypt.

  2. Right-click on the file or folder and click Properties.

  3. On the General tab, click Advanced.

  4. On the Advanced Attributes dialog box, select Encrypt contents to secure data and click OK.

  5. Click OK in the Properties dialog box.

  6. A Confirm Attribute Changes dialog box asks whether to encrypt only the folder or the folder and all of its contents. If the folder is empty, choose to encrypt the folder only; otherwise, choose the folder and its contents, and click OK.

  7. A dialog box shows the progress of the encryption. When it finishes, click OK to close the Properties dialog box.

After a folder is encrypted, files saved in that folder are encrypted automatically. When an encrypted file is moved to a folder that is not encrypted on an NTFS volume, the file remains encrypted. However, if a user who holds the file's key moves it to a FAT partition or volume, such as a floppy disk, the file is decrypted transparently, because FAT cannot store encrypted files.

Decrypting Files and Folders

An encrypted file can be decrypted only with a private key that matches one of the public keys used to protect its file encryption key: the private key of the user who encrypted it, or that of a recovery agent.

Decrypt a file as follows:

  1. Right-click the file or folder and click Properties.

  2. On the General tab in the Properties dialog box, click Advanced.

  3. Clear the Encrypt contents to secure data check box.

  4. Click OK.

  5. Click OK again to confirm.

For a folder, a dialog box offers the choice of decrypting only the folder or the folder and all of its contents.

Note: The designated recovery agent (by default the Administrator account, as described under "Securing the Default Recovery Key on a Stand-alone Computer") can decrypt any file that was encrypted while that recovery policy was in effect, because each file's encryption key is also protected with the recovery agent's public key.
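The two procedures above (encrypting a folder and its contents, then decrypting it again) can also be run from the command prompt with cipher.exe, which ships with Windows 2000. The following batch script is an added example and is not part of the original article; the folder path is an assumption for illustration.

```batch
@echo off
rem Added example (not from the original article): encrypt, verify and
rem decrypt a folder with cipher.exe on Windows 2000.
rem The folder path below is an assumption for illustration.
setlocal
set "TARGET=C:\Documents and Settings\user\My Documents\Encrypted Files"

rem 1. Encrypt the folder and everything already in it.
rem    /S:dir recurses into subdirectories.
rem    /A applies the operation to files as well as directories; without
rem       it only the folder attribute is set and existing files stay in
rem       clear text (the "folder only" choice in the GUI dialog).
rem    /I continues past errors, e.g. a file held open by another process.
cipher /E /S:"%TARGET%" /A /I
if errorlevel 1 echo WARNING: at least one object could not be encrypted.

rem 2. Verify. Without /E or /D, cipher lists the encryption state; each
rem    file line starts with E (encrypted) or U (unencrypted).
echo --- files still in clear text under "%TARGET%" (none expected) ---
cipher /S:"%TARGET%" | findstr /B /C:"U "
if errorlevel 1 echo (none)

rem 3. Decrypt everything again, the command-line equivalent of clearing
rem    the check box. Only a holder of the matching private key, or the
rem    recovery agent, can do this; anyone else gets "Access is denied".
cipher /D /S:"%TARGET%" /A /I
endlocal
```

Run it from a command prompt as the user who should own the key; the first encryption also creates that user's EFS certificate if none exists yet. The listing step is the quickest way to confirm that the conversion really reached every file rather than only the folder attribute.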

Copying an Encrypted Folder or File

The following explains the procedures and limitations for copying encrypted folders or files on the same volume and from one volume to another.

  • To copy a file or folder between two NTFS partitions on the same Windows 2000 computer: copy it in the same manner as an unencrypted file, using Windows Explorer or the command prompt. The copy is encrypted.

  • To copy a file or folder from an NTFS partition to a FAT partition on the same Windows 2000 computer: copy it in the same manner as an unencrypted file, using Windows Explorer or the command prompt. Because FAT does not support encryption, the copy is written in clear text.

  • To copy a file or folder between NTFS partitions on two different Windows 2000 computers: copy it in the same manner as an unencrypted file, using Windows Explorer or the command prompt. If the remote computer allows the user to encrypt files there, the copy is encrypted; otherwise it is written in clear text. Remote encryption requires the remote computer to be trusted for delegation, and in a domain environment this is not enabled by default.

  • To copy a file or folder from an NTFS partition on a Windows 2000 computer to a FAT partition, or to an NTFS partition on a Windows NT 4.0 computer: copy it in the same manner as an unencrypted file, using Windows Explorer or the command prompt. Because the destination file system does not support encryption, the copy is written in clear text.

Note: If the original file was encrypted, Microsoft recommends confirming the status of the destination file in the Advanced Attributes dialog box (click Advanced on the General tab of the file's property sheet). A copy that silently landed in clear text is easy to overlook, so check each copy rather than assuming.
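The check the note recommends can be scripted: copy the tree, then ask cipher.exe which destination files are unencrypted. The batch script below is an added example, not part of the original article; the source and destination paths are assumptions.

```batch
@echo off
rem Added example (not from the original article): copy an encrypted tree
rem and report which copies ended up in clear text.
rem Source and destination paths are assumptions for illustration.
setlocal
set "SRC=D:\Projects\Encrypted"
set "DST=E:\Transfer\Encrypted"
set "LISTING=%TEMP%\efs-listing.txt"

rem xcopy only moves the bytes; whether the copy is encrypted depends on
rem the destination: NTFS on Windows 2000 keeps it encrypted (if the user
rem may encrypt there), FAT and NT 4.0 NTFS receive clear text.
rem /E copies subdirectories including empty ones, /K keeps attributes,
rem /H includes hidden and system files, /I treats DST as a directory.
xcopy "%SRC%" "%DST%" /E /K /H /I
if errorlevel 1 (
    echo xcopy failed with errorlevel %errorlevel%
    exit /b 1
)

rem cipher fails outright on a file system without EFS support, which is
rem itself the answer: nothing there can be encrypted.
cipher /S:"%DST%" > "%LISTING%" 2>&1
if errorlevel 1 (
    echo WARNING: "%DST%" does not support EFS; the copy is in clear text.
    del "%LISTING%"
    exit /b 2
)

rem Lines starting with "U " are files cipher reports as unencrypted.
findstr /B /C:"U " "%LISTING%"
if errorlevel 1 (
    echo OK: every file under "%DST%" is encrypted.
    del "%LISTING%"
    exit /b 0
)
echo WARNING: the files listed above are in clear text; re-encrypt or delete them.
del "%LISTING%"
exit /b 2
```

The exit code (0 encrypted everywhere, 2 clear text present, 1 copy failed) lets the script sit inside a larger transfer job, so a copy to the wrong kind of volume stops the job instead of quietly leaving plaintext behind.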

Moving or Renaming an Encrypted Folder or File

The following explains the procedures and limitations for moving encrypted folders or files on the same volume and from one volume to another.

To move or rename a file or folder within the same volume: Move or rename the file in the same manner as an unencrypted file. Use Windows Explorer, the shortcut menu, or the command prompt. The destination file or folder remains encrypted.

To move a file or folder between volumes: this is essentially a copy followed by a delete, so the rules in the previous subsection, "Copying an Encrypted Folder or File," apply.

Deleting an Encrypted Folder or File

If a user has sufficient access to delete the file or folder, the user can delete it in the same manner as an unencrypted file.

Note: Deleting an encrypted folder or file is not restricted to the user who encrypted it. EFS protects the confidentiality of the data, not its existence; anyone with Delete permission can remove the file.

Backing Up an Encrypted Folder or File

The following explains the procedures and limitations for backing up encrypted folders or files.

  • Backing up by copying: backups created using the Copy command or menu selection can end up in clear text, as explained in the subsection "Copying an Encrypted Folder or File."

  • Backing up using Backup in Windows 2000 or any backup utility that supports Windows 2000 features: this is the recommended way to back up encrypted files. The backup operation preserves the file encryption, and the backup operator does not need access to any private key; access to the file or folder, or the Back up files and directories privilege, is sufficient.

Use Backup to back up a file, folder, or drive as follows:

  1. Click Start, point to Programs, point to Accessories, point to System Tools, and then click Backup. The Backup utility opens.

  2. Click the Backup tab.

  3. Select the drive, files, or folders to back up. (In this case My Documents\Encrypted Files).

  4. Select the destination in the Backup media or file name list. Click Browse to locate a pre-existing backup file.

  5. Click Start Backup.

  6. In the Backup Job Information dialog box, make selections, and then click Start Backup.

  7. When the backup process is complete, click Close in the Backup Progress dialog box.

Backup writes the entire encrypted file, folder, or drive to the selected backup file in its encrypted form. The backup file can be copied to FAT media, such as a floppy disk, and its contents remain encrypted; only a holder of a matching private key can read the files once they are restored.
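The same backup can be run from the command prompt with ntbackup.exe, the program behind the Backup utility. The script below is an added example and not part of the original article; the source folder, backup file name and job name are assumptions.

```batch
@echo off
rem Added example (not from the original article): command-line form of
rem the Backup procedure above, using ntbackup.exe from Windows 2000.
rem Source folder, backup file and job name are assumptions.
setlocal
set "SRC=C:\Documents and Settings\user\My Documents\Encrypted Files"
set "BKF=D:\Backups\EncryptedFiles.bkf"

rem ntbackup reads encrypted files through the backup API, so the operator
rem needs only the Back up files and directories privilege, not the user's
rem private key, and the .bkf keeps the EFS ciphertext.
rem   /j      job name shown in the backup log
rem   /f      write to a file instead of a tape pool
rem   /m      backup type; normal = full copy
rem   /v:yes  verify the data after writing
rem   /r:yes  restrict access to the backup data to its owner and Administrators
rem   /l:s    write a summary log
rem   /d      description stored with the backup set
ntbackup backup "%SRC%" /j "EFS backup" /f "%BKF%" /m normal /v:yes /r:yes /l:s /d "Encrypted Files"

rem ntbackup does not reliably signal failure through errorlevel, so the
rem summary log is what to inspect before trusting this backup.
echo Backup written to "%BKF%". Review the ntbackup summary log for errors.
endlocal
```

ntbackup has no command-line restore; restoring the set is done in the Restore tab as described in the next section. Because the .bkf holds ciphertext, it can sit on FAT media or a file share, but the user's private key (or the recovery agent's) is still required after the restore, so keep the exported key (see "Restoring Files to a Different Computer") alongside the backup plan.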

Restoring an Encrypted File or Folder

Restore operations parallel those used for backing up encrypted files. The following explains the procedures and limitations for restoring backed up encrypted files to the computer where the backup was performed and to a computer other than the one where the files were backed up.

  • Restoring by copying: restored files created using the Copy command or menu selection can end up in clear text, as explained in the subsection "Copying an Encrypted Folder or File."

  • Restoring using Backup in Windows 2000 or any backup utility that supports Windows 2000 features: this is the recommended way to restore encrypted files. The restore operation preserves the file encryption, and the restoring agent does not need access to private keys to restore the files. After the restoration is complete, the user who holds the private key can use the files normally.

Use Backup to restore a file on the same computer as follows:

  1. Click Start, point to Programs, point to Accessories, point to System Tools, and then click Backup.

  2. Click the Restore tab.

  3. Right-click File, and then click Catalog file.

  4. Enter the path to the backup file (for example, C:\Encryptedbackup.bkf).

  5. Check the encrypted folder that needs to be restored. All its contents are restored automatically. In the Restore files to list, select Alternate location.

  6. In the Alternate location box, provide the name of the folder where the encrypted material is to be restored.

  7. Click Start Restore.

  8. Click OK to confirm the restore process.

  9. Click OK to confirm the backup file.

  10. When the restore process is complete, click Close.

The Restore Progress dialog box shows the progress of the operation. Use the Properties of the restored folder (General tab, Advanced) to check that it was indeed restored encrypted.

  11. Close the Backup window.

Restoring Files to a Different Computer

To use encrypted files on a computer other than the one they were encrypted on, the user's encryption certificate and associated private key must be available on the other computer. This is done by exporting the certificate and private key from the original computer and importing them on the other one. The export is also the backup of the key: users should create it before they depend on the key, so that the certificate and key can be restored on a different system if the original is lost.

Back up the encryption certificate and private key as follows:

  1. Click Start, click Run, type mmc in the Open box, and click OK.

  2. On the Console menu, click Add/Remove snap-ins, and click Add.

  3. Locate the Certificates snap-in, and click Add.

  4. Select My user account and then click Finish. Click Close. Click OK.

  5. Locate the Encrypting File System certificate in the Personal certificate store: click the + next to Certificates–Current User, expand the Personal folder, and click Certificates.

  6. Right-click the certificate, click All Tasks, and click Export.

  7. This starts the Certificate Manager Export wizard. Click Next.

  8. Click Yes, export the private key. Click Next.

  9. The export format available is Personal Information Exchange-PKCS#12, or .pfx—personal exchange format. Click Next.

  10. Provide a password to protect the .pfx data; this password is the only protection on the exported private key, so choose it accordingly. Click Next.

  11. Provide the path and file name where the .pfx data is to be stored. In this case, type c:\mykey. Click Next.

  12. A list of certificates and keys to be exported is displayed. Click Finish to confirm.

  13. Click OK to close the wizard, and close the snap-in.

This exports the encryption certificate and private key to a .pfx file, which must be stored securely: anyone who obtains the file and its password can decrypt every file encrypted under this certificate.

To restore an encryption certificate and private key on a different system do the following:

  1. Copy the .pfx file to a floppy disk, and take it to the computer on which the encryption certificate and private key are to be imported.

  2. Start the Certificates snap-in by clicking Start, clicking Run, and then typing mmc.

  3. On the Console menu, click Add/Remove snap-ins, and click Add.

  4. Click Certificates, and click Add. Select My user account and then click Finish. Click Close. Click OK.

  5. Right-click Personal store, click All Tasks, and click Import to import the .pfx file.

  6. This starts the Certificate Manager Import wizard. Follow the wizard steps to successfully import the certificate and private key.

  7. Provide the path to the .pfx file. In our example, it is c:\mykey.pfx.

  8. Type the password to unwrap the .pfx data.

  9. Click Place all certificates in the following store, and accept the Personal certificate store. Click Next.

  10. Click Finish, and then click OK to start the import operation. When the import is complete, click OK to close the wizard.

Once the same certificate and private key are available on the second computer, the user can transparently use encrypted files that were backed up on the first computer and restored there.

Folder and File Encryption On a Remote Server

Users can transparently encrypt and decrypt files and use encrypted files stored on a remote server. This works whether the users access those files remotely or log on to the other computer locally. However, remember that when encrypted files are moved using backup and restore mechanisms, the appropriate encryption certificate and private keys must also be moved to allow use of the encrypted files in their new destinations. Without correct private keys, users cannot open or decrypt the files.

Note: When an encrypted file is opened over the network, the server decrypts it and the file data travels over the wire in clear text; EFS protects data at rest only. Another protocol, such as Secure Sockets Layer/Private Communication Technology (SSL/PCT) or Internet Protocol Security (IPSec), must be used to encrypt data in transit.

Securing the Default Recovery Key on a Stand-alone Computer

As part of the local administrator's initial logon, a default recovery policy is set up on each stand-alone computer. This policy makes the local administrator the default recovery agent for the computer.

To change this policy:

  1. Click Start, click Run, and type MMC in the Open box. Click OK.

  2. Click Console, click Add/Remove Snap-In. Click Add.

  3. Click Group Policy and click Add.

  4. Accept the default of Local Computer and click Finish. Click Close and click OK.

  5. Click the + next to Local Computer Policy to expand it. In the same way, expand Computer Configuration, Windows Settings, Security Settings, Public Key Policies, and then click Encrypted Data Recovery Agents. The screen should look something like the one below.

  6. There is a self-signed Administrator certificate in the policy. This makes the local administrator account the default recovery agent. If this certificate is deleted, there will be an empty recovery policy, which turns EFS off. EFS does not allow encryption of data if there are no recovery agents set up.

  7. To protect the recovery key associated with this certificate, click Console, and click Add/Remove snap-ins. Click Add.

  8. Click Certificates, and click Add. Click Current User. Click Finish. Click Close. Click OK.

  9. Click the + next to Certificates–Current User. In the same way, expand the Personal folder. Click Certificates in the left pane.

  10. Click Administrator in the right pane and check the Intended Purposes column; it should read File Recovery. Use the procedure in the subsection "Restoring Files to a Different Computer" to export the certificate and private key to a .pfx file.

  11. After creating the .pfx file, delete the certificate and the private key associated with it from the Personal store. This ensures that the only copy of the key is in the .pfx file. To do so, click Administrator in the right pane and then click the red X on the toolbar. There will be a warning message saying that the user will not be able to decrypt data encrypted using this certificate. Click Yes to continue.

  12. Secure the .pfx file in a safe or locked cabinet. This file should be used only when a file needs to be recovered.

Securing the Default Recovery Key for the Domain: As with the stand-alone computer, a default recovery policy is configured for the domain when the first domain controller is set up. The default recovery policy uses a self-signed certificate to make the domain Administrator account the recovery agent.

Note: To change the default, log on as Administrator on the first domain controller of the domain, and follow the steps above to secure the recovery key for the domain.