How to Share Files Using Encrypting File System
Microsoft Windows XP provides many enhancements in the area of data protection—especially Encrypting File System (EFS). This article describes how to share files using EFS, and is intended to assist system architects and administrators in developing best practices for creating data recovery and data protection strategies using Windows XP.
EFS File Sharing
In Windows XP, EFS supports sharing a single encrypted file between multiple users. Adding additional users to an encrypted file is therefore one way to provide for data recovery. Although adding users cannot be enforced through Group Policy or any other mechanism, it is a simple way to let several users open an encrypted file without using groups (EFS does not support groups) and without sharing private keys between users.
Once a file has been encrypted, file sharing is enabled through a new button in the user interface (UI). A file must be encrypted first, and saved, before additional users may be added. After opening the Advanced Attributes of an encrypted file, a user may be added by clicking the Details button. Individual users may add other users (not groups) from the local machine or from Active Directory, provided the user being added has a valid EFS certificate.
Enabling EFS file sharing
Sharing encrypted files has been supported since Windows 2000 through Win32 application programming interfaces (APIs), but the capability was not exposed in the Windows Explorer UI until the Windows XP Professional client.
To encrypt a file for multiple users
Open Windows Explorer and select the file you want to encrypt.
Right-click the chosen file and select Properties from the context menu.
Click the Advanced button to open the Advanced Attributes dialog box.
Encrypt the file by selecting the Encrypt contents to secure data check box as shown in Figure 1 below. Click OK.
Note A file cannot be compressed and encrypted as those are mutually exclusive attributes.
If this is the first time this file has been encrypted, a dialog box will appear asking whether you want to encrypt only the file or also its parent folder.
Select the appropriate choice and click OK. This will return you to the original dialog box.
Note The file is not encrypted until you click OK. Also, additional users may not be added until the file has been encrypted by the first user.
Click OK to encrypt the file.
Open the file properties again through the Advanced properties button and then select the Details button to add additional users. Once the Details dialog box is open, the add user option will be displayed.
Note Additional information is available in the Encryption Details dialog box which may be useful for troubleshooting purposes.
To add users
Click the Add button as shown in Figure 2 below.
A new dialog box will be presented showing the existing users and certificates that are cached in the "Other People" certificate store of the local machine. It will also allow new users to be added from the Active Directory by clicking the Find User button.
Note A user must have a valid EFS certificate in the Active Directory to be added.
Click the Find User button to find new users as shown in Figure 3 below.
The standard object picker dialog box will be displayed and a search will be conducted.
A dialog box will display users that hold valid EFS certificates in the Active Directory based on your search criteria. If no valid certificate is found for the given user, the dialog box shown below in Figure 4 will be displayed:
If valid certificates exist in the userCertificate attribute of the user object in the directory, they will be displayed in the certificate selection dialog box shown below in Figure 5.
Important Windows XP performs revocation checking on the certificates of other users when they are added to an encrypted file. For performance reasons, certificates for which the current user holds the private key (that is, the user's own certificates) are not checked for revocation. Certificates that do not contain a CRL Distribution Point (CDP) extension, such as those issued by some third-party CAs, cannot be checked and are therefore accepted without their revocation status being validated; if you depend on revocation to stop a departed user's certificate from being added to files, issue EFS certificates from a CA that includes a CDP. If the revocation status check on a certificate fails, the messages shown in Figure 6 below are displayed and the certificate is not used.
If the revocation status and chain building completed successfully, the user will be added to the dialog box and the file updated as shown in Figure 7 below.
Click OK to register the change and continue.
Note Any user who can decrypt a file and also has write permission on it can remove the other users from the file.
Note EFS reserves a maximum of 256 KB in the file header for its metadata. This limits the number of individual file-sharing entries that can be added; in practice roughly 800 individual users can be added to an encrypted file, the exact number depending on the size of each user's entry.
To view the certificate for information
You can view a user's certificate before deciding whether to add that user to the file. To view a certificate, as shown in Figure 6 above, complete the following steps:
Highlight the certificate in the dialog box and click the View Certificate button.
Click OK to close this dialog box when finished. You will be returned to the previous dialog box within which you can choose the appropriate user to be added to the encrypted file.
Highlight the selected user certificate that you want to use and click OK.
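The same procedure (encrypt first, locate the other user's EFS certificate in the Other People store, check its chain and revocation status, then add the user) can be driven through the Win32 EFS functions that the Explorer dialog boxes call. The PowerShell script below is an added example, not code from the original article or from Microsoft. It assumes PowerShell 2.0 or later with the .NET Framework (Windows XP does not ship with PowerShell; it has to be installed), a domain-joined machine, a target user whose EFS certificate is already in the current user's Other People store, and placeholder values for $Path and $Account that you replace. The wrapper class Efs and its methods AddUser and ListUsers are the example's own names. It applies the revocation rule from the Important note above: a certificate with a CDP is checked online and rejected on failure, while one without a CDP is accepted with a warning.

```powershell
# Added example: drive EFS file sharing through the Win32 API instead of Explorer.
# Not from the original article. $Path and $Account are placeholders (assumptions).
$Path    = 'C:\Data\design.doc'      # file to share; assumed to exist on an NTFS volume
$Account = 'CONTOSO\alice'           # user to add; must have an EFS certificate in Other People

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

// Thin wrapper over the advapi32 EFS sharing functions available since Windows 2000.
public static class Efs
{
    [StructLayout(LayoutKind.Sequential)] struct CertBlob { public uint dwCertEncodingType; public uint cbData; public IntPtr pbData; }
    [StructLayout(LayoutKind.Sequential)] struct EncCert { public uint cbTotalLength; public IntPtr pUserSid; public IntPtr pCertBlob; }
    [StructLayout(LayoutKind.Sequential)] struct EncCertList { public uint nUsers; public IntPtr pUsers; }
    [StructLayout(LayoutKind.Sequential)] struct HashBlob { public uint cbData; public IntPtr pbData; }
    [StructLayout(LayoutKind.Sequential)] struct EncCertHash { public uint cbTotalLength; public IntPtr pUserSid; public IntPtr pHash; public IntPtr lpDisplayInformation; }
    [StructLayout(LayoutKind.Sequential)] struct EncCertHashList { public uint nCert_Hash; public IntPtr pUsers; }

    [DllImport("advapi32.dll", CharSet = CharSet.Unicode)] static extern uint AddUsersToEncryptedFile(string lpFileName, ref EncCertList pEncryptionCertificates);
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode)] static extern uint QueryUsersOnEncryptedFile(string lpFileName, out IntPtr pUsers);
    [DllImport("advapi32.dll")] static extern void FreeEncryptionCertificateHashList(IntPtr pUsers);

    const uint X509_ASN_ENCODING = 1;

    // Add one user (SID + DER-encoded certificate) to the file's list of authorized users.
    public static void AddUser(string path, SecurityIdentifier sid, X509Certificate2 cert)
    {
        byte[] sidBytes = new byte[sid.BinaryLength]; sid.GetBinaryForm(sidBytes, 0);
        byte[] der = cert.RawData;
        IntPtr pSid = Marshal.AllocHGlobal(sidBytes.Length), pDer = Marshal.AllocHGlobal(der.Length);
        IntPtr pBlob = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(CertBlob)));
        IntPtr pCert = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(EncCert))), pArr = Marshal.AllocHGlobal(IntPtr.Size);
        try
        {
            Marshal.Copy(sidBytes, 0, pSid, sidBytes.Length);
            Marshal.Copy(der, 0, pDer, der.Length);
            CertBlob blob = new CertBlob(); blob.dwCertEncodingType = X509_ASN_ENCODING; blob.cbData = (uint)der.Length; blob.pbData = pDer;
            Marshal.StructureToPtr(blob, pBlob, false);
            EncCert ec = new EncCert(); ec.cbTotalLength = (uint)Marshal.SizeOf(typeof(EncCert)); ec.pUserSid = pSid; ec.pCertBlob = pBlob;
            Marshal.StructureToPtr(ec, pCert, false);
            Marshal.WriteIntPtr(pArr, pCert);                       // pUsers is an array of pointers to ENCRYPTION_CERTIFICATE
            EncCertList list = new EncCertList(); list.nUsers = 1; list.pUsers = pArr;
            uint rc = AddUsersToEncryptedFile(path, ref list);
            if (rc != 0) throw new System.ComponentModel.Win32Exception((int)rc);
        }
        finally { Marshal.FreeHGlobal(pArr); Marshal.FreeHGlobal(pCert); Marshal.FreeHGlobal(pBlob); Marshal.FreeHGlobal(pDer); Marshal.FreeHGlobal(pSid); }
    }

    // Return "SID thumbprint display-name" for every user currently able to open the file.
    public static string[] ListUsers(string path)
    {
        IntPtr pList;
        uint rc = QueryUsersOnEncryptedFile(path, out pList);
        if (rc != 0) throw new System.ComponentModel.Win32Exception((int)rc);
        try
        {
            EncCertHashList list = (EncCertHashList)Marshal.PtrToStructure(pList, typeof(EncCertHashList));
            string[] users = new string[list.nCert_Hash];
            for (int i = 0; i < users.Length; i++)
            {
                EncCertHash e = (EncCertHash)Marshal.PtrToStructure(Marshal.ReadIntPtr(list.pUsers, i * IntPtr.Size), typeof(EncCertHash));
                HashBlob hb = (HashBlob)Marshal.PtrToStructure(e.pHash, typeof(HashBlob));
                byte[] hash = new byte[hb.cbData]; Marshal.Copy(hb.pbData, hash, 0, hash.Length);
                string sid = e.pUserSid == IntPtr.Zero ? "(no SID)" : new SecurityIdentifier(e.pUserSid).Value;
                users[i] = sid + " " + BitConverter.ToString(hash).Replace("-", "") + " " + Marshal.PtrToStringUni(e.lpDisplayInformation);
            }
            return users;
        }
        finally { FreeEncryptionCertificateHashList(pList); }
    }
}
'@

# 1. The file must already be encrypted before users can be added (see the notes above).
$file = Get-Item $Path
if (($file.Attributes -band [IO.FileAttributes]::Encrypted) -eq 0) { $file.Encrypt() }

# 2. Find the user's EFS certificate (EKU 1.3.6.1.4.1.311.10.3.4) in CurrentUser\AddressBook,
#    the "Other People" store the Explorer dialog box reads. Matching the account name against
#    the subject is an assumption of this example; select by thumbprint if your CA names certificates differently.
$user  = $Account.Split('\')[-1]
$store = New-Object Security.Cryptography.X509Certificates.X509Store('AddressBook', 'CurrentUser')
$store.Open('ReadOnly')
$cert = @($store.Certificates | Where-Object {
    $_.Subject -like "*$user*" -and
    ($_.Extensions | Where-Object { $_ -is [Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } | Where-Object { $_.Value -eq '1.3.6.1.4.1.311.10.3.4' })
})[0]
$store.Close()
if (-not $cert) { throw "No EFS certificate for $Account in the Other People store" }

# 3. Build the chain and check revocation, following the rule in the Important note:
#    a certificate without a CRL Distribution Point cannot be checked, so warn instead of failing.
$chain  = New-Object Security.Cryptography.X509Certificates.X509Chain
$hasCdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if ($hasCdp) { $chain.ChainPolicy.RevocationMode = 'Online' }
else { $chain.ChainPolicy.RevocationMode = 'NoCheck'; Write-Warning "$($cert.Thumbprint) has no CDP; revocation status was not verified" }
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning ("{0}: {1}" -f $_.Status, $_.StatusInformation.Trim()) }
    throw "Certificate $($cert.Thumbprint) failed chain building or revocation checking; user not added"
}

# 4. Add the user, then list everyone who can now open the file (the owner plus the new user).
$sid = (New-Object Security.Principal.NTAccount($Account)).Translate([Security.Principal.SecurityIdentifier])
[Efs]::AddUser($file.FullName, $sid, $cert)
[Efs]::ListUsers($file.FullName)
```

Run the script as the user who encrypted the file (or as another user already on it), because AddUsersToEncryptedFile must itself be able to decrypt the file. The chain check deliberately fails closed when a CDP is present but the CRL cannot be fetched, which is stricter than simply skipping the check; relax it only for a CA you have validated out of band.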
- Technical Article: Securing Mobile Computers with Windows XP Professional
- How-to Article: Use Access Control to Restrict Who Can Use Files
- Technical Article: Data Protection and Recovery in Windows XP
- Technical Article: What’s New in Security for Windows XP
- Technical Article: PKI Enhancements in Windows XP Professional and Windows Server 2003
- Technical Article: Windows XP and .NET: An Overview
- Third-Party Certification Authority Support for Encrypting File System
- New Security Tool for Encrypting File System