What is Encrypting File System?
Updated: March 28, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Encrypting File System (EFS) provides the core file encryption technology for storing files on NTFS file system volumes. Security features such as logon authentication and file permissions protect network resources from unauthorized access. However, anyone with physical access to a computer such as a stolen laptop can bypass security in the operating system by installing a new operating system on that computer. In this way, sensitive data can be exposed. Encrypting sensitive files by means of EFS adds another layer of security. When files are encrypted, data in them is protected even if an attacker has full access to the data storage system on the computer.
Problems Solved by EFS
EFS addresses security concerns raised by tools available on other operating systems that allow users to access files stored on an NTFS volume without an access check. With EFS, data in NTFS files is encrypted on disk. The encryption technology used is public key–based and runs as an integrated system service, making it easy to manage, difficult to attack, and transparent to the user. If a user attempting to access an encrypted NTFS file has the private key associated with that file, the user is able to open the file and work with it transparently as a normal document. A user without the private key to the file is denied access.
Because EFS is tightly integrated with NTFS, file encryption and decryption are transparent. When users open a file, it is decrypted by EFS as data is read from disk. When users save the file, EFS encrypts the data as it is written to disk. Authorized users might not even realize that the files are encrypted because they can work with the files as they normally do.
EFS allows users to store confidential information on a computer when people who have physical access to a computer might otherwise compromise that information, intentionally or unintentionally. EFS is especially useful for securing sensitive data on portable computers, such as those commonly used by consultants or sales people who frequently conduct business away from the offices of an organization. It can also be useful on computers shared by several users, such as in banks or medical facilities. Both kinds of systems are susceptible to attack by techniques that circumvent the restrictions of access control lists (ACLs). In a shared system, an attacker can gain access by starting a different operating system. An attacker can also steal a computer, remove a hard disk, place the hard disk in another system, and gain access to the files stored on the disk. Files encrypted by EFS, however, appear as unintelligible characters when the attacker does not have the decryption key.
In its default configuration, EFS enables users to start encrypting files with no administrative effort. From the point of view of the user, encrypting a file is simply a matter of setting a file attribute. The encryption attribute can also be set for a file folder. This means that any file created in or added to the folder is automatically encrypted.
Only authorized users and designated data recovery agents (DRAs) can decrypt encrypted files. Other system accounts that have permissions for a file — even the Take Ownership permission — cannot open the file without authorization. Even the local administrator account cannot open the file if that account is not designated as a DRA. If an unauthorized user tries to open an encrypted file, access is denied.
What Can Be Encrypted
Individual files and file folders (including subfolders) on NTFS volumes can be encrypted. Although it is common to refer to a folder that has the encryption attribute set as “encrypted,” the folder itself is not encrypted. When encryption is set for a folder, EFS automatically encrypts all new files created in the folder. All files copied or moved into the folder are also encrypted. Offline Files can also be encrypted.
When offline files are encrypted, the entire offline files database is encrypted rather than individual files. Individual files do not display the encryption attribute. The database is encrypted using the startup key for the system.
System files and any files in the systemroot folder or its subfolders cannot be encrypted. No files or directories in a roaming user profile can be encrypted. A file cannot be both compressed and encrypted. Being compressed does not prevent encryption, but when the file is encrypted, it is uncompressed.
Encrypting the temp directory can cause some applications to not function properly, and therefore is not recommended.
Recovering Data Protected with EFS
EFS supports data recovery in the sense that it makes it possible for designated data recovery agents (DRAs) to decrypt files that a user has encrypted. A DRA is established by default on Windows 2000 systems. The DRA is optional on Windows XP Professional and Windows Server 2003 in order to provide organizations with greater flexibility in implementing data recovery strategies. With Windows XP Professional and Windows Server 2003, one or more DRAs can be established for individual computers, for a domain, or for a combination of individual computers and the domain. However, in no case is the private key of any user revealed to a recovery agent.
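The following PowerShell script is an added example, not code from the Microsoft article, that models the public-key design behind the two statements above: the file data is encrypted with a random per-file symmetric key (EFS calls this the file encryption key, FEK), and that key is wrapped separately to the public key of each authorized user and of each recovery agent, so a DRA recovers the file with its own private key and the user's private key is never revealed. The on-disk EFS format, certificate handling and key storage are not reproduced; the key sizes, the function names (Protect-FileContent, Unprotect-FileContent, Get-PublicOnly) and the sample plaintext are assumptions made for the demo. It assumes Windows with PowerShell 5.1 or later, since it relies on the .NET RSACryptoServiceProvider class.

```powershell
# Added example, not from the Microsoft article: a simplified model of EFS-style
# key wrapping. Assumes Windows, PowerShell 5.1+; all keys and data are constructed.
function Protect-FileContent {
    param(
        [Parameter(Mandatory)][byte[]]$Plaintext,
        [System.Security.Cryptography.RSACryptoServiceProvider[]]$Readers = @(),
        [System.Security.Cryptography.RSACryptoServiceProvider[]]$RecoveryAgents = @()
    )
    # A fresh random symmetric key per file (the FEK in EFS terms) encrypts the data.
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256
    $aes.GenerateKey(); $aes.GenerateIV()
    $fileKey = $aes.Key          # .Key returns a copy; the original is cleared on Dispose
    $iv      = $aes.IV
    $body    = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    $aes.Dispose()

    # Wrap the file key once per authorized reader and once per recovery agent, using
    # only their public keys (RSA-OAEP). Nobody's private key is needed to encrypt.
    $wrapped = [System.Collections.Generic.List[object]]::new()
    foreach ($r in $Readers) {
        $wrapped.Add([pscustomobject]@{ Role = 'Reader'; Key = $r.Encrypt($fileKey, $true) })
    }
    foreach ($a in $RecoveryAgents) {
        $wrapped.Add([pscustomobject]@{ Role = 'RecoveryAgent'; Key = $a.Encrypt($fileKey, $true) })
    }
    [array]::Clear($fileKey, 0, $fileKey.Length)   # the plaintext file key is never stored
    [pscustomobject]@{ IV = $iv; Body = $body; WrappedKeys = $wrapped }
}

function Unprotect-FileContent {
    param(
        [Parameter(Mandatory)]$Envelope,
        [Parameter(Mandatory)][System.Security.Cryptography.RSACryptoServiceProvider]$PrivateKey
    )
    # Try every wrapped copy; only a private key matching one of them unwraps the file key.
    foreach ($entry in $Envelope.WrappedKeys) {
        try { $fileKey = $PrivateKey.Decrypt($entry.Key, $true) } catch { continue }
        $aes = [System.Security.Cryptography.Aes]::Create()
        $aes.Key = $fileKey; $aes.IV = $Envelope.IV
        $plain = $aes.CreateDecryptor().TransformFinalBlock($Envelope.Body, 0, $Envelope.Body.Length)
        $aes.Dispose()
        return [pscustomobject]@{ OpenedAs = $entry.Role; Text = [System.Text.Encoding]::UTF8.GetString($plain) }
    }
    throw 'Access denied: this private key does not match any wrapped file key'
}

function Get-PublicOnly([System.Security.Cryptography.RSACryptoServiceProvider]$Rsa) {
    # Export only the public parameters, as the encrypting side would hold them.
    $pub = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $pub.ImportParameters($Rsa.ExportParameters($false))
    return $pub
}

# --- demonstration with constructed key pairs and data ---
$user  = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048
$dra   = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048
$admin = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048  # no wrapped copy

$plain = [System.Text.Encoding]::UTF8.GetBytes('constructed sample: draft merger terms')
$file  = Protect-FileContent -Plaintext $plain -Readers @(Get-PublicOnly $user) -RecoveryAgents @(Get-PublicOnly $dra)

Unprotect-FileContent $file $user    # the owner opens the file with the owner's private key
Unprotect-FileContent $file $dra     # the DRA opens it with the DRA's key; the user's key is not involved
try { Unprotect-FileContent $file $admin } catch { "Denied for admin: $($_.Exception.Message)" }

# Without a recovery agent (optional on Windows XP Professional and Windows Server 2003)
# only the listed readers can ever open the file; the DRA key no longer helps.
$noDra = Protect-FileContent -Plaintext $plain -Readers @(Get-PublicOnly $user)
try { Unprotect-FileContent $noDra $dra } catch { "Denied for DRA: $($_.Exception.Message)" }
```

Authorizing an additional user, as the later feature list describes, is the same operation as adding a reader here: the file key is unwrapped by someone who already holds it and re-wrapped to the new user's public key, so the file body itself is never re-encrypted.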
EFS Interactions and Dependencies
EFS is available only on computers running Windows Server 2003, Windows XP Professional, Windows 2000 Server, and Windows 2000 Professional, and using the NTFS file system.
However, there are differences between how EFS is implemented on Windows Server 2003 and Windows XP Professional compared to Windows 2000. In particular, systems running Windows Server 2003 and Windows XP Professional do not require the existence of a DRA, whereas EFS is disabled on systems running Windows 2000 unless there is a DRA.
On computers running Windows 2000, an encrypted data recovery policy (EDRP) is automatically configured on stand-alone computers when the local administrator initially logs on. This policy makes the local Administrator account the DRA for the computer. Recovery keys and a self-signed file recovery certificate are automatically generated. The local Administrator can change the default EDRP if needed.
In Windows 2000 Active Directory environments, a default recovery policy is configured for a domain when the first domain controller is set up. The default recovery policy uses a self-signed certificate to make the domain administrator account the DRA. The domain Administrator can change the default EDRP if needed.
The following interactions and dependencies also affect how EFS can be used:
You can use EFS to encrypt or decrypt data on a remote computer, but you cannot use it to encrypt data sent over the network unless Web Distributed Authoring and Versioning (WebDAV) encryption is configured. Otherwise, IPSec should be used to protect data across the network.
You cannot encrypt system files or folders.
You cannot encrypt compressed files and folders until you decompress them.
If you encrypt an entire folder, temporary copies of encrypted files that it contains are also encrypted.
Copying a file into an encrypted folder encrypts the copy, but if you move a file into the folder, the file remains encrypted or unencrypted, just as it was before you moved it.
If you move or copy EFS files to another file system, encryption is removed, but if you back them up, the encryption is preserved.
When you encrypt a file, other file permissions are unaffected. An administrator, for instance, can still delete your EFS file even though the administrator cannot open it.
You must have EFS certificates available to use EFS. If you do not currently have a public key infrastructure (PKI), you can use self-signed certificates. If you have a PKI, you can configure them to provide EFS certificates.
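The following PowerShell script is an added example, not code from the Microsoft article, that exercises several of the points listed above on a real NTFS volume: encryption is only available on NTFS, a folder's encryption attribute makes new files encrypted automatically, copying and moving into such a folder behave differently, and encrypting a file leaves its permissions (its security descriptor) untouched. It assumes Windows with PowerShell 5.1 or later, a user who already has an EFS certificate or can self-sign one, and that $env:TEMP is on an NTFS volume; the demo path, file names and contents are constructed, and the helper names (Test-EfsEncrypted, Assert-NtfsVolume) are my own.

```powershell
# Added example, not from the Microsoft article. Assumes Windows, PowerShell 5.1+,
# an NTFS volume behind $env:TEMP, and a user with (or able to self-sign) an EFS
# certificate. $Root and the file names/contents are constructed for the demo.
$Root = Join-Path $env:TEMP 'efs-demo'

function Test-EfsEncrypted {
    # The Encrypted bit is a file attribute maintained by NTFS/EFS, not an ACL entry.
    param([Parameter(Mandatory)][string]$Path)
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    return ([int]$attrs -band [int][System.IO.FileAttributes]::Encrypted) -ne 0
}

function Assert-NtfsVolume {
    # EFS is only available on NTFS, so refuse to continue on FAT/exFAT/ReFS volumes.
    param([Parameter(Mandatory)][string]$Path)
    $drive = New-Object System.IO.DriveInfo -ArgumentList ((Split-Path -Qualifier $Path) + '\')
    if ($drive.DriveFormat -ne 'NTFS') {
        throw "EFS requires NTFS; $($drive.Name) is formatted as $($drive.DriveFormat)"
    }
}

Assert-NtfsVolume $Root
$encDir   = New-Item -ItemType Directory -Path (Join-Path $Root 'encrypted') -Force
$plainDir = New-Item -ItemType Directory -Path (Join-Path $Root 'plain') -Force

# Set the encryption attribute on the folder. cipher.exe /E marks a directory so
# that files added to it afterwards are encrypted; its status text is discarded.
cipher.exe /E $encDir.FullName | Out-Null

# 1. A file created inside the encrypted folder is encrypted automatically.
$created = Join-Path $encDir.FullName 'created-here.txt'
Set-Content -LiteralPath $created -Value 'constructed sample content'

# 2. Copy vs. move: the copy is a new file in the folder and is encrypted; Move-Item
#    on the same volume is a rename, so the moved file keeps the state it had before.
$src = Join-Path $plainDir.FullName 'source.txt'
Set-Content -LiteralPath $src -Value 'constructed sample content'
Copy-Item -LiteralPath $src -Destination (Join-Path $encDir.FullName 'copied.txt')
Move-Item -LiteralPath $src -Destination (Join-Path $encDir.FullName 'moved.txt')

# 3. Encrypting or decrypting a file leaves its security descriptor (the ACL) untouched.
$sddlBefore = (Get-Acl -LiteralPath $created).Sddl
[System.IO.File]::Decrypt($created)
[System.IO.File]::Encrypt($created)
$sddlAfter = (Get-Acl -LiteralPath $created).Sddl

[pscustomobject]@{
    CreatedFileEncrypted = Test-EfsEncrypted $created
    CopiedFileEncrypted  = Test-EfsEncrypted (Join-Path $encDir.FullName 'copied.txt')
    MovedFileEncrypted   = Test-EfsEncrypted (Join-Path $encDir.FullName 'moved.txt')
    AclUnchanged         = ($sddlBefore -eq $sddlAfter)
} | Format-List

# Which certificates can open the file: the user's own and any recovery agent's.
cipher.exe /C $created

# Clean up the demo tree.
Remove-Item -LiteralPath $Root -Recurse -Force
```

Run it in an elevated or ordinary session on the machine whose policy you want to check; the `cipher.exe /C` listing is the quickest way to confirm whether a recovery agent certificate is actually attached to files, which is what a DRA-based recovery strategy depends on.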
EFS in Windows Server 2003 and Windows XP Professional includes the following features that are not available on systems running Windows 2000:
Additional users can be authorized to access encrypted files.
Certificates can be checked for revocation status when encrypted files are shared. (Revocation is checked only when a user is added to an encrypted file.)
Offline files can be encrypted.
The Advanced Encryption Standard (AES) and Triple DES (3DES) encryption algorithms are supported.
Encrypted files can be stored in Web folders using WebDAV.
EFS can be used with Windows Server 2003 clusters.
File recovery policy can be configured with greater flexibility.