Features of EFS

EFS provides its users with privacy, transparent operation, and a means of data recovery. In addition, it ensures that encryption is not inadvertently defeated by copying or moving files.


EFS is designed to protect the privacy of sensitive data. Besides the user who encrypts a file, only designated recovery agent personnel can decrypt it. Other system accounts that have permissions for that file — even the Take Ownership permission — cannot open the file without the encryptor's private key.

EFS is especially useful for securing sensitive data on computers shared by several users and on portable computers. Both kinds of systems are susceptible to attack by techniques that circumvent the restrictions of access control lists (ACLs) In a shared system, access can be gained by starting up a different operating system. With a portable computer, a thief might take only a moment to steal it. The thief can then remove the hard disk drive, plug the hard disk drive into another computer, and read the files. EFS files, however, appear as unintelligible characters when the thief does not have the decryption key.

Transparent Operation

In EFS, file encryption does not require the file owner to decrypt and re-encrypt the file on each use. Decryption and encryption of the file take place transparently as it is read from and written to the disk.

In contrast, encryption services in most products are not transparent to the user. The user has to decrypt the file before every use and re-encrypt it when finished. If the user forgets to encrypt a file, the file is unprotected. And, because the user must go to the trouble of specifying that a file be encrypted and decrypted on each use, it discourages the use of encryption.

Integration with the File System

EFS is tightly integrated with NTFS. You set the encryption attribute for folders or files as you set other attributes, such as read-only, compressed, or hidden. When encryption is set for a folder, EFS automatically encrypts the following:

  • All new files created in the folder

  • All plaintext files copied to the folder

  • Optionally, all existing files and subfolders in the folder

When EFS is implemented at the folder level, temporary copies of an encrypted file in the same folder (such as those created during editing) are also encrypted, as are backups created in the same folder. The encryption survives moves and renames, provided that all files are on Windows 2000 NTFS volumes.

note-icon Note

EFS is available only on Windows 2000 NTFS volumes. Copying or moving the file or folder to another file system removes the encryption and returns the file to its normal format. The exception to this is files and folders that are stored by Windows 2000 Backup. Files and folders remain encrypted on the backup media.

Data Recovery System

Encrypting a file always raises a risk that it cannot be read again. The owner of the private key might leave the enterprise. If disgruntled, the owner might maliciously encrypt all of his or her files before leaving. Worse yet, he or she might encrypt critical shared files so that no one else can use them. For this reason, EFS is designed to be used only if the system is configured with one or more recovery agent administrators.

Designated user accounts, called recovery agentI> accounts are issued recovery agent certificates with public keys and private keys that are used for EFS data recovery operations. Recovery agent accounts are designated by EFS recovery policy. By default, the recovery agent account is the highest-level Administrator account. On a stand-alone computer, this is the local Administrator. In a domain, the domain Administrator for the first domain controller installed in the domain is the default recovery agent account for all computers in the domain. Different recovery agent accounts can be assigned by changing EFS recovery policy, and different recovery policies can be configured for different parts of an enterprise. The private key for a recovery agent account must be located on the computer where recovery operations are to be conducted.

When a recovery agent certificate is issued, the certificate and private key are installed in the user profile for the user account that requested the certificate. You also have the option to export the recovery agent certificate and private keys to store them in archives or to transfer the certificate and private key to other user accounts and computers.

There can be more than one recovery agent account for an EFS file, each with a different private key. Data recovery discloses only the encrypted data, not the user's private key that was used to encrypt the bulk encryption key or any other private keys for recovery. This ensures that no other private information is revealed to the recovery agent administrator accidentally.

If you choose to configure an EFS recovery policy with no recovery agent certificates, EFS is disabled. Because of this feature, you cannot normally use EFS to encrypt data so it cannot be recovered — whether the encryption is done through accident or through malice. However, you could later destroy the private key for recovery to prevent data recovery.

Information to Remember About EFS
EFS only works on the Windows 2000 NTFS file system.
EFS does not run if there is no recovery agent certificate, but it does designate a recovery agent account by default and generates the necessary certificate if you do not.
You can use EFS to encrypt or decrypt data on a remote computer, but you cannot use it to encrypt data sent over the network.
You cannot encrypt system files or folders.
You cannot encrypt compressed files and folders until you decompress them.
Encrypting an entire folder ensures that the temporary copies of encrypted files that it contains are also encrypted.
Copying a file into an encrypted folder encrypts the file, but moving it into the folder leaves the file encrypted or unencrypted, just as it was before you copied the file.
Moving or copying EFS files to another file system removes the encryption, but backing them up preserves the encryption.
Other file permissions are unaffected. An administrator, for instance, can still delete a user's EFS file even though the user cannot open it. —