Before you start
Objectives: Learn what is Encrypting File System and why should we use this feature in Windows OS.
Prerequisites: you should know what is encryption.
Key terms: file, encrypted, key, files, recovery, private, computer, agent, encrypt, access, efs, encryption
What is Encrypting File System (EFS)
EFS enables us to encrypt files and folders using a public encryption key tied to a specific user. These encrypted files can then only be used by using a private key that the user who encrypted the files has access to. This process is known as a Public Key Encryption (PKI). In PKI, the user has two keys. One is a Public key which is stored in the certificate, and a Private key. Users can use the public key to encrypt data and the Private key to read the encrypted data. The Private key is kept in the users private certificate store. So, anything that we encrypt with the public key can only be decrypted with the private key.
To implement Encrypting File System (EFS) we have to use NTFS file system on our volumes (EFS is a feature of NTFS). EFS uses both symmetric and asymmetric cryptography. Certificates (keys) are used to manage access to files. These can be trusted third-party certificates, or they can be self signed certificates. In an asymmetrical system, we basically encrypt files or folders with either a public or private key. If the file or folder was encrypted with the private key, we have to use the public key to decrypt it. If it was encrypted with a public key, we have to use the private to decrypt it.
With EFS, we must have a private key in order to access the encrypted file. That means that only original user (and Default Recovery Agent or any user with the copy of the private key), has access to the encrypted file. Private keys should be backed up or archived for recovery purposes.
Encryption is represented as an attribute of a file or a folder, just like a ‘compression’ attribute. We can either encrypt or compress a file. We can not use both of those attributes together (we can not encrypt a compressed file or folder). When we encrypt a compressed file, the file will first be decompressed, and then encrypted. It will also remain uncompressed while encrypted.
When we set the ‘Encrypt’ attribute on a single file, the file will be encrypted. To do that we have to go to the advanced properties of a file. When we encrypt a folder, we can also choose to encrypt all the files and sub folders that are in that particular folder. We can also use command prompt to encrypt files. To do that we can use the ‘cypher‘ command.
The first time a user encrypts a file or folder on Windows machine, the system will create EFS certificate (public key) and a private key for them. Windows then transparently decrypts and encrypts folders and files as users use them. Multiple users can use EFS to encrypt files as well. We can share an encrypted file with another user only if that user has an EFS certificate in the EFS computer store. Have in mind, we can’t have multiple users encrypt a folder.
By default, EFS uses self-signed certificates that are created on the local machine. These certificates are generated by a users computer, not by a Certificate Authority (CA). This means that if the computer which generated the certificate is formatted, the user will lose access to the encrypted files (if the keys are not backed up). This is why it is very important to back up certificates stored on a local machine. EFS keys issued by a enterprise CA can be stored in Active Directory (AD) and be applied to files that need to be shared between multiple users. We can also use smart cards to store private EFS certificate, while the public key is stored in AD.
Moving Encrypted Files
When talking about encryption, one of the concerns is what will happen if we move an encrypted file to another location. To be able to use the encryption, we have to have NTFS formatted partition. If we move our encrypted file somewhere else on the same partition, it will remain encrypted. If we move our encrypted file to another partition that is also NTFS formatted, it will still remain encrypted. If we move our file to the FAT32 partition, our file will be decrypted. Only the original user can move encrypted file to the FAT or FAT32 partition, because it first needs to be decrypted. This will typically happen if we move our file to the Floppy disk or a USB stick. If we copy an unencrypted file to the encrypted folder, the file will be encrypted. If we move the unencrypted file into an encrypted folder, the file remains unencrypted. If we create new file in encrypted folder, that file will be encrypted. Encrypting folders is more recommended than encrypting single files. If we back up and then restore EFS files, the encryption is preserved. If we save an encrypted file to a network share, the file will be encrypted only if the server is trusted for delegation and has access to the user’s certificate.
By default, only original user can read encrypted files. There’s also the Default Recovery Agent (DRA) user account. Recovery Agents are allowed to restore EFS encrypted files by using their own private key. The recovery on local computers (not members of the domain), the DRA must be set up manually. Also, multiple default recovery agent are possible. In a domain, the domain Administrator account is the default recovery agent. The key of the domain DRA is typically stored on some type of removable media (like USB drive) and locked in a safe place.
We must have Write permission to a folder or file to encrypt it. We cannot encrypt System or Read-only files. To recover encrypted files, the files and recovery key need to be on the same computer. Without the private key or recovery key, we cannot copy or move an encrypted file. We can however, back up the files and restore them to the computer where a recovery key is located. We can also export the recovery key and import it onto the computer storing the files we want to recover. Normally, encrypted files are meant to be stored and read on the local computer only. We can only encrypt files stored on remote computers if the computer is trusted for delegation in Active Directory. When moving files encrypted on our local system to another computer (for use on that computer), we have to make sure that our certificate and private key are available on the other computer. Otherwise, we might be unable to open those files. When moving encrypted files to another computer over the network, files are not encrypted while they are in transit. Files might be intercepted as they are transferred. We should use IPSec to secure network communications in this case. When we do a backup of our encrypted files, the encryption will be preserved, and we will be able to restore it to an NTFS partition.
EFS in HomeGroup Environment
To share EFS encrypted files in HomeGroup environment, each computer must have the same EFS certificates. This is in contrast to AD environment where EFS certificates are stored centrally. Even if every computer in HomeGroup has the same user name and password, each computer generates a unique EFS certificate for each user. Because of that we still need to export EFS certificate on one computer and then import them on all other computers in HomeGroup. To configure sharing of EFS encrypted files in HomeGroup, each user can encrypt files on one computer and then export their EFS keys. These keys can then be imported on the other computer on the HomeGroup.
EFS encrypts file content with a randomly generated secret key called theFile Encryption Key or FEK. This key is specific to each file. The FEK is then encrypted by the user’s public key and stored with the file as an attribute called the Data Decryption Field or DDF. The recovery agent’s public key also encrypts the FEK, so that the recovery agent can open the file if necessary. The Recovery Agent version of the FEK is stored in the file as an attribute called the Data Recovery Field or DRF. When the file is accessed by the user who encrypted it, Windows uses that user’s private key to decrypt the FEK found in the DDF. It then uses the FEK to decipher the file’s contents. When the recovery agent access the encrypted file, Windows uses the recovery agent private key to decrypt the file encryption key found in the DRF. It then uses the FEK to decrypt the file. This process keeps the user’s private key safe because no one else has access to it, not even the recovery agent. When someone without the appropriate private key tries to open and encrypted file, they will be denied access because they are unable to decrypt the FEK.
Keep in mind that EFS is not available in all editions of Windows. For example, when it comes to Windows 7, EFS is only available in Professional, Enterprise and Ultimate editions.
Windows includes several tools which we can use to import and export (backup) certificates to a PFX file.
- Certificate Manager console
- Manage File Encryption Certificates
- Cypher.exe (command line tool)
PFX files can be imported back to the original computer or on another computer if necessary. This can be done by using the mentioned tools, or by simply double-clicking the PFX file in Windows Explorer. The easiest way to backup certificates is to use Manage File Encryption Certificates tool. With this tool we can also configure our system to use smart cards. The Certificate Manager console can also be used to backup certificates.
We have separate articles in which we describe how to work with EFS in Windows: