Encrypting and Decrypting by Using EFS


Encryption and decryption are the primary tasks of EFS. Several different encryption and decryption options are available to users. Users can encrypt and decrypt files by using My Computer and by using the cipher command, and optionally by using the shortcut menu accessed by right-clicking a file or folder.

EFS also allows users to encrypt offline files. Additionally, EFS provides several options for users to determine the encryption status of files and folders.

What Can Be Encrypted

Individual files and file folders (or sub-folders) on NTFS volumes can be encrypted. Although it is common to refer to file folders with the encryption attribute set as encrypted, the folder itself is not encrypted. When encryption is set for a folder, EFS automatically encrypts all new files created in the folder and all files copied or moved into the folder by using My Computer. Offline Files can also be encrypted.

Note 

When offline files are encrypted, the entire Offline Files database is encrypted rather than individual files, so individual files do not display the encryption attribute. The database is encrypted by using the system's startup key rather than a user's EFS key.

System files and any files in the systemroot folder or its subfolders cannot be encrypted. No files or directories in a roaming user profile can be encrypted. A file cannot be both compressed and encrypted: a compressed file can still be encrypted, but it is uncompressed as part of the operation.

How Files Are Encrypted

EFS uses a combination of public key and symmetric key encryption so that recovering a file's contents without the corresponding private key is computationally infeasible. Public key encryption algorithms use asymmetric keys, which means that different keys are used to encrypt and decrypt the same data. Public key encryption involves a private key (held only by its owner) and a public key (which can be published, for example in a certificate available on the network). Information that is encrypted by using the public key can be decrypted only by using the corresponding private key. The two keys together are called a key pair or a key set.

Asymmetric cryptography, however, requires a significant amount of processing time for its mathematical operations. Public key operations are often used as part of initial key exchange or key protection operations. As soon as possible, cryptographic services change from public key to symmetric operations, in which the same key is used for both encryption and decryption. Compared with public key operations, symmetric encryption is commonly 100 to 1,000 times faster.

EFS follows the industry standard cryptographic procedure of key encipherment. Data is encrypted using a symmetric file encryption key (FEK) for speed and then the FEK is secured asymmetrically for maximum security. When a user requests that a file be encrypted, EFS uses a uniquely generated FEK to encrypt a file and then encrypts the FEK by using the public key taken from the user's public key certificate. The encrypted FEK is stored in a file header. When a user requests decryption, EFS decrypts the FEK using the user's private key, and then uses the FEK to decrypt the file.

Structure of an Encrypted File

An encrypted file contains encrypted data and a header with fields to store copies of the encrypted FEK for authorized users and designated data recovery agents (DRA). For more information about DRAs, see Data Recovery and Data Recovery Agents later in this chapter.

The structure for an encrypted file is shown in Figure 17-2.

Figure 17-2: Structure of an encrypted data file

Data Decryption Field

An encrypted file contains a minimum of one stored FEK, the FEK encrypted by using the initial encryptor's public key. The storage field for this encrypted FEK is called the data decryption field (DDF). Additionally, if an EFS-encrypted file is shared with another user, a copy of the FEK is encrypted by using the newly authorized user's public key, and the encrypted FEK is stored in another DDF.

For more information about sharing encrypted files, see Authorizing Multi-User Access to Encrypted Files later in this chapter.

Data Recovery Field

If a computer's effective security policy designates one or more data recovery agents (DRAs), a copy of the FEK is encrypted with each DRA's public key and stored in another file header field called the data recovery field (DRF).

The Encryption Process

When a user encrypts an existing file, the following process occurs:

  1. The EFS service opens the file for exclusive access.

  2. All data streams in the file are copied to a plaintext temporary file in the system s temporary directory.

  3. An FEK is randomly generated and used to encrypt the file by using DESX or 3DES, depending on the effective security policy. (Windows XP Professional with Service Pack 1 or later defaults to AES-256; DESX and 3DES remain available for compatibility with files that already use them.)

  4. A DDF is created to contain the FEK encrypted by using the user's public key. EFS automatically obtains the user's public key from the user's X.509 version 3 file encryption certificate.

  5. If a recovery agent has been designated through Group Policy, a DRF is created to contain the FEK encrypted by using RSA and the recovery agent's public key. For more information about using Group Policy to configure data recovery agents, see Configuring Data Recovery Policy in a Stand-Alone Environment later in this chapter.

    EFS automatically obtains the recovery agent's public key from the recovery agent's X.509 version 3 certificate for file recovery, which is stored in the EFS recovery policy. If there are multiple recovery agents, a copy of the FEK is encrypted by using each agent's public key, and a DRF is created to store each encrypted FEK.

    Note 

    The file recovery property in the certificate is an example of an enhanced key usage (EKU) field. An EKU extension and extended property specify and limit the valid uses of a certificate. File Recovery (OID 1.3.6.1.4.1.311.10.3.4.1) is one of the EKU fields defined by Microsoft as part of the Microsoft public key infrastructure (PKI); it is distinct from the ordinary Encrypting File System EKU (OID 1.3.6.1.4.1.311.10.3.4) on a user's certificate, so a user certificate cannot be used as a recovery certificate.

  6. EFS writes the encrypted data, along with the DDF and the DRF, back to the file. Because symmetric encryption adds at most one cipher block of padding, file size increase is minimal after encryption. The metadata, consisting primarily of encrypted FEKs, is usually less than one kilobyte and is stored in a separate NTFS attribute ($EFS) rather than in the data stream, so file size in bytes before and after encryption is normally reported to be the same.

  7. The plaintext temporary file is deleted.

    Note 

    Data from deleted files might not be erased when the file is deleted. The cipher /w:directory command (for example, cipher /w:C:\) overwrites the unused disk space on the volume that holds the specified directory. For more information about the cipher command, see Windows XP Professional Help and Support Center, or use the cipher /? command at a command prompt.

When a user saves a file to a folder that has been configured for encryption, the process is similar except that no temporary file is created.

Figure 17-3 illustrates the process of obtaining an FEK to encrypt the data and obtaining public keys to encrypt the FEK, and shows the structure of the encrypted file.

Figure 17-3: Encrypting a file with EFS

The Decryption Process

When an application accesses an encrypted file, decryption proceeds as follows:

  1. NTFS recognizes that the file is encrypted and sends a request to the EFS driver.

  2. The EFS driver retrieves the DDF and passes it to the EFS service.

  3. The EFS service retrieves the user's private key from the user's profile and uses it to decrypt the DDF and obtain the FEK. The private key is stored in the profile protected by the user's logon credentials, so the protection EFS provides is only as strong as the account password.

  4. The EFS service passes the FEK back to the EFS driver.

  5. The EFS driver uses the FEK to decrypt sections of the file as needed for the application.

    Note 

    When an application opens a file, only those sections of the file that the application is using are decrypted. Because EFS uses cipher block chaining, any block can be decrypted given the FEK and the preceding ciphertext block, so the driver does not have to process the whole file. The behavior is different if the user removes the encryption attribute from the file. In this case, the entire file is decrypted and rewritten as plaintext.

  6. The EFS driver returns the decrypted data to NTFS, which then sends the data to the requesting application.

Figure 17-4 illustrates the process of obtaining the user's private key from the user's profile, using it to decrypt the FEK, and using the FEK to decrypt the data for a user.

Figure 17-4: Decrypting a file for a user
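The encryption and decryption steps above, modelled end to end as an added PowerShell example. This is not EFS's or the Resource Kit's code and it does not read or write EFS's on-disk format: AES-256 stands in for DESX/3DES, RSA with OAEP padding for the RSA wrap of the FEK, and the function names, the 2048-bit keys and the sample text are the example's own. It assumes Windows PowerShell 5.1 or later on Windows with the .NET Framework.

```powershell
using namespace System.Security.Cryptography

function New-KeyPair {
    # 2048-bit RSA key pair; stands in for the key behind a user's or a
    # recovery agent's X.509 file encryption certificate.
    [RSACryptoServiceProvider]::new(2048)
}

function Get-PublicCopy([RSACryptoServiceProvider]$Key) {
    # The public half only, which is all the encrypting party gets from a
    # certificate; the private half never leaves the owner's profile.
    $pub = [RSACryptoServiceProvider]::new()
    $pub.ImportParameters($Key.ExportParameters($false))
    $pub
}

function Protect-Data {
    param(
        [byte[]]$Plaintext,
        [RSACryptoServiceProvider]$UserPublicKey,
        [RSACryptoServiceProvider[]]$RecoveryAgentPublicKeys = @()
    )
    # Encryption step 3: a fresh random FEK does the bulk work symmetrically.
    $aes = [Aes]::Create()
    $aes.KeySize = 256
    $aes.GenerateKey(); $aes.GenerateIV()
    $fek = $aes.Key; $iv = $aes.IV          # Key/IV getters return copies
    $data = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    $aes.Dispose()                           # zeroes the cipher object's own copy

    # Step 4: the DDF holds the FEK wrapped with the encryptor's public key
    # (RSA with OAEP padding; that is what the $true argument selects).
    $ddf = [System.Collections.Generic.List[byte[]]]::new()
    $ddf.Add($UserPublicKey.Encrypt($fek, $true))

    # Step 5: one DRF entry per recovery agent designated by policy.
    $drf = [System.Collections.Generic.List[byte[]]]::new()
    foreach ($agentKey in $RecoveryAgentPublicKeys) {
        $drf.Add($agentKey.Encrypt($fek, $true))
    }

    # Step 6: header (IV, DDF, DRF) plus ciphertext. The plaintext FEK is not
    # stored; only its wrapped copies survive.
    [pscustomobject]@{ IV = $iv; DDF = $ddf; DRF = $drf; Data = $data }
}

function Unprotect-Data {
    param($Protected, [RSACryptoServiceProvider]$PrivateKey)
    # Decryption steps 2-3: try every stored copy of the FEK with this private
    # key, DDF entries (authorised users) first, then DRF entries (recovery
    # agents). A copy wrapped for a different key fails OAEP decoding with a
    # CryptographicException and is skipped.
    $fek = $null
    foreach ($entry in @($Protected.DDF) + @($Protected.DRF)) {
        try   { $fek = $PrivateKey.Decrypt($entry, $true); break }
        catch [System.Security.Cryptography.CryptographicException] { }
    }
    if ($null -eq $fek) { throw 'No DDF or DRF entry is wrapped for this private key.' }

    # Step 5: the recovered FEK decrypts the data.
    $aes = [Aes]::Create()
    $aes.Key = $fek; $aes.IV = $Protected.IV
    $plain = $aes.CreateDecryptor().TransformFinalBlock($Protected.Data, 0, $Protected.Data.Length)
    $aes.Dispose()
    ,$plain                                  # the comma keeps the byte[] whole
}

# --- Walkthrough with constructed keys and constructed sample text ---
$user  = New-KeyPair      # the encrypting user
$agent = New-KeyPair      # the recovery agent named by policy
$other = New-KeyPair      # an unrelated user: no DDF or DRF entry for this key

$text = [Text.Encoding]::UTF8.GetBytes('Constructed sample: Q3 plan, internal only')
$file = Protect-Data -Plaintext $text -UserPublicKey (Get-PublicCopy $user) `
                     -RecoveryAgentPublicKeys (Get-PublicCopy $agent)

# The header is small: one 256-byte wrapped FEK per authorised key.
$wrapped = 0
foreach ($e in @($file.DDF) + @($file.DRF)) { $wrapped += $e.Length }
"Header: $($file.DDF.Count) DDF + $($file.DRF.Count) DRF entries, $wrapped bytes of wrapped keys"

[Text.Encoding]::UTF8.GetString((Unprotect-Data $file $user))    # via the DDF
[Text.Encoding]::UTF8.GetString((Unprotect-Data $file $agent))   # via the DRF
try   { Unprotect-Data $file $other | Out-Null }
catch { "Unrelated key: $($_.Exception.Message)" }
```

Two things to notice when running it: the same ciphertext opens with either the user's or the agent's private key because the header carries a separately wrapped copy of the FEK for each, and the header stays at 256 bytes per authorised key, consistent with the under-one-kilobyte figure given above. A key that has no entry gets nothing but a padding failure, which is the whole point of wrapping the FEK rather than deriving it from anything shared.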

Working with Encryption and Decryption

When encrypting files, it is best to turn on encryption for folders rather than to encrypt files individually. By using encrypted folders, you do not have to encrypt each file when you save it. This also ensures that any temporary or backup files that the application creates remain encrypted during and after editing, provided that the application does its editing in the same folder. When files or folders are encrypted or decrypted, the date and time stamps on the files and folders are updated to the current date and time.

Note 

Applications do not always use the same folder for temporary files or backup files. Microsoft Word, for example, uses the folder where the encrypted file is located for temporary and backup files but can be configured to use alternate folders. Also, if EFS is appropriate for a specific user, it is a good practice to encrypt the user's My Documents folder because many applications use this folder as the default location to save files. Remember, though, that no files or directories in roaming profiles can be encrypted.

Encrypting and Decrypting Files and Folders by Using My Computer

Applying encryption to a folder by using My Computer is simply a matter of assigning an attribute.

To apply encryption to a folder by using My Computer

  1. In My Computer, select the folder to encrypt.

  2. Right click the folder and click Properties.

  3. On the General tab, click the Advanced button.

  4. Select the Encrypt contents to secure data check box, and then click OK.

    When you click OK, if the folder contains unencrypted files or subfolders, another dialog box appears to ask you if you want to apply the changes to just the folder or to the folder, its subfolders, and all files.

Table 17-1 shows the results of selecting the Apply changes to this folder only option.

Table 17-1: Results of Selecting the Apply Changes to This Folder Only Option

File Description                                            Encryption Status
----------------------------------------------------------  ----------------------------------------------------------------------
Already stored in the folder and its subfolders.            Unchanged. Files remain either encrypted or unencrypted.
Created in or copied to the folder by you later.            File encrypted and FEK encrypted by using your public key.
Created in or copied to the folder by another user later.   File encrypted and FEK encrypted by using the other user's public key.
Created in or copied to subfolders later.                   Unchanged.
Moved to the folder or subfolders later.                    Unchanged.

Table 17-2 shows the results of choosing the Apply changes to this folder, subfolders, and files option.

Table 17-2: Results of Selecting the Apply Changes to This Folder, Subfolders, and Files Option

File Description                                                         Encryption Status
-----------------------------------------------------------------------  ----------------------------------------------------------------------
Already in the folder and its subfolders.                                If you have Write permission, file encrypted and FEK encrypted by using your public key; otherwise, files are unchanged.
Later created in or copied to the folder or subfolders by you.           File encrypted and FEK encrypted by using your public key.
Later created in or copied to the folder or subfolders by another user.  File encrypted and FEK encrypted by using the other user's public key.
Later moved to the folder or subfolders.                                 Moving unencrypted files into an encrypted folder automatically encrypts those files in the new folder.

With either choice, the folder's list of files remains in plaintext and you can enumerate files as usual.

Caution 

EFS lets you encrypt files you do not own, provided that you have Write Attributes, Create Files/Write Data, and List Folder/Read Data permissions for the files. If you select Apply changes to this folder, subfolders, and files in folders where other users also store files, no one but you (and any designated recovery agent) will be able to decrypt the files. If this occurs, you can recover the files by reversing the process. Select the folder and clear the Encrypt contents to secure data check box. On a shared computer, it is better to encrypt folders like My Documents for each individual user. If users have roaming profiles, the My Documents folder cannot be encrypted because no files in a roaming profile can be encrypted. In this case, it is better to create individual data folders outside the user profile for each user.

You can turn on EFS for an individual file by using My Computer in the same way that you apply encryption to a folder. However, when you encrypt a single file, the following warning appears: You have chosen to encrypt a file that is not in an encrypted folder. The file can become decrypted when it is modified. If you select the Always encrypt only the file check box, the warning no longer appears, and EFS encrypts only the file that you select.

To decrypt a file or folder by using My Computer

  1. Right-click the file or folder, and then click Properties.

  2. Click Advanced, and then clear the Encrypt contents to secure data check box.

    This causes EFS to decrypt the selected folder and mark it as unencrypted. When you apply your choice, you also have the option to decrypt all files and subfolders in the folder.

Encrypting and Decrypting Files and Folders by Using the Cipher Command

You can encrypt and decrypt folders or files by using the Cipher.exe command-line utility. Table 17-3 lists the parameters for the tasks that you can perform by using the cipher command.

Note 

You can use wildcard characters and multiple parameters with the cipher command. A space is required between multiple parameters.

Table 17-3: Tasks and Parameters for the Cipher Command

Task                                                                   Parameter(s)
---------------------------------------------------------------------  ------------------------------------------------------------------------
Display the encryption status of files and folders.                    cipher with no parameters, or with the name of a specific file or folder
Set the encryption attribute for folders in the current directory.     /e
Encrypt files in the current directory.                                /e /a
Remove the encryption attribute from folders in the current directory. /d
Decrypt files in the current directory.                                /d /a
Display all of the options available with cipher.                      /?

In the following example, a folder called project docs is encrypted and decrypted. cipher "project docs" displays the status as U (unencrypted). cipher /e "project docs" sets the encryption attribute on the folder, and cipher /d "project docs" removes it. Without /a, only the folder attribute changes; files already in the folder are left as they are.

X:\>cipher "project docs" 
Listing X:\
New files added to this directory will not be encrypted.
U Project docs

X:\>cipher /e "project docs"
Encrypting directories in X:\
Project docs [OK]
1 directorie(s) within 1 directorie(s) were encrypted.

X:\>cipher "project docs"
Listing X:\
New files added to this directory will not be encrypted.
E Project docs

X:\>cipher /d "project docs"
Decrypting directories in X:\
Project docs [OK]
1 directorie(s) within 1 directorie(s) were decrypted.

X:\>cipher "project docs"
Listing X:\
New files added to this directory will not be encrypted.
U Project docs

Enabling EFS Options on the Shortcut Menu

Some organizations might choose to enable EFS on the shortcut menu. Encrypt and Decrypt are then available when a user right-clicks a file or folder in My Computer.

To enable EFS options on the shortcut menu by editing the registry

  1. In the Run dialog box, type regedit.exe.

  2. Navigate to the subkey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced.

  3. On the Edit menu, point to New, and then click DWORD Value.

  4. Enter EncryptionContextMenu for the value name, and 1 for the value data.

This change takes effect the next time My Computer is opened. When the user right-clicks a file or folder on an NTFS volume, the option to encrypt or decrypt appears on the shortcut menu.

Caution 

Do not edit the registry unless you have no alternative. The registry editor bypasses standard safeguards, allowing settings that can damage your system, or even require you to reinstall Windows. If you must edit the registry, back it up first and see the Registry Reference in the Microsoft Windows 2000 Server Resource Kit at http://www.microsoft.com/reskit

Encrypting Offline Files

Microsoft Windows 2000 introduced client-side caching functionality, now called Offline Files, which is an IntelliMirror management technology that allows network users to access files on network shares even when the client computer is disconnected from the network. When disconnected from the network, mobile users can still browse, read, and edit files by using the same UNC path that is used on the network because the files have been cached on the client computer. When the user later connects to the server, the system reconciles the changes with the server. The Windows XP Professional client can use EFS to encrypt offline files and folders. This feature is especially attractive for traveling professionals who need to work offline periodically and maintain data security.

To encrypt offline files

  1. In My Computer, on the Tools menu, click Folder Options.

  2. On the Offline Files tab, select Enable Offline Files and Encrypt offline files to secure data, and click OK.

Offline files will now be encrypted when cached locally, even if they were not encrypted in the network folder.

Determining Encryption Status By Using My Computer

Because encryption is an attribute of a file or folder, it is possible to determine whether a file or folder is already encrypted by examining its attributes. You can open the Advanced Properties sheet for the file or folder and see that the Encrypt contents to secure data check box is selected. You can also add the Attributes column to the Details view. When you do this, any file with an E attribute is encrypted, and any folder with an E attribute has the encryption attribute set.

Both encrypted and compressed files can be displayed with alternate colors in My Computer. Encrypted files are green, and compressed files are blue. Files and folders can either be encrypted or compressed, but they cannot be both encrypted and compressed.

To display encrypted files in an alternate color

  1. In My Computer, on the Tools menu, click Folder Options.

  2. On the View tab, select the Show encrypted or compressed NTFS files in color check box, and click OK. All encrypted file and folder names are displayed in green.

Determining Encryption Status by Using the Cipher Command

Use the cipher command with no parameters or with a file or folder name to display encryption status. In the following example, the encryption status of files and folders in the X:\Project docs directory is displayed. Cipher is executed without any parameters. An E in the left column means that the file or folder is encrypted, and a U means that it is unencrypted.

X:\Project docs>cipher 
Listing X:\Project docs\
New files added to this directory will be encrypted.
E cipher
E plan2.txt
E plan3.txt
E plan4.txt
E plan5.txt
E plan6.txt
E plan7.txt
E plan8.txt
E secretplan.txt
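An added PowerShell example (not from the Resource Kit) that reads the same Encrypted attribute that the Attributes column and cipher report, over a whole folder tree, and flags the case Table 17-1 describes: plaintext files left under a folder whose encryption attribute is set. The function name, the -Fix switch and the D:\Project docs path are the example's own; it assumes Windows PowerShell 5.1 or later and an NTFS volume.

```powershell
function Get-EfsAudit {
    param(
        [Parameter(Mandatory)][string]$Root,   # folder to audit (NTFS)
        [switch]$Fix                           # also encrypt the stragglers
    )
    $ENC  = [System.IO.FileAttributes]::Encrypted
    $COMP = [System.IO.FileAttributes]::Compressed

    foreach ($item in Get-ChildItem -LiteralPath $Root -Recurse -Force) {
        $isEnc  = ($item.Attributes -band $ENC)  -eq $ENC
        $isComp = ($item.Attributes -band $COMP) -eq $COMP
        # The attribute on the PARENT folder only promises that new files will
        # be encrypted; files that were already there when the attribute was
        # set with "Apply changes to this folder only" can still be plaintext.
        $parent    = [System.IO.Directory]::GetParent($item.FullName)
        $parentEnc = ($parent.Attributes -band $ENC) -eq $ENC

        $status = if ($isEnc) { 'Encrypted' }
                  elseif ($parentEnc -and -not $item.PSIsContainer) { 'Plaintext in encrypted folder' }
                  else { 'Plaintext' }

        if ($Fix -and $status -eq 'Plaintext in encrypted folder') {
            # Same effect as cipher /e /a on this one file. A compressed file is
            # uncompressed as part of the operation; the two attributes never
            # coexist. System files and files in use make this fail, so record it.
            try   { [System.IO.File]::Encrypt($item.FullName); $status = 'Encrypted (fixed)' }
            catch { $status = "Encrypt failed: $($_.Exception.Message)" }
        }

        [pscustomobject]@{
            Status     = $status
            Folder     = [bool]$item.PSIsContainer
            Compressed = $isComp
            Path       = $item.FullName
        }
    }
}

# Constructed path; point it at any folder on an NTFS volume.
$audit = Get-EfsAudit -Root 'D:\Project docs'
$audit | Format-Table Status, Folder, Compressed, Path -AutoSize
$audit | Group-Object Status | Select-Object Name, Count

# Command-line equivalent of -Fix for a whole tree (files and subfolders):
#   cipher /e /a /s:"D:\Project docs"
# To list every encrypted file on the local drives instead:
#   cipher /u /n
```

Run it without -Fix first and review the "Plaintext in encrypted folder" rows; on a shared computer some of those files may belong to other users, and encrypting them with your key leaves them readable only by you and any recovery agent, as the Caution above warns.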



Microsoft Windows XP Professional Resource Kit 2003