The Encrypting File System (EFS) is a new feature in Windows 2000. EFS is an extension to NTFS version 5.0, which is included with Windows 2000, and allows the user to encrypt files and folders. EFS uses public/private key technology, which makes it difficult, but not necessarily impossible, to crack. As is typical with this key technology, the public key is used to encrypt the data, and a private key is used for decryption. After encryption is configured, the encrypt/decrypt process is transparent to the user.
The first time that a user selects the encryption attribute from the Properties dialog of a file or folder, as shown in Figure 8.16, EFS automatically generates a public key pair, and the private key is then certified by a Certificate Authority (CA). If a CA is not available, the public key is self-signed. All of this is transparent to the user.

Figure 8.16. The folder Properties dialog box, showing the Advanced Attributes selections.
So that the data can be recovered if the user loses their private key or leaves the company, the local Administrator account is designated as the Data Recovery Agent (DRA). This is the default, and it can be changed using the Public Key Policies node of the Local Security Settings MMC, as shown in Figure 8.17. Because this account is designated as the DRA, a recovery key that the local administrator can use to recover the encrypted data is generated and saved in the local administrator's certificate store. This recovery key can be used only to recover the data; the user's private key is never revealed.

Figure 8.17. The Local Security Settings MMC, showing the Encrypted Data Recovery Agents certificate.
On standalone Windows 2000 servers and workstations, the local Administrator account is designated as the Data Recovery Agent (DRA). In a domain, the Domain Administrator account has this role. If the DRA role is removed by a configuration error, the system assumes that no data recovery policy is in place and refuses to encrypt any files or folders. The following conditions apply when moving or copying encrypted files:
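The recovery-agent arrangement described in the two paragraphs above, shown as an added PowerShell example that is not the book's code and is not EFS's actual on-disk format. It is a deliberately simplified model: a random symmetric key encrypts the document, and that key is wrapped once under the user's public key and once under the DRA's public key, so the agent can recover the data while the user's private key is never used. The two RSA key pairs, the function names Protect-Document and Unprotect-Document, and the sample text are all constructed for the illustration; a real deployment would hand out only the public halves of the keys.

```powershell
using namespace System.Security.Cryptography

# Added example (not from the book): a model of the EFS data-recovery-agent design.
# A fresh AES key protects the document; that key is wrapped separately under the
# user's and the DRA's RSA public keys. Everything lives in memory; nothing touches EFS.
$userKey = [RSACng]::new(2048)   # stands in for the user's EFS key pair (constructed)
$draKey  = [RSACng]::new(2048)   # stands in for the recovery agent's key pair (constructed)
$padding = [RSAEncryptionPadding]::OaepSHA256

function Protect-Document {
    param([byte[]]$Plain, [RSA]$UserPublic, [RSA]$DraPublic)
    $aes = [Aes]::Create()                      # random 256-bit key and IV, CBC/PKCS7
    $enc = $aes.CreateEncryptor()
    [pscustomobject]@{
        CipherText     = $enc.TransformFinalBlock($Plain, 0, $Plain.Length)
        IV             = $aes.IV
        WrappedForUser = $UserPublic.Encrypt($aes.Key, $padding)   # the owner's copy of the file key
        WrappedForDra  = $DraPublic.Encrypt($aes.Key, $padding)    # the recovery copy of the file key
    }
}

function Unprotect-Document {
    param($Doc, [RSA]$Private, [byte[]]$WrappedKey)
    # Unwrap the file key with whichever private key the caller holds, then decrypt.
    $fileKey    = $Private.Decrypt($WrappedKey, $padding)
    $dec        = [Aes]::Create().CreateDecryptor($fileKey, $Doc.IV)
    $plainBytes = $dec.TransformFinalBlock($Doc.CipherText, 0, $Doc.CipherText.Length)
    return ,$plainBytes   # leading comma keeps the byte[] intact instead of unrolling it
}

$plain = [Text.Encoding]::UTF8.GetBytes('Q3 payroll figures (constructed sample text)')
$doc   = Protect-Document -Plain $plain -UserPublic $userKey -DraPublic $draKey

# Normal use: the owner unwraps the user copy of the file key.
[Text.Encoding]::UTF8.GetString((Unprotect-Document $doc $userKey $doc.WrappedForUser))

# Recovery: the DRA unwraps its own copy. The user's private key is never used here.
[Text.Encoding]::UTF8.GetString((Unprotect-Document $doc $draKey $doc.WrappedForDra))

# The recovery key opens only the recovery copy; the DRA cannot unwrap the user's copy.
try {
    Unprotect-Document $doc $draKey $doc.WrappedForUser | Out-Null
} catch {
    "DRA cannot unwrap the user's copy: $($_.Exception.GetBaseException().Message)"
}
```

The last step is the property the chapter stresses: losing or revoking the recovery certificate affects only the recovery copy, and the user's private key is never exposed to the agent. It also shows why removing the DRA entirely is a policy, not just a key, decision: without a recovery copy there is no way back if the user's key is lost.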
Recovering an Encrypted File or Folder

To recover an encrypted file or folder, you must use the EFS recovery agent. To recover a file or folder
Encryption Using the Cipher Command

The cipher command-line utility is supplied so that you can work with encrypted files and folders from the command line. This is handy when you are encrypting or decrypting a large number of files or folders, because you can use wildcards or run the utility from a script.

C:\> cipher /f

The cipher command options are shown in Table 8.1.

Table 8.1. Cipher Command-Line Options
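A scripted use of cipher, as an added PowerShell example that is not from the book: it audits which files under a folder already carry the Encrypted attribute, encrypts the whole tree with cipher.exe, and audits again. The folder path C:\Secret and the helper name Get-EfsStatus are assumptions for the illustration; the switches used are cipher's own /e (encrypt), /a (operate on files as well as directories), /s:dir (recurse) and /f (force, as in the chapter's example). The /a switch matters: without it cipher marks only the directories, and files already inside them are left as they were.

```powershell
# Added example (not from the book): audit and bulk-encrypt a folder with EFS,
# driving the same cipher.exe utility the chapter describes.
$Folder = 'C:\Secret'   # assumed path; point it at the folder you want to protect

# Report whether each file under the folder carries the Encrypted attribute
# (the same state the Advanced Attributes dialog shows for a single file).
function Get-EfsStatus {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            File      = $_.FullName
            Encrypted = [bool]($_.Attributes -band [System.IO.FileAttributes]::Encrypted)
        }
    }
}

'Before:'
Get-EfsStatus -Path $Folder | Format-Table -AutoSize

# /e encrypts, /a includes files (not just directory markers), /s:<dir> walks the
# subtree, and /f forces objects already marked encrypted to be processed as well.
cipher.exe /e /a /f "/s:$Folder"

'After:'
Get-EfsStatus -Path $Folder | Format-Table -AutoSize

# Any file still reported as Encrypted = False after this step is worth a look:
# EFS refuses to encrypt when no recovery policy is in place, and system or
# compressed files cannot be encrypted.
```

Run the audit function on its own before and after a change window; the Encrypted attribute is also the quickest way to confirm that a copy or move to another volume did not silently leave data in clear text.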