Manage W2K's EFS with EFSinfo

by Wayne Maples [Published on 20 April 2004 / Last Updated on 20 April 2004]

W2K's Encrypting File System (EFS) protects confidential files even from intruders who gain physical access to the disk. Perhaps its best useability feature is its transparency. One can encrypt at the file or directory level. EFS lets a user per file designate a file or directory as encrypted. To clarify, encrypted files and directories are encrypted by an individual and can not be shared at this time. If UserX encrypts the file, UserY can not read them (even if UserX wants to share access). There is no method to share the encryption credentials. To encrypt a directory, you
  • Open the directory's Properties menu
  • Click Advanced
  • Select the Encrypt contents to secure data check box
W2K automatically encrypts and decrypts file data in memory as applications write to and read the file. Thus the transparency. After you encrypt the directory, you can use the files as you usually do, without thinking about encryption.

As a systems administrator, a required feature for encryption systems, W2K supports data-recovery agents such that one can recover data that any user encrypts. Consider the situation where critical data has been encrypted on the server and the owner is unavailable (dead, sick, on vacation, ...) You can use Group Policy to assign data-recovery agents. If EFS is used to encrypt a file, only the data-recovery agents specified in Group Policy can access that file. This sets up the situation where server administrators see files and directories they can't read on their "own" servers.

The key to recovery is determining what agent has access. To solve the dilemma, use EFSinfo which is a command-line utility from the W2K Server Resource Kit (it installs with the Security Tools component). EFSinfo displays the recovery agents for a specified directory or file. If you don't specify a pathname, EFSinfo displays encryption information for each file in the current directory. If you type

efsinfo /u

the utility will tell you whether the file is encrypted and who originally encrypted the file. You must use the /r parameter to get the authorized data-recovery agents. In the following example, myprivate.txt was encrypted by Administrator, who is also the data-recovery agent for this system.

D:\docs>efsinfo /r "myprivate.txt"


secret formula.txt: Encrypted
 Recovery Agents:
 XYZ\Administrator (OU=EFS File Encryption Certificate, L=EFS, CN=Administrator)

Efsinfo Syntax:

efsinfo [/u] [/r] [/c] [/i] [/y] [/s:dir] [pathname [...]] [/?]

/u displays encryption information about the files and folders in the current folder. This is the default option. Running Efsinfo without switches produces the same output.

/r displays Recovery agent information.

/c displays certificate thumbnail information.

/i continues performing the specified operation even after errors have occurred. By default, Efsinfo stops when an error is encountered.

/y displays the current EFS certificate thumbnail on the local computer. The files specified might not be on this computer. If no items are returned, there are no encrypted files on the computer.

/s:dir performs the specified operation on folders in the given folder and all subfolders.

pathname [...] specifies the path of one or more files or folders for which to display encryption information.

/? displays command-line Help.
If you need to recover EFS, Elcomsoft has created Advanced EFS Data Recovery to decrypt files encrypted on NTFS partitions in Windows 2000. Files can be decrypted even in a case when the system is not bootable and so you cannot log on, and/or some encryption keys have been tampered. Besides,they say decryption is possible even when Windows is protected using SYSKEY.

EFS Tidbits

  • EFS is a feature of NTFSv5 and only works with Windows 2000.
  • You cannot encrypt system files or folders, that is, systemroot usually \winnt
  • You cannot encrypt compressed files and folders until they are decompressed, its an either or situation.
  • Some apps create temporary files within the folder you are working, others use the TEMP folder. If you are using EFS, its best to encrypt the TEMP folder to protect temporary working files.
  • Copying a file into an encrypted folder results in the file being encrypted (the folder's attribute).
  • Moving a file into an encrypted folder leaves the file ASIS, plaintext or encrypted.
    The difference in copying and moving are due to the different operations. Copying a file requires the creation of a new file being created in the encrypted folder. Since the folder has the encrypted attribute, the new file is encrypted. Moving a file does not involve the actual contents. The operating system simply creates a new entry in the folders directory table and removes the old entry from the directory folder it had been in. Copying involves creating a new file and creating a new entry in the directory table of the folder. Moving only involves creating a new directory entry and deleting the old directory entry.
  • Moving or copying EFS files to another file system removes the encryption. NTFSv5 is the only file system that supports EFS. Move or copy the file to FAT, NTFSv4, or FAT32 and the file is converted to plaintext.
  • Backing up an encrypted file or folder will maintain the contents in their original encrypted form.
    The restored files can be successfully opened if you use the Certificate Export wizard and the Certificate Import wizard to transfer your certificate and private key to your user profile on the new computer.
  • Change the name of an encrypted file or folder. No effect on nature of contents. Stays ASIS. Only directory entry changed.
  • EFS protects from unauthorized access but does not prevent, for example, an administrator or user of group with delete access from deleting the file/folder. EFS would prevent decryption of file/folder if the PC were booted using another operating system.
  • EFS files accessed remotely will be decrypted by the OS and transmitted across the network in plaintext.
  • EFS files are transparently decrypted when access by authorized personnel and held in system cache and are potentially recoverable from the system cache if it is not cleared at shutdown.
  • Do not encrypt files when logged in as local administrator. EFS recovery is compromised since the creator and the recovery agent are the same account. This does not apply if you have changed the default recovery agent.

EFS links:

HowItWorks: Encrypting File System

Best Practices for Encrypting File System

Step-by-Step Guide to Encrypting File System

SANS Analysis : Windows 2000 Encrypting File System

Encrypting File System

Default SYSKEY configuration compromises encrypting file system

See Also

Featured Links