W2K Encrypting File System

by Wayne Maples [Published on 20 April 2004 / Last Updated on 20 April 2004]

Windows 2000 (Professional included) ships an Encrypting File System (EFS) driver that renders files and folders on NTFS volumes unreadable without the decryption key. EFS works only on NTFS and does not encrypt whole volumes; a file copied to FAT media or read across the network leaves the machine in the clear, so EFS protects data at rest only. You can encrypt at the folder or individual file level. Folder-level encryption is the better choice because anything created inside the folder is encrypted automatically, including the temporary files that applications write next to the document (temporary files written elsewhere, for example under %TEMP%, are not covered unless that folder is encrypted as well). If you have a laptop or a PC with sensitive data, EFS provides decent privacy protection. Remember that laptops are valuable, portable, and often stolen.

To use the Encrypting File System in W2K:

  • Right-click the folder or file you want to encrypt
  • Choose Properties
  • Click Advanced in the Attributes section of the General tab
  • Select the option Encrypt Contents To Secure Data in the Advanced Attributes dialog box
  • Click OK and close the Properties sheet.
The Encrypting File System driver and the NTFS compression driver are mutually exclusive. You can use one or the other on a folder or file, but not both.
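The same procedure from the command line, as an added example that is not part of the original article: cipher.exe performs the encryption, and the script then checks the two behaviours described above, that new files inside the folder inherit encryption and that an EFS file cannot also be compressed. The folder path is an assumption for illustration; the cipher.exe switches used (/e, /d, /s:, /a) are the ones available on Windows 2000 and later, and can be typed unchanged at a Windows 2000 command prompt.

```powershell
# Added example (not from the original article): encrypt a folder with
# cipher.exe and verify inheritance and the EFS/compression exclusion.
$ErrorActionPreference = 'Stop'
$Folder = 'C:\Secret'                     # assumed path; must be on an NTFS volume

New-Item -ItemType Directory -Path $Folder -Force | Out-Null

# /e = encrypt, /s:<dir> = apply to the folder and everything below it,
# /a = operate on files as well as folders.
cipher.exe /e "/s:$Folder" /a | Out-Null

function Test-Efs {
    param([string]$Path)
    # EFS sets the Encrypted attribute on every file and folder it protects.
    $attr = (Get-Item -Path $Path -Force).Attributes
    return [bool]($attr -band [IO.FileAttributes]::Encrypted)
}

function Test-Compressed {
    param([string]$Path)
    $attr = (Get-Item -Path $Path -Force).Attributes
    return [bool]($attr -band [IO.FileAttributes]::Compressed)
}

# 1. A file created inside the encrypted folder is encrypted without any
#    further action; this is why folder-level encryption also catches the
#    temporary files applications write beside the document.
$Doc = Join-Path $Folder 'report.txt'
Set-Content -Path $Doc -Value 'sensitive data'
"new file encrypted: $(Test-Efs $Doc)"

# 2. Encryption and compression are mutually exclusive. Ask compact.exe to
#    compress the encrypted file and show which attribute the file ends up with;
#    it can never carry both.
cmd.exe /c "compact /c `"$Doc`" >nul 2>&1"
"after compact: encrypted=$(Test-Efs $Doc) compressed=$(Test-Compressed $Doc)"

# cipher with no switches lists status: E = encrypted, U = unencrypted.
cipher.exe $Folder

# /d reverses the operation when the data is no longer needed in encrypted form.
cipher.exe /d "/s:$Folder" /a | Out-Null
"encrypted after /d: $(Test-Efs $Doc)"
```

Run it in an elevated or plain user session on an NTFS volume; the user running cipher.exe becomes the owner of the file encryption keys, so a different account will not be able to open the files unless it is a recovery agent.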

The cleanest method for recovering encrypted files in a domain environment is to use the Backup utility (ntbackup). Backup reads and writes EFS files in their encrypted form, so the data stays encrypted on the backup medium and the DRA's private key never leaves the secured machine; that is what makes the method safe. It can be made more secure by requiring the DRA to authenticate with a smart card. The steps involved in performing a recovery:

  • Log on as Administrator (or any account holding the Back up files and directories right) to the machine with the encrypted files.
  • Run Backup and back up the encrypted files and/or folders that you want to recover.
  • Log off, then log on as the DRA account to the secured machine that holds the DRA's private key.
  • Restore the files/folders from the backup; they arrive still encrypted.
  • Decrypt the files/folders you just restored.
In a domain there can be multiple recovery agents. A file's data recovery field holds the file encryption key wrapped for every agent that was in the recovery policy when the file was encrypted, so you must log on as one of those agents; an agent added to the policy later cannot open the file until it has been re-encrypted under the current policy.

Another method to recover encrypted files is to export the DRA's private key and use it on the computer that holds the encrypted data. This method is a bit faster than using Backup but it is not as secure, because the private key is copied onto a less trusted machine: if it is left there, anyone who later controls that profile, or who can read the disk offline, can decrypt every file that agent covers.

  • Log on to the machine containing the DRA's private key, using the DRA account.
  • Open an empty MMC and load the Certificates snap-in for the current user.
  • Under Personal > Certificates, right-click the certificate whose intended purpose is File Recovery, choose All Tasks > Export, and tell the wizard to export the private key. The result is a password-protected PKCS #12 (.pfx) file.
  • Copy the .pfx file to the machine that has the encrypted files, over a channel the password does not travel with.
  • On the destination machine, use the Certificates snap-in to import the .pfx file into the DRA account's Personal store.
  • Decrypt the files.
  • Once you are sure the operation was successful, remove the imported certificate and its private key from the machine and delete the .pfx file. Leaving either behind compromises EFS security for every file that agent can recover.
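The import, decrypt, verify and clean-up steps of this method as a single script, added here as an example and not part of the original article. It also covers the final "decrypt the files" step of the Backup procedure above, since that step is the same cipher.exe call. The .pfx path, its password prompt and the data path are assumptions for illustration. Import-PfxCertificate and Remove-Item on the Cert: drive need the PKI module of Windows 8 / Server 2012 or later; on Windows 2000 those two steps are done in the Certificates snap-in and the cipher.exe lines run unchanged.

```powershell
# Added example (not from the original article): recover files with an
# exported DRA key, then remove the key again.
$ErrorActionPreference = 'Stop'
$PfxPath  = 'D:\dra-export.pfx'            # assumed: file produced by the Certificates snap-in
$PfxPass  = Read-Host -AsSecureString 'PFX password'
$DataPath = 'C:\Recovered'                 # assumed: folder holding the encrypted files

# Import into the current user's Personal store. Without -Exportable the
# private key is marked non-exportable, so it cannot be exported again from here.
$Cert = Import-PfxCertificate -FilePath $PfxPath `
            -CertStoreLocation 'Cert:\CurrentUser\My' -Password $PfxPass
"imported DRA certificate: $($Cert.Subject) thumbprint $($Cert.Thumbprint)"

function Get-EncryptedFiles {
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -Force -File |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted }
}

"encrypted files before: $(@(Get-EncryptedFiles $DataPath).Count)"

# EFS looks up a matching recovery key in the user's store on its own.
# /d = decrypt, /s:<dir> = recurse, /a = include files, /i = continue past
# files that this agent's key cannot open instead of stopping at the first one.
cipher.exe /d "/s:$DataPath" /a /i | Out-Null

$Left = @(Get-EncryptedFiles $DataPath)
"encrypted files after: $($Left.Count)"
if ($Left.Count -gt 0) {
    # Their data recovery field does not reference this agent (the file was
    # encrypted under a policy that listed a different DRA).
    Write-Warning 'Files still encrypted; a different recovery agent is needed:'
    $Left | ForEach-Object { "  $($_.FullName)" }
}

# Clean-up: delete the certificate AND its private key from the store, and the
# .pfx file itself. Leaving the key behind would let anyone who later controls
# this profile decrypt every file the agent covers.
Remove-Item -Path "Cert:\CurrentUser\My\$($Cert.Thumbprint)" -DeleteKey
Remove-Item -Path $PfxPath -Force
"DRA key removed: $(-not (Test-Path "Cert:\CurrentUser\My\$($Cert.Thumbprint)"))"
```

The warning branch is the check to watch: a non-zero count after cipher /d means the files were encrypted under a recovery policy that did not include this agent, and no amount of retrying with the same key will help.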

Elcomsoft has created Advanced EFS Data Recovery to decrypt files encrypted on NTFS partitions in Windows 2000. The vendor states that files can be decrypted even when the system is not bootable, so that nobody can log on, and even when some of the encryption keys have been tampered with; they also claim that decryption is possible when Windows is protected with SYSKEY. Tools of this kind work because, on a standalone Windows 2000 machine, the users' EFS private keys and the default recovery agent's (the local Administrator's) private key sit on the same disk as the data, protected by keys derived from the account passwords, so anyone with offline access to the disk and the password can recover them. Keep the DRA's private key off the machine and use strong passwords; otherwise EFS protects mainly against casual inspection.
