Encrypted File System (EFS)

NTFS is a secure file system. However, an increasing number of people use portable computers, and utilities such as NTFSDos can bypass NTFS security entirely, so another layer of protection is needed for these more mobile environments. The Encrypted File System (EFS) was introduced with Windows 2000 and the NTFS 5.0 file system. EFS uses public and private key encryption and the CryptoAPI architecture. EFS can use any symmetric encryption algorithm to encrypt file data and includes support for the Microsoft Enhanced and Strong cryptographic service providers.

No preparation is needed to encrypt files. The first time a user encrypts a file, an encryption certificate for the user and a private key are automatically created.

Encrypted files stay encrypted when they are moved. New files created in an encrypted folder are encrypted automatically. There is no need to decrypt a file before use; the operating system handles this transparently and securely. If a user's private key is lost (for example, through a reinstallation or the creation of a new user account), the EFS recovery agent can still decrypt the files. On domain-joined machines, the recovery agent should be configured as part of the certificate services environment so that the recovery role is held by a dedicated domain-based account rather than a domain administrator account. This is achieved by defining a Recovery Agent Policy.

An enhancement with the Windows 2003 and XP implementation of EFS was the capability to encrypt a file for multiple Data Recovery Agents (DRAs), which allowed multiple users to be given access to encrypted data.

To encrypt a file, perform the following:

  1. Right-click on the file and select Properties from the context menu.
  2. Under the General tab, click the Advanced button.
  3. Check the Encrypt Contents to Secure Data checkbox and click OK.
  4. Click OK to perform the encryption and close the Properties dialog for the file.
  5. You might be prompted to encrypt only the file or its parent folder as well. Encrypting the folder protects against software that creates temporary copies of the file in the same folder: those copies are unencrypted unless the folder itself is marked for encryption, in which case any new content placed in it is encrypted automatically.

After the file is encrypted, additional users can be granted access:

  1. Right-click on the file and select Properties from the context menu.
  2. Under the General tab, click the Advanced button.
  3. Click the Details button in the Advanced Attributes dialog.
  4. A list of users who have access to the file is shown. Click the Add button to give additional users access (each user must have a valid EFS certificate in Active Directory). Users who are trusted on the machine are displayed and can be selected, or click Find User to locate other users in the forest. After the users are added, click OK.
  5. The new users who have been granted access are listed. Click OK in all dialogs to close them.
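The two procedures above can also be carried out and, more importantly, verified from PowerShell with cipher.exe. This is an added example, not code from the original article; it assumes a Windows 7 or later machine with an NTFS profile volume, and `$otherUserThumbprint` is a placeholder for the SHA-1 thumbprint of the second user's EFS certificate, which must already be available in a local certificate store or published in Active Directory.

```powershell
# Added example (not from the original article). Scripts "encrypt a file" and
# "grant another user access", then checks the result instead of trusting the dialogs.
$folder = Join-Path $env:USERPROFILE 'Secret'        # constructed sample path
$file   = Join-Path $folder 'notes.txt'
$otherUserThumbprint = 'PLACEHOLDER_SHA1_THUMBPRINT'  # assumption: replace with a real thumbprint

New-Item -ItemType Directory -Path $folder -Force | Out-Null
Set-Content -Path $file -Value 'constructed sample content'

# Procedure 1: encrypt the folder as well as the file (/a = files too), which is what the
# "parent folder" prompt offers, so temporary copies written by editors are encrypted.
cipher.exe /e /a $folder

function Test-EfsEncrypted {
    # Returns $true when the Encrypted attribute is set on a file or folder.
    param([string]$Path)
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    return [bool]($attrs -band [System.IO.FileAttributes]::Encrypted)
}

# A new file dropped into the encrypted folder should inherit encryption automatically.
$temp = Join-Path $folder 'temp.tmp'
Set-Content -Path $temp -Value 'scratch'
foreach ($p in $folder, $file, $temp) {
    '{0,-6} {1}' -f (Test-EfsEncrypted $p), $p
}

# Procedure 2: grant a second user access (the equivalent of Details > Add in the GUI).
if ($otherUserThumbprint -ne 'PLACEHOLDER_SHA1_THUMBPRINT') {
    cipher.exe /adduser "/certhash:$otherUserThumbprint" $file
}

# Verification: cipher /c lists the users who can decrypt the file and the recovery agent
# (DRA) certificates on it. A file with no recovery agent is lost if the user's private key is.
cipher.exe /c $file
```

Run the verification step on a sample file after a Recovery Agent Policy change to confirm that the domain DRA actually appears on newly encrypted files.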

EFS is a useful feature for individual files or groups of files. However, the BitLocker functionality introduced in Windows Vista encrypts the entire drive and might be a better solution than EFS. When you copy a file that is encrypted with EFS to another NTFS volume, the file stays encrypted. If you copy it to a FAT/FAT32 volume, the file is stored unencrypted, because FAT does not support EFS.