Windows 2000 and the Encrypting File System
Windows 2000 expert Bill Boswell walks you through an introduction to Windows 2000's Encrypting File System and data recovery agents.
Welcome to the operating systems section of InformIT. This is a place to get nitty-gritty details on the products and features that you as system administrators and IT managers need to know to manage your enterprise.
Windows 2000 is the featured operating system this week. There is a lot to explore in Windows 2000. Many of the new features, such as Active Directory and Kerberos and Group Policies, have gotten lots of press. One of the more complex new features likely to have a big impact on the daily lives of our users has gotten comparatively little attention, though. That's the Encrypting File System, or EFS.
EFS provides a way to encrypt sensitive files so that only the person who encrypted the files can read them. When your users finally get Windows 2000 on their desktops and laptops, they're likely to get pretty excited when they find out that they can encrypt their files. Beyond the capability to hide their resumes and recipes, users have a genuine concern about the security of their information. This is especially true for traveling users who carry a lot of proprietary data on their laptops. Also, users who keep sensitive files in shared areas on servers are often skeptical of protecting those files with NTFS permissions and want the additional level of protection that encryption can give.
EFS is an integral component of the operating system itself, not an add-on. EFS is installed on all Windows 2000 servers and desktops by default. The capability to encrypt files can be disabled using Group Policy or local policies, but the EFS service itself cannot be removed or stopped. This means that we as system administrators need to have a clear understanding of how EFS works before we deploy Windows 2000 to our users.
Users can encrypt files simply by selecting the encryption option under Advanced Attributes in File Properties (see Figure 1). This sets an encryption flag on the file and puts a series of processes in motion to encrypt the file and secure the keys used to do the encryption.
Advanced Attributes showing encryption option
Folders can also be flagged as encrypted. When a user creates a file inside an encrypted folder, the encryption flag on the file is set automatically. This encrypts the file for the user who created it, not for the user who encrypted the folder. Using encrypted folders is preferred because encrypting an individual file leaves behind a clear-text temp file that is hidden from the operating system but that still exists on the hard drive.
Files can be encrypted only on an NTFS 5 volume. If you copy or move a file to a FAT, FAT32, or classic NTFS volume, the file will be decrypted and stored in clear text.
EFS operates completely transparently to the user. All encryption and decryption is done on the fly. The encryption key used to scramble the file is also encrypted and stored along with the file. This makes it possible to back up and restore encrypted files to another location.