Exploring How EFS Works
The EFS design starts from the premise that anyone with physical access to a system is a potential threat to its contents, so it must protect files even when they are read under a different operating system. If someone loads Windows 98 on a Windows XP system and gets at the NTFS volume, EFS should still keep the intruder from the protected data. The reason is the way its keys and certificates fit together: each file is encrypted with its own random symmetric file encryption key, and that key is stored with the file only in wrapped form, encrypted to the public key in the user's EFS certificate. Without the matching private key the intruder sees ciphertext, whatever operating system or driver is used to read the disk. NTFS permissions alone offer no such protection, because a foreign operating system simply ignores them; the private key, in turn, is only as well protected as the logon credentials that guard it. In tests with NTFS volumes read from several operating systems, EFS held up. Note that EFS is available only on NTFS: it does not function on the FAT file systems that Windows 3.x and Windows 95/98 use and that Windows NT 4.0 and Windows 2000 still support. FAT provides compatibility with legacy Win16 API-based applications, but it has no security model of its own.
Because EFS is tightly integrated with NTFS, file encryption and decryption are transparent. When you open a file, it is decrypted by EFS as data is read from disk. When you save the file, EFS encrypts the data as it is written to disk. As an authorized user, you might not even realize that the files are encrypted because you can work with them as you normally do.
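The key arrangement described above, as an added PowerShell model rather than Microsoft's implementation: one random symmetric key per file, stored only in a form wrapped by the user's RSA public key. The function names, the object layout and the algorithm choices (AES-256 for the file, RSA-OAEP for the wrapping) are stand-ins for illustration; real EFS keeps the wrapped key in the file's $EFS attribute (the Data Decryption Field) and uses the key behind the user's EFS certificate. It assumes Windows PowerShell 5.1 on the .NET Framework.

```powershell
# Added example, not Microsoft's code: a model of the EFS key design. Each file gets a
# fresh File Encryption Key (FEK); only a copy of the FEK wrapped to the user's public
# key is stored with the file. Names and structures here are illustrative stand-ins.

# The user's key pair; in EFS this is the RSA key behind the user's EFS certificate.
$userKey = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048

function Protect-ModelFile {
    param([byte[]]$Plaintext, [System.Security.Cryptography.RSACryptoServiceProvider]$UserKey)
    $aes = [System.Security.Cryptography.Aes]::Create()   # random FEK and IV for this one file
    $encryptor = $aes.CreateEncryptor()
    $record = [pscustomobject]@{
        Data = $encryptor.TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
        IV   = $aes.IV
        DDF  = $UserKey.Encrypt($aes.Key, $true)   # FEK wrapped with RSA-OAEP: the "DDF"
    }
    $aes.Dispose()   # the plaintext FEK does not outlive the call
    return $record
}

function Unprotect-ModelFile {
    param($Record, [System.Security.Cryptography.RSACryptoServiceProvider]$UserKey)
    $fek = $UserKey.Decrypt($Record.DDF, $true)   # throws unless this is the matching private key
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $fek
    $aes.IV  = $Record.IV
    $decryptor = $aes.CreateDecryptor()
    $out = $decryptor.TransformFinalBlock($Record.Data, 0, $Record.Data.Length)
    $aes.Dispose()
    return $out
}

$secret = [Text.Encoding]::UTF8.GetBytes('payroll figures, do not distribute')   # constructed sample
$onDisk = Protect-ModelFile -Plaintext $secret -UserKey $userKey

# What someone reading the raw volume from another operating system gets: ciphertext
# plus a wrapped key, neither of which is usable without the private key.
'on disk : ' + [BitConverter]::ToString($onDisk.Data).Substring(0, 47) + ' ...'

# The authorized user, whose private key matches the public key used for the DDF, gets plaintext.
'owner   : ' + [Text.Encoding]::UTF8.GetString((Unprotect-ModelFile $onDisk $userKey))

# A different key pair (another account, or another installation of Windows) does not.
$otherKey = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048
try   { Unprotect-ModelFile $onDisk $otherKey | Out-Null; 'other   : decrypted (should not happen)' }
catch { 'other   : ' + $_.Exception.GetBaseException().GetType().Name }
```

The last call fails with a CryptographicException: the OAEP padding check rejects the result of unwrapping with the wrong private key, so the FEK, and with it the file, stays closed. This is also why the strength of EFS rests on the private key rather than on the file attribute, and why backing up that key matters for the legitimate owner as much as protecting it does.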
In its default configuration, EFS enables you to start encrypting files from Windows Explorer with no administrative effort. From a user's point of view, encrypting a file is simply a matter of setting a file attribute: the Encrypt contents check box under the Advanced attributes in the file's Properties dialog. The encryption attribute can also be set for a file folder, in which case any file created in or added to the folder is encrypted automatically.
Microsoft's documentation states that individual files and file folders (and subfolders) on NTFS volumes can be given the encryption attribute and are thereby protected by EFS. There are exceptions: files with the System attribute and files in the system root cannot be encrypted, and encryption and NTFS compression are mutually exclusive, so setting one attribute clears the other. Although it is common to refer to folders with the encryption attribute set as "encrypted," the folder itself is not encrypted, and no public-private key pair is required to set the encryption attribute on a folder. When the attribute is set for a folder, EFS automatically encrypts the following:
- All new files created in the folder
- All plaintext files copied or moved into the folder
- Optionally, all existing files and subfolders
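The three folder rules above, exercised on a real NTFS volume as an added PowerShell example (not code from the original text). It assumes Windows XP or later with %TEMP% on an NTFS volume, a user who holds an EFS certificate (one is issued on first use), and uses the built-in cipher.exe; the folder and file names are arbitrary choices for the demonstration. The check it uses is the FILE_ATTRIBUTE_ENCRYPTED flag that NTFS keeps for each entry, which is what Explorer's check box sets.

```powershell
# Added example, not from the original text: set the encryption attribute on a folder and
# verify each of the rules for what EFS encrypts. Requires an NTFS volume (EFS is not
# available on FAT). Folder and file names are arbitrary.

function Test-Encrypted([string]$Path) {
    # FILE_ATTRIBUTE_ENCRYPTED (0x4000) is the same flag Explorer shows as "Encrypt contents".
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    return ($attrs -band [System.IO.FileAttributes]::Encrypted) -ne 0
}

$root = Join-Path $env:TEMP 'efs-demo'
New-Item -ItemType Directory -Path $root -Force | Out-Null

# A file that exists before the folder gets the attribute.
$existing = Join-Path $root 'existing.txt'
Set-Content -LiteralPath $existing -Value 'created before the folder attribute was set'

# Mark the folder. cipher /E on a directory sets the attribute so that files added later
# are encrypted; the directory entries themselves are not encrypted, and existing files
# are left alone.
cipher /E "$root" | Out-Null

# Rule 1: a new file created in the folder is encrypted automatically.
$new = Join-Path $root 'new.txt'
Set-Content -LiteralPath $new -Value 'created after the folder attribute was set'

# Rule 2: a plaintext file copied into the folder is encrypted on the way in.
$plain = Join-Path $env:TEMP 'efs-demo-plain.txt'
Set-Content -LiteralPath $plain -Value 'plaintext from outside the folder'
$copied = Join-Path $root 'copied.txt'
Copy-Item -LiteralPath $plain -Destination $copied

'--- after marking the folder ---'
foreach ($p in $root, $existing, $new, $copied) {
    '{0,-14} encrypted={1}' -f (Split-Path $p -Leaf), (Test-Encrypted $p)
}
# Expected: efs-demo, new.txt and copied.txt are True; existing.txt is still False.

# Rule 3 (optional): existing files and subfolders are only encrypted on request.
# /A applies the operation to files as well as directories, /S:dir recurses.
cipher /E /A /S:"$root" | Out-Null

'--- after cipher /E /A /S ---'
foreach ($p in $root, $existing, $new, $copied) {
    '{0,-14} encrypted={1}' -f (Split-Path $p -Leaf), (Test-Encrypted $p)
}
# Expected: all four are now True. The copy outside the folder stays plaintext:
'{0,-14} encrypted={1}' -f (Split-Path $plain -Leaf), (Test-Encrypted $plain)
```

Running cipher with a path and no switches lists each entry as E (encrypted) or U (unencrypted), which is the quickest way to audit a tree without the PowerShell function. Note the last line: the plaintext original outside the folder is untouched, so a workflow that copies sensitive files into an encrypted folder and leaves the originals behind has protected nothing.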
Offline Files, the client-side caching feature that arrived with the IntelliMirror technology in Windows 2000 two years earlier, can also be encrypted through EFS, so copies of network files cached on a laptop get the same protection as files stored locally.