Home > Articles > Home & Office Computing > Microsoft Windows Desktop

  • Print
  • + Share This
  • 💬 Discuss
Like this article? We recommend

The Keys to EFS

Three kinds of keys are used in EFS, and they're the keys (so to speak) to using EFS effectively:

  • The encryption key is the user's key pair—the public and private keys that are used to encrypt and (usually) decrypt the file key.
  • The recovery key is a public/private key pair held by the recovery agent and used to decrypt the file key when the user's key is damaged or unavailable.
  • The file encryption key (FEK) actually encrypts the file. It's a DESX key, randomly generated automatically for each file as it's encrypted. Every file encrypted under EFS has a separate file encryption key. The FEK for each file is encrypted by the user's public key and again by the recovery agent's public key, and both copies are kept with the encrypted file.

The user's and the recovery agent's public/private key pairs are stored separately from each other. On a network (as distinct from a standalone computer such as a laptop) the recovery agent's key pairs are kept in separate files on the network with the recovery agent account, while the user's key pair is kept in separate files on the user's machine.

Explanation time: The user needs his/her key pair constantly available to encrypt and decrypt files constantly. The recovery agent's keys are backed up and, one hopes, never needed. The recovery agent's keys are kept on the recovery agent's computer.

The user's private key is used to read the copy of the file encryption key encrypted with the user's public key; then the FEK is used to decrypt the file itself. If the user's private key isn't available, the recovery agent's private key can be used to decrypt the copy of the FEK that was encrypted with the recovery agent's public key.

Normally, the user's system will decrypt the file with the user's private key. However, if the user's private key isn't available, the recovery agent can recover the file using its private key. In either case, the private key is used to recover the appropriate copy of the file encryption key, and the FEK is used to decrypt the file.

Obviously, one of the major concerns with EFS is safeguarding the keys and making sure that they're available when needed. If you lose or corrupt those keys, you're in trouble. If a bad guy gets hold of those keys, you're in even bigger trouble.

  • + Share This
  • 🔖 Save To Your Account

Discussions

comments powered by Disqus