What’s EFS?

by Daniel Petri - January 8, 2009
What is EFS? How can I use it to protect my files and folders?

The Encrypting File System (EFS) is a component of the NTFS file system on Windows 2000, Windows XP Professional, and Windows Server 2003 (Windows XP Home does not include EFS). EFS enables transparent encryption and decryption of files using standard cryptographic algorithms. Unlike third-party encryption tools, EFS is fully integrated into the Windows Explorer shell, which makes encrypting and decrypting files and folders straightforward. Any individual or program that does not possess the appropriate cryptographic key cannot gain access to the encrypted data. Encrypted files are protected even from those who gain physical possession of the computer on which the files reside, and even users who are authorized to access the computer and its file system cannot view the data.

Note: EFS does not offer 100% security against all kinds of attacks. Besides EFS you must also use other defensive measures, such as physically securing your data and computers and using a strong password. Using EFS requires only a few simple bits of knowledge. However, using EFS without knowing the best practices and without understanding the recovery process can give you a false sense of security: your files might not be encrypted when you think they are, or you might enable unauthorized access by having a weak password or by having made the password available to others. It can also result in loss of data if the proper recovery steps are not taken.

EFS has several advantages over traditional encryption techniques. EFS’s encryption technology integrates into the file system, so users can’t access the hard disk without going through the file system. W2K’s EFS drivers run in kernel mode to provide better security. EFS is easy to manage and completely transparent to the user. A user can use a private key, which the OS generates, to encrypt only those files or folders that need protection. Users can then access their data transparently. Users who don’t have the private key can’t access the data.

No preparation is needed to encrypt files; the first time a user encrypts a file, an encryption certificate and a private key for that user are created automatically.

If encrypted files are moved, they stay encrypted, and if users add files to an encrypted folder, the new files are automatically encrypted. There is no need to decrypt a file before use; the operating system handles this for you automatically and securely.

In the event of a user’s private key being lost (either by reinstallation or new user creation) the EFS recovery agent can decrypt the files.

(The original version of this section was written by John Savill and can be found HERE.)

How to use EFS?

EFS is directly integrated into the Windows 2000 shell, and is completely transparent to most programs.

Applying EFS is similar to applying NTFS’s compression attribute. When you encrypt a folder, NTFS individually encrypts the files inside the folder and automatically encrypts any files you add to the folder. If any subfolders exist, you can also encrypt them. By default, NTFS encrypts any subfolders you create in an encrypted folder.

To set up EFS encryption:

  1. Right-click the folder you want, and then click Properties.

  2. On the General tab, click Advanced.

  3. Click to select the Encrypt contents to secure data check box, click OK, and then click OK.

  4. Click either Apply changes to this folder only or Apply changes to this folder, subfolders and files, as appropriate.

For a quicker way around this please read the following article: Quickly Encrypt Files by Right Clicking Them.

As a result, the system rewrites the file or the contents of the folder to the hard disk using encryption, thereby making the data inaccessible to anyone without the proper credentials. Any new files you create in an encrypted folder will automatically write to the hard disk with encryption. File decryption happens automatically, without prompting, when you access a file - if you're the user that set up the encryption. Not only is using EFS much easier than setting NTFS permissions, it's also more secure.

To see the current encryption status of your files and folders please read the EFS - Quickly Check EFS Attributes article.

Information to remember about EFS

  • EFS only works on the Windows 2000 NTFS file system.
  • EFS does not run if there is no recovery agent certificate, but by default it designates a recovery agent account and generates the necessary certificate if you have not done so yourself.
  • You can use EFS to encrypt or decrypt data on a remote computer, but you cannot use it to encrypt data sent over the network.
  • You cannot encrypt system files or folders. You cannot encrypt compressed files and folders until you decompress them.
  • Encrypting an entire folder ensures that the temporary copies of encrypted files that it contains are also encrypted.
  • Copying a file into an encrypted folder encrypts the file, but moving it into the folder leaves the file encrypted or unencrypted, just as it was before you moved it.
  • Moving or copying EFS files to another file system removes the encryption, but backing them up preserves the encryption.
  • Other file permissions are unaffected. An administrator, for instance, can still delete a user's EFS file even though the user cannot open it.
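The following PowerShell script is an added example, not part of the original article. It reproduces the Explorer procedure above from the command line, using cipher.exe to set the encryption attribute on a folder and the .NET FileAttributes.Encrypted flag to check the result, and then shows the create/copy/move behaviour listed in the points above. The folder and file names are constructed for the demo; it assumes an NTFS volume on a Windows edition that includes EFS, and the outcome for the moved file depends on whether the move is a same-volume rename.

```powershell
# Added example (not from the original article): exercise EFS from PowerShell
# in a scratch directory and report which items carry the Encrypted attribute.
# Assumes NTFS and an EFS-capable Windows edition; all paths are constructed.
$base    = Join-Path $env:TEMP 'efs-demo'
$enc     = Join-Path $base 'secret'
$outside = Join-Path $base 'outside'
New-Item -ItemType Directory -Force -Path $enc, $outside | Out-Null

# Encrypt the folder. This is the scripted equivalent of ticking
# "Encrypt contents to secure data" in the Advanced attributes dialog;
# the user's EFS certificate is created on first use if it does not exist.
cipher.exe /E "$enc" | Out-Null

# A file created inside the encrypted folder inherits the attribute.
Set-Content -Path (Join-Path $enc 'new.txt') -Value 'created inside'

# A plaintext file copied in becomes encrypted; a file moved in keeps its
# prior state when the move is a rename on the same volume.
Set-Content -Path (Join-Path $outside 'copied.txt') -Value 'copy me'
Set-Content -Path (Join-Path $outside 'moved.txt')  -Value 'move me'
Copy-Item -LiteralPath (Join-Path $outside 'copied.txt') -Destination $enc
Move-Item -LiteralPath (Join-Path $outside 'moved.txt')  -Destination $enc

# Report the EFS attribute of a file or folder (hypothetical helper name).
function Test-EfsEncrypted {
    param([Parameter(Mandatory)][string]$Path)
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    return [bool]($attrs -band [System.IO.FileAttributes]::Encrypted)
}

# The folder itself and each item inside it, with their encryption status.
'{0,-12} encrypted={1}' -f 'secret/', (Test-EfsEncrypted $enc)
Get-ChildItem -LiteralPath $enc -Force | ForEach-Object {
    '{0,-12} encrypted={1}' -f $_.Name, (Test-EfsEncrypted $_.FullName)
}
```

Run it as the user whose files you want to protect, since the certificate and private key belong to that account. The Test-EfsEncrypted check is the same attribute test that Explorer uses to colour encrypted items, so it is a quick way to confirm that a file you believe is protected actually carries the attribute, which is the mistaken-sense-of-security problem the note above warns about.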

Links

Encrypting File System for Windows 2000

Encrypting File System for Windows 2000 Whitepaper

Encrypting Files in Windows 2000 - 222054

HOW TO: Encrypt Data Using EFS in Windows 2000 - 230520

Best Practices for Encrypting File System - 223316

Encrypting and decrypting data with Encrypting File System

HOW TO: Encrypt Files and Folders on a Remote Windows 2000 Server - 230044
