Encrypting File System

Encrypting File System (EFS), a feature of the NTFS file system first introduced in Windows 2000, increases the security of files by encrypting them so that only those holding the correct encryption key are able to view them. Encryption is the process of scrambling something (in this case a file) in a particular way such that only someone with the right key can unscramble it. The two types of encryption are symmetric key, in which the same key is used to encrypt and decrypt, and asymmetric key, in which one key (the public key) is used to encrypt and a different key (the private key) is used to decrypt.

EFS Implementation

EFS uses a combination of both types of encryption. Each file has its own unique encryption key that is used for encrypting and decrypting the file (symmetric). Additionally, each user has her own public/private key pair that is used to encrypt/decrypt the file encryption key. The following is what happens when a user encrypts a file:

  • The operating system encrypts the file using the file's unique encryption key.

  • The file's encryption key is then itself encrypted using the user's public key and is stored in the data definition field (DDF) of the file.

  • The file encryption key is also encrypted with the public key of a recovery agent (by default the administrator) and stored in the data recovery field (DRF) of the file. This provides the ability to decrypt the file in case the user loses her private key.

This process ensures that the data is secure because only the private key of the user (or the recovery agent) can decrypt the key used to encrypt the file. The problem with this implementation is that it prevents the sharing of encrypted files, even with trusted personnel. In Windows Server 2003 (and Windows XP), the encryption model used by EFS has been expanded to allow the user to designate one or more authorized users. The user can add additional users' public keys to encrypt the file encryption key, thus enabling multiple users to decrypt the file.
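The three steps above and the Windows XP / Server 2003 sharing extension, as an added model written in Go for this page (not code from the original text, and not Windows' own EFS implementation): RSA-OAEP and AES-256-GCM stand in for whatever algorithms EFS actually uses, and the user names, key sizes and field layout are assumptions made for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// EncryptedFile models an EFS file: the body sealed under a per-file FEK, and that FEK wrapped
// once per authorized user (DDF, keyed by user name) and once for the recovery agent (DRF).
type EncryptedFile struct {
	Nonce, Ciphertext, DRF []byte
	DDF                    map[string][]byte
}

// newUserKey makes a fresh key pair standing in for a user's EFS certificate (constructed for the demo).
func newUserKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }

// A user's public/private key pair wraps and unwraps the FEK (RSA-OAEP stands in for EFS's own scheme).
func wrapFEK(pub *rsa.PublicKey, fek []byte) ([]byte, error) { return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fek, nil) }
func unwrapFEK(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) { return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil) }

// fileCipher keys the symmetric file cipher (AES-256-GCM) with the FEK; a 32-byte key cannot fail here.
func fileCipher(fek []byte) cipher.AEAD { b, _ := aes.NewCipher(fek); g, _ := cipher.NewGCM(b); return g }

// EncryptFile: fresh random FEK per file, body sealed with it, FEK wrapped for the owner (DDF) and the agent (DRF).
func EncryptFile(plain []byte, owner string, ownerPub, agentPub *rsa.PublicKey) (f *EncryptedFile, err error) {
	buf := make([]byte, 44) // 32-byte FEK followed by a 12-byte GCM nonce
	if _, err = rand.Read(buf); err != nil { return nil, err }
	fek, nonce := buf[:32], buf[32:]
	f = &EncryptedFile{Nonce: nonce, Ciphertext: fileCipher(fek).Seal(nil, nonce, plain, nil), DDF: map[string][]byte{}}
	if f.DDF[owner], err = wrapFEK(ownerPub, fek); err != nil { return nil, err }
	f.DRF, err = wrapFEK(agentPub, fek)
	return f, err
}

// DecryptFile: the private key matching a DDF entry (or the DRF) unwraps the FEK; any other key fails at the unwrap.
func DecryptFile(f *EncryptedFile, wrapped []byte, priv *rsa.PrivateKey) ([]byte, error) {
	fek, err := unwrapFEK(priv, wrapped)
	if err != nil { return nil, err }
	return fileCipher(fek).Open(nil, f.Nonce, f.Ciphertext, nil)
}

// AddUser models the sharing extension: a user who can unwrap the FEK re-wraps it under another user's public key.
func AddUser(f *EncryptedFile, sharer string, sharerPriv *rsa.PrivateKey, newUser string, newPub *rsa.PublicKey) error {
	fek, err := unwrapFEK(sharerPriv, f.DDF[sharer])
	if err != nil { return err }
	f.DDF[newUser], err = wrapFEK(newPub, fek)
	return err
}
```

Note that a user without a DDF entry cannot add anyone, and a wrong private key fails at the unwrap step without ever seeing the FEK; this is what lets the recovery agent work even when the user's own private key is lost.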

Storing Encrypted Files Remotely

Going along with the concept of making encrypted files more available, Windows Server 2003 supports storage of encrypted files on remote servers without having the user's digital certificate installed on the server. Several requirements exist for this to work. First, only Windows XP and Windows Server 2003 support this feature. Additionally, both the client and the server must be in the same Windows .NET forest. After the domain is in Windows .NET native mode (meaning there are no more Windows 2000 or Windows NT 4 domain controllers), a new delegation tab is available for computer accounts in Active Directory Users and Computers. Selecting Trust This Computer for Delegation to Any Service (Kerberos Only) allows the computer to support encrypted files remotely. This option enables the computer to impersonate the user. Therefore, the computer account then has access to the user's private key and is capable of encrypting and decrypting the user's files.

Encrypted Files on Remote Servers

There are a couple of things to be aware of if you're using encrypted files on remote servers. First, improper use of the Trusted for Delegation option could pose a security risk. Second, the file is not encrypted across the network; it is decrypted on the server and then transmitted across the network just like any other file. One thing you can do to mitigate this is to use some type of network encryption, such as IPSec, to encrypt the network traffic. You also can connect to the remote share via Web Distributed Authoring and Versioning (WebDAV), which can have its own encryption. Connecting via a WebDAV share has the additional benefit that you don't have to designate the computer as trusted for delegation.

Additional improvements to EFS include the ability to use stronger encryption algorithms (DESX in Windows 2000 versus DESX or 3DES in Windows Server 2003) and the capability to encrypt offline files.