2.8.4 EFS – Part 2

Part 2 of 2.8.4 EFS by Val Bakh

In part 1, we explained how Encrypting File System (EFS) works, using a story about your attempts to secure your door as an example. Let's continue the discussion and translate that story into technical terms. Because certificates are so closely tied to encryption, we'll also discuss certificates.
The most important aspect of using EFS is its encryption keys. There are two types of keys: a file encryption key (FEK) and a private/public key pair. EFS automatically generates a FEK for each file you want to protect and uses that FEK to encrypt the file. Certificates are associated with public/private key pairs. A certificate is a digital object that confirms your identity by associating your user name or user account with a pair of keys. The two keys complement one another: the public key is generally available to everyone, while the private key is kept in your user account. In secure environments, the private key can instead be stored on a smart card or similar device.
To encrypt a file, open the file's properties, click Advanced on the General tab, and then select Encrypt contents to protect data. Encryption is transparent: an encrypted file is automatically decrypted when you open it and automatically re-encrypted when you close it. To share the file with other users, click Advanced on the General tab of the file's properties, click Details in the Advanced Attributes dialog box, and then click Add. Only users who already have an EFS certificate can be selected. If the person you want to grant access to does not have an EFS certificate, ask them to encrypt a file first; depending on the situation, that can be a file on their own computer or on another computer. EFS then automatically generates or obtains a certificate for that user.
An EFS certificate can be requested from a certification authority (CA), which might be available on your company network. A CA is a specially configured computer that issues and revokes certificates, publishes certificate revocation lists (CRLs), and performs other certificate-management tasks. You initiate the request from the Certificates console on your computer. The computer generates a private/public key pair and sends the public key to the CA in a certificate request. The CA issues a certificate and sends it back. Optionally, the certificate may be published in Active Directory Domain Services (AD DS). Your domain account then stores the published certificate and its public key; the private key is never published. Your certificate and public key are now available to all AD DS users. The certificate is delivered to you electronically, and a copy is stored in your personal certificate store. Your private key is stored securely in your user profile: if the profile is local, the key is stored on your computer; if the profile is roaming, the key is stored on the profile file server and in the local copy of the profile on each computer you have logged on to.
When you encrypt a file on the computer, EFS generates an FEK, encrypts the file with it, and then searches for a certificate that has been issued to you. If such a certificate is available, EFS uses the public key from that certificate to encrypt the FEK. If EFS cannot find your certificate, it attempts to obtain one from an enterprise CA. If no CA is available, or EFS cannot obtain a certificate for you, EFS automatically generates a self-signed certificate. The key difference between a self-signed certificate and a certificate issued by a CA is that the latter is generally trusted by all relevant entities, such as users on your corporate network.
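The same workflow (encrypt a file so EFS wraps its FEK with your certificate, then add a colleague who already holds an EFS certificate) can be driven from PowerShell instead of the Properties dialog. This is an added example, not code from the original article; the file paths and the colleague's exported certificate file are placeholders, and it assumes the EFS Enhanced Key Usage OID 1.3.6.1.4.1.311.10.3.4 and the built-in cipher.exe tool.

```powershell
# Added example (not from the original article). Paths and the partner's exported
# certificate (.cer) file are placeholders; adjust them for your environment.
$ErrorActionPreference = 'Stop'
$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID for "Encrypting File System"

function Get-MyEfsCertificate {
    # EFS wraps the FEK with the public key of a certificate carrying the EFS EKU.
    # It lives in the current user's personal store (what the Certificates console shows).
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $EfsEkuOid) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
}

function Test-EfsEncrypted([string]$Path) {
    # The Encrypted file attribute mirrors the state of the "Encrypt contents" checkbox.
    [bool]((Get-Item -LiteralPath $Path).Attributes -band [System.IO.FileAttributes]::Encrypted)
}

function Protect-FileWithEfs([string]$Path) {
    # Same as ticking the checkbox: EFS generates the FEK, encrypts the file, and wraps
    # the FEK with your certificate (obtaining or self-signing one if none exists yet).
    [System.IO.File]::Encrypt($Path)
    if (-not (Test-EfsEncrypted $Path)) { throw "EFS did not encrypt $Path" }
    $cert = Get-MyEfsCertificate
    if ($cert) { "Encrypted $Path; FEK wrapped for certificate thumbprint $($cert.Thumbprint)" }
}

function Grant-EfsAccess([string]$Path, [string]$PartnerCerFile) {
    # Same as Advanced > Details > Add: the partner must already have an EFS certificate
    # (created when they encrypt any file, or with 'cipher /k'). Their exported public
    # certificate is enough; EFS wraps the FEK with that public key as well.
    if (-not (Test-EfsEncrypted $Path)) { throw "$Path is not EFS-encrypted" }
    cipher.exe /adduser /certfile:"$PartnerCerFile" "$Path" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "cipher /adduser failed (exit $LASTEXITCODE)" }
}

function Show-EfsAccess([string]$Path) {
    # Lists every certificate that can unwrap the file's FEK (users and recovery agents),
    # which is the check to run after sharing a file.
    cipher.exe /c "$Path"
}

# Usage (placeholder paths):
# Protect-FileWithEfs 'C:\Users\me\Documents\plan.docx'
# Grant-EfsAccess 'C:\Users\me\Documents\plan.docx' 'C:\Temp\colleague-efs.cer'
# Show-EfsAccess 'C:\Users\me\Documents\plan.docx'
```

Show-EfsAccess is the quickest way to confirm which certificates (yours, the colleague's, and any recovery agent) can decrypt the file after sharing it.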
