Encrypting File System
Applies To: Windows Server 2008
Encrypting File System (EFS) is a powerful tool for encrypting files and folders on client computers and remote file servers. It enables users to protect their data from unauthorized access by other users or external attackers.
What does EFS do?
EFS is useful for user-level file and folder encryption. EFS was first introduced in the Microsoft® Windows® 2000 operating system, and has been enhanced in subsequent releases of the operating system.
Who will be interested in this feature?
The following groups might be interested in EFS:
Administrators, IT security professionals, and compliance officers who are tasked with ensuring that confidential data is not disclosed without authorization.
Administrators responsible for servers or Windows Vista® client computers that are portable.
Users who share computers and work with confidential information.
Are there any special considerations?
Before implementing EFS, administrators should plan for recovery of information in the event that keys or certificates are lost. EFS supports a robust recovery mechanism which includes three major changes in this release of Windows:
Key Recovery Agent (KRA) changes
Data Recovery Agent (DRA) can now be on a smartcard, which eliminates the need for an offline recovery station and makes remote recovery possible.
These first two items are both important changes for the Administrator.
- The ntbackup tool is no longer included in the operating system. Instead, the Robocopy utility has been added to Windows Server® 2008 and can copy EFS-encrypted files without needing the decryption key. (Copies made in this way will remain encrypted.) Windows Backup supports backup of EFS files in Windows Server 2008.
All of these changes can significantly change the deployment plan for EFS.
What new functionality does this feature provide?
Several important enhancements to EFS are provided in Windows Server® 2008. These include the ability to store encryption certificates on smart cards, per-user encryption of files in the client side cache, additional Group Policy options, and a new rekeying wizard.
Smart card key storage
EFS encryption keys and certificates can be stored on smart cards, providing stronger protection for the encryption keys. This can be especially valuable to help protect portable computers or shared workstations. Using smart cards to store encryption keys may also provide ways to improve key management in large enterprises.
Why is this functionality important?
Using a smart card to store the EFS keys keeps those keys off of the hard disk of the computer. This increases the security of those keys because they cannot be attacked by another user or by someone who steals the computer.
What works differently?
In Windows Server 2008 and Windows Vista, EFS supports the storage of users’ private keys on smart cards.
Key caching
Using Group Policy settings, you can configure EFS to store private keys on smart cards in non-cached or cached mode.
Non-cached mode. Similar to the traditional way EFS works, all decryption operations requiring the user’s private key are performed on the smart card.
Cached mode. A symmetric key is derived from the user’s private key and cached in protected memory. Encryption and decryption operations involving the user’s key are then replaced with the corresponding symmetric cryptographic operations by using this derived key. This eliminates the need to keep the smart card plugged in at all times or to use the smart card processor for every decryption. It therefore provides a significant increase in performance.
EFS also provides policies to enforce “smart card required” and to control the parameters and caching behavior of users’ keys.
Smart card single sign-on
Smart card single sign-on (SSO) is triggered whenever the user logs on with a smart card and one of the following conditions is true:
The user does not have a valid EFS encryption key on the computer, and smart cards are required for EFS by policy settings.
The user has a valid EFS encryption key that resides on the smart card used for logon.
When SSO is triggered, EFS caches the personal identification number (PIN) entered by the user at logon and uses it for EFS operations as well. Thus the user does not see any PIN prompts from EFS during the session.
If the smart card used for the logon is removed from the smart card reader before any encryption operations are performed, Single Sign On is disabled. The user will be prompted for a smart card and PIN at the first EFS operation.
How should I prepare for this change?
To prepare to use smart cards to store EFS certificates, you should examine your existing public key infrastructure (PKI) implementation and include planning for EFS certificates in your PKI. If your organization does not have a PKI in place, you cannot use smart cards to store EFS certificates.
Per-user encryption of offline files
Offline copies of files from remote servers can also be encrypted by using EFS. When this option is enabled, each file in the offline cache is encrypted with a public key from the user who cached the file. Thus, only that user has access to the file, and even local administrators cannot read the file without having access to the user's private keys.
Important
If multiple users share a computer and more than one user tries to use an encrypted, cached copy of a particular file, only the first user to cache the file can access the offline copy of the file.
Why is this functionality important?
Security is enhanced by the addition of per-user encryption. Previously, any user of the computer could potentially gain access to any file in the offline cache.
What works differently?
In the past, the encryption was done by using system keys; thus, one user could read the offline files of another user. This situation no longer exists because the encryption is performed with each user's own public key.
How should I prepare for this change?
Familiarize yourself with the new EFS settings and choose the options that meet your company's specific security needs.
Increased configurability of EFS through Group Policy
EFS protection policies can be centrally controlled and configured for the entire enterprise by using Group Policy.
A number of new Group Policy options have been added to help administrators define and implement organizational policies for EFS. These include the ability to require smart cards for EFS, enforce page file encryption, stipulate minimum key lengths for EFS, enforce encryption of the user’s Documents folder, and prohibit self-signed certificates.
Why is this functionality important?
Increased configurability improves the efficiency of administrators by enabling them to configure and control EFS policies on an enterprise scale.
What works differently?
Additional settings enhance the effectiveness of Group Policy. To find out more, see What settings have been added or changed? later in this topic.
How should I prepare for this change?
Familiarize yourself with the new EFS settings in Group Policy and choose the options that meet your company's specific security needs.
Encrypting File System rekeying wizard
The Encrypting File System rekeying wizard allows the user to choose a certificate for EFS and to select and migrate existing files that will use the newly chosen certificate. It can also be used to migrate users in existing installations from software certificates to smartcards. The wizard can also be used by an administrator or users themselves in recovery situations. It is more efficient than decrypting and reencrypting files.
Why is this functionality important?
The wizard provides a streamlined, step-by-step process to choose certificates or migrate files.
What works differently?
Files are not automatically re-encrypted whenever they are opened or updated. The wizard provides the user with a high degree of flexibility.
How should I prepare for this change?
On a test computer, click Start. In the Start Search box, type rekeywiz, and then press ENTER. This starts the Encrypting File System rekeying wizard and allow you to become familiar with its operation.
What settings have been added or changed?
In this release of Windows Server 2008, additional EFS options can be managed with Group Policy. The Group Policy settings listed in the following table are available in administrative templates.
This table provides a simple description for each setting. For more information about a specific setting, see the Explain tab of each setting in the Group Policy Management Console (GPMC).
| Template and setting | Path and description | Default | ||
|---|---|---|---|---|
GroupPolicy.admx—EFS recovery policy processing |
Computer Configuration\Administrative Templates\System\Group Policy—Determines when encryption policies are updated. |
Not configured |
||
EncryptFilesonMove.admx—Do not automatically encrypt files moved to encrypted folders |
Computer Configuration\Administrative Templates\System\—Prevents Windows Explorer from encrypting files that are moved to an encrypted folder. |
Not configured |
||
OfflineFiles.admx—Encrypt the Offline Files cache |
Computer Configuration\Administrative Templates\Network\Offline Files\—This setting determines whether offline files are encrypted.
|
Not configured |
||
Search.admx—Allow indexing of encrypted files |
Computer Configuration\Administrative Templates\Windows Components\Search\—This setting allows encrypted items to be indexed by Windows Search. Note There might be data security issues if encrypted files are indexed and the index is not adequately protected by EFS or another means.
|
Not configured |
.gif)
NoteYou can also use the GPMC or the Local Group Policy Editor (secpol.msc) to configure the following EFS options. To view or change these options, expand the Public Key Policies node, right-click Encrypting File System, and then click Properties.
On the General tab, you can configure general options and certificate options. The following general options are available:
| Option | Notes | Default |
|---|---|---|
File encryption using Encrypting File System (EFS) |
If set to Don't allow, EFS cannot be used on this computer. If set to Allow or Not defined, EFS can be used on this computer. |
Not defined |
Encrypt the contents of the user's Documents folder |
If enabled, the Documents folder of all users on this computer will automatically be encrypted with EFS. |
Disabled |
Require a smart card for EFS |
If enabled, software certificates cannot be used for EFS. |
Disabled |
Create caching-capable user key from smart card |
If enabled, the first time a smart card is required for EFS during a user's session, a cached version of the required keys is made, as described earlier in this topic. If disabled, a smart card must be inserted whenever encrypting or decrypting a file protected with a certificate on the smart card. |
Enabled |
Enable pagefile encryption |
If enabled, the Windows memory paging file will be encrypted with EFS. |
Disabled |
Display key backup notifications when user key is created or changed |
If enabled, users will be prompted to back up their EFS keys for recovery whenever a new key is created or a key is changed. |
Domain-joined: Disabled Workgroup or Stand-Alone: Enabled |
In the certificates section, the following options are available:
| Option | Notes | Default |
|---|---|---|
Allow EFS to generate self-signed certificates when a certification authority is not available |
If disabled, users will not be able to use EFS, except with certificates from a certification authority. |
Enabled |
Key size for self-signed certificates |
You can select 1024, 2048, 4096, 8192 or 16384 bit keys. Long key sizes increase security but might decrease performance. |
2048 |
EFS template for automatic certificate requests |
This is the name of the certificate template used to request an EFS certificate from a certification authority. |
Basic EFS |
Note
All EFS templates in Windows Server 2008, both for user and recovery, as well as self-signed EFS certificates now specify a 2048-bit key length by default.
On the Cache tab you can adjust the behavior of the EFS certificate cache. For more information about caching in EFS, click the Learn more about EFS caching link on the Cache tab.
Do I need to change any existing code?
No change to existing code is required for EFS.
How should I prepare to deploy this feature?
Prior to enabling EFS, you should consider the following:
Establish a designated recovery agent and a recovery process.
Review the new EFS settings and determine which configurations are best for your specific security requirements.
Is this feature available in all editions of Windows Server 2008?
EFS is an integral part of the file system all editions of Windows Server 2008, with no difference in functionality among editions. EFS is available on 32-bit and 64-bit platforms.
EFS is available in Windows Vista® Business, Windows Vista® Enterprise and Windows Vista® Ultimate, and can help significantly in protecting data stored on client computers, particularly portable ones.
Additional references
For additional information about EFS, see Encrypting File System in Windows XP and Windows Server 2003 (https://go.microsoft.com/fwlink/?LinkID=85746).
For additional information about protecting data with Microsoft encryption technologies, see Data Encryption Toolkit for Mobile PCs (https://go.microsoft.com/fwlink/?LinkID=85982).