An EFS encryption question.

B

Brian Komar

Not a good idea.
The first time that you forget to import the PKCS#12 before you attempt to
access a file, a new EFS certificate will be generated
From that point on, all newly encrypted files will use the new default EFS
key
If you want to have the removal of the EFS certificate from software, then I
recommend you move to Vista and use a smart-card based EFS certificate
Brian
 
B

bagassa

Good afternoon everyone,

What I like to do is lock some of my sensitive files using the windows EFS
encryption so that if someone were to steal my computer and somehow hack the
password into my account, they still would not be able to read the files.

If I were to:

1. encrypt the files
2. then export the "encrypting file system" certificate from the certificate
manager (in the personal folder) to a thumb drive (and a backup drive).
3. delete the certificate managers copy
4. Every time I want to access the files, I plug the thumb drive in, and use
it to decrypt the files.

Is this a good way to do it ? Any red flags here ?

Thanks for your time and help

Peter
 
B

Brian Komar

Inline...
bagassa said:
Good afternoon Brian,

You raised a good point. Does this mean that the burglar who stole my
computer and broke into my account could still read the files, simply
because Windows will always make a new certificate ?
Click to expand...
No. They would need access to the removed certificate's private key to open
previous files
There is no registry change that can stop this automatic generation?
Click to expand...
No. You need to read the whitepaper on how EFS works.
You could prevent the creation of self-signed EFS, but the client would
still either request a Basic EFS certificate or autoenroll another
certificate.

About those smart card readers you mentioned. Where can I get a simple
one at a reasonable price ?
Click to expand...
You need three things:
1) Smart card
2) Smart card reader
3) Middleware/mini-driver
Google is your friend. Search for Gemalto
 
B

bagassa

Good afternoon Brian,

You raised a good point. Does this mean that the burglar who stole my
computer and broke into my account could still read the files, simply
because Windows will always make a new certificate ?

There is no registry change that can stop this automatic generation?

About those smart card readers you mentioned. Where can I get a simple one
at a reasonable price ?

Thanks for your time and input, Brian.

Peter

========================================
 
B

bagassa

Last question Brian,

The only white paper I found on the MS website talks about security in
general, or about the BitLocker feature which I don't have (I have Vista
Business).

Can I get a link to that EFS white paper that you mentioned ?

Regards,

Peter

==========================
 
G

GreenieLeBrun

bagassa said:
Last question Brian,

The only white paper I found on the MS website talks about security in
general, or about the BitLocker feature which I don't have (I have
Vista Business).

Can I get a link to that EFS white paper that you mentioned ?

Regards,

Peter

==========================
Click to expand...

These may help:-

The Encrypting File System
http://www.microsoft.com/technet/security/topics/cryptographyetc/efs.mspx

Best practices for the Encrypting File System
http://support.microsoft.com/kb/223316/en-us
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

EFS and moving files from old computer to new 2
New EFS tool available - EFS Certificate Configuration Updater 14
Help with EFS 1
Changing computers with EFS documents 1
EFS OST File Encryption 1
EFS Auto enroll 0
NTFS Encryption / Smartcard 3
EFS Trouble - External Drive 2

Top