EFS and private and public key handling ???

Guest

Dear all,

The big thing when you start to encrypt data is, as many people mentioned, to not lose the encryption key.
As I understand it, encryption keys are located on a per-user basis on the system.

I have seen a recommendation in a Microsoft book saying that in order to improve security, one should store the private and public keys on a flash card. Then when decryption or encryption is needed, we insert that flash card and do the work.

Now the question is: can the keys remain on the flash card during encryption or decryption, telling the system that it will find the keys there, or is there no other way than to import the keys into the system and remove them when finished?

The main advantage when keys can be accessed directly from the flash card is that you do not need to remember whether you have saved them or not.

Can this be done, and if yes, how?

Regards,
Serge
 
What book was that?

If done correctly, that would involve importing the keypair, doing some EFS,
exporting the keypair to remove it from the user profile, then using a
utility to securely wipe unused disk space. If done correctly it would be
more secure than leaving the keypair in the user's profile. If done
correctly, it would be a truly HORRIBLE user experience. If done
incorrectly, it could be the worst of both worlds - not more secure; just
more painful to use.

To answer your question:
The certificate and private key can be exported to a .pfx file and deleted
using the Certificates MMC snapin (Personal store). The really easy way to
export an EFS keypair ("cipher /x") will leave the cert and key on the
machine. That's not what you're describing, so the nasty time-consuming way
will have to do. "cipher /w" can be run to wipe free clusters on a drive
once the export is complete. Oh, no - now that I think of it, the situation
is worse than that! We keep a handle open to the key. Reboot the machine
before you "cipher /w" if you really want to be sure that the private key is
gone.
That .pfx file can be "run" or clicked-on to start the PFX Import Wizard.

There is no supported way to use EFS with keys on removable media or
smartcards on any released version of Windows.
--
Drew Cooper [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
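
The export-and-remove procedure described in the reply above, as an added PowerShell example that is not part of the original thread and is not Microsoft's own code. It assumes a current Windows with the PKI module cmdlets, a flash card mounted at `E:\` and the user profile on `C:\` (both placeholder paths), and exactly one EFS certificate with an exportable private key.

```powershell
# Added example: export the EFS keypair to removable media, then remove it
# from the user's profile. Paths are placeholders, not from the thread.
param(
    [string]$PfxPath = 'E:\efs-keypair.pfx'   # hypothetical file on the flash card
)
$ErrorActionPreference = 'Stop'
$EfsOid = '1.3.6.1.4.1.311.10.3.4'            # Encrypting File System EKU

# 1. Locate EFS certificates that have a private key in the Personal store.
$efs = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $EfsOid)
})
if ($efs.Count -ne 1) {
    throw "Expected exactly one EFS keypair, found $($efs.Count); not continuing."
}
$cert = $efs[0]

# 2. Export certificate and private key to a password-protected .pfx.
#    This fails (and the script stops) if the key is marked non-exportable.
$pw = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pw | Out-Null

# 3. Re-read the .pfx and confirm it holds the same certificate
#    before anything is deleted from the machine.
$pfx = Get-PfxData -FilePath $PfxPath -Password $pw
if ($pfx.EndEntityCertificates.Thumbprint -notcontains $cert.Thumbprint) {
    throw 'PFX verification failed; keypair left in the store.'
}

# 4. Delete the certificate together with its private key.
$storePath = "Cert:\CurrentUser\My\$($cert.Thumbprint)"
Remove-Item -Path $storePath -DeleteKey

# 5. Confirm the certificate is gone from the Personal store.
if (Test-Path $storePath) {
    throw 'Certificate still present in the Personal store.'
}
Write-Host "Keypair exported to $PfxPath and removed from the profile."
# The reply notes a handle to the key stays open, so the wipe comes after a reboot.
Write-Host 'Reboot, then run:  cipher /w:C:\   to wipe free clusters.'
```

Until the `.pfx` is imported again, EFS-encrypted files for this user cannot be opened, so keep a second copy of the `.pfx` somewhere safe before relying on the flash card alone.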

