EFS implementation basics


Jon

I want to implement EFS on my home pc (XP Pro on a standalone workgroup) so
that if it gets stolen (or my offsite backups get stolen) the files will be
encrypted and unreadable. I understand that I should export my private key,
and that I should make the administrator account a recovery agent, export
that key and delete it from the machine. I think I know how to do all this,
and will obviously test it all first. What I would like to know prior to
doing all this (and can't easily test) is: 1. Can I import my private key
into a new account (created for example on a new machine, or recreated on
current machine if it crashes and burns). 2. Similarly, if I get a new
machine, can I import the recovery agent key into a new administrator
account? 3. Can I encrypt the entire Documents and Settings folder, rather
than just My Documents? Emails, archives and heaps of other junk get stored
outside of My Documents, but within the profile. Will the encryption affect
the operation of any programs? Thanks...
 
Jon said:
> I want to implement EFS on my home pc (XP Pro on a standalone workgroup) so
> that if it gets stolen (or my offsite backups get stolen) the files will be
> encrypted and unreadable. I understand that I should export my private
> key,

certificate and key - keep them on a couple copies of non-degradable
media, like CD-R and do remember the password to the pfx file.

> and that I should make the administrator account a recovery agent, export

recovery agent does not need to be "the" or even "an" administrator.
When recovering using the DRA it will only be necessary that the
DRA key be loaded in the account and that the account have NTFS
permissions on the files.

> that key and delete it from the machine. I think I know how to do all
> this,

export and safeguard the certificate and key, just as for the
accounts that use EFS. It is necessary for the certificate to
be in the personal certificates of the DRA, but the decryption
key does not need to be (it can be removed from the system).
If the key is removed, it will have to be loaded for the DRA
to do any recovery.

> and will obviously test it all first. What I would like to know prior to
> doing all this (and can't easily test) is:

Actually, you can easily test, and I would recommend doing so.
Just define a couple of test accounts and play - import the cert
and key, etc.

> 1. Can I import my private key
> into a new account (created for example on a new machine, or recreated on
> current machine if it crashes and burns).

Yes. However, be careful if differing operating systems are
involved. If you are using only XP, just keep the systems at
the same service level.

> 2. Similarly, if I get a new
> machine, can I import the recovery agent key into a new administrator
> account?

same as 1.

> 3. Can I encrypt the entire Documents and Settings folder, rather
> than just My Documents?

I would not recommend doing this. Why impose this on
things like the IE cache, the temp area, etc. and some things
like the ntuser.dat part of the registry just do not need this
extra exposure to complexity.

It would be better to redirect folders to a location, move
where Outlook/Outlook Express stores things, etc. to some
folder.

> Emails, archives and heaps of other junk get stored
> outside of My Documents, but within the profile. Will the encryption affect
> the operation of any programs? Thanks...

When you import the key from a pfx be sure that you select
to allow the key to be used without prompting at each use
for the password. That is the only choice that will work.
 
PS Make and keep current the password recovery
disk for any account involved in EFS.
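
The test-account rehearsal recommended in the reply, written out as an XP command-prompt script. This is an added example, not part of the original thread; the folder C:\EfsTest, the backup path C:\EfsBackup\efs-key, and the local account name efstest are assumptions, and the script assumes it is run from an account with administrative rights.

```batch
@echo off
rem Added example (not from the thread): rehearse EFS key backup and restore.
rem Assumed names: C:\EfsTest, C:\EfsBackup\efs-key, local account "efstest".
setlocal
set TESTDIR=C:\EfsTest
set BACKUPDIR=C:\EfsBackup

rem 1. As the normal EFS user: mark an empty folder for encryption, then
rem    create a constructed sample file in it so the file is encrypted.
if not exist "%TESTDIR%" mkdir "%TESTDIR%"
cipher /e "%TESTDIR%"
echo constructed sample data> "%TESTDIR%\sample.txt"

rem 2. Export this user's EFS certificate and private key to efs-key.pfx.
rem    cipher prompts for the password that will protect the PFX.
rem    The backup folder is left unencrypted so another account can read it.
if not exist "%BACKUPDIR%" mkdir "%BACKUPDIR%"
cipher /x "%BACKUPDIR%\efs-key"

rem 3. Create the throwaway account (prompts for its password) and grant it
rem    NTFS read access; the key alone is not enough without NTFS permissions.
net user efstest * /add
cacls "%TESTDIR%" /t /e /g efstest:R
cacls "%BACKUPDIR%" /t /e /g efstest:R

rem 4. Open a command prompt as the test account and run the checks by hand.
echo In the efstest window:
echo   a) type %TESTDIR%\sample.txt      - expect "Access is denied."
echo   b) start %BACKUPDIR%\efs-key.pfx  - import with the Certificate Import
echo      Wizard, leaving strong private key protection (prompting) off
echo   c) type %TESTDIR%\sample.txt      - expect the sample text
runas /user:%COMPUTERNAME%\efstest cmd

rem 5. Clean up the test account, test data and the test copy of the PFX
rem    once the checks are done.
pause
net user efstest /delete
rd /s /q "%TESTDIR%"
rd /s /q "%BACKUPDIR%"
endlocal
```

The same rehearsal works for a recovery agent key: import the DRA's PFX into the test account instead of the user's.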
 