EFS Private Keys Storage

Choi Wai Kin

I am currently working on a new project using an Oracle database to store
confidential information. My boss wants me to use EFS to encrypt the
data files. However, according to our department policy, the private
key used for encrypting confidential data must be stored in a different
machine or in some kind of removable device (not in the database
server).

If I use a domain account to encrypt the data files and then run all
Oracle services on the domain account, is it true that the private key
will be stored in the domain controller instead of the local machine
and the private key will only be retrieved from the domain controller
when the Oracle services need to access the data file? And will the
private key be cached on the local hard disk?

BTW, is it possible to store the private key in a smart card? If so,
I wonder if there is any reference or white paper that I can refer to.

Thank you very much.

Regards,
Wai.

PS: I guess my boss doesn't care if the data is really secure; he
only wants to make sure that we meet the department policy. :)
 
Drew Cooper [MSFT]

EFS private keys are stored in a user's application data. I haven't tried
this, but if the user has redirected AppData and the profile is scrubbed
from your Oracle server on logoff you might be able to meet your needs. The
key will exist on the machine at any time that the user is logged on (with
user profile) - I don't know if that matters.

If the database is going to be online all the time there's no way to keep
the private key somewhere else. That's true of EFS or any other kind of
encryption.

EFS doesn't support private keys on smartcards currently.
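As an added example (not part of the thread, and not Microsoft's code), a PowerShell check that shows on a Windows machine the things Drew describes: the EFS certificate in the user's personal store, the private key container files under the profile's AppData, and whether a given file actually carries the EFS encrypted attribute. The CryptoAPI RSA key location and the data file path are assumptions, not from the thread.

```powershell
# Added example: where does the EFS private key live on this machine?
# Assumes Windows with the PowerShell certificate provider. Run as the account
# that owns the EFS certificate (the service account in question).

$efsOid = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID: Encrypting File System

# 1. EFS certificates in the user's personal store, and whether a private key is present
$efsCerts = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $eku = $_.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $efsOid })
}
foreach ($c in $efsCerts) {
    "EFS cert {0} (thumbprint {1}) HasPrivateKey={2}" -f $c.Subject, $c.Thumbprint, $c.HasPrivateKey
}

# 2. Key containers in the roaming part of the profile.
#    Assumption: EFS keys are CryptoAPI RSA keys, kept DPAPI-protected under
#    %APPDATA%\Microsoft\Crypto\RSA\<user SID>. Because this is profile data, a
#    redirected or roaming profile is what moves them to a file server.
$sid    = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$keyDir = Join-Path $env:APPDATA "Microsoft\Crypto\RSA\$sid"
if (Test-Path $keyDir) {
    Get-ChildItem $keyDir -File | Select-Object Name, Length, LastWriteTime
} else {
    "No CryptoAPI RSA key containers found under $keyDir"
}

# 3. Is a given data file actually EFS-encrypted? Checks the Encrypted file attribute.
function Test-EfsEncrypted {
    param([Parameter(Mandatory)][string]$Path)
    $attrs = (Get-Item -LiteralPath $Path).Attributes
    return [bool]($attrs -band [System.IO.FileAttributes]::Encrypted)
}

# Constructed placeholder path; replace with a real Oracle data file.
$dbf = 'D:\oradata\EXAMPLE\users01.dbf'
if (Test-Path -LiteralPath $dbf) {
    "{0} encrypted: {1}" -f $dbf, (Test-EfsEncrypted -Path $dbf)
}
```

If step 2 lists key files while the service account is logged on, the key material is on the local disk for exactly the period Drew mentions, which is the point a policy reviewer would want to verify.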
 
Choi Wai Kin

Thank you for your response. It helps a lot.

> If the database is going to be online all the time there's no way to keep
> the private key somewhere else. That's true of EFS or any other kind of
> encryption.

And, I have one more question.

When the private key is downloaded from the domain controller for
decryption, is the private key stored in memory only, or must it be
stored on the hard disk? If it must be stored on the hard disk, where
will it be stored?

Thank you very much.

Regards,
Wai.
 
David Cross [MS]

Private keys are not stored on the domain controller - if you use a roaming
user profile, they will be cached to a file server in encrypted form - same
as they are today in a user profile.
 