How does EFS work?

ridergroov

Alright I have read a few things about EFS and encrypting files on the
net and it's not totally sinking in. First question is, are files that
you encrypt only accessible from the computer they reside through the
account that they were encrypted on or can you access them across the
network? Second, wouldn't using NTFS file permissions to lock people
out of certain folders be the same thing? Lastly, where is this
certificate that is spoken of. I'm a little unfamiliar with how
encryption works in the first place and these common observances are
leaving me a little more confused. I also don't understand why there
is no password involved in this type of encrypting technique. I use
AxCrypt to encrypt things and I need a password for that....that makes
sense to me where this method doesn't. Thanks!
 
Marcin Domaslawski

Hi,

In short ...

When you select Properties -> Advanced -> Details you will see who has
access to your encrypted file - there are user names and certificate
fingerprints (You should also select an account as a recovery agent - it helps you
to recover data when something crashes with your account). You can also add
a user from the network here.

You can see your certificate by certmgr.exe -> in Personal container.

Your files are encrypted by certificate which is generated for your account
when you used this option the first time. You don't have to enter additional
passwords, because this certificate is available when you log in to the
system.

Marcin Domaslawski
 
John Wunderlich

> Second, wouldn't using NTFS file permissions to lock people out of
> certain folders be the same thing?

No. With NTFS file permissions, the files are stored unencrypted
and only Windows decides whether a user can view them.
Administrators can view anything they want, and all anyone has to do
is boot your system from a Linux boot disk to view any file that was
supposedly protected by NTFS permissions. EFS actually encrypts the
file which then cannot be read by any means without the encryption
key.

> Lastly, where is this certificate that is spoken of. I'm
> a little unfamiliar with how encryption works in the first place
> and these common observances are leaving me a little more
> confused. I also don't understand why there is no password
> involved in this type of encrypting technique.

The certificate is the equivalent of a computer-generated randomly-
chosen password used to encrypt these files. It is stored, itself,
encrypted somewhere on your computer. The "password" that gives you
access to this certificate is derived from the password/username
that you used to logon to Windows in the first place. Make certain
that you back up this certificate or it is only a matter of time
before you lose access to your own files. It is accessed via the
Internet Options control panel.

> I use AxCrypt to encrypt things and I need a password for
> that....that makes sense to me where this method doesn't. Thanks!

Likewise I find that without a lot of work, EFS is heavily tied to
one computer. If that computer should fail to boot and the
certificate is not backed up, all access to those files is lost. I
use the freeware "Truecrypt" to satisfy my encrypted file needs.

HTH,
-- John
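
Added example, not part of any post in this thread: one way to find the EFS certificate in the Personal store (as Marcin describes) and back it up with its private key (as John recommends). It assumes Windows PowerShell with the PKI module; `$BackupPath` and `$SampleFile` are hypothetical paths.

```powershell
# Added example: locate the current user's EFS certificate and back it up.
# $BackupPath and $SampleFile are hypothetical paths chosen for illustration.

$EfsOid     = '1.3.6.1.4.1.311.10.3.4'   # "Encrypting File System" enhanced key usage
$BackupPath = 'E:\efs-backup.pfx'        # hypothetical: removable or offline media
$SampleFile = 'C:\Data\secret.txt'       # hypothetical EFS-encrypted file

# 1. List certificates in the Personal store that are valid for EFS.
$efsCerts = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $EfsOid }

$efsCerts |
    Select-Object Thumbprint, Subject, NotAfter, HasPrivateKey |
    Format-Table -AutoSize

# 2. Show which users and certificate thumbprints can decrypt one file.
#    Compare the thumbprints printed here with the list from step 1.
if (Test-Path $SampleFile) {
    cipher.exe /c $SampleFile
}

# 3. Export the newest EFS certificate that still has its private key.
#    Without the private key a backup cannot decrypt anything.
$cert = $efsCerts |
    Where-Object HasPrivateKey |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    Write-Warning 'No EFS certificate with a private key found for this account.'
    return
}

# The PFX is protected by its own password, independent of the Windows logon.
$pfxPassword = Read-Host -AsSecureString 'Password to protect the PFX backup'
Export-PfxCertificate -Cert $cert -FilePath $BackupPath -Password $pfxPassword
```

Store the resulting PFX away from the machine; importing it into another account's Personal store is what restores access to the files.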
 
GreenieLeBrun

ridergroov said:
Alright I have read a few things about EFS and encrypting files on the
net and it's not totally sinking in. First question is, are files that
you encrypt only accessible from the computer they reside through the
account that they were encrypted on or can you access them across the
network? Second, wouldn't using NTFS file permissions to lock people
out of certain folders be the same thing? Lastly, where is this
certificate that is spoken of. I'm a little unfamiliar with how
encryption works in the first place and these common observances are
leaving me a little more confused. I also don't understand why there
is no password involved in this type of encrypting technique. I use
AxCrypt to encrypt things and I need a password for that....that makes
sense to me where this method doesn't. Thanks!

This may answer some questions :-

The Encrypting File System
http://www.microsoft.com/technet/security/topics/cryptographyetc/efs.mspx
 