NTFS Encryption / Smartcard

[Michael Meiners]

Hi,

I am trying to store the certificates for NTFS Encryption on the smartcards
of my user. It took me quite long to find a CSP which is capable of doing
so. So far it is working now but now I have some questions regarding NTFS
encryption.

Im am still experimenting around. First I create an encrypted folder, then I
export the encryption certificate and import it into the smartcard and
delete the certificate from the windows store. If I now log off and on I can
only access the encrypted folder if the smartcard is inserted into the
reader. The problem here is that as soon I create a new encrypted folder
windows does not use the existing encryption certificate but generates a new
one. So I would require to have for every encrypted folder a seperate smart
card. Any thoughts how I can optimize this?

As I mentioned above I currently move the windows generated encryption
certificate from the windows store to the card. It would be much more
elegant if I could generate my own certificates and windows uses them for
encryption. I know that the certificate requires the "File System
Encryption" Attribute. In fact some of the certificates I generated do work
fine and other are just ignored by windows. Is there somewhere a document
about the requirements of an encryption certificate available?

Kind Regards
Your M&M

 

[Iuvenalis]

Hi,

I am trying to store the certificates for NTFS Encryption on the
smartcards
of my user. It took me quite long to find a CSP which is capable of doing
so. So far it is working now but now I have some questions regarding NTFS
encryption.

Im am still experimenting around. First I create an encrypted folder, then
I
export the encryption certificate and import it into the smartcard and
delete the certificate from the windows store. If I now log off and on I
can
only access the encrypted folder if the smartcard is inserted into the
reader. The problem here is that as soon I create a new encrypted folder
windows does not use the existing encryption certificate but generates a
new
one. So I would require to have for every encrypted folder a seperate
smart
card. Any thoughts how I can optimize this?

As I mentioned above I currently move the windows generated encryption
certificate from the windows store to the card. It would be much more
elegant if I could generate my own certificates and windows uses them for
encryption. I know that the certificate requires the "File System
Encryption" Attribute. In fact some of the certificates I generated do
work
fine and other are just ignored by windows. Is there somewhere a document
about the requirements of an encryption certificate available?

Kind Regards
Your M&M

Why not use just one key (ie no smartcard), but also NTFS permissions to
determine who can access which dir?
That's what it's there for.

 

[Michael Meiners]

Why not use just one key (ie no smartcard), but also NTFS permissions to
determine who can access which dir?
That's what it's there for.

because anyone who has the password could access the directory. Or even
worse - anyone who gets hold of the harddrive (ie. lost laptop) has access
to the directory. Thats what encryption if for

 

[Iuvenalis]

because anyone who has the password could access the directory. Or even
worse - anyone who gets hold of the harddrive (ie. lost laptop) has access
to the directory. Thats what encryption if for

I didn't say don't encrypt it, I said to have just one encryption key, so it
is still encrypted if it is mounted in another machine.
The persons having access would need to provide a username & password to the
machine.
If it is a laptop I would certainly use Bitlocker on it at least or another
full volume encryption application anyway.
So Bitlocker + EFS + username & good passphrase.