
Lock IT Down: Protecting sensitive data is easy with EFS

Use Windows 2000's Encrypting File System to secure data


Imagine what might happen if you or a company official lost a laptop. Could somebody boot it up and read confidential documents? Could sensitive information be leaked?

“Of course not,” you say. Your organization is using NTFS partitions and alphanumeric passwords.

Well, what happens when somebody lifts your laptop at an airport, takes it home, and boots it from another Windows 2000 installation? NTFS permissions are enforced by the running operating system, not by the disk, so the thief's own installation simply reads the data on your NTFS partitions. That is, unless you used Microsoft's Encrypting File System (EFS).

EFS encrypts each file under its own random key and then protects that key with public-key cryptography, so EFS-protected data stays unreadable to an intruder who has the hard drive but not the matching private key.

You should understand EFS and how it works if you’re going to protect your organization’s sensitive data. And if you’re hoping to pass Redmond’s Win2K exams, you should be prepared to answer a few questions regarding the security enhancement.
What’s EFS?
EFS encrypts files stored on NTFS (version 5) partitions. Once a file has been encrypted, its contents can be read only by someone holding the private key that decrypts it, whatever NTFS permissions they have. EFS is built into Windows 2000 and relies on the operating system's public key infrastructure: each user gets an EFS certificate and key pair, issued by an enterprise certification authority if one is available and otherwise self-signed by the workstation, and encryption and decryption happen transparently as files are written and read.

How secure is it?
EFS closes most of the gaps that trip up other file-encryption tools, but it isn't free of caveats. Temporary copies that an application writes inside an encrypted folder are encrypted too, which is why Microsoft recommends encrypting folders rather than individual files: a file encrypted on its own can leave a plaintext temporary copy wherever the application keeps its scratch files. Backups made with NTBackup preserve the encryption, copies to another NTFS volume on a Windows 2000 system stay encrypted, and renaming a file doesn't affect it. The paging file, however, is not encrypted on Windows 2000, so plaintext from an open file can end up there. And an EFS-protected file must stay on an NTFS partition: copy it to a FAT volume or a floppy, or attach it to an e-mail, and it goes out in the clear.

North American users also benefit from the availability of 128-bit encryption; the international version supports 40-bit encryption. In both cases the file cipher is DESX, a strengthened variant of DES, and the key length is fixed by the Windows 2000 version installed rather than chosen per file.

How does it work?
Follow these steps to encrypt a folder and everything in it (work at the folder level rather than picking individual files, so that new files and temporary copies saved there are encrypted from the start; cipher.exe does the same job from a command prompt):
  1. Right-click on the folder you want to encrypt.
  2. Select Properties.
  3. Choose Advanced from the General tab.
  4. Select the Encrypt Contents To Secure Data check box.
  5. Click OK to close the Advanced Attributes dialog box.
  6. Click OK to close the folder's Properties dialog box.
  7. Specify whether you want to apply the change to that folder only or to all subfolders and the files within them.
  8. Click OK.

If other users try to open the file, they'll receive an "access denied" message, regardless of the NTFS permissions they hold on it.



Here's what happens when you encrypt a file. EFS generates a random file encryption key (FEK), unique to that file, and uses it to encrypt the contents block by block. The FEK itself is never written to disk in the clear. Instead it's stored with the file, in the file's EFS attribute, in two fields:
  • The Data Decryption Field (DDF), which holds the FEK encrypted with your public key
  • The Data Recovery Field (DRF), which holds the FEK encrypted with the public key of each designated recovery agent

Only public keys are needed at encryption time, which is what lets the recovery agent's private key be kept off the machine entirely.

Your private key is then needed to decrypt the file. When you open an encrypted file, EFS locates your EFS certificate and the matching private key in your profile (the private key is protected by your logon password, so EFS is only as strong as that password). If the key matches, EFS uses it to decrypt the DDF, recovers the FEK, and uses the FEK to decrypt the contents as they're read. A user whose private key opens neither the DDF nor an entry in the DRF gets nothing, even with Full Control on the file.

In the event that a user's key is lost, the account is deleted, or the user leaves the company, the designated recovery agent, by default the Administrator account (the domain Administrator in a domain, the local Administrator in a workgroup), uses its own private key to decrypt the DRF and recover the file. You configure recovery agents under Public Key Policies in Local Security Policy for a workgroup or in Group Policy for a domain. Two practical points: Windows 2000 refuses to encrypt anything at all if the recovery policy is empty, and the recovery agent's private key should be exported to removable media and deleted from the machine, so that anyone who gets hold of the Administrator account doesn't get every user's files along with it.
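The key handling described above, written out as a working model. This is an added example for this column, not code from the article or from Microsoft's EFS implementation: it keeps the structure (a random FEK per file, a DDF holding the FEK wrapped to the owner's public key, a DRF holding it wrapped to the recovery agent's public key) but substitutes AES-256-GCM for Windows 2000's DESX and RSA-OAEP for the wrapping, and the type, function and field names are my own. The sample file contents are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

var ddfLabel, drfLabel = []byte("EFS-DDF"), []byte("EFS-DRF") // OAEP labels tie a wrapped FEK to its field

// EncryptedFile models an EFS-protected file: the encrypted contents plus the FEK
// wrapped for the owner (DDF) and for the recovery agent (DRF). Illustrative layout only.
type EncryptedFile struct {
	Nonce, Ciphertext []byte
	DDF, DRF          []byte
}

func newGCM(fek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(fek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt draws a fresh random FEK, encrypts the contents with it, and stores the FEK
// only in wrapped form, once per field. The clear FEK never reaches the disk.
func Encrypt(plaintext []byte, owner, agent *rsa.PublicKey) (*EncryptedFile, error) {
	buf := make([]byte, 32+12) // AES-256 FEK (Windows 2000 used DESX) plus a GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	fek, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(fek)
	if err != nil {
		return nil, err
	}
	f := &EncryptedFile{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}
	if f.DDF, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, owner, fek, ddfLabel); err != nil {
		return nil, err
	}
	if f.DRF, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, agent, fek, drfLabel); err != nil {
		return nil, err
	}
	return f, nil
}

// unlock unwraps the FEK from one field with the given private key and, if that
// works, decrypts the contents. Any other key fails at the unwrap step.
func unlock(f *EncryptedFile, priv *rsa.PrivateKey, wrapped, label []byte) ([]byte, error) {
	fek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, label)
	if err != nil {
		return nil, errors.New("access denied: this private key does not unwrap the FEK")
	}
	gcm, err := newGCM(fek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, f.Nonce, f.Ciphertext, nil)
}

// DecryptAsOwner is the normal path: the owner's private key opens the DDF.
func DecryptAsOwner(f *EncryptedFile, owner *rsa.PrivateKey) ([]byte, error) {
	return unlock(f, owner, f.DDF, ddfLabel)
}

// DecryptAsRecoveryAgent is the recovery path: the agent's key opens the DRF instead.
func DecryptAsRecoveryAgent(f *EncryptedFile, agent *rsa.PrivateKey) ([]byte, error) {
	return unlock(f, agent, f.DRF, drfLabel)
}

// Demo encrypts one constructed file and returns what the owner, the recovery agent
// and an intruder holding the file plus a key of their own get back ("" = access denied).
func Demo() (ownerText, agentText, intruderText string, err error) {
	var k [3]*rsa.PrivateKey // owner, recovery agent, intruder
	for i := range k {
		if k[i], err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
			return
		}
	}
	f, err := Encrypt([]byte("Q3 acquisition target list"), &k[0].PublicKey, &k[1].PublicKey)
	if err != nil {
		return
	}
	o, _ := DecryptAsOwner(f, k[0])
	a, _ := DecryptAsRecoveryAgent(f, k[1])
	i, _ := DecryptAsOwner(f, k[2]) // fails: the intruder's key matches neither field
	return string(o), string(a), string(i), nil
}

func main() {
	o, a, i, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("owner: %q\nrecovery agent: %q\nintruder: %q\n", o, a, i)
}
```

Run it and the owner and the recovery agent both get the plaintext back, while the intruder, who holds the complete file and a perfectly good key pair of his own, is refused at the unwrap step. That is the point of the DDF/DRF design: having the disk is not enough, and the recovery agent's private key is worth as much as every user's key put together, which is why it belongs on removable media rather than on the machine.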

What if I change my mind?
After you’ve encrypted a resource, you can decrypt it by following these steps:
  1. Right-click on the folder you want to decrypt.
  2. Select Properties.
  3. Choose Advanced from the General tab.
  4. Deselect the Encrypt Contents To Secure Data check box.
  5. Click OK to close the Advanced Attributes dialog box.
  6. Click OK to close the folder’s Properties dialog box.
  7. Specify whether you want to apply the change to that folder only or to all subfolders and the files within them.
  8. Click OK.

Important points to remember
Encrypted files can't be shared: in Windows 2000, only the user who encrypted a file (or a recovery agent) can open it, and there is no way to grant another user access short of decrypting it first. It's also important to be aware that an encrypted file can't be compressed, and compressed files can't be encrypted; the two NTFS attributes are mutually exclusive. Files with the system attribute can't be encrypted either. You might want to keep an eye out for a question or two on a Microsoft exam trying to trip you up on those facts.
