Putting Windows 2000's EFS to work

Jim Boyce has already introduced you to the Windows 2000 Encrypting File System (EFS). But how do you actually use it? In this Daily Feature, he shows you how EFS works and how to make practical use of it.

In the Daily Feature titled “Understanding the Windows 2000 Encrypting File System,” I introduced you to Windows 2000's new Encrypting File System (EFS). But now that you know what it does, how do you make it work? In this Daily Feature, I’ll show you.

Where do I begin?
You don’t need to do anything special, either as an administrator or end user, to start using EFS to encrypt files. EFS functions as a component of NTFS and therefore installs automatically when you install Windows 2000. You will, however, want a recovery agent defined for EFS so that encrypted data can be recovered if, for example, an employee leaves the company and destroys his or her certificates before leaving, or a user simply loses his or her certificates. By default, Windows 2000 creates the required recovery certificate (for the domain Administrator on a domain, or the local Administrator on a stand-alone machine) and installs it in the domain or local security policy, which means that you can begin using encryption immediately. Bear in mind that the recovery agent’s private key can decrypt every file the policy covers, so treat it as the master key it is: export it, with the private key, to removable media that is kept offline, and don’t leave it sitting in a profile on an ordinary workstation.

Encrypting and decrypting files
Encrypting an individual file is easy, although you shouldn’t really do so. Rather, you should encrypt your data on a folder-by-folder or volume basis. Encryption and NTFS compression are alike in the respect that the folder properties determine how NTFS treats files that you create in the folder. If the Compression attribute is set for the folder, NTFS compresses all files that you create in the folder. Likewise, if the Encryption attribute is set, NTFS encrypts all files that you create in the folder. This includes files created automatically, such as the temporary and backup copies an application writes while you edit a document; that is the reason to prefer folder-level encryption, because if only the document itself is encrypted, those copies land on disk in plaintext. When you encrypt a folder, you aren’t actually encrypting the folder itself but rather setting its Encryption attribute, which NTFS uses to decide how to process files in the folder.

To set the Encryption attribute on a folder, right-click the folder and choose Properties. On the folder’s Property sheet, click Advanced to open the Advanced Attributes dialog box. Select the option Encrypt Contents To Secure Data, click OK, and then click OK or Apply in the Property sheet. Windows 2000 displays a dialog box asking if you want to apply the change to the folder only or to the folder and all subfolders and files. In general, you’ll probably want to select the latter option to ensure that anything already in the folder is encrypted as well as anything placed in it later. Click OK to apply the change. All you need to do now is create files in that folder, and they will be encrypted. You don’t decrypt a file by hand in order to work with it: just open it in its parent application, and NTFS decrypts it transparently for you while the copy on disk stays encrypted.

As you work with EFS, you’ll find that EFS and NTFS compression are mutually exclusive features. If you encrypt a folder, the folder will no longer be compressed (and the same is true for individual files). If you compress an encrypted folder, it will no longer be encrypted. So, you can encrypt a folder or compress it, but not both.

If you decide you don’t need EFS on a particular folder, you can decrypt it in much the same way you encrypted it. Open the folder’s Property sheet, click Advanced, and deselect the Encrypt Contents To Secure Data option. When you click OK, Windows 2000 asks if you want to apply the change only to the folder or to the child objects as well. If you apply the change only to the folder, any items already encrypted in the folder remain encrypted, but new items you add are not encrypted. If you choose to apply the change to all child objects, all child objects are decrypted.

Using the CIPHER command
While you will probably perform most encryption and decryption from the Explorer GUI, you might have a need to perform those tasks from a command console. For example, you might need to incorporate encryption or decryption tasks in a batch file or even a logon script. You can use the CIPHER command to encrypt and decrypt folders and individual files. The syntax for the CIPHER command is:

CIPHER [/E | /D] [/S:dir] [/A] [/I] [/F] [/Q] [/H] [/K] [pathname [...]]

The options you can use on the CIPHER command include the following:
  • /E encrypts the specified directories. This option sets the encryption attribute for the folder.
  • /D decrypts the specified directories. This clears the encryption attribute, and new files are not encrypted, but existing encrypted child objects are unaffected.
  • /S:dir performs the specified operation on the given directory and all subdirectories.
  • /A performs the specified operation for files as well as directories. Without it, CIPHER acts only on directories, so use it whenever you need to encrypt or decrypt individual files.
  • /I continues the specified operation even if errors occur. By default, CIPHER stops when an error is encountered.
  • /F forces the encryption operation on all specified objects, including those already encrypted. Objects already encrypted are skipped by default.
  • /Q is quiet mode, which reports only essential information.
  • /H displays files with hidden or system attributes; these files are omitted by default.
  • /K creates a new file encryption key for the user. All other options are ignored if any are specified in conjunction with this switch.
  • pathname specifies a file or directory.

Use the CIPHER command without any parameters or switches to view the current encryption state of files in the current folder or in the folder specified by the pathname parameter. The listing begins with a line stating whether new files added to the directory will be encrypted (that is, whether the folder’s Encryption attribute is set), followed by one line per object prefixed E for encrypted or U for unencrypted.
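The audit below is an added example, not code from the original article or from Windows 2000 itself. It parses the listing that CIPHER prints when run with no /E or /D switch and flags two states the sections above warn about: plaintext files sitting in a folder whose Encryption attribute is set (moved in before the attribute was set, or the folder was encrypted with the folder-only option), and encrypted files left behind in a folder whose attribute was cleared with CIPHER /D without /A. The sample output is constructed, the drive paths and file names are assumed, and the E/U prefixes and the "New files added to this directory..." line are the format as I know it from Windows 2000; check it against your own machine’s output before scripting against it.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample output (not captured from a real machine; paths and names are
# assumed for illustration), in the format Windows 2000's CIPHER prints when run without
# /E or /D: a "Listing <dir>" header, a line stating whether new files in that directory
# will be encrypted, then one entry per object prefixed E (encrypted) or U (unencrypted).
# Here C:\Data has its Encryption attribute set but still holds a plaintext file, and
# C:\Data\Contracts had the attribute cleared with "cipher /D" (no /A), so an encrypted
# file was left behind.
SAMPLE_OUTPUT = r"""
 Listing C:\Data\
 New files added to this directory will be encrypted.

E Budget.xls
U Contracts\
U Notes.txt
E Roadmap.doc

 Listing C:\Data\Contracts\
 New files added to this directory will not be encrypted.

E Acme.doc
U Draft.doc
"""

LISTING_RE = re.compile(r"^\s*Listing (?P<dir>\S.*?)\s*$")
POLICY_RE = re.compile(
    r"^\s*New files added to this directory will (?P<neg>not )?be encrypted\.\s*$")
ENTRY_RE = re.compile(r"^(?P<flag>[EU]) (?P<name>\S.*?)\s*$")


@dataclass
class DirListing:
    encrypt_attr: bool = False                      # folder's Encryption attribute
    entries: Dict[str, bool] = field(default_factory=dict)  # name -> is encrypted


def parse_cipher_listing(text: str) -> Dict[str, DirListing]:
    """Parse CIPHER listing output into {directory: DirListing}."""
    listings: Dict[str, DirListing] = {}
    current = None
    for line in text.splitlines():
        m = LISTING_RE.match(line)
        if m:
            current = m.group("dir")
            listings[current] = DirListing()
            continue
        if current is None:
            continue
        m = POLICY_RE.match(line)
        if m:
            listings[current].encrypt_attr = m.group("neg") is None
            continue
        m = ENTRY_RE.match(line)
        if m:
            listings[current].entries[m.group("name")] = m.group("flag") == "E"
    return listings


def _files(listing: DirListing) -> Dict[str, bool]:
    # Subdirectory entries end with a backslash; the audit reports files only.
    return {n: e for n, e in listing.entries.items() if not n.endswith("\\")}


def plaintext_in_encrypted_dirs(listings: Dict[str, DirListing]) -> List[str]:
    """Files stored in the clear inside a folder whose Encryption attribute is set."""
    return [d + n for d, lst in listings.items() if lst.encrypt_attr
            for n, enc in _files(lst).items() if not enc]


def encrypted_in_unencrypted_dirs(listings: Dict[str, DirListing]) -> List[str]:
    """Encrypted files left in a folder whose attribute has been cleared. They stay
    encrypted (cipher /D without /A does not touch existing files), but anything
    saved there from now on will be plaintext."""
    return [d + n for d, lst in listings.items() if not lst.encrypt_attr
            for n, enc in _files(lst).items() if enc]


def remediation_commands(listings: Dict[str, DirListing]) -> List[str]:
    """CIPHER commands that bring stray plaintext files in line with their folder.
    /A is required for CIPHER to act on files rather than directories."""
    return ['cipher /E /A "%s"' % p for p in plaintext_in_encrypted_dirs(listings)]


if __name__ == "__main__":
    parsed = parse_cipher_listing(SAMPLE_OUTPUT)
    for path in plaintext_in_encrypted_dirs(parsed):
        print("plaintext in encrypted folder:", path)
    for path in encrypted_in_unencrypted_dirs(parsed):
        print("encrypted file in unencrypted folder:", path)
    for cmd in remediation_commands(parsed):
        print(cmd)
```

On a real machine you would feed it the output of CIPHER run in each folder of interest (or CIPHER /S:dir for a whole tree) rather than the embedded sample; the remediation lines it prints are ordinary CIPHER invocations with /A, which is the switch most people forget when they try to encrypt a single file from the command line.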

Moving, copying, and renaming encrypted Files
If you’re familiar with NTFS compression, you know that copying and moving files has implications for compression. Copy a compressed file to an uncompressed folder, for example, and the copy of the file is not compressed. Encryption works similarly with a few differences. Windows 2000 uses the encryption attribute of the target folder to decide how to treat an unencrypted file you place there, but a file that is already encrypted stays encrypted wherever it goes on NTFS.

If you copy or move encrypted folders or files to an unencrypted NTFS folder on the same computer, the copies are encrypted regardless of the folder’s encryption attribute. When you copy or move encrypted files to another computer, those folders and files are encrypted only if the other computer supports encryption. The target volume must be NTFS, and the domain or local security policy affecting the target computer must allow encryption. When you copy or move unencrypted folders or files to encrypted volumes or folders, Windows 2000 encrypts the folders and files. This occurs for both local and remote operations.

If you move or copy encrypted folders or files to a FAT volume, Windows 2000 does not encrypt the folder or files because FAT does not support encryption. However, you can use the Windows 2000 Backup applet to back up encrypted folders and files to a backup file on a FAT volume, and the files remain encrypted within the backup file set.

Renaming a folder or file essentially has no effect on its encryption status. If you rename an encrypted object, it remains encrypted. This is true even if you rename it to a different NTFS folder and that target folder does not have its encryption attribute set.

Sharing encrypted files
Users can work with their encrypted files on computers other than those on which they were encrypted, and can let other users open them. In either case, each computer must have the certificate and associated private key that was used to encrypt the data. If you use a roaming profile, your certificates follow you, so you can work with your own encrypted data on any computer that has access to your profile. In other situations, including when working from a remote location, you must export the certificate and key from the computer where the files were encrypted and then import the certificate and key to the other computers. Keep in mind what you are handing over when you share the key rather than the file: whoever holds your EFS private key can decrypt every file encrypted with it, not just the ones you meant to share, so give it only to people you would trust with all of that data.

To use certificate services to share encrypted data, you need to install a public key infrastructure (PKI) and set up a certificate authority, both of which are beyond the scope of this article. However, you can export and import the certificate and key manually.

To do so, log on to the computer where the files were encrypted, using the account credentials that were used to encrypt the data. Open the Certificates console focused on the user account, and then open the Personal/Certificates branch. Scan the Intended Purposes column and locate the certificate(s) issued for Encrypting File System. Right-click the certificate and choose All Tasks | Export to start the Certificate Export wizard. When the wizard asks, choose to export the private key as well (the default is not to export it, and a certificate without its private key cannot decrypt anything), accept the PKCS #12 (.pfx) format it then offers, and protect the file with a strong password. Don’t delete the private key on completion. Next, log on at the other computer(s) where you need to use the encrypted files, open the Certificates console, and import the .pfx file into the Personal store. Or, if you’re using a roaming profile and are importing a certificate from another user, simply log on to any workstation with your roaming profile and import the certificate. The additional certificate(s) will be added to your roaming profile and will be available in future logon sessions from other computers. Once the import is done, delete the .pfx file or store it somewhere offline, since it contains the private key in a form anyone with the password can use.

Even though the Windows 2000 EFS is a very powerful feature, putting it to use is quite easy. However, you must be aware of a few things to make sure that your files remain encrypted as they are being used and to ensure that your users can still share files while leaving them encrypted.
