Regardless of whether your organization currently uses Encrypting File System (EFS), all IT professionals who support Windows 2000, or may support Windows 2000 in the future, should understand the basics of EFS. However, a recent Quick Poll revealed that nearly 20 percent of the 200 members who answered the poll didn’t even know what EFS was.

I decided it was a good time to test our members’ EFS knowledge and help those unfamiliar with EFS to learn more about Windows 2000 EFS. More than 600 TechRepublic members took our Windows 2000 EFS pop quiz, and these are the results. Would you have done better?

Supported drive formats

Figure A

The correct answer is Windows 2000 NTFS (Version 5), and an amazing 87 percent of those who took the quiz knew the answer, as shown in Figure A. Because EFS relies on NTFS reparse points and an installable NTFS file system filter that handles the encryption/decryption process, EFS is only supported on Windows 2000 NTFS (version 5.0) volumes, not FAT volumes.

What EFS can and cannot encrypt

Figure B

The correct answer is Microsoft Office documents, and again a high percentage of our quiz takers, 71 percent to be exact, knew the answer, as shown in Figure B. Windows 2000 EFS cannot encrypt the following:

  • Files on a FAT volume
  • A volume’s root folder
  • Compressed files
  • System files

Windows 2000 EFS can encrypt files on both local and remote (shared) drives. Data encrypted with EFS is also protected during the backup and restore process: encrypted files are read from disk in their encrypted form, stored that way in the backup set, and restored as encrypted files.

A word of caution about encrypting data on shared drives: Information sent across a network is by default transmitted in an unencrypted format. Unless you are using IPSec—a set of protocols that encrypts data sent between two computers over an unsecured network—encrypting files on a shared drive might not provide as high a level of security as encrypting files on a local drive. You can learn more about IPSec by reading this article by Jeremy Smith.

Who can access an EFS encrypted file?

Figure C

The correct answer is False, and this time 66 percent of those who took our quiz knew the answer, as shown in Figure C. If a user’s private key is lost or the user leaves the organization, a designated recovery agent can access EFS encrypted files. The recovery agent is designated via the Encrypted Data Recovery Policy (EDRP). Stand-alone Windows installations create the EDRP automatically with the Administrator account selected as the default recovery agent. In an Active Directory domain, the EDRP is created via domain policy, with the Domain Administrator set as the default recovery agent. To better understand this answer, let’s examine how EFS works.

Windows 2000 EFS uses the Data Encryption Standard X, or DESX encryption algorithm (128-bit in North America and 40-bit International). The first time a user encrypts a file, EFS generates a public key, a private key, and a file encryption certificate for that user. This information is stored within the user’s profile. For each file that is encrypted, Windows then generates a bulk symmetric encryption key—called a File Encryption Key (FEK)—that is actually used to encrypt the file.

EFS then encrypts the FEK with the user’s public key and stores that data within the encrypted file as an attribute called the Data Decryption Field (DDF). EFS also encrypts the same FEK using the recovery agent’s public key, and this second encrypted copy of the FEK is stored in the Data Recovery Field (DRF) of the file. The DRF can contain entries for multiple recovery agents. Each time EFS saves the file, it generates a new DRF using the current recovery agent list, which is based on the EDRP.
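The DDF/DRF arrangement described above, as an added illustration that is not part of the original article or of Windows itself: a toy Python model in which a fresh per-file FEK is wrapped once under the owner’s public key (DDF) and once under each recovery agent’s public key (DRF), so an agent can open the file without the user’s private key, and re-saving rebuilds the DRF from the current agent list. The byte-at-a-time textbook RSA and the HMAC-based keystream are constructed stand-ins, not Windows’ RSA certificates or the DESX cipher.

```python
import hashlib
import hmac
import os

# Toy byte-at-a-time textbook RSA, constructed to stand in for the user's and
# agents' EFS certificates. Real EFS uses RSA certificates and DESX, not this.
def make_keypair(p, q, e):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))          # public (n, e), private (n, d)

def wrap_fek(fek, pub):
    n, e = pub
    return [pow(b, e, n) for b in fek]            # FEK encrypted under a public key

def unwrap_fek(wrapped, priv):
    n, d = priv
    return bytes(pow(c, d, n) for c in wrapped)

def keystream(fek, length):
    # Stand-in for the bulk cipher: HMAC-SHA256 in counter mode, XORed with the data.
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(fek, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))

def efs_encrypt(plaintext, user_pub, agent_pubs):
    fek = os.urandom(16)                          # fresh per-file File Encryption Key
    return {
        "ciphertext": xor(plaintext, keystream(fek, len(plaintext))),
        "DDF": wrap_fek(fek, user_pub),           # Data Decryption Field: FEK for the owner
        "DRF": [wrap_fek(fek, a) for a in agent_pubs],  # Data Recovery Field: one per agent
    }

def open_with_user(entry, user_priv):
    fek = unwrap_fek(entry["DDF"], user_priv)
    return xor(entry["ciphertext"], keystream(fek, len(entry["ciphertext"])))

def recover(entry, agent_priv, index):
    # A recovery agent never needs the user's private key: it unwraps its own DRF entry.
    fek = unwrap_fek(entry["DRF"][index], agent_priv)
    return xor(entry["ciphertext"], keystream(fek, len(entry["ciphertext"])))

def efs_resave(entry, user_priv, current_agent_pubs):
    # On save, the DRF is rebuilt from the current recovery agent list (the EDRP).
    fek = unwrap_fek(entry["DDF"], user_priv)
    return dict(entry, DRF=[wrap_fek(fek, a) for a in current_agent_pubs])
```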

Moving, copying, renaming, and sharing encrypted files

Figure D

The correct answer is False, and 64 percent of our quiz takers got the answer right, as shown in Figure D. Here’s an excerpt from Jim Boyce’s TechProGuild article that explains how EFS handles moving, copying, renaming, and sharing encrypted files.

Moving, copying, and renaming encrypted files
If you copy or move encrypted folders or files to an unencrypted NTFS folder on the same computer, the copies are encrypted regardless of the folder’s encryption attribute. When you copy or move encrypted files to another computer, those folders and files are encrypted only if the other computer supports encryption. The target volume must be NTFS, and the domain or local security policy affecting the target computer must allow encryption. When you copy or move unencrypted folders or files to encrypted volumes or folders, Windows 2000 encrypts the folders and files. This occurs for both local and remote operations.

If you move or copy encrypted folders or files to a FAT volume, Windows 2000 does not encrypt the folder or files because FAT does not support encryption. However, you can use the Windows 2000 Backup applet to back up encrypted folders and files to a backup file on a FAT volume, and the files remain encrypted within the backup file set.

Renaming a folder or file essentially has no effect on its encryption status. If you rename an encrypted object, it remains encrypted. This is true even if you rename it to a different NTFS folder and that target folder does not have its encryption attribute set.

Sharing encrypted files
Users can share encrypted files and work with encrypted files on computers other than those on which they were encrypted. However, each computer must have the certificate and associated private key that was used to encrypt the data. If you use a roaming profile, your certificates follow you, so you can work with your own encrypted data on any computer that has access to your profile. For you or others to share encrypted data in other situations, including when working from a remote location, you must export the certificate and key from the computer where the files were encrypted and then import the certificate and key to the other computers.

To use certificate services to share encrypted data, you need to install a public key infrastructure (PKI) and set up a certificate authority, both of which are beyond the scope of this article. However, you can export and import the certificate and key manually.

To do so, log on to the computer where the files were encrypted, using the account credentials that were used to encrypt the data. Open the Certificates console focused on the user account, and then open the Personal/Certificates branch. Scan the Intended Purposes column and locate the certificate(s) issued for EFS. Right-click the certificate and choose All Tasks | Export to start the Certificate Export wizard. Export the certificate to a file using the default settings and options offered by the wizard. (Don’t delete the private key on completion.) Next, log on at the other computer(s) where you need to use the encrypted files, open the Certificates console, and import the certificate. Or, if you’re using a roaming profile and are importing a certificate from another user, simply log on to any workstation with your roaming profile and import the certificate. The additional certificate(s) will be added to your roaming profile and will be available in future logon sessions from other computers.

Using EFS from the command prompt

Figure E

The correct answer is Cipher, but only 47 percent of those who took our quiz knew this one, as shown in Figure E. Although the most common way to use EFS is through Windows Explorer, you can also manage encryption using the Cipher command from an MS-DOS prompt. With the Cipher command, you can encrypt and decrypt files and display the encryption status of files and folders.

The following is the Cipher syntax as given in the Microsoft Knowledge Base article:
CIPHER [/E | /D] [/S:dir] [/A] [/I] [/F] [/Q] [/H] [/K] [pathname]

You can also use several option switches with Cipher. To view a list of these switches and their definitions, enter the following at an MS-DOS prompt:

Doing so will display the following switches and definitions:

  • /E—Encrypts the specified directories; directories will be marked so that files added afterward will be encrypted.
  • /D—Decrypts the specified directories; directories will be marked so that files added afterward will not be encrypted.
  • /S—Performs the specified operation on directories in the given directory and all subdirectories.
  • /A—Performs the operation on files as well as directories; an encrypted file could become decrypted when modified if the parent directory isn’t encrypted, so it’s recommended that you encrypt both the files and the parent directory.
  • /I—Continues to perform the specified operation even after errors have occurred; by default, Cipher stops when an error is encountered.
  • /F—Forces the encryption operation on all specified objects, even those that are already encrypted; already-encrypted objects are skipped by default.
  • /Q—Reports only the most essential information.
  • /H—Displays files with the hidden or system attributes; these files are omitted by default.
  • /K—Creates a new file encryption key for the user running Cipher; if this option is chosen, all the other options are ignored.
  • Pathname—Specifies a file or directory.

When used without an option switch, Cipher displays the encryption status of the current directory and any files in that directory. Cipher also allows you to use multiple directory names and wildcards.

Send us your quiz topics

If you have a topic you’d like us to cover in an upcoming pop quiz, we want to hear about it. Drop us a line and share your suggestions for both quiz topics and questions. If you’d like to comment about this quiz, please post a comment to this article. Good luck on our next quiz!