
Step-by-Step Guide to Using the Encrypting File System

Published: September 17, 2004

This document provides sample procedures that demonstrate the end-user and administrative capabilities of the Encrypting File System (EFS) included with the Windows Server 2003 operating system.

On This Page

Introduction

Overview

User Scenarios

Administrative Scenarios

Additional Resources

Introduction
Step-by-Step Guides
The Windows Server 2003 Deployment step-by-step guides provide hands-on experience for many common operating system configurations. The guides begin by establishing a common network infrastructure through the installation of Windows Server 2003, the configuration of Active Directory, the installation of a Windows XP Professional workstation, and finally the addition of this workstation to a domain. Subsequent step-by-step guides assume that you have this common network infrastructure in place. If you do not want to follow this common network infrastructure, you will need to make appropriate modifications while using these guides. The common network infrastructure requires the completion of the following guides.

Part I: Installing Windows Server 2003 as a Domain Controller
Part II: Installing a Windows XP Professional Workstation and Connecting It to a Domain

Once the common network infrastructure is configured, any of the additional step-by-step guides may be employed. Note that some step-by-step guides may have additional prerequisites above and beyond the common network infrastructure requirements. Any additional requirements will be noted in the specific step-by-step guide.

Microsoft Virtual PC
The Windows Server 2003 Deployment step-by-step guides may be implemented within a physical lab environment or through virtualization technologies like Microsoft Virtual PC 2004 or Microsoft Virtual Server 2005. Virtual machine technology enables customers to run multiple operating systems concurrently on a single physical server. Virtual PC 2004 and Virtual Server 2005 are designed to increase operational efficiency in software testing and development, legacy application migration, and server consolidation scenarios. The Windows Server 2003 Deployment step-by-step guides assume that all configurations will occur within a physical lab environment, although most configurations can be applied to a virtual environment without modification. Applying the concepts provided in these step-by-step guides to a virtual environment is beyond the scope of this document.

Important Notes
The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, places, or events is intended or should be inferred. This common infrastructure is designed for use on a private network. The fictitious company name and Domain Name System (DNS) name used in the common infrastructure are not registered for use on the Internet. You should not use this name on a public network or Internet. The Active Directory service structure for this common infrastructure is designed to show how Windows Server 2003 Change and Configuration Management works and functions with Active Directory. It was not designed as a model for configuring Active Directory for any organization.

Overview
The Encrypting File System (EFS) included with the Windows Server 2003 operating system is based on public-key encryption and takes advantage of the CryptoAPI architecture in Windows Server 2003. Each file is encrypted using a randomly generated file encryption key, which is independent of a user's public/private key pair. File encryption can use any symmetric encryption algorithm. The release of EFS uses the Data Encryption Standard X, or DESX (128 bit in North America and 40 bit outside of North America) as the encryption algorithm. Future releases will allow alternative encryption schemes. EFS supports encryption and decryption of files stored on local drives as well as those stored on remote file servers.

User Interaction
The default configuration of EFS allows users to start encrypting files with no administrative effort. EFS generates a public-key pair and a file encryption certificate the first time a user encrypts a file. File encryption and decryption is supported per file or for an entire folder, including all sub-folders. Folder encryption is transparently enforced. All objects created in a folder marked for encryption are automatically encrypted. Each file has a unique file encryption key, making it safe to rename the file. If you rename a file from an encrypted folder to an unencrypted folder on the same volume, the file remains encrypted. However, if you copy an unencrypted file to an encrypted folder, the file state will change. In this case, the file becomes encrypted. Command-line tools and administrative interfaces are provided for advanced users and recovery agents.

Data Recovery
EFS provides built-in data recovery support. The Windows Server 2003 security infrastructure enforces the configuration of data recovery keys. You can use file encryption only if the system is configured with one or more recovery keys. EFS allows recovery agents to configure public keys that are used to recover encrypted data if a user leaves the company. Only the file encryption key is available using the recovery key, not a user's private key. This ensures that no other private information is revealed to the recovery agent. Data recovery is intended for organizations that require the ability to recover data encrypted by an employee. A recovery policy can be defined through Group Policy in a Windows Server 2003 domain. The policy is enforced on all domain computers and controlled by domain administrators who typically delegate control to designated data security administrator accounts. This provides strong control and allows flexibility regarding who is authorized to recover encrypted data. EFS supports multiple recovery agents by allowing multiple data recovery configurations. These features provide organizations with redundancy and flexibility in implementing their recovery procedures.

Prerequisites

Part I: Installing Windows Server 2003 as a Domain Controller
Part II: Installing a Windows XP Professional Workstation and Connecting It to a Domain
Step-by-Step Guide to Managing Active Directory
Step-by-Step Guide to Understanding the Group Policy Feature Set

User Scenarios
Encrypting a Folder or File
When encrypting a folder or file, you can use Windows Explorer or the command-line utility, Cipher.exe. This section describes both procedures. This guide assumes you are performing the User Scenario exercises on a computer running Windows XP Professional.

To use Windows Explorer to encrypt a folder or file
1. On HQ-CON-WRK-01, log on as mike@contoso.com. If prompted, change Mike's password to pass#word2.
2. Click the Start button, point to Programs, point to Accessories, and then click Windows Explorer.
3. Right-click the folder or file name you wish to work with (in this example, a folder that was created under My Documents called Encrypted Files), and then choose Properties.
4. On the General tab, in the Encrypted Files Properties dialog box, click Advanced.
5. In the Advanced Attributes dialog box, select the Encrypt contents to secure data check box as shown in Figure 1, and then click OK.

Figure 1. Advanced Attributes

6. In the Encrypted Files Properties dialog box, click OK.
7. You may be asked to choose between encrypting the folder and all its contents, or just the folder itself. If the folder is empty, you will not receive a prompt. If the folder contains objects, choose to encrypt the folder and its contents, and then click OK.
8. A dialog box appears showing you the status of encrypting the folder or file. Click OK.

To use the command line to encrypt a folder or file
1. To encrypt a folder, click the Start button, click Run, type cmd, and then click OK. For example, at the command prompt, type:
cipher /e /s:"C:\Documents and Settings\Mike\My Documents\Encrypted Files"
2. Press Enter. The results should be similar to those shown in Figure 2.

Figure 2. Encrypting from the Command Line

Decrypting a Folder or File

As with encryption, you can use Windows Explorer or a command-line utility to decrypt a folder or file. This section describes both procedures. Note that you do not need to decrypt a file to open the file and edit it. Decrypt a file that you want to make accessible to others.

To use Windows Explorer to decrypt a folder or file
1. Click the Start button, point to Programs, point to Accessories, and then select Windows Explorer.
2. Right-click the folder or file name, and then choose Properties.
3. On the General tab, in the Properties dialog box, click Advanced.
4. In the Advanced Attributes dialog box, clear the Encrypt contents to secure data check box, and then click OK.
5. In the Encrypted Files Properties dialog box, click OK.
6. You are asked to choose between decrypting the folder and all its contents, or just the folder itself. Select the Apply changes to this folder, subfolders and files check box, and then click OK.

Note: It is recommended that you encrypt folders and not individual files. This is because many existing applications are not aware of encryption and can therefore render the file in clear text.

To use the command line to decrypt a folder or file
1. To decrypt a folder, click the Start button, click Run, type cmd, and then click OK. For example, at the command prompt, type:
cipher /d /s:"C:\Documents and Settings\Mike\My Documents\Encrypted Files"
2. Press Enter.
3. Close the Command Prompt window.
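The two command-line procedures above (encrypting and decrypting with cipher /e and cipher /d) can be scripted so that the result is checked rather than assumed. The following PowerShell is an added example, not code from the guide: it runs the same cipher.exe command and then walks the folder tree, reporting any file whose Encrypted attribute does not match what was requested (for example a file that was open in another program while cipher ran). It assumes PowerShell 2.0 or later, cipher.exe on the PATH, and a folder on an NTFS volume; the function names are this example's own.

```powershell
# Added example, not code from the guide: drives cipher.exe the way the two
# command-line procedures above do and then verifies the result file by file.
# Assumes PowerShell 2.0 or later, cipher.exe on the PATH, $Path on an NTFS
# volume. Function names are this example's own.

function Get-EfsState {
    # One object per file under $Path with its Encrypted attribute, the state that
    # cipher.exe run with no arguments lists as "E" (encrypted) or "U" (unencrypted).
    param([Parameter(Mandatory = $true)][string] $Path)

    Get-ChildItem -LiteralPath $Path -Recurse -Force |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $flag = [int]($_.Attributes -band [System.IO.FileAttributes]::Encrypted)
            New-Object PSObject -Property @{
                FullName  = $_.FullName
                Encrypted = ($flag -ne 0)
            }
        }
}

function Set-EfsFolder {
    # Runs "cipher /e /s:<folder>" or "cipher /d /s:<folder>" and returns the files
    # whose state still does not match the request, so nothing is silently left behind.
    param(
        [Parameter(Mandatory = $true)][string] $Path,
        [Parameter(Mandatory = $true)][ValidateSet('Encrypt', 'Decrypt')][string] $Mode
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Folder not found: $Path"
    }

    $op = if ($Mode -eq 'Encrypt') { '/e' } else { '/d' }
    # /s: applies the change to the folder, every sub-folder and the files in them.
    & cipher.exe $op "/s:$Path" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "cipher.exe $op failed with exit code $LASTEXITCODE"
    }

    $wantEncrypted = ($Mode -eq 'Encrypt')
    Get-EfsState -Path $Path | Where-Object { $_.Encrypted -ne $wantEncrypted }
}

# Usage with the folder from the guide's example.
$folder = 'C:\Documents and Settings\Mike\My Documents\Encrypted Files'
$leftBehind = @(Set-EfsFolder -Path $folder -Mode Encrypt)
if ($leftBehind.Count -gt 0) {
    Write-Warning "Files still unencrypted after cipher /e:"
    $leftBehind | ForEach-Object { Write-Warning $_.FullName }
} else {
    Write-Host "Every file under '$folder' is encrypted."
}
```

Switching the last call to -Mode Decrypt performs the decryption procedure and lists any file that is still encrypted. The per-file check matters because cipher.exe reports per-file failures in its own output, which is easy to miss when the command is run from a batch job.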

Copying an Encrypted Folder or File


This section explains the procedures and limitations for copying encrypted folders or files on the same volume, and from one volume to another.

To copy a file or folder on the same computer from one NT File System (NTFS) partition in a Windows Server 2003 location to another NTFS partition in a Windows Server 2003 location
Copy the file or folder as you would an unencrypted file. Use Windows Explorer or the command prompt. The copy is encrypted.

To copy a file or folder on the same computer from an NTFS partition in a Windows Server 2003 volume to a File Allocation Table (FAT) partition
Copy the file or folder as you would an unencrypted file. Use Windows Explorer or the command prompt. Because the destination file system does not support encryption, the copy is in clear text.

To copy a file or folder to a different computer where both use NTFS partitions in Windows Server 2003
Copy the file or folder as you would an unencrypted file. Use Windows Explorer or the command prompt. If the remote computer allows you to encrypt files, the copy is encrypted; otherwise, it is in clear text. Note that the remote computer must be trusted for delegation; in a domain environment, remote encryption is not enabled by default.

To copy a file or folder to a different computer from an NTFS partition in a Windows Server 2003 location to a FAT or NTFS partition in a Microsoft Windows NT 4.0 location
Copy the file or folder as you would an unencrypted file. Use Windows Explorer or the command prompt. Because the destination file system does not support encryption, the copy is in clear text.
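The four cases above reduce to one rule: the copy is encrypted only if the destination can store an encrypted file, and for a remote server that also depends on the server being trusted for delegation. The following PowerShell is an added example, not code from the guide, that applies that rule before and after a copy: it refuses to copy an encrypted item onto a local volume that is not NTFS unless explicitly told to, and after any copy it reads the Encrypted attribute of what actually landed on disk, which is the only reliable check for the remote-server case. It assumes PowerShell 2.0 or later and an existing destination folder; the volume format can only be read for a local drive letter, so a UNC destination is treated as unknown and relies on the post-copy check. Function names are this example's own.

```powershell
# Added example, not code from the guide: copy helper that applies the rules in the
# "Copying an Encrypted Folder or File" section. Assumes PowerShell 2.0 or later;
# function names are this example's own.

function Get-VolumeFormat {
    # "NTFS", "FAT32", ... for a path on a local drive; "UNKNOWN" for a UNC path,
    # whose file system cannot be read through System.IO.DriveInfo.
    param([Parameter(Mandatory = $true)][string] $Path)
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $root = [System.IO.Path]::GetPathRoot($full)
    if ($root -like '\\*') { return 'UNKNOWN' }
    return (New-Object System.IO.DriveInfo $root).DriveFormat
}

function Test-EfsEncrypted {
    # True when the file or folder carries the NTFS Encrypted attribute.
    param([Parameter(Mandatory = $true)][string] $Path)
    $item = Get-Item -LiteralPath $Path -Force
    return ([int]($item.Attributes -band [System.IO.FileAttributes]::Encrypted)) -ne 0
}

function Copy-EfsItem {
    # Copies $Source into the existing folder $Destination and reports the encryption
    # state of both ends. Refuses a copy that is known in advance to become clear text.
    param(
        [Parameter(Mandatory = $true)][string] $Source,
        [Parameter(Mandatory = $true)][string] $Destination,
        [switch] $AllowClearText
    )
    if (-not (Test-Path -LiteralPath $Destination -PathType Container)) {
        throw "Destination folder does not exist: $Destination"
    }

    $sourceEncrypted = Test-EfsEncrypted -Path $Source
    $format = Get-VolumeFormat -Path $Destination

    # Case 2 and case 4 from the guide: a non-NTFS destination cannot hold the
    # encrypted copy, so stop here unless the caller accepts a clear-text copy.
    if ($sourceEncrypted -and $format -ne 'NTFS' -and $format -ne 'UNKNOWN' -and -not $AllowClearText) {
        throw "Refusing to copy encrypted item '$Source' to a $format volume: the copy would be clear text (use -AllowClearText to override)."
    }

    Copy-Item -LiteralPath $Source -Destination $Destination -Recurse -Force

    # Case 3: an NTFS destination on a remote server only keeps the encryption if
    # the server is trusted for delegation, so check the copy that was written.
    $copyPath = Join-Path $Destination (Split-Path -Leaf $Source)
    $copyEncrypted = Test-EfsEncrypted -Path $copyPath
    if ($sourceEncrypted -and -not $copyEncrypted) {
        Write-Warning "Copy at '$copyPath' is in clear text."
    }

    New-Object PSObject -Property @{
        Source            = $Source
        Copy              = $copyPath
        DestinationFormat = $format
        SourceEncrypted   = $sourceEncrypted
        CopyEncrypted     = $copyEncrypted
    }
}

# Usage: this call throws if D:\ is a FAT volume and the source is encrypted.
Copy-EfsItem -Source 'C:\Documents and Settings\Mike\My Documents\Encrypted Files' -Destination 'D:\'
```

Later Windows versions may fail such a copy with an encryption error instead of silently writing clear text (cmd's copy command has a /D switch to allow a decrypted destination for that reason); in that case Copy-Item throws, which for this helper is also an acceptable outcome since no clear-text copy was produced.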

Moving or Renaming an Encrypted Folder or File


This section explains the procedures and limitations for moving encrypted folders or files on the same volume, and from one volume to another.

To move or rename a file or folder within the same volume. Move the file as you would an unencrypted file. Use Windows Explorer, the context menu, or the command prompt. The destination file or folder remains encrypted.

To move a file or folder between volumes. This is essentially a copy operation. Review the previous section, Copying an Encrypted Folder or File.

Deleting an Encrypted Folder or File


If you have access to delete the file or folder, you can delete it as you would an unencrypted file. Deleting an encrypted folder or file is not restricted to the user who originally encrypted the file.

Backing Up an Encrypted Folder or File

Backing up by copying. A backup created using the Copy command or menu selection can result in clear text, as explained previously in the section, Copying an Encrypted Folder or File.

Backing up using the Backup utility in Windows Server 2003 or any backup utility that supports Windows Server 2003 features. This is the recommended way to back up encrypted files. The backup will maintain the file encryption, and the backup operator does not need access to private keys to do the backup; only access to the file or folder is needed to complete the task.

Restoring an Encrypted File or Folder


Restore operations parallel those used for backing up encrypted files. This section explains the procedures and limitations for restoring backed up encrypted files to the computer where the backup was performed, and to a computer other than the one where the files were backed up.

Restoring by copying. Restored files created using the Copy command or menu selection can result in clear text, as explained previously in the section, Copying an Encrypted Folder or File.

Restoring using the Backup utility in Windows Server 2003 or any backup utility that supports Windows Server 2003 features. This is the recommended way to restore encrypted files. The restore operation maintains the file encryption, and the restoring agent does not need access to private keys to restore the files. After the restoration is complete, the user with the private key can use the file normally.

Restoring Files to a Different Computer


If you want to be able to use encrypted files on a computer other than the one the files were encrypted on, you need to ensure that your encryption certificate and associated private key are available on the other system. You can do this either by using a Roaming Profile or by manually moving your keys.

Using a Roaming Profile. Request that your administrator set up a roaming profile for you if you do not already have one. Once you have a roaming profile, the encryption keys you use are the same on all computers that you sign on to with that user account. Note that even if you use roaming profiles, you may want to back up your encryption certificate and private key. However, if you lose the keys that enable you to decrypt a file, you can request the designated recovery agent (by default, the local or domain administrator) to recover your encrypted files.

Manually moving keys. Before you contemplate moving your keys manually, you should back up your encryption certificate and private key. You can then restore your certificate and key on a different system.

To back up your encryption certificate and private key
1. To start the Microsoft Management Console (MMC), click the Start button, click Run, type mmc in the Open box, and then click OK.
2. On the Console menu, click File, click Add/Remove Snap-in, and then click Add.
3. Locate and click the Certificates snap-in, and then click Add. Click Close, and then click OK.
4. Locate the EFS certificates in your Personal certificate store. Click the plus sign (+) next to Certificates - Current User. Expand the Personal folder, and then click Certificates. Note: The Intended Purposes column for the appropriate certificate will say Encrypting File System as shown in Figure 3.

Figure 3. Locating EFS Certificates

5. Right-click your certificate, click All Tasks, and then click Export. This starts the Certificate Export Wizard. Click Next.
6. Select the Yes, export the private key check box, and then click Next.
7. The export format available is Personal Information Exchange - PKCS#12 (.PFX). Ensure the Enable strong protection check box is selected, and then click Next.
8. Provide and confirm a password to protect the exported certificate, and then click Next.
9. Provide the path and file name where the exported certificate should be stored. Click Next, and then click Finish to complete the certificate export. Click OK to acknowledge the export was successful.
10. Close the MMC console.

To restore your encryption certificate and private key on a different system
1. Copy the .pfx file created previously to a diskette or network share.
2. On the different system, start the Certificates snap-in: click the Start button, click Run, type mmc, and then click OK.
3. On the Console menu, click File, click Add/Remove Snap-in, and then click Add.
4. Locate and click the Certificates snap-in, and then click Add. If prompted, select the My user account check box, and then click Finish. Click Close, and then click OK.
5. Click the plus sign (+) to expand Certificates - Current User.
6. Right-click the Personal folder, click All Tasks, and then click Import. Click Next. This will start the Certificate Import wizard.
7. Provide the path to the .pfx file created previously, and then click Next.
8. Provide the password to access the certificate data, and then click Next.
9. Click the Place all certificates in the following store (default) check box, and then click Next.
10. Click Finish.
11. When the import is complete, click OK to close the wizard.

Once you have the same keys available, you can transparently use encrypted files that may have been backed up on a different computer.
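The backup and restore procedures above can be scripted, which is useful when many users' keys have to be backed up before a migration. The following PowerShell is an added example, not code from the guide: it finds the certificates the MMC shows with the intended purpose Encrypting File System (the ones whose enhanced key usage carries the Microsoft EFS OID 1.3.6.1.4.1.311.10.3.4), exports the chosen one with its private key to a password-protected .pfx, and imports such a .pfx into the Personal store on another machine. It assumes PowerShell 2.0 or later with the Cert: provider, and uses only the .NET X509Certificate2 and X509Store classes; function names and the backup path are this example's own.

```powershell
# Added example, not code from the guide: backs up and restores EFS certificates
# with their private keys, mirroring the Certificate Export and Import Wizards.
# Assumes PowerShell 2.0 or later; 1.3.6.1.4.1.311.10.3.4 is the Microsoft EFS
# enhanced key usage OID. Function names and paths are this example's own.

$EfsOid = '1.3.6.1.4.1.311.10.3.4'

function Get-EfsCertificate {
    # Every certificate in the current user's Personal store whose enhanced key
    # usage includes EFS, with the facts that decide whether it is worth backing up.
    Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
        $cert = $_
        $eku = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        if ($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $EfsOid })) {
            New-Object PSObject -Property @{
                Thumbprint    = $cert.Thumbprint
                NotAfter      = $cert.NotAfter
                HasPrivateKey = $cert.HasPrivateKey   # without the key the backup cannot decrypt anything
                Certificate   = $cert
            }
        }
    }
}

function Export-EfsCertificate {
    # Writes certificate plus private key as PKCS#12 (.pfx), the format the wizard
    # produces for "Yes, export the private key". Export throws if the key was
    # generated as non-exportable, which is the case the wizard greys that option out for.
    param(
        [Parameter(Mandatory = $true)][System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert,
        [Parameter(Mandatory = $true)][string] $FilePath,
        [Parameter(Mandatory = $true)][System.Security.SecureString] $Password
    )
    if (-not $Cert.HasPrivateKey) {
        throw "Certificate $($Cert.Thumbprint) has no private key; a backup of it alone cannot decrypt files."
    }
    $bytes = $Cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $Password)
    [System.IO.File]::WriteAllBytes($FilePath, $bytes)
    return $FilePath
}

function Import-EfsCertificate {
    # Mirrors the Certificate Import Wizard: opens the .pfx with its password and
    # places certificate and key in Cert:\CurrentUser\My. Exportable keeps the
    # restored key exportable so it can be backed up again from the new machine.
    param(
        [Parameter(Mandatory = $true)][string] $FilePath,
        [Parameter(Mandatory = $true)][System.Security.SecureString] $Password
    )
    $f = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]
    $flags = $f::PersistKeySet -bor $f::UserKeySet -bor $f::Exportable
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($FilePath, $Password, $flags)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    $store.Add($cert)
    $store.Close()
    return $cert.Thumbprint
}

# Usage: list what the store holds, then back up the first EFS certificate that has a key.
$efsCerts = @(Get-EfsCertificate)
$efsCerts | Format-Table Thumbprint, NotAfter, HasPrivateKey -AutoSize
$toBackup = $efsCerts | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
if ($toBackup) {
    $pfxPassword = Read-Host -AsSecureString 'Password to protect the .pfx'
    $pfxPath = Join-Path $env:USERPROFILE 'efs-backup.pfx'
    Export-EfsCertificate -Cert $toBackup.Certificate -FilePath $pfxPath -Password $pfxPassword
    # On the other machine, after copying the file there:
    # Import-EfsCertificate -FilePath $pfxPath -Password $pfxPassword
}
```

Because the .pfx contains the private key that decrypts every file encrypted under that certificate, treat the exported file like the password itself: store it offline and remove it from any network share once the import on the other machine has been verified.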

Folders and Files on a Remote Server


You can transparently encrypt and decrypt files and use encrypted files stored on a remote server. This works whether you access those files remotely or log on to the other computer locally. However, you must remember that when you move encrypted files using backup and restore mechanisms, you must ensure that the appropriate encryption certificate and private keys are also moved to allow you to use the encrypted files in their new destinations. Without correct private keys, you cannot open or decrypt the files. Note: If you open the encrypted file over the network, the data that is transmitted over the network by this process is not encrypted. Other protocols, such as Secure Sockets Layer/Personal Communication Technology (SSL/PCT) or Internet Protocol Security (IPSec) must be used to encrypt data over the wire.

Administrative Scenarios
Ensuring Data Recovery on a Stand-alone Computer
For the following examples, log on as Administrator to the local computer (in the example, this is the machine named HQ-CON-WRK-01). Be sure you log on to the computer locally (as opposed to logging on to the domain).

To create a default recovery certificate (when a Certificate Authority does not exist)
1. On HQ-CON-WRK-01, click the Start button, click Run, type cmd in the Open box, and then click OK.
2. In the command prompt window, type cipher.exe /r:dra, and then press Enter.
3. When prompted, type password to secure the .PFX file, and then type password again to confirm the setting.
4. Close the Command Prompt window.

To define a data recovery policy
1. Click the Start button, click Run, type MMC in the Open box, and then click OK.
2. On the File menu, click Add/Remove Snap-In.
3. Click Add, scroll down, and then double-click Group Policy.
4. Accept the default of Local Computer, click Finish, click Close, and then click OK.
5. Click the plus sign (+) next to Local Computer Policy to expand the tree. Expand Computer Configuration, Windows Settings, Security Settings, and Public Key Policies. Click Encrypting File System.
6. Right-click Encrypting File System, and then click Add Data Recovery Agent.
7. On the Add Recovery Agent Wizard screen, click Next, click Browse Folders, and then navigate to the Administrator's Documents and Settings folder. Double-click the DRA.CER file, click Next, and then click Finish. When finished, your screen should appear as shown in Figure 4.

Figure 4. Default Recovery Agents

8. Close the MMC console.

Note: You should follow the procedures detailed in To back up your encryption certificate and private key to create a protected backup (.PFX) of the recovery certificate.
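cipher /r:dra writes two files, dra.cer (the public certificate that goes into the recovery policy) and dra.pfx (the private key that actually performs recovery), and the policy is only as good as those two files. The following PowerShell is an added example, not code from the guide: it runs the same cipher /r command, then checks that the .cer carries the Microsoft File Recovery enhanced key usage (OID 1.3.6.1.4.1.311.10.3.4.1, as opposed to the ordinary EFS purpose), records its expiry, and confirms that the .pfx opens with the password given to cipher and holds the private key for that same certificate, before the .cer is added as a data recovery agent. It assumes PowerShell 2.0 or later and cipher.exe on the PATH; function names are this example's own.

```powershell
# Added example, not code from the guide: creates the default recovery certificate
# the way the procedure above does and validates both files before they are used.
# Assumes PowerShell 2.0 or later; 1.3.6.1.4.1.311.10.3.4.1 is the Microsoft
# "File Recovery" enhanced key usage OID. Function names are this example's own.

$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'

function New-EfsRecoveryCertificate {
    # cipher.exe prompts for the .pfx password on the console and writes
    # <BaseName>.cer and <BaseName>.pfx into the current directory.
    param([Parameter(Mandatory = $true)][string] $BaseName)
    & cipher.exe "/r:$BaseName"
    if ($LASTEXITCODE -ne 0) { throw "cipher.exe /r failed with exit code $LASTEXITCODE" }
    foreach ($ext in '.cer', '.pfx') {
        if (-not (Test-Path -LiteralPath "$BaseName$ext")) { throw "cipher.exe did not create $BaseName$ext" }
    }
}

function Test-EfsRecoveryCertificate {
    # Facts about the .cer that decide whether it belongs in a recovery policy:
    # the File Recovery purpose, self-signature (no CA involved) and remaining lifetime.
    param([Parameter(Mandatory = $true)][string] $CerPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasRecovery = [bool]($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $FileRecoveryOid }))
    New-Object PSObject -Property @{
        Thumbprint      = $cert.Thumbprint
        Subject         = $cert.Subject
        SelfSigned      = ($cert.Subject -eq $cert.Issuer)
        FileRecoveryEku = $hasRecovery
        DaysUntilExpiry = [int]($cert.NotAfter - (Get-Date)).TotalDays
    }
}

function Test-EfsRecoveryBackup {
    # Opens the .pfx with its password and confirms the private key is inside and
    # belongs to the same certificate as the .cer. A .pfx that fails this check cannot
    # recover anything, which is better learned now than after a user has lost a key.
    param(
        [Parameter(Mandatory = $true)][string] $PfxPath,
        [Parameter(Mandatory = $true)][System.Security.SecureString] $Password,
        [Parameter(Mandatory = $true)][string] $ExpectedThumbprint
    )
    $pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $Password)
    return ($pfx.HasPrivateKey -and ($pfx.Thumbprint -eq $ExpectedThumbprint))
}

# Usage: same working folder the guide's cmd window starts in.
Set-Location $env:USERPROFILE
New-EfsRecoveryCertificate -BaseName 'dra'

$check = Test-EfsRecoveryCertificate -CerPath 'dra.cer'
$check | Format-List Thumbprint, Subject, SelfSigned, FileRecoveryEku, DaysUntilExpiry
if (-not $check.FileRecoveryEku) { throw 'dra.cer does not carry the File Recovery purpose; do not add it as a recovery agent.' }

$pfxPassword = Read-Host -AsSecureString 'Password given to cipher /r'
if (Test-EfsRecoveryBackup -PfxPath 'dra.pfx' -Password $pfxPassword -ExpectedThumbprint $check.Thumbprint) {
    Write-Host 'dra.pfx opens and holds the private key for dra.cer. Move it to offline storage now.'
} else {
    Write-Warning 'dra.pfx does not match dra.cer or has no private key.'
}
```

The DaysUntilExpiry value is worth recording alongside the policy: a recovery certificate that expires is no longer offered as a recovery agent for newly encrypted files, so the check above is also a reasonable thing to schedule periodically against the .cer files that are in the policy.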

Securing the Default Recovery Key for the Domain


A default recovery policy is configured for the domain when the first domain controller is set up. The default recovery policy uses a self-signed certificate to make the domain administrator account the recovery agent. Note: You should follow the procedures detailed in To back up your encryption certificate and private key to create a protected backup (.PFX) of the recovery certificate.

Requesting a File Recovery Certificate


If you decide to use the default recovery policies, you never need to request a file recovery certificate. In circumstances where multiple recovery agents are needed for the domain, or where the recovery agent needs to be different from the domain administrator due to legal or corporate policy, you may need to identify certain users as recovery agents. These users must be issued file recovery certificates. To accomplish this, the following procedures must be completed.

An Enterprise Certificate Authority (CA) must be available.
The policy on the Enterprise CA must allow the designated user/agents to request and obtain a file recovery certificate.
Each user must request a file recovery certificate.

To set up an Enterprise CA
1. Log on to HQ-CON-DC-01 as the domain administrator.
2. Click the Start button, point to Control Panel, and then click Add or Remove Programs.
3. Click Add/Remove Windows Components.
4. Click Certificate Services. You will receive a warning that once Certificate Services are installed, the computer cannot be renamed, and the computer cannot join or be removed from a domain. Click Yes to continue, and then click Next.
5. Verify that the Enterprise root CA radio button is selected, and then click Next.
6. On the CA Identifying Information screen, type ContosoCA for Common name, and then click Next.
7. Click Next to accept the default data storage location.
8. If Internet Information Server (IIS) is not installed, you are warned that Web-based certificate enrollment will not be available. Click OK to acknowledge this warning. If IIS is running, you are prompted to temporarily shut down that service. Click OK.
9. After the Windows Components Wizard completes, click Finish.
10. Close Add or Remove Programs.

To create a Security Group for users designated as recovery agents
1. Click the Start button, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
2. Right-click Groups, click New, click Group, type Domain Recovery Agents, and then click OK.
3. To add users to that group, right-click Domain Recovery Agents under the Groups OU, click Properties, and then click the Members tab. Click Add, type Administrator, and then click OK twice.
4. Close the Active Directory Users and Computers snap-in.

To add the Domain Recovery Agents group to the EFS Recovery Template
This procedure allows users in the Domain Recovery Agents group to request recovery certificates.
1. Click the Start button, point to All Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
2. Click Active Directory Sites and Services, and then, on the View menu, click Show Services Node.
3. Click the plus sign (+) next to Services in the left pane. Repeat this process to expand the Public Key Services folder.
4. Click Certificate Templates in the left pane, and then double-click EFSRecovery in the right pane.
5. Click the Security tab, and then click Add.
6. In the Enter the object names to select dialog box, type Domain Recovery Agents, and then click OK.
7. Click Domain Recovery Agents in the Group or user name results pane. In the Permissions for Domain Recovery Agents pane, select the Allow check boxes for Read and Enroll as shown in Figure 5.

Figure 5. EFS Recovery Certificate Template

8. Click OK, and then close the Active Directory Sites and Services snap-in.

To request a file recovery certificate
1. Click the Start button, click Run, type mmc, and then click OK.
2. On the File menu, select Add/Remove Snap-in, and then click Add.
3. Double-click Certificates, select My user account, and then click Finish.
4. Click Close, and then click OK.
5. Click the plus sign (+) next to Certificates - Current User to expand the folder.
6. Right-click Personal in the left pane, click All Tasks, and then click Request New Certificate. This starts the Certificate Request wizard. The first page of the wizard is informational. Click Next to continue.
7. A list of certificate templates is displayed. Click EFS Recovery Agent as shown in Figure 6, and then click Next.

Figure 6. Selecting a Certificate Type

8. Type a friendly name to distinguish this certificate from others, and add a description if you wish.
9. Click Next, and then click Finish to request the certificate. Click OK to acknowledge the successful certificate request.

To create a domain-wide EFS Recovery Policy, the EFS Recovery Agent certificate created previously needs to be exported in a .CER format. You should also follow the procedures detailed in To back up your encryption certificate and private key to create a protected backup (.PFX) of the recovery certificate.

To export the certificate to a .CER format for assignment through a domain-wide policy
1. In the MMC Console, expand the Personal folder.
2. In the right pane, right-click the certificate you just created, click All Tasks, and then click Export.
3. Click Next to begin the export process.
4. Select the No, do not export the private key check box, and then click Next.
5. Leave the default .cer file format, and then click Next.
6. Provide a file path and name, and then click Next.
7. To perform the export, click Finish, and then click OK. Close the MMC Console.

Establishing a Recovery Policy for the Entire Domain

Once recovery agents have been identified and issued certificates, the domain administrator can add these certificates to the recovery policy.

To add certificates to the recovery policy
1. Click the Start button, point to All Programs, point to Administrative Tools, and then select Domain Security Policy.
2. Click the plus sign (+) next to Public Key Policies, and then click Encrypting File System.
3. Right-click Encrypting File System, and then click Add Data Recovery Agent.
4. When the wizard starts, click Next.
5. Click Browse Folders, and then navigate to and open the .CER file created in the previous section. Click Next, and then click Finish.

Setting a Recovery Policy for a Specific Organizational Unit


You may be required to establish a unique recovery policy for a subset of computers in your domain. You can accomplish this through Group Policy Objects (GPOs) by repeating the steps described previously at an organizational unit (OU) level rather than a domain level.

Recovering a File or Folder


Recovery agents may need to recover files or folders if users lose their keys or leave the company, or if there is a legal requirement to do so. The process of recovery is similar to decryption once the recovery key is available on the system.

To recover a file or folder
1. Back up the files or folder to a .bkf file from the system where they currently exist.
2. Copy the .bkf file to the secured recovery agent's computer.
3. The recovery agent should restore the files or folder in the .bkf file locally on a secured system.
4. With a recovery key installed, the recovery agent can simply open each file, or use the Windows Explorer Properties dialog box to decrypt individual files or entire folders.

Disabling EFS for a Specific Set of Computers


In some cases, you may need to ensure that a stand-alone computer or some computers in an OU have EFS disabled. The best way to disable EFS is to set an empty recovery policy. You can do this locally on the computer using the local Group Policy snap-in or by defining a GPO at the OU level with an empty recovery policy.

Note: There is a difference between an empty policy and no policy. In Active Directory, where the effective policy is an accumulation of GPOs defined at various levels in the directory tree, the absence of a recovery policy at higher-level nodes (for example, at the domain node) allows policies at a lower level to take effect. An empty recovery policy at higher-level nodes disables EFS by providing no effective recovery certificates. On a given computer (stand-alone or joined to the domain), an effective policy must have at least one valid recovery certificate to enable EFS on that computer. Therefore, on a given computer, the absence of a recovery policy or an empty recovery policy has the same effect: EFS is disabled.
