Hands-on Project 11-2 : Using Microsoft's Encrypting File System (EFS)
About Microsoft's Encrypting File System (EFS)
The Encrypting File System (EFS) on Microsoft Windows is a file system filter that provides filesystem-level encryption and was introduced in version 3.0 of NTFS[1]. The technology enables files to be transparently encrypted to protect confidential data from attackers with physical access to the computer.
Operation
EFS works by encrypting a file with a bulk symmetric key, also known as the File Encryption Key, or FEK. It uses a symmetric encryption algorithm because it takes a smaller amount of time to encrypt and decrypt large amounts of data than if an asymmetric key cipher is used. The symmetric encryption algorithm used will vary depending on the version and configuration of the operating system; see Algorithms used by operating system version below. The FEK (the symmetric key that is used to encrypt the file) is then encrypted with a public key that is associated with the user who encrypted the file, and this encrypted FEK is stored in the $EFS alternate data stream of the encrypted file. To decrypt the file, the EFS component driver uses the private key that matches the EFS digital certificate (used to encrypt the file) to decrypt the symmetric key that is stored in the $EFS stream. The EFS component driver then uses the symmetric key to decrypt the file. Because the encryption & decryption operations are performed at a layer below NTFS, it is transparent to the user and all their applications.
Folders whose contents are to be encrypted by the file system are marked with an encryption attribute. The EFS component driver treats this encryption attribute in a way that is analogous to the inheritance of file permissions in NTFS: if a folder is marked for encryption, then by default all files and subfolders that are created under the folder are also encrypted. When encrypted files are moved within an NTFS volume, the files remain encrypted. However, there are a number of occasions in which the file could be decrypted without the user explicitly asking Windows to do so.
Files and folders are decrypted before being copied to a volume formatted with another file system, like FAT32. Finally, when encrypted files are copied over the network using the SMB/CIFS protocol, the files are decrypted before they are sent over the network.
The most significant way of preventing the decryption-on-copy is using backup applications that are aware of the "Raw" APIs. Backup applications that have implemented these Raw APIs will simply copy the encrypted file stream and the $EFS alternate data stream as a single file. In other words, the files are "copied" (e.g. into the backup file) in encrypted form, and are not decrypted during backup.
Starting with Windows Vista, a user's private key can be stored on a smart card; Data Recovery Agent (DRA) keys can also be stored on a smart card.
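The key hierarchy described in the Operation section (a random FEK that encrypts the file body, wrapped under the owner's public key and again under the Data Recovery Agent's public key) is easier to reason about with a runnable model. The PowerShell below is an added illustration, not code from the original post and not Windows' real $EFS stream format: the `$efsFile` hashtable with `DDF` and `DRF` fields is an assumed layout chosen to mirror the description, and the RSA key pairs stand in for the user's and the DRA's EFS certificates. It runs on Windows PowerShell 5.1 or PowerShell 7 on Windows with no extra modules.

```powershell
# Added model of the EFS key hierarchy. NOT the real $EFS stream format:
# the $efsFile layout below is an invented assumption for clarity.
# Shows why a matching private key (owner or DRA), not the file bytes
# themselves, is what unlocks an EFS-protected file.

$plaintext = [System.Text.Encoding]::UTF8.GetBytes('Constructed sample file body')

# Key pairs standing in for the user's EFS certificate and the DRA certificate.
$userKey = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048
$draKey  = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048

# 1. Bulk-encrypt the file body with a fresh random symmetric key (the FEK).
$aes = [System.Security.Cryptography.Aes]::Create()
$aes.KeySize = 256
$aes.GenerateKey()
$aes.GenerateIV()
$body = $aes.CreateEncryptor().TransformFinalBlock($plaintext, 0, $plaintext.Length)

# 2. Wrap the FEK once per party allowed to decrypt: the owner's public key
#    (Data Decryption Field) and the recovery agent's public key (Data
#    Recovery Field). $true selects OAEP padding.
$efsFile = @{
    Body = $body
    IV   = $aes.IV
    DDF  = $userKey.Encrypt($aes.Key, $true)
    DRF  = $draKey.Encrypt($aes.Key, $true)
}
$aes.Dispose()

# 3. Decryption: unwrap the FEK with whichever private key we hold, then
#    decrypt the body. Returns $null when the key owns neither field.
function Unprotect-ModelFile {
    param($File, [System.Security.Cryptography.RSA]$PrivateKey)
    $fek = $null
    foreach ($field in 'DDF', 'DRF') {
        try { $fek = $PrivateKey.Decrypt($File[$field], $true); break }
        catch [System.Security.Cryptography.CryptographicException] { }
    }
    if (-not $fek) { return $null }
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $fek
    $aes.IV  = $File.IV
    $clear = $aes.CreateDecryptor().TransformFinalBlock($File.Body, 0, $File.Body.Length)
    $aes.Dispose()
    [System.Text.Encoding]::UTF8.GetString($clear)
}

# Owner and DRA both recover the text; someone with physical access to the
# bytes but no matching private key gets nothing back.
$stranger = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048
"Owner:    $(Unprotect-ModelFile $efsFile $userKey)"
"DRA:      $(Unprotect-ModelFile $efsFile $draKey)"
"Stranger: $(Unprotect-ModelFile $efsFile $stranger)"
```

The point of the two wrapped copies is that the file body is encrypted exactly once; adding or removing a decryptor only re-wraps the 32-byte FEK, which is also why a DRA configured by policy can read files it never encrypted.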
Source: Wikipedia
I encountered a problem while trying to do this practical.
While halfway through this practical, I realised I couldn't check the "Encrypt contents to secure data" box.
So I did a search on the web. And here's what I understood from the web.
But first of all, just to let you know, I'm running Windows Vista Home Premium.
And according to the web,
Vista Home Basic and Home Premium do not deliver the capability to encrypt but just to decrypt folders and files.
Encrypting File System Supported operating systems
Windows
- Windows 2000 Professional, Server, Advanced Server and Datacenter editions
- Windows XP Professional, also in Tablet PC Edition, Media Center Edition and x64 Edition
- Windows Server 2003 and Windows Server 2003 R2, in both x86 and x64 editions
- Windows Vista Business, Enterprise and Ultimate editions[6]
- Windows 7 Professional, Enterprise and Ultimate editions
- Windows Server 2008 and Windows Server 2008 R2
Source: Wikipedia
So I did this practical in VMware instead, on Windows Server 2003.
To begin, I created a txt document with some content.
And I saved it as "Encrypted.txt". I went on to create another document and saved it as "Not Encrypted.txt".
(I'm supposed to create a Word document, but unfortunately, I didn't install Microsoft Office on my VMware, so I used a text file as a replacement.)
The 2 text files I created.
I saved the files on the desktop, so I went to the desktop and selected "Encrypted.txt",
right click > Properties > Advanced.
Since I'm using Windows Server 2003, which supports Encrypting File System, I'm able to check the "Encrypt contents to secure data" box.
There's a warning message; I selected to encrypt the file only and clicked OK.
The encrypted file turned green after the above steps.
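The same steps can be done without the Properties dialog, which also makes it possible to verify the result and to guard against the silent decrypt-on-copy described earlier. The PowerShell below is an added example, not part of the original practical: it assumes a current Windows edition that ships EFS (Pro, Enterprise or Server; the `cipher /c` switch is assumed to be present, which holds for Vista and later), is run as the user who should own the file, and uses the two desktop file names from the practical as its paths. The file contents are constructed sample text.

```powershell
# Added example (not from the original post): the GUI steps done from
# PowerShell on a Windows edition that includes EFS, plus the checks the
# GUI does not show. Paths and file contents are constructed for illustration.
$dir       = Join-Path $env:USERPROFILE 'Desktop'
$encrypted = Join-Path $dir 'Encrypted.txt'
$plain     = Join-Path $dir 'Not Encrypted.txt'

Set-Content -Path $encrypted -Value 'Confidential sample text (constructed).'
Set-Content -Path $plain     -Value 'Public sample text (constructed).'

# Equivalent of ticking "Encrypt contents to secure data" for one file.
# This throws on editions without EFS (e.g. Home editions) and on non-NTFS
# volumes, which is the same limit the Properties dialog hits.
[System.IO.File]::Encrypt($encrypted)

# Trust the attribute, not the green file name in Explorer.
function Test-EfsEncrypted([string]$Path) {
    $attrs = (Get-Item -LiteralPath $Path).Attributes
    ($attrs -band [System.IO.FileAttributes]::Encrypted) -ne 0
}
"Encrypted.txt encrypted:     $(Test-EfsEncrypted $encrypted)"
"Not Encrypted.txt encrypted: $(Test-EfsEncrypted $plain)"

# Who can open it? cipher /c lists the user certificate(s) whose public key
# wraps the FEK and any Data Recovery Agent certificates.
cipher.exe /c $encrypted

# Caveat from the EFS description above: copying to a volume that is not
# NTFS (FAT32, a USB stick) silently writes the file out decrypted. Check
# the destination's file system before moving sensitive files.
function Test-DestinationKeepsEfs([string]$Destination) {
    $root  = [System.IO.Path]::GetPathRoot((Resolve-Path -LiteralPath $Destination).Path)
    $drive = New-Object System.IO.DriveInfo $root
    $drive.DriveFormat -eq 'NTFS'
}
"Desktop keeps EFS: $(Test-DestinationKeepsEfs $dir)"

# Back up the EFS certificate and private key as a password-protected .pfx.
# Without it the file is unrecoverable after a profile loss or reinstall
# unless a DRA is configured. Uncomment to run; it prompts for a password.
# cipher.exe /x "$env:USERPROFILE\efs-backup"
```

Running `Test-EfsEncrypted` on both files reproduces what the practical shows visually: only `Encrypted.txt` carries the Encrypted attribute. The `cipher /c` output is the place to confirm that a recovery agent exists before relying on EFS for anything you cannot afford to lose.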
Reflection:
This practical allowed me to turn on and use Microsoft's Encrypting File System (EFS). If I had not happened to be running Windows Vista Home Premium, I would not have known that not all versions of Windows OS support EFS. Besides that, I also learnt that encrypted files or folders will appear in green in Windows Explorer and that although unauthorized users will be able to view the list of files in an encrypted folder, any attempt to open one will be met by an Access Denied message. This is also something that the textbook did not mention.
林小颍's work ^—^V