An overview of the Encrypting File System

By: surender1

Encrypting File System (EFS) is the feature that enables users to encrypt files, folders, and entire data drives on NTFS-formatted volumes. It is well suited to securing sensitive data on portable computers, and it also works well for securing data on computers shared by multiple users.

Encrypted files therefore remain confidential, because EFS uses strong encryption based on industry-standard algorithms and public key cryptography.

EFS enables you to set permissions on files and folders on an NTFS formatted volume which controls access to these files and


Characteristics of EFS

• EFS is enabled by default, and users use it through a public and private key pair.
• It requires a recovery agent certificate in order to work.
• It works only on the NTFS file system.
• Encrypted files can be shared by multiple users.
• Encryption is removed when an EFS file is moved to a different file system.
• The most important characteristic: when you copy a file into an encrypted folder, the file is encrypted.
• Encryption is listed as a file attribute and is therefore displayed with the file's other attributes.
• EFS can encrypt and decrypt files on a remote computer, when offline, or while roaming.
• Encrypted files can be stored in Web folders and backed up.
• Users cannot encrypt system files and folders.
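The characteristics above (NTFS only, encryption as a file attribute, loss of encryption on non-NTFS volumes) and the key-archiving problem discussed later can all be checked from an administrator's console. The following PowerShell script is an added example, not code from the original article or from Microsoft; the folder path, backup path and the Copy-EfsItem function name are assumptions chosen for illustration. It assumes a current Windows system with the PKI module (Export-PfxCertificate) available.

```powershell
# Added example (not part of the original article): audit EFS state on a folder
# and back up the current user's EFS certificate so the key cannot be lost.
# $Root and $BackupPath are hypothetical values; use absolute paths.
param(
    [string]$Root = "$env:USERPROFILE\Documents\Sensitive",
    [string]$BackupPath = "$env:USERPROFILE\efs-cert-backup.pfx"
)

# Encryption is exposed as the Encrypted file attribute.
$encryptedFlag = [System.IO.FileAttributes]::Encrypted

# Moving or copying an encrypted file to a non-NTFS volume silently stores it
# in plaintext; refuse such copies instead of relying on the user to notice.
function Copy-EfsItem {
    param([string]$Source, [string]$Destination)
    $src = Get-Item -Path $Source
    $dstRoot = [System.IO.Path]::GetPathRoot($Destination)
    $dstDrive = [System.IO.DriveInfo]::new($dstRoot)
    $srcEncrypted = ($src.Attributes -band $encryptedFlag) -eq $encryptedFlag
    if ($srcEncrypted -and $dstDrive.DriveFormat -ne 'NTFS') {
        throw "Refusing to copy encrypted file $Source to $($dstDrive.DriveFormat) volume $dstRoot; it would be stored unencrypted."
    }
    Copy-Item -Path $Source -Destination $Destination
}

# 1. EFS only works on NTFS: check the file system of the volume holding $Root.
$rootDrive = [System.IO.DriveInfo]::new([System.IO.Path]::GetPathRoot($Root))
if ($rootDrive.DriveFormat -ne 'NTFS') {
    Write-Warning "$($rootDrive.Name) is $($rootDrive.DriveFormat), not NTFS; EFS cannot protect files here."
}

# 2. List which files under $Root actually carry the Encrypted attribute.
Get-ChildItem -Path $Root -File -Recurse | ForEach-Object {
    [pscustomobject]@{
        Path      = $_.FullName
        Encrypted = (($_.Attributes -band $encryptedFlag) -eq $encryptedFlag)
    }
} | Format-Table -AutoSize

# 3. The most frequent EFS failure is an unarchived key. Find the user's EFS
#    certificate (EKU OID 1.3.6.1.4.1.311.10.3.4 = Encrypting File System) and
#    export it with its private key to a password-protected PFX. This is the
#    same backup that "cipher /x" produces.
$efsCert = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.10.3.4')
    } |
    Sort-Object -Property NotAfter -Descending | Select-Object -First 1

if ($null -eq $efsCert) {
    Write-Host "No EFS certificate found; Windows issues one the first time this user encrypts a file."
} else {
    $pfxPassword = Read-Host -Prompt "Password for the PFX backup" -AsSecureString
    Export-PfxCertificate -Cert $efsCert -FilePath $BackupPath -Password $pfxPassword | Out-Null
    Write-Host "EFS certificate $($efsCert.Thumbprint) exported to $BackupPath; store it off this machine."
}
```

The PFX written in step 3 is what allows the user's files to be recovered after a reinstall or a damaged profile, so it belongs on removable media or in a vault, not on the same disk. Step 2 can be re-run after a copy to confirm that a file placed in an encrypted folder picked up the attribute, and Copy-EfsItem can stand in for Copy-Item wherever users move sensitive files between volumes.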

EFS is tightly integrated with NTFS, which superseded the FAT file system as the preferred file system for Microsoft's Windows operating systems. The encryption and decryption processes are transparent to users: when a user saves a file, EFS encrypts the data as it is written to disk, and when a user opens a file, EFS decrypts the data as it is read from disk. A user who does not possess the key receives an "Access denied" error message.

Some third-party products also provide file encryption, but they are not completely transparent to users.

EFS uses the following components to perform its functions:

1. EFS service: The EFS service communicates with the EFS driver through the local procedure call (LPC) port. The EFS service passes the file encryption key (FEK), data recovery field (DRF), and data decryption field (DDF) to the EFS driver through the EFS File System Run-Time Library (FSRTL).

2. EFS driver: The EFS driver requests file encryption keys, DDFs and DRFs from the EFS service. It then relays these to the


3. EFS File System Run-Time Library (FSRTL): The EFS FSRTL carries out a set of file system functions, including encrypting, decrypting, and recovering file data as it is read from or written to disk.

4. Microsoft Cryptographic Application Programming Interface (CryptoAPI): EFS uses CryptoAPI for its cryptographic functions, which include encryption, decryption, hashing, digital signatures and their verification, key management, secure storage, and key exchange.

Inadvertent Problems with EFS

1. When EFS is used improperly, sensitive files may be inadvertently exposed; this is usually due to improper or weak security policies and a failure to understand EFS.
2. The problem is made worse because users believe their data is secure and may therefore not follow their usual precautions. For example, if users copy encrypted files to FAT volumes, the files are decrypted and no longer protected.
3. If users give other people their passwords, those people can log on with the credentials and decrypt the user's encrypted files, so users must keep their passwords private.
4. Similarly, anyone who knows the recovery agent credentials can log on and transparently decrypt any encrypted file.
5. To date, the most frequent problem with EFS occurs when EFS encryption keys and/or recovery keys are not archived: if the keys are not backed up, they cannot be replaced, and data can be lost.
6. Keys can be lost if Windows is reinstalled after a disk crash and/or a user's profile is damaged. A fresh installation of the OS means new user accounts, so both the user keys and the recovery keys are absent; with no backup, this results in lost

EFS must be understood, implemented appropriately, and managed effectively so that neither your users' experience nor the data you wish to protect is harmed. EFS is a valuable addition to your information security tool chest, but it must be properly managed and correctly used.
