
Summary of the stickied NTFS topic

Psych

Senior member
Being bored, I decided to compress the long-winded topic that is 'If you use NTFS Encryption, read this'.

Please tell me if I got anything wrong or if you would like something added.

Could someone sticky this?

============================================

Compression of ANANDTECH FORUMS > OPERATING SYSTEMS > 'If you use NTFS Encryption, read this'
As of July 24, 2004

---First Post---
Andy Hui:
Every day I get one or two emails (or every now and again I see a post in the forums) from someone who has encrypted their files, reinstalled Win2K or WinXP and then lost access to them.

And it saddens me to tell them that their files are lost. Usually they don't believe me at first. They try to log in as Administrator, try to move the files around and say to me, "But there must be a way around this!".

Well, sorry, there isn't a way around this, unless you can get back into your original installation. Your files are gone.

"But it's Microsoft!", they say. "Microsoft hasn't managed to write one piece of software that works!".

NTFS version 5's Encryption is an example of something that DOES work, and work too well at times.

Fortunately, there is a way to get access to your files.

If you back up your Private Key (or perform a backup of your system state), then you can still get access to your files the next time you forget to decrypt them before formatting/reinstalling.

Please read the FAQ: How to use EFS and back up your Private Key

If you value your data (and I'm sure that you do if you are going to encrypt it), please back up your Private Key NOW.
---

It's possible to brute-force anything given enough computing power and time, but the probability of brute-forcing a 128-bit key in a lifetime is so small that it is impractical to even attempt it.

"You can just claim ownership of the folder..." Wrong: ownership and encryption are separate attributes. You might be able to take ownership, but you can only DECRYPT the files with the keys.

...[encryption] requires NTFS. You can't have the NTFS file system on a CD or floppy. When you burn a file to a CD or copy it to a floppy it will be decrypted.

"Nope, doesn't work that way. For one thing that would be an obvious first attempt everyone would try [to steal files], lol." The files would only move and be decrypted with the key. If you weren't logged in as the correct user, no secret files for you.

XP Professional Service Pack 1 uses AES (Advanced Encryption Standard) 256 bit encryption. AES is the Rijndael algorithm which was selected by NIST (National Institute of Standards and Technology) to become the new standard for encryption.

MS NTFS EFS (Microsoft NT File System Encrypting File System) works by combining your password and different random numbers associated with your account and the current installation of the Operating System. The key created will encrypt and decrypt the File Encryption Key, which is different for every file. Cracking a single file's encryption will not give you access to every encrypted file, but cracking the Public Key will.
Reinstalling the Operating System WILL REMOVE your keys, and you won't be able to access the files again.

Big thing to remember about EFS: It is a transparent encryption system. It was made for ease of use, so it decrypts and encrypts things on the fly.

It would be hasslesome for it to ask permission to decrypt every file and ask for a password, so you being logged on correctly is all the permission it needs. If you leave your account logged in and someone comes by the computer, your files aren't safe.

Again, you MUST have your keys. Moving files around without the keys won't help you.

"So, all someone need do to get at your encrypted file is put it into a compressed folder?" STILL NEED THE KEYS (and permission) to decrypt, although it is a fact that these attributes are mutually exclusive of one another.

Public Key algorithms are weaker than Private Key ones because they allow one key to encrypt and a second to decrypt, so there are 2 keys to keep separate instead of 1. It has been theorized that this could be a weakness in the system, but the matter is not settled.

You must choose to use the encryption in NTFS, so remember what you've encrypted.

Go to the Microsoft Knowledge Base for lots of information on creating .pfx (password) and .cer (verification certificate) files. A lot of interaction will occur with the cipher command, the Local Security Policy, the Computer Management Console, and the Certificates plug-in to the Microsoft Management Console.

PGP, GNUPG, SiFEU, and others like them are great alternative 3rd party encryption programs.

There are programs out there that can recover EFS and XP and NTFS keys, but they all require some starting information from when you could decrypt the files.

10782897524556318080696 = trillion-instructions-per-second years required to guarantee a crack of the key.
Apple: "...Assuming that one could build a machine that could recover a DES key in a second, it would take that machine approximately 149 trillion years to crack a 128-bit AES key." (Note that XP uses 256-bit AES.)

---
"[read section on moving across file systems]
...
[read section on 'compression and encryption']
...
3. If the data is already "lost" - i.e. you cannot find a way to restore it, you can try converting the partition to FAT32 using Partition Magic or some such, however that may just corrupt the file."

Wrong -
"All incorrect. If you have the encryption keys, then yes, the file will be decrypted if you move it to a FAT32 volume or compress it. But the whole point is having the keys. If you don't have the keys, you can't decrypt it, and you won't be able to move it or compress it."

And yes, reformatting the encrypted files will probably corrupt them.
---
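As an added illustration (not code from the thread or from Microsoft's EFS), this Go program models the key hierarchy the summary describes: a random File Encryption Key per file, wrapped to the user's RSA public key, so only the matching private key (the one a reinstall destroys and a .pfx export preserves) can open the file. AES-GCM and RSA-OAEP stand in for EFS's own algorithms, and the plaintext is a constructed sample.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// EncFile: ciphertext plus the per-file FEK wrapped to the owner's public key.
type EncFile struct{ Nonce, Ciphertext, WrappedFEK []byte }

// Encrypt draws a fresh 256-bit FEK for this one file and stores only the
// RSA-wrapped FEK beside the ciphertext; the bare FEK is never written.
func Encrypt(pub *rsa.PublicKey, plaintext []byte) (*EncFile, error) {
	buf := make([]byte, 32+12)
	rand.Read(buf) // FEK || GCM nonce; crypto/rand.Read never returns an error
	fek, nonce := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fek, nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(fek) // cannot fail: fek is 32 bytes
	gcm, _ := cipher.NewGCM(block)
	return &EncFile{nonce, gcm.Seal(nil, nonce, plaintext, nil), wrapped}, nil
}

// Decrypt needs the private key matching the wrapping public key; ownership,
// moving or compressing the file never enters into this step.
func Decrypt(priv *rsa.PrivateKey, f *EncFile) ([]byte, error) {
	fek, err := rsa.DecryptOAEP(sha256.New(), nil, priv, f.WrappedFEK, nil)
	if err != nil || len(fek) != 32 {
		return nil, errors.New("cannot unwrap FEK: wrong or missing private key")
	}
	block, _ := aes.NewCipher(fek) // cannot fail: length checked above
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, f.Nonce, f.Ciphertext, nil)
}

// ReinstallScenario: encrypt on the original install, reinstall (same username,
// brand-new key pair), then read with the new key and with the backed-up old one.
func ReinstallScenario() (lostWithNewKey, readableWithBackup bool) {
	original, _ := rsa.GenerateKey(rand.Reader, 2048) // 2048 bits: keygen cannot fail
	fresh, _ := rsa.GenerateKey(rand.Reader, 2048)
	f, _ := Encrypt(&original.PublicKey, []byte("constructed sample: 2004 tax return"))
	_, errFresh := Decrypt(fresh, f)
	pt, errBackup := Decrypt(original, f) // "original" stands in for the exported backup
	return errFresh != nil, errBackup == nil && string(pt) == "constructed sample: 2004 tax return"
}
```

Running ReinstallScenario returns (true, true): the new key fails at the FEK unwrap before any file content is touched, while the backed-up key still reads the file.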