Windows XP EFS

Psych

I've read some light papers on the subject, but I am still wondering whether or not Windows XP EFS is good, safe encryption.

It supposedly uses AES 256 after SP1, and the algorithm itself should be very secure. But some problems come to mind. First of all, I've heard that moving encrypted files around might cause them to lose their encryption status without you knowing. The encryption doesn't seem to protect your files when you are using the computer, though, because it is on-the-fly transparent encryption. What if a virus gets on my computer and scans for password files, and the system decrypts them for the virus to read???

There is also the problem of moving the encrypted files. I'm not exactly sure of the best way to move an encrypted NTFS file to a FAT file system without having the system decrypt it. I am also unsure of exactly how the certificates work in EFS. Are these certificates generated when you log on with your password, or are they just sitting there on your hard drive, tied to you and recovery agents and anyone who has access to your hard drive? (I seriously doubt MS would be so stupid as to let this happen, but the EFS certificates aren't generated unless you do it with the cipher command, right?)

If EFS is not secure, then what program do you suggest I use?
 

spyordie007

> moving encrypted files around might cause them to lose their encryption status without you knowing.

Yes, this is possible if you move the files to a location that doesn't support encryption, such as a CD or FAT filesystem; likewise, if you have NTFS permissions set up and you move them, you're going to lose the permissions.

> The encryption doesn't seem to protect your files when you are using the computer, though, because it is on-the-fly transparent encryption. What if a virus gets on my computer and scans for password files, and the system decrypts them for the virus to read???

The files are encrypted/decrypted "on the fly" for your user account, so any process that's running under your account is going to have the same access to the files that you do.

> I'm not exactly sure of the best way to move an encrypted NTFS file to a FAT file system without having the system decrypt it.

You can't; EFS is file-level encryption, so the files have to be in a location where the filesystem supports it (NTFS).

> I am also unsure of exactly how the certificates work in EFS. Are these certificates generated when you log on with your password, or are they just sitting there on your hard drive, tied to you and recovery agents and anyone who has access to your hard drive? (I seriously doubt MS would be so stupid as to let this happen, but the EFS certificates aren't generated unless you do it with the cipher command, right?)

How EFS uses certificates

> If EFS is not secure, then what program do you suggest I use?

For what it does, EFS is very secure, but it's kind of sounding like you might want to be doing something different with your encrypted files. If that's the case, you would need to look into a 3rd party application.
Overview of EFS
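
Added example (not part of any post in this thread): a PowerShell check for the silent loss of encryption discussed above, run before and after a copy. The function names are hypothetical; it assumes local drive-letter paths and an existing destination directory, and treats NTFS as the only EFS-capable filesystem.

```powershell
# Files under $Path that carry the NTFS "Encrypted" (EFS) attribute.
function Get-EfsFile {
    param([Parameter(Mandatory=$true)][string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -Force | Where-Object {
        -not $_.PSIsContainer -and
        ($_.Attributes -band [System.IO.FileAttributes]::Encrypted)
    }
}

# True when the volume holding $Path is NTFS.
# Assumption: only NTFS supports EFS; UNC paths are not handled here.
function Test-EfsCapableVolume {
    param([Parameter(Mandatory=$true)][string]$Path)
    $full  = (Resolve-Path -LiteralPath $Path).ProviderPath
    $root  = [System.IO.Path]::GetPathRoot($full)
    $drive = New-Object System.IO.DriveInfo($root)
    return ($drive.DriveFormat -eq 'NTFS')
}

# Copy a directory tree, refusing when the destination would store
# EFS-protected files in plaintext, then verify the copies afterwards.
function Copy-EfsTreeChecked {
    param(
        [Parameter(Mandatory=$true)][string]$Source,
        [Parameter(Mandatory=$true)][string]$Destination
    )
    $encrypted = @(Get-EfsFile -Path $Source)
    if ($encrypted.Count -gt 0 -and
        -not (Test-EfsCapableVolume -Path $Destination)) {
        throw ("Destination volume is not NTFS: {0} encrypted file(s) " +
               "would be written unencrypted." -f $encrypted.Count)
    }

    Copy-Item -LiteralPath $Source -Destination $Destination -Recurse -Force

    # Copy-Item places the tree in a subfolder named after the source folder.
    $target = Join-Path $Destination (Split-Path -Path $Source -Leaf)
    $after  = @(Get-EfsFile -Path $target).Count
    if ($after -lt $encrypted.Count) {
        Write-Warning ("{0} file(s) were encrypted at the source but only " +
                       "{1} are encrypted in the copy." -f $encrypted.Count, $after)
    }
    New-Object PSObject -Property @{
        EncryptedAtSource = $encrypted.Count
        EncryptedInCopy   = $after
    }
}
```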
 

groovin

As you probably know, any encryption is useless if your key is compromised. That's what I don't like about transparent encryption. Yeah, it's a pain to constantly load your key from a card or disk to gain access to your file system, but not taking that measure (and going through that hassle) in some ways defeats the purpose of encryption.
 

Psych

MS says that the private key is stored in the profile. What if someone has access to my profile?? The only way I know of to make copies of the encrypted NTFS files without losing their encryption is to back them up, but there must be a better way; perhaps there is a simple program out there that will read the encrypted information and make a copy?
 

Woodie

The private key(s) are stored in the user profile on that particular machine.
The (default) RECOVERY key is stored in the ADMINISTRATOR profile on that particular machine, or in a Domain Administrator profile (on the first DC in the domain), if the client is a member of a domain.

I only know of two ways to move EFSed files from one machine to another and keep the encryption:
1. Both machines are part of the same domain
The file system on the target is NTFS
The computer account for the target is "Trusted for Delegation"
The user's EFS cert has been published to his account in the AD
The target computer system has not had EFS disabled
The logged in user MUST have a decryption key loaded
Use the Windows Explorer GUI to copy/move the files.

2. The source computer runs the MS Backup utility, and backs up (the encrypted files) to a file.
The BACKUP file can be moved to any FS (FAT, NTFS, Network, etc...)
Note: The BACKUP file is NOT encrypted...but the files inside it are (if they were before backup).
The user logged in at time of backup does NOT need a decryption key, just NTFS permissions.

Other BACKUP utilities may successfully back up encrypted files, I've never had the need to test them.
YMMV!
 

Woodie

Originally posted by: spyordie007
> Note: for option 1 you must be running Windows XP Pro. AFAIK this won't work under 2K

Hmmm. I know the option is there in a W2K native mode domain. We don't use it, so I never tested it. (We use the MS Backup utility, on an as-needed basis.)