Overview
This lecture covers the main features of the Encrypting File System (EFS) in Windows 2000, focusing on privacy, transparency, integration with NTFS, and the data recovery process.
Privacy
- EFS protects sensitive data so only the user and designated recovery agents can decrypt it.
- Other system accounts, including those with the Take Ownership permission, cannot access an encrypted file without the encryptor's private key.
- EFS is effective on shared and portable computers, protecting files even if the hard drive is stolen.
Transparent Operation
- EFS encryption and decryption occur automatically when files are accessed, requiring no user intervention.
- Users do not need to manually decrypt or re-encrypt files for each use, reducing the risk of leaving files unprotected.
Integration with the File System
- EFS is tightly integrated into NTFS; encryption is set like other file attributes.
- Encrypting a folder automatically encrypts all new files, copied plaintext files, and optionally, existing files and subfolders within it.
- Temporary and backup files in encrypted folders remain encrypted if saved on Windows 2000 NTFS volumes.
- Moving or copying EFS files to non-NTFS file systems removes encryption, except when using Windows 2000 Backup.
Data Recovery System
- EFS requires designated recovery agents with recovery agent certificates and private keys for file recovery.
- By default, the highest-level Administrator is the recovery agent; different policies can assign different agents.
- Multiple recovery agents can exist for one EFS file, each with a unique private key.
- If no recovery agent certificate exists, EFS is disabled, and encryption cannot be used.
- Destroying the recovery agent's private key prevents future data recovery.
Additional EFS Information
- EFS operates only on Windows 2000 NTFS volumes.
- You cannot encrypt system or compressed files/folders (must decompress first).
- Encrypting entire folders ensures all temporary files within are encrypted.
- Copying files into an encrypted folder encrypts them; moving maintains their original state.
- Administrators can still delete encrypted files, but cannot open them without the key.
Key Terms & Definitions
- EFS (Encrypting File System) – A Windows feature that provides file-level encryption for data protection.
- NTFS (New Technology File System) – A Windows file system supporting file attributes like encryption.
- Recovery Agent – An account with special privileges to recover encrypted EFS files.
- Recovery Agent Certificate – A certificate containing a public/private key pair for EFS data recovery.
Action Items / Next Steps
- Review EFS recovery policy configuration and requirements for NTFS volumes.
- Practice encrypting and moving files to observe EFS behavior on NTFS vs. non-NTFS systems.
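
For the practice item above, the following lab script is an added example and not part of the lecture material. It checks the folder-inheritance and copy-versus-move rules from the notes by reading the NTFS Encrypted attribute after each operation. It assumes a later Windows release that has PowerShell and EFS, an NTFS volume under `%TEMP%`, and the hypothetical folder name `efs-lab`.

```powershell
# Added lab sketch; folder and file names are hypothetical.
$lab    = Join-Path $env:TEMP 'efs-lab'     # assumed to be on an NTFS volume
$secure = Join-Path $lab 'secure'
Remove-Item -LiteralPath $lab -Recurse -Force -ErrorAction SilentlyContinue
New-Item -ItemType Directory -Path $secure -Force | Out-Null

function Test-Encrypted([string]$Path) {
    # True when the NTFS Encrypted attribute is set on the file or folder.
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    return [bool]($attrs -band [IO.FileAttributes]::Encrypted)
}

# EFS is an NTFS feature, so stop early on any other file system.
$drive = New-Object System.IO.DriveInfo ([IO.Path]::GetPathRoot($lab))
if ($drive.DriveFormat -ne 'NTFS') {
    throw "Lab folder is on $($drive.DriveFormat), not NTFS."
}

# Mark the folder as encrypted; files created in it afterwards inherit the setting.
cipher.exe /e $secure | Out-Null
if (-not (Test-Encrypted $secure)) {
    throw 'Folder was not marked encrypted (EFS unavailable or disabled by policy).'
}

# Two plaintext files outside the encrypted folder, one file created inside it.
$copySrc = Join-Path $lab 'copy-me.txt'
$moveSrc = Join-Path $lab 'move-me.txt'
Set-Content -LiteralPath $copySrc -Value 'constructed sample data'
Set-Content -LiteralPath $moveSrc -Value 'constructed sample data'
Set-Content -LiteralPath (Join-Path $secure 'new.txt') -Value 'constructed sample data'

Copy-Item -LiteralPath $copySrc -Destination $secure   # copy into the folder
Move-Item -LiteralPath $moveSrc -Destination $secure   # move within the same volume

# Compare what the notes state with what the file system reports.
$cases = @(
    @{ File = 'new.txt';     Operation = 'created in folder'; NotesSay = $true  },
    @{ File = 'copy-me.txt'; Operation = 'copied into folder'; NotesSay = $true  },
    @{ File = 'move-me.txt'; Operation = 'moved into folder';  NotesSay = $false }
)
$cases | ForEach-Object {
    $observed = Test-Encrypted (Join-Path $secure $_.File)
    [pscustomobject]@{
        File      = $_.File
        Operation = $_.Operation
        NotesSay  = $_.NotesSay
        Observed  = $observed
        Matches   = ($observed -eq $_.NotesSay)
    }
} | Format-Table -AutoSize
```

A `Matches` value of `False` for the moved file means the file sits in an encrypted folder while still stored in plaintext, which is the case to look for when auditing folders that users assume are protected.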