Application of EFS Technology

Source: Internet
Author: User
Tags: strong password, pfx file, ntfs permissions

In Windows 2000, Microsoft introduced the Encrypting File System (EFS), which is based on public key cryptography. Windows XP improved EFS further so that several users can access the same encrypted file. Using EFS also brings its own trouble, however: a typical case is that after the system has been reinstalled, EFS-encrypted folders can no longer be opened.

1. Backing up and importing the key used for decryption

Click Start > Run, enter certmgr.msc in the Run dialog to open the Certificate Manager, and expand Certificates - Current User > Personal > Certificates. As long as you have encrypted something, the right pane shows a certificate with the same name as your user name (if there are several, pick the one whose Intended Purposes is Encrypting File System).

Right-click the certificate and choose All Tasks > Export. In the Certificate Export Wizard that appears, select "Yes, export the private key", enter a password as the wizard requires to protect the exported private key, and save the result as a file with the .pfx extension.

When the account that encrypted the files runs into a problem, or when you need to access or decrypt previously encrypted files after reinstalling the system, right-click the backed-up certificate and select Install PFX; the Certificate Import Wizard opens. Enter the password you used to protect the certificate when you exported it, then choose "Automatically select the certificate store based on the type of certificate" in the wizard. After that you can access the previously encrypted files again.
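
The same backup and restore done from PowerShell instead of certmgr.msc, as an added example that is not part of the original article. It assumes Windows 8 / Server 2012 or later (for Export-PfxCertificate and Import-PfxCertificate) and the backup path below; the EFS certificate is located by its Encrypting File System enhanced key usage rather than by user name.

```powershell
# Added example (not from the original article): back up and restore the EFS
# certificate with PowerShell. Assumes Export-PfxCertificate / Import-PfxCertificate
# are available (Windows 8 / Server 2012 or later) and the backup path below.
$BackupPath = 'C:\Backup\efs-cert.pfx'          # assumed location
$EfsEku = '1.3.6.1.4.1.311.10.3.4'              # OID of the "Encrypting File System" EKU

function Get-EfsCertificate {
    # The EFS key lives in the current user's Personal store; pick the certificate
    # whose intended purpose is EFS and that still has its private key.
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and
                       ($_.EnhancedKeyUsageList | Where-Object ObjectId -eq $EfsEku) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
}

function Backup-EfsCertificate {
    $cert = Get-EfsCertificate
    if (-not $cert) { throw 'No EFS certificate with a private key in Cert:\CurrentUser\My' }
    $secret = Read-Host -AsSecureString 'Password to protect the exported private key'
    New-Item -ItemType Directory -Path (Split-Path $BackupPath) -Force | Out-Null
    # A backup without the private key is useless for decryption;
    # Export-PfxCertificate includes the private key in the .pfx.
    Export-PfxCertificate -Cert $cert -FilePath $BackupPath -Password $secret | Out-Null
    Write-Host "Exported $($cert.Thumbprint) to $BackupPath"
}

function Restore-EfsCertificate {
    # After a reinstall (new SID, no key) import the .pfx into the new account's
    # Personal store; files encrypted with this certificate become readable again.
    $secret = Read-Host -AsSecureString 'Password used when the certificate was exported'
    $cert = Import-PfxCertificate -FilePath $BackupPath `
                -CertStoreLocation Cert:\CurrentUser\My -Password $secret
    Write-Host "Imported $($cert.Thumbprint) into Cert:\CurrentUser\My"
}

Backup-EfsCertificate    # run Restore-EfsCertificate on the rebuilt system
```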

2. Reliable EFS encryption

Without a backup, decrypting EFS files is practically impossible. Many methods circulate on the Internet, but their feasibility is minimal, and we recommend not wasting time on them. In Windows 2000/XP every user has a Security Identifier (SID) that distinguishes them from other users; each user's SID is different and unique. When data is encrypted for the first time, the operating system generates the user's key pair based on that SID and stores the public key and the private key separately for encrypting and decrypting data. If the key is not backed up before the system is reinstalled, the previous user's key can never be regenerated; because decrypting a file requires both the public key and the private key, folders encrypted with EFS cannot be opened.

EFS encryption is secure and reliable. Returning to the question raised at the beginning: once a user account has been deleted, can an identical user be recreated? The answer is no. Although the recreated user has the same name as the old one, the system does not assign it the same SID (remember, two accounts never share a SID, unless the system is a clone), so the keys differ and the encrypted files cannot be opened.


1. File encryption and certificate backup

1) Files can be encrypted and decrypted in Explorer; the operation is as simple as setting file attributes.

Open the Properties of the file or folder, click Advanced, tick the encryption option and click OK. Either a single file or a whole folder can be selected; we recommend encrypting folders, which is safer.

In Windows 2003 encrypted files are shown in green; in Windows 2000 their colour is unchanged. The selected item now carries the Encrypted attribute.

Note: the encryption and compression attributes cannot both be selected. Decrypting a file works the same way as encrypting it.


2) Encrypting and decrypting files from the command line is more convenient and faster, and suits advanced users.

The system provides the cipher command for encryption and decryption.

Displays or alters the encryption of directories [files] on NTFS partitions.

CIPHER [/E | /D] [/S:directory] [/A] [/I] [/F] [/Q] [/H] [pathname [...]]
CIPHER /K
CIPHER /R:filename
CIPHER /U [/N]
CIPHER /W:directory
CIPHER /X[:efsfile] [filename]

/A  Operates on files as well as directories. An encrypted file may become decrypted when it is modified if its parent directory is not encrypted, so it is recommended that you encrypt both the file and the parent directory.
/D  Decrypts the specified directories. The directories are marked so that files added afterwards will not be encrypted.
/E  Encrypts the specified directories. The directories are marked so that files added afterwards will be encrypted.
/F  Forces the encryption operation on all specified objects, even those that are already encrypted. Already-encrypted objects are skipped by default.
/H  Displays files with the hidden or system attribute. These files are omitted by default.
/I  Continues performing the specified operation even after errors have occurred. By default, cipher stops when an error is encountered.
/K  Creates a new file encryption key for the user running cipher. If this option is chosen, all other options are ignored.
/N  Only works with /U. Prevents keys from being updated; used to find all the encrypted files on the local drives.
/Q  Reports only the most essential information.
/R  Generates an EFS recovery agent key and certificate, then writes them to a .pfx file (containing the certificate and private key) and a .cer file (containing only the certificate). An administrator can add the contents of the .cer file to the EFS recovery policy to create the recovery agent for users, and import the .pfx file to recover individual files.
/S  Performs the specified operation on directories in the given directory and all subdirectories.
/U  Tries to touch all the encrypted files on local drives. This updates the user's file encryption key or the recovery agent's key to the current ones if they have changed. This option does not work with any option other than /N.
/W  Removes data from the available unused disk space on the entire volume. If this option is chosen, all other options are ignored. The specified directory can be anywhere on a local volume; if it is a mount point or points to a directory on another volume, the data on that volume is removed.
/X  Backs up the EFS certificate and keys into the file filename. If efsfile is given, the current user's certificate(s) used to encrypt that file are backed up; otherwise the user's current EFS certificate and keys are backed up.

directory  A directory path.
filename   A file name without extension.
pathname   Specifies a pattern, file or directory.
efsfile    The path of an encrypted file.

Used without parameters, cipher displays the encryption state of the current directory and any files it contains. You may use multiple directory names and wildcards; separate multiple parameters with spaces.

Decryption works the same way, so it is not shown here; try it yourself. Besides encrypting and decrypting, the cipher command can also back up keys and generate DRA certificates.
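
A worked cipher session, added here as an example and not part of the original article: it encrypts a folder with the options described above, checks the result from the Encrypted attribute rather than trusting the command's exit status, and then generates a DRA key pair with cipher /R. The folder C:\Secret and the base name C:\Backup\dra are assumptions; cipher /R prompts for the .pfx password interactively.

```powershell
# Added example (not from the original article): encrypt a folder with cipher,
# verify the result from the file attributes, and create a DRA key pair with /R.
# Assumed paths: C:\Secret (folder to protect) and C:\Backup\dra (DRA file base name).
$Target  = 'C:\Secret'
$DraBase = 'C:\Backup\dra'
New-Item -ItemType Directory -Path $Target, (Split-Path $DraBase) -Force | Out-Null
'constructed test content' | Set-Content -Path (Join-Path $Target 'note.txt')

# /E marks the directory so files added later are encrypted; /S: covers all
# subdirectories; /A also encrypts the files already present, not only the folder.
cipher /E /A "/S:$Target"

function Get-UnencryptedFiles([string]$Path) {
    # The Encrypted attribute bit is what cipher (run without options) reports as "E".
    Get-ChildItem -Path $Path -Recurse -File |
        Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::Encrypted) }
}
$left = Get-UnencryptedFiles $Target
if ($left) { Write-Warning "Still unencrypted: $($left.FullName -join ', ')" }
else       { Write-Host "Every file under $Target is EFS-encrypted." }

# Report view, as in the article: without /E or /D, cipher lists the state per entry.
cipher "$Target\*"

# Generate a data recovery agent (DRA) key and certificate: dra.pfx holds the
# certificate plus private key (password prompted interactively) and dra.cer the
# certificate only, for the recovery policy. Keep dra.pfx offline: it can decrypt
# every file covered by the policy.
cipher "/R:$DraBase"
```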

Note: after using EFS, be sure to back up the user certificate and the DRA certificate.


TIPS: DRA (data recovery agent). The data recovery agent is a very important role: it lets you decrypt encrypted files that can no longer be opened because the user certificate was lost. For safety, EFS does not work when no DRA policy exists. By default the local administrator is the DRA on a standalone machine, and the domain administrator is the DRA in a domain environment.


3) Backup method: use the certificate management tool certmgr.msc to export the certificate.

Note: remember to export the private key; otherwise the certificate backup is meaningless.

A certificate together with its private key is called a digital ID and can be accessed only with a password.

Apart from your own certificate, you also need to back up the DRA certificate created when the system was installed. It is the last resort after you lose your user certificate. The backup method is the same as above.

2. Sharing encrypted files

By default, an encrypted file can be accessed only by the user who encrypted it. Note that the user who can transparently open an encrypted file is the one who encrypted it, not the owner of the encrypted folder: if I create a file in a folder that you have marked as encrypted, the file is accessible only to me, and you cannot access it. (An encrypted folder does not deny access to users who did not encrypt it.) At the same time, although encryption keeps unauthorized users from reading a file, it does not stop users with access rights from deleting or renaming it, so encryption must be combined with NTFS permissions. What if, for some special reason, you need to share an encrypted file with a friend?

First, your friend also needs an EFS certificate (the system creates it the first time the user encrypts a file). Your friend then gives you a backup of that certificate (this backup need not contain the private key). After you receive it, install it in your system, then open the encrypted file's advanced attributes, click Details, and add your friend's EFS certificate.

Disabling the Encrypting File System

Because EFS depends on the user certificate, and users often create or encrypt files in network shared folders, losing the user certificate causes irreparable loss; some enterprises therefore require EFS to be switched off. Here are some ways to disable EFS:

1) Disabling encryption for a single folder.

It is easy to disable encryption for a single folder: copy the following content into Notepad and save it as desktop.ini in the folder where encryption is to be disabled.

[Encryption]
Disable=1

When encryption is then applied, you will see that the subdirectories under that directory are encrypted, but the directory itself is not.

2) To disable encryption on a DC or in an OU, create the following value in the registry:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS\EfsConfiguration
Disable: 0x00000001
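
Both ways of switching EFS off, scripted as an added example that is not part of the original article. The folder C:\Shared is an assumption; the machine-wide step needs an elevated shell and takes effect after a restart, and the value name EfsConfiguration (REG_DWORD, 1 = disabled) under the EFS key is this example's reading of the registry setting above. The probe after the desktop.ini step shows what a user sees when encryption is refused.

```powershell
# Added example (not from the original article): the two ways to disable EFS that the
# article describes. Assumed folder: C:\Shared. The machine-wide step needs an elevated
# shell and a restart; the value name EfsConfiguration (REG_DWORD, 1 = disabled) under
# the EFS key is how this example spells the registry setting.
$Folder = 'C:\Shared'
New-Item -ItemType Directory -Path $Folder -Force | Out-Null

# 1) Per-folder: a desktop.ini with [Encryption] Disable=1 keeps files in this folder
#    from being encrypted. Written as plain ASCII with Windows line endings.
$Ini = Join-Path $Folder 'desktop.ini'
[IO.File]::WriteAllText($Ini, "[Encryption]`r`nDisable=1`r`n", [Text.Encoding]::ASCII)

# Probe: trying to encrypt a file inside the folder is now expected to be refused.
$Probe = Join-Path $Folder 'probe.txt'
'constructed probe' | Set-Content -Path $Probe
try {
    [IO.File]::Encrypt($Probe)
    Write-Warning 'probe.txt was encrypted: desktop.ini was not honoured here'
} catch {
    Write-Host "Encryption refused in ${Folder}: $($_.Exception.Message)"
}

# 2) Machine-wide: disable EFS through the registry and read the value back.
$Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'
Set-ItemProperty -Path $Key -Name EfsConfiguration -Value 1 -Type DWord
(Get-ItemProperty -Path $Key -Name EfsConfiguration).EfsConfiguration   # 1 = EFS disabled
```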

3. How secure is EFS?

EFS works within the certificate mechanism (PKI) and is highly secure. Because EFS uses the user's SID and password to protect the master key, the strength of EFS depends largely on the password strength of the user who encrypts; we recommend a strong password to improve EFS security. In addition, the EFS certificate is stored in the user profile: before reinstalling the system or upgrading to a DC you must export the certificate, and you should avoid destroying the original user profile. Practice has shown that when the copy of the user certificate is lost and the user profile is damaged, recovering EFS files is almost impossible.

4. Handling the loss of an EFS certificate

Once the EFS user certificate is lost, you can import the backed-up user certificate into the Personal certificate store to decrypt the files. If there is no backup of the user certificate, you can import the system's DRA certificate; the DRA certificate should be backed up right after installation and then removed from the operating system, to be kept in reserve.

Note: the DRA certificate is not tied to a particular user and can be imported into any user's Personal certificate store.

If you cannot find a suitable DRA certificate and cannot decrypt the file, note that EFS-encrypted files cannot be moved or copied. You can use the backup tool that comes with the system to back up the EFS files and keep them for later decryption.

Note: although EFS-encrypted files cannot be moved or copied, they can be deleted or renamed.

5. Notes

A) Do not encrypt system folders.

B) Do not encrypt the temporary directory.

C) Always encrypt the personal folder.

D) Define a suitable DRA before deploying EFS.

E) Back up the user certificate and the DRA certificate.

F) After using EFS, avoid reinstalling the system; if you must, decrypt the files before reinstalling.

G) EFS does not encrypt data while it is in transit.
