EFS research application notes

Source: Internet
Author: User
Tags: password protection, pfx file

1. Introduction to EFS

1.1. What is EFS?

To improve file security, Microsoft introduced the EFS encryption technology for NTFS in Windows 2000/XP/2003. EFS (Encrypting File System) provides a transparent file encryption service for the Windows 2000/XP/2003 series. It is based on public key encryption and uses the CryptoAPI architecture in Windows. EFS keeps files confidential, but it does not provide complete protection on its own. EFS offers optional data recovery capabilities: a data recovery agent (recovery agent) can restore data that was encrypted by another user. EFS also allows multiple (authorized) users to share and access encrypted data.

1.2. Advantages of EFS

It is very convenient for users to encrypt or decrypt files or folders.
Access to encrypted files is fast and easy. If the user holds the private key for an encrypted NTFS file, the user can open the file and use it transparently like an ordinary document; otherwise, access is denied.
File access does not require a password for each access, unlike third-party encryption software. In addition, EFS encryption is passive: when a file is copied into a folder encrypted by EFS, it is automatically encrypted, which simplifies the data encryption process. The encrypted data remains encrypted no matter how it is moved (provided it stays within NTFS partitions; in Windows 2000/XP, if you try to move or copy an EFS-encrypted file to a FAT/FAT32 partition, it is decrypted first, and if the decryption fails, the move or copy operation is rejected).
EFS is closely integrated with NTFS. When a temporary file is created, the attributes of the original file are copied to the temporary file as long as both files are on an NTFS volume, so if the original is encrypted, the temporary file is encrypted too. EFS resides in the operating system kernel and stores file encryption keys in the non-paged pool, which ensures that keys never appear in the paging file. This prevents the leakage that some applications cause when they create temporary files.
Encrypting sensitive files with EFS adds another layer of security: an encrypted file is still protected even if an attacker gains full access to the computer's storage.
In Windows XP, EFS can process offline files and folders.

1.3. File operations on EFS-encrypted files

1.3.1. Copying encrypted folders or files

    • Copy files or folders from an NTFS partition on a Windows Server 2003 computer to another NTFS partition on the same Windows Server 2003 computer. Copy the files or folders just like unencrypted files, using Windows Explorer or the command prompt. The copy is encrypted.
    • Copy files or folders from an NTFS partition on a Windows Server 2003 computer to a file allocation table (FAT) partition on the same computer. Copy the files or folders just like unencrypted files, using Windows Explorer or the command prompt. Because the target file system does not support encryption, the copy is in plain text.
    • Copy files or folders to another computer, where both computers use NTFS partitions in Windows Server 2003. Copy the files or folders just like unencrypted files, using Windows Explorer or the command prompt. If the remote computer allows you to encrypt the file, the copy is encrypted; otherwise, the copy is in plain text. Note: the remote computer must be trusted for delegation; in a domain environment, remote encryption is disabled.
    • Copy a file or folder from an NTFS partition on a Windows Server 2003 computer to a FAT or NTFS partition on a Microsoft Windows NT 4.0 computer. Copy the files or folders just like unencrypted files, using Windows Explorer or the command prompt. Because the target file system does not support encryption, the copy is in plain text.
1.3.2. Moving or renaming an encrypted folder or file

    • Move or rename a file or folder within the same volume. Move the file just like an unencrypted file, using Windows Explorer, the context menu, or the command prompt. The target file or folder remains encrypted.
    • Move files or folders between different volumes. This is actually a copy operation; see the previous section, "Copying encrypted folders or files".
1.3.3. Deleting encrypted folders or files

    • If you have permission to delete the file or folder, you can delete it like an unencrypted file. Deleting an encrypted folder or file is not limited to the user who originally encrypted it.
1.3.4. Backing up encrypted folders or files

    • Back up data by copying it. As described in the previous section, "Copying encrypted folders or files", backups created with the "copy" command or menu options can produce plain-text copies.
    • Use the Backup tool in Windows Server 2003, or a backup tool that supports Windows Server 2003. This is the recommended backup method for encrypted files. The backup keeps the files encrypted. Backup operators do not need access to the private key during backup; they only need access to the files or folders.
1.3.5. Restoring encrypted files or folders

    • Restore by copying. As described in the previous section, "Copying encrypted folders or files", restored files created with the "copy" command or menu options can be plain-text copies.
    • Use the Backup tool in Windows Server 2003, or a backup tool that supports Windows Server 2003. This is the recommended method for restoring encrypted files. The restore operation keeps the files encrypted, and the person performing the restore does not need access to the private key. After the restore completes, users who hold the private key can use the files normally.
1.3.5.1. Restoring a file to another computer

    • If you want to use an encrypted file on any computer other than the one on which it was encrypted, make sure that the encryption certificate and its associated private key are available on that system. You can use a roaming profile or move the key manually to achieve this.
    • Use a roaming profile. If you do not have a roaming profile, ask the administrator to create one. Once a roaming profile is in place, the encryption key you use is the same on every computer. Note that even with a roaming profile you may still need to back up the encryption certificate and private key. However, if you lose the key required to decrypt a file, you can ask the designated recovery agent (the local or domain administrator by default) to restore the encrypted file.
    • Move the key manually. Back up your encryption certificate and private key before attempting to move the key manually. That way you can restore the certificate and key on another system.
1.4. Technical structure and principles of EFS

1.4.1. Keys and certificates

EFS uses a public-key-based solution to encrypt and decrypt data, and it uses standard X.509 certificates. Each protected file is encrypted with a file encryption key (FEK) of a certain length using a fast symmetric encryption algorithm (the length of the FEK is determined by the algorithm or policy). To access an encrypted file, a user must hold the private key that matches the public key.

Encryption and decryption

File conversion is the process of encrypting or decrypting a file. It requires a special interface, and the data must not be lost during conversion even if a serious failure occurs, so EFS backs up the original, unencrypted data until the conversion is complete. When EFS receives a request to convert a file, it first performs a series of checks, including whether the file can be encrypted and whether there is enough disk space to encrypt it. System files and files in the system directory cannot be encrypted by EFS. If the checks indicate that the file can be encrypted, EFS generates a file encryption key (FEK). EFS then creates a temporary file in the same folder and copies each data stream of the source file into this temporary file as a backup. The source file is truncated, and EFS reads the data from the temporary file and writes it back to the original file. Because EFS encryption is transparent, the data is encrypted before it is actually written to disk. When all data has been written to the original file and EFS has verified that the file is encrypted, EFS deletes the temporary file. If the conversion fails or an error occurs during it, EFS restores the file being encrypted to its original state before deleting the temporary file.

1.4.2. Open and read/write principles

EFS has four main operations: opening, reading, writing, and converting files. Because EFS is designed to be transparent, there is no difference between opening, reading, and writing encrypted files and operating on ordinary files: the application still uses the common Win32 APIs. An application uses CreateFile() or OpenFile() to open encrypted files; ReadFile(), ReadFileEx(), and ReadFileScatter() to read them; and WriteFile(), WriteFileEx(), and WriteFileScatter() to write them.

Data recovery

EFS provides data recovery capabilities. When your key is damaged or lost, EFS data recovery can restore encrypted files. The system administrator can choose among a recovery agent policy, an empty recovery policy, and a no-recovery policy. In a domain, when the first domain controller is set up, Windows applies the default recovery policy for that domain. In a recovery agent policy, the system administrator adds one or more recovery agents; these agents can recover any encrypted data within their administrative scope. An empty recovery policy means that the system administrator has deleted all recovery agents and their public key certificates (in Windows 2000, an administrator who selects this setting effectively disables EFS). A no-recovery policy means that the system administrator has deleted the private keys of the recovery policy; with no private key available, the recovery agent cannot be used, and EFS recovery is unavailable. On a standalone machine, there is no recovery policy initially. The system administrator of a standalone computer can modify the EFS recovery policy and add or create recovery certificates in it.

2. EFS User Guide

2.1. Encrypting files or folders

Before you encrypt a file or folder, make sure that the volume holding it is formatted as NTFS. If it is not, convert it to NTFS with:
convert volume /FS:NTFS [/V] [/CvtArea:filename] [/NoSecurity] [/X]

2.1.1. Steps to encrypt a file or folder with EFS
    1. Create the file c:\secret\file1 in Windows Explorer, right-click file1, and click Properties.
      Windows XP Professional displays the Properties dialog box with the General tab open.
    2. Click Advanced. The Advanced Attributes dialog box is displayed.
    3. Select the "Encrypt contents to secure data" check box, and then click OK.
    4. Click OK to close the file1 Properties dialog box. The Encryption Warning dialog box is displayed, warning that you are encrypting a file in an unencrypted folder. By default, both the folder and the file are encrypted, but you can choose to encrypt only the file.
    5. Click Cancel to close the Encryption Warning dialog box, and then click Cancel to close the file1 Properties dialog box. The file1 file is not encrypted.
    6. In Windows Explorer, right-click c:\secret and click Properties.
    7. Click Advanced. The Advanced Attributes dialog box is displayed.
    8. Select the "Encrypt contents to secure data" check box and click OK.
    9. Click OK to close the secret Properties dialog box. The Confirm Attribute Changes dialog box prompts you about encrypting a folder. There are two options: encrypt only the folder, or encrypt the folder and all subfolders and files in it.
    10. Select "Apply changes to this folder, subfolders and files", and click OK.
    11. In the secret folder, right-click file1 and click Properties. The file1 Properties dialog box appears.
    12. Click Advanced. The Advanced Attributes dialog box is displayed. Note that the "Encrypt contents to secure data" check box is now selected.
    13. Close the Advanced Attributes dialog box.
    14. Close the Properties dialog box.
    15. Close all windows and log out. You will now find that the names of encrypted files and folders are displayed in green.


If you prefer not to use the graphical interface, you can also use the "cipher" command at the command prompt to encrypt and decrypt data. For detailed usage of the "cipher" command, enter "cipher /?" and press Enter.

Note: If you copy unencrypted files into a folder that has the encryption attribute, those files are automatically encrypted. If encrypted data is moved out of the folder, it keeps the encryption attribute when moved to an NTFS partition and is automatically decrypted when moved to a FAT partition. Data encrypted by EFS cannot be shared directly in Windows; if EFS-encrypted data is shared, it is transmitted in plain text over the network. Data stored on an NTFS partition can also be compressed, but a file cannot be compressed and encrypted at the same time. Finally, Windows system files and system folders cannot be encrypted.
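The folder encryption procedure and the copy caveats above, scripted as an added example (not code from the original article). It assumes Windows PowerShell 5.1 or later on a machine where EFS is not disabled; every path in it is hypothetical.

```powershell
# Added example, not part of the original article: encrypt a folder with
# EFS from PowerShell and verify the result. Assumes Windows PowerShell 5.1
# or later and a volume where EFS has not been disabled. All paths are
# hypothetical.

function Get-VolumeFileSystem {
    # Returns e.g. 'NTFS' or 'FAT32' for the drive that holds $Path.
    param([Parameter(Mandatory)][string]$Path)
    $full = [System.IO.Path]::GetFullPath($Path)
    $drive = [System.IO.Path]::GetPathRoot($full).TrimEnd('\')
    $disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$drive'"
    if (-not $disk) { throw "Cannot determine the file system of '$drive'" }
    return $disk.FileSystem
}

function Test-EfsEncrypted {
    # True when the Encrypted attribute is set on a file or folder.
    param([Parameter(Mandatory)][string]$Path)
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    return (($attrs -band [System.IO.FileAttributes]::Encrypted) -ne 0)
}

function Protect-EfsFolder {
    # Same effect as "Encrypt contents to secure data" with "Apply changes
    # to this folder, subfolders and files" (steps 6 to 10 above).
    param([Parameter(Mandatory)][string]$Path)
    $fs = Get-VolumeFileSystem -Path $Path
    if ($fs -ne 'NTFS') {
        throw "EFS requires NTFS, but '$Path' is on a $fs volume; convert it first."
    }
    # /E marks the folder so new files are encrypted, /A includes existing
    # files, /S:dir recurses into subfolders.
    & cipher.exe /E /A "/S:$Path" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "cipher.exe failed with exit code $LASTEXITCODE" }
    # Report anything that stayed in plain text (system files, for example).
    Get-ChildItem -LiteralPath $Path -Recurse -Force |
        Where-Object { -not (Test-EfsEncrypted -Path $_.FullName) } |
        ForEach-Object { Write-Warning "Not encrypted: $($_.FullName)" }
}

function Copy-EfsFile {
    # Copies an encrypted file but refuses a destination volume that cannot
    # hold it encrypted, so no plain-text copy is created by accident.
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Destination
    )
    $destDir = Split-Path -Parent ([System.IO.Path]::GetFullPath($Destination))
    $destFs = Get-VolumeFileSystem -Path $destDir
    if ((Test-EfsEncrypted -Path $Source) -and $destFs -ne 'NTFS') {
        throw "'$Destination' is on $destFs; the copy would be decrypted."
    }
    Copy-Item -LiteralPath $Source -Destination $Destination
    return (Test-EfsEncrypted -Path $Destination)   # stays $true on NTFS
}

# Usage (hypothetical paths):
# Protect-EfsFolder -Path 'C:\secret'
# Copy-EfsFile -Source 'C:\secret\file1' -Destination 'D:\backup\file1'
```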

2.1.2. Adding an "Encrypt" command to the right-click menu

Encrypting a file in the traditional way means opening several layers of dialog boxes and confirming each in turn, which is tedious. With a single registry change you can add encrypt and decrypt options to the right-click menu.
Enter "regedit" in the Run dialog and press Enter to open the Registry Editor, then go to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced branch. Create a new DWORD value named "EncryptionContextMenu" and set its value to "1".
Exit the Registry Editor, select any file or folder on an NTFS partition, and right-click it: the right-click menu now contains the corresponding options for encrypting and decrypting.

2.1.3. Disabling encryption for a folder

If you want to disable encryption for a folder, create a file named "desktop.ini" in that folder, open it in Notepad, and add the following content:
[Encryption]
Disable=1
Save and close the file. From then on, you will receive an error message whenever you try to encrypt the folder, unless the file is deleted.
If you want to disable EFS encryption on the local machine entirely, modify the registry. Open the Registry Editor and go to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS branch. Create a new DWORD value named "EfsConfiguration" and set its value to "1". EFS encryption on the local machine is now disabled. If you want to use it again later, just change the value back to "0".
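The two "disable" settings from this section, applied and checked from PowerShell, as an added example that is not part of the original article. It assumes Windows PowerShell 5.1 or later and an elevated prompt for the registry change; the folder path is hypothetical.

```powershell
# Added example, not part of the original article. Assumes Windows
# PowerShell 5.1 or later; Set-EfsMachineState needs an elevated prompt.

$EfsKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'

function Disable-EfsForFolder {
    # Writes the desktop.ini that makes EFS refuse to encrypt this folder.
    param([Parameter(Mandatory)][string]$Path)
    $ini = Join-Path -Path $Path -ChildPath 'desktop.ini'
    $lines = @()
    if (Test-Path -LiteralPath $ini) {
        $lines = @(Get-Content -LiteralPath $ini)
        if ($lines -match '^\s*\[Encryption\]') {
            throw "$ini already has an [Encryption] section; edit it by hand."
        }
    }
    $lines += '[Encryption]', 'Disable=1'
    Set-Content -LiteralPath $ini -Value $lines -Encoding Ascii
    # Explorer keeps desktop.ini out of sight when it is hidden+system.
    (Get-Item -LiteralPath $ini -Force).Attributes = 'Hidden, System'
}

function Test-EfsFolderBlocked {
    # True when the folder's desktop.ini carries Disable=1 under [Encryption].
    param([Parameter(Mandatory)][string]$Path)
    $ini = Join-Path -Path $Path -ChildPath 'desktop.ini'
    if (-not (Test-Path -LiteralPath $ini)) { return $false }
    $inSection = $false
    foreach ($line in Get-Content -LiteralPath $ini) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'Encryption')
            continue
        }
        if ($inSection -and $line -match '^\s*Disable\s*=\s*1\s*$') { return $true }
    }
    return $false
}

function Get-EfsMachineState {
    # 'Disabled' when EfsConfiguration is 1, 'Enabled' when it is 0 or absent.
    $v = (Get-ItemProperty -Path $EfsKey -Name EfsConfiguration -ErrorAction SilentlyContinue).EfsConfiguration
    if ($v -eq 1) { return 'Disabled' }
    return 'Enabled'
}

function Set-EfsMachineState {
    # Writes EfsConfiguration = 1 (disable) or 0 (re-enable) as in the text.
    param([Parameter(Mandatory)][ValidateSet('Enabled', 'Disabled')][string]$State)
    if (-not (Test-Path -Path $EfsKey)) { New-Item -Path $EfsKey -Force | Out-Null }
    $value = if ($State -eq 'Disabled') { 1 } else { 0 }
    New-ItemProperty -Path $EfsKey -Name EfsConfiguration -PropertyType DWord -Value $value -Force | Out-Null
    return (Get-EfsMachineState)
}

# Usage (hypothetical path):
# Disable-EfsForFolder -Path 'C:\public'
# Test-EfsFolderBlocked -Path 'C:\public'   # $true
# Set-EfsMachineState -State Disabled        # 'Disabled'
```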

2.2. Ensuring the security and reliability of EFS encryption

We have seen that in the EFS encryption system the data is encrypted with the FEK, and the FEK is encrypted with the user's public key and stored together with the data. Decryption runs in the opposite order: first the private key decrypts the FEK, and then the FEK decrypts the data. Clearly the user's key plays the central role in EFS encryption. Where does the key come from? In Windows 2000/XP, each user has a SID (Security Identifier) that distinguishes their identity; every user's SID is different and unique. The first time a user encrypts data, the operating system generates the user's key based on the SID and saves the public key and private key separately for the user to encrypt and decrypt data. Secondly, the EFS mechanism was designed with various emergencies in mind, so the encryption system also includes the concept of a recovery agent. For Windows 2000 in standalone and workgroup environments, the default recovery agent is Administrator; Windows XP has no default recovery agent in standalone and workgroup environments. In a domain environment, the default recovery agent on all Windows 2000/XP computers is the domain administrator. This ensures the security of encrypted data.

2.2.1. Backing up the key

Enter "certmgr.msc" in the Run dialog and press Enter to open the Certificate Manager, where you can export and import keys.
After you have encrypted files or folders, open the Certificate Manager; under the "Current User → Personal → Certificates" branch you should see a certificate named after your user name (if you have not encrypted any data yet, there is no certificate here).

Right-click the certificate and choose "All Tasks → Export". The Certificate Export Wizard appears. Click "Next" and select the "Yes, export the private key" option. Leave the other options at their defaults and keep clicking "Next". Finally, enter a password and the path to save to, and confirm; the wizard exports a certificate file with the .pfx extension (you can choose to delete the private key when exporting the certificate; once this option is selected, the private key is deleted and can no longer be exported).
This certificate file can be imported into other user environments (for example, after you reinstall the operating system). After importing it in another user environment, you will be able to access the encrypted files, so this certificate file can be used to restore access to encrypted files. On the other hand, if the certificate is stolen, the encrypted data may leak. Therefore, the exported certificate file must be stored securely.

2.2.2. Restoring the key

Find the exported .pfx file, right-click it, and select the "Install PFX" command. The Certificate Import Wizard appears; follow its instructions to complete the import (note: if you chose to protect the certificate with a password when you exported it, you must provide the correct password when importing it here, otherwise the import cannot continue). All previously encrypted data can then be opened correctly.
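The key backup and restore of sections 2.2.1 and 2.2.2 done from PowerShell rather than certmgr.msc, as an added example that is not part of the original article. It assumes Windows 8 / Server 2012 or later, where the PKI module provides Export-PfxCertificate and Import-PfxCertificate; the .pfx path is hypothetical.

```powershell
# Added example, not part of the original article. Assumes the PKI module
# (Windows 8 / Server 2012 or later). The .pfx path is hypothetical.

# OID of the "Encrypting File System" enhanced key usage carried by EFS certificates.
$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'

function Get-EfsCertificate {
    # Returns the current user's EFS certificates that still have a private
    # key, newest first. Empty until the user has encrypted something.
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object {
            $_.HasPrivateKey -and
            ($_.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                ForEach-Object { $_.EnhancedKeyUsages } |
                Where-Object { $_.Value -eq $EfsEkuOid })
        } | Sort-Object -Property NotAfter -Descending
}

function Backup-EfsCertificate {
    # The "Yes, export the private key" path: newest EFS certificate plus its
    # private key into a password-protected .pfx. Returns the thumbprint.
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$Password
    )
    $cert = Get-EfsCertificate | Select-Object -First 1
    if (-not $cert) { throw 'No EFS certificate found: encrypt a file first, then back up the key.' }
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password | Out-Null
    return $cert.Thumbprint
}

function Restore-EfsCertificate {
    # Imports the .pfx into the personal store so previously encrypted files
    # open again; the password is the one chosen at export time.
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$Password
    )
    $imported = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\CurrentUser\My -Password $Password
    return $imported.Thumbprint
}

function Test-EfsKeyRestored {
    # Confirms the certificate is present with a usable private key.
    param([Parameter(Mandatory)][string]$Thumbprint)
    $cert = Get-ChildItem -Path "Cert:\CurrentUser\My\$Thumbprint" -ErrorAction SilentlyContinue
    return [bool]($cert -and $cert.HasPrivateKey)
}

# Usage (hypothetical path):
# $pw = Read-Host -AsSecureString -Prompt 'PFX password'
# $tp = Backup-EfsCertificate -PfxPath 'D:\keys\efs-backup.pfx' -Password $pw
# Restore-EfsCertificate -PfxPath 'D:\keys\efs-backup.pfx' -Password $pw
# Test-EfsKeyRestored -Thumbprint $tp   # $true once the key is back
```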

2.2.3. Recovery agent

Create a temporary file anywhere on the hard disk; the file type does not matter. Here we use an "encrypted" folder in the root directory of drive E as an example. After creating the folder, enter "cmd" in the Run dialog and press Enter to open a command prompt window. Enter "cipher /R:e:\encrypted" and press Enter. The system asks whether you want to protect the certificate with a password; decide based on your situation, and simply press Enter if you do not need password protection. When it finishes, you will find the files encrypted.cer and encrypted.pfx in the root directory of drive E.
For the encrypted.pfx file, right-click it, select the "Install PFX" command, and install it as prompted by the wizard.
For the encrypted.cer file, enter "gpedit.msc" in the Run dialog and press Enter to open the Group Policy Editor. Go to "Computer Configuration → Windows Settings → Security Settings → Public Key Policies → Encrypting File System", right-click it, and select "All Tasks → Add Data Recovery Agent". The Add Recovery Agent Wizard appears; follow its instructions and select the encrypted.cer file. If everything is correct, you can see the "Add Data Recovery Agent" command in the right-click menu. This indicates that the current user has been set as a recovery agent.

Note: If the encrypted.pfx and encrypted.cer files used to import the certificate were generated by the user who is logged on, that user is the recovery agent.
Once a valid recovery agent is set, logging on as the recovery agent lets you decrypt files directly. However, data encrypted before the recovery agent was set cannot be recovered by the data recovery agent.
Windows 2000 is simpler: it has a default recovery agent, so you only need to log on with the recovery agent account (Administrator by default) to decrypt the files.

2.3. Sharing encrypted files or folders
    1. Log on to Windows with the recovery agent account or with the account that created the EFS-encrypted file, and open the encrypted folder (because EFS encrypts files rather than folders, other users can also open the folder). Right-click the encrypted file you want to share and select "Properties" to open the file's Properties dialog box.
    2. On the "General" tab, click "Advanced"; in the "Advanced Attributes" dialog box click "Details", then click "Add", select the other user's EFS certificate in the user certificate list, and click "OK" to add it (this certificate is created only when the user uses EFS for the first time, so to let other users view EFS-encrypted files they must create this certificate first; that is, they must have used EFS encryption at least once).
    3. Click "OK" to close all the dialog boxes. The EFS-encrypted file is now shared.
2.4. Accessing remote shared EFS-encrypted files
    1. Make sure that the Windows account used to access the remote computer can access EFS-encrypted files on that computer. For the specific settings, see the preceding sections on the recovery agent and on sharing encrypted files.
    2. Set the "Trust computer for delegation" attribute on the computer where the folder is located. In Administrative Tools → Active Directory Users and Computers → Computers, right-click the target computer and choose Properties → General → "Trust computer for delegation". After the setting is complete, the target computer must be restarted.
