Like Windows BitLocker, the Encrypting File System (EFS) is a set of public-key-based encryption mechanisms built into Windows. It encrypts files and folders on NTFS partitions, protecting the data on disk in real time and transparently to the user.
Encryption operation
The encryption is transparent to the user: after a file is encrypted, the user does not have to decrypt it manually and can open it as before, while other users cannot open the encrypted file.
The encryption procedure is simple. In any NTFS partition, right-click the file or folder you want to encrypt and click Properties. On the General tab, click the Advanced button, tick the "Encrypt content to protect data" check box in the pop-up window, and click OK. The file is encrypted when it is closed.
By default, EFS-encrypted files and folders are shown in green in Explorer, which indicates that they have been encrypted by EFS.
If you no longer want a file to be encrypted, clear the check box in the file's properties.
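The same encrypt, verify and decrypt cycle from the command line, as an added example that is not part of the original article. It uses the built-in cipher.exe instead of the Properties dialog and checks the NTFS Encrypted attribute that Explorer renders in green; the folder path and sample file are constructed for the demonstration.

```powershell
# Added example (not from the original article): encrypt a folder with the
# built-in cipher.exe, verify the Encrypted attribute, then decrypt again.
# The folder path and the sample file are constructed for this demonstration.
$folder = Join-Path $env:USERPROFILE 'EfsDemo'
New-Item -ItemType Directory -Path $folder -Force | Out-Null
Set-Content -Path (Join-Path $folder 'secret.txt') -Value 'constructed sample data'

# /e = encrypt, /a = operate on files as well as directories,
# /s:<dir> = apply to the directory and everything under it.
# Requires an NTFS volume; cipher.exe reports an error on FAT/exFAT.
cipher.exe /e /a "/s:$folder" | Out-Null

# The Encrypted file attribute is the marker Explorer shows in green.
function Test-EfsEncrypted {
    param([string]$Path)
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    return [bool]($attrs -band [System.IO.FileAttributes]::Encrypted)
}
Test-EfsEncrypted -Path (Join-Path $folder 'secret.txt')

# /u /n lists every encrypted file on the local drives without modifying
# anything; handy as an inventory check, but it scans all local volumes.
cipher.exe /u /n

# Clearing the check box in the dialog is equivalent to /d.
cipher.exe /d /a "/s:$folder" | Out-Null
Test-EfsEncrypted -Path (Join-Path $folder 'secret.txt')
```

Test-EfsEncrypted returns $true after the /e run and $false after /d. Encrypting the parent directory as well as the file (which /s does here) matters: a file whose parent directory is not marked for encryption can silently become plaintext again when an application rewrites it.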
Backing up the key
EFS encryption is simple to operate, but if the user reinstalls the system, the EFS-encrypted files and folders cannot be opened even with the original user name and password. Users should therefore back up the key in time, so that the encrypted files can still be opened after a reinstall.
After the encryption operation, the Windows notification area automatically prompts the user to back up the encryption key. Click the prompt to open the "Back up your file encryption certificate and key" dialog box and select "Back up now"; the Certificate Export Wizard appears.
Click Next to reach the export file format options and keep the default "Personal Information Exchange".
Click Next and enter a password; this is the password that will be required to restore the certificate later. Click Next again, choose where to save the file, and the certificate file is exported.
If the user did not click the notification-area prompt to back up the key immediately, that is not a problem: the key can also be backed up manually. Click "Start" - "Run", type certmgr.msc to open Certificate Manager, and expand "Personal" - "Certificates". As long as an encryption operation was performed earlier, the right-hand pane shows a certificate whose name matches the user name; if there are several, choose the one whose "Intended Purposes" is "Encrypting File System". Right-click the certificate and choose "All Tasks" - "Export" from the menu.
The Certificate Export Wizard window appears. Select "Export the private key", follow the wizard's prompts, enter a password to protect the exported private key, choose the directory in which to save the certificate, and complete the export.
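The manual backup above, done from PowerShell instead of the Certificate Manager wizard, as an added example that is not part of the original article. It selects the certificate by the "Encrypting File System" enhanced key usage OID (1.3.6.1.4.1.311.10.3.4, a real Microsoft OID) so the check does not depend on the display language, and exports it with the Export-PfxCertificate cmdlet from the Windows PKI module. The output path is a constructed placeholder and the password is prompted for.

```powershell
# Added example (not from the original article): back up the EFS certificate
# and private key to a PKCS#12 (.pfx, "Personal Information Exchange") file.
# The output path is a constructed placeholder.
$outFile  = Join-Path $env:USERPROFILE 'efs-backup.pfx'
$password = Read-Host -AsSecureString -Prompt 'Password to protect the exported private key'

# EFS certificates carry the "Encrypting File System" enhanced key usage.
# Matching on the OID rather than the friendly name works on non-English installs.
$efsOid = '1.3.6.1.4.1.311.10.3.4'
$efsCert = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $efsOid) } |
    Sort-Object -Property NotBefore -Descending |
    Select-Object -First 1

if (-not $efsCert) {
    throw 'No EFS certificate with a private key found in the user store; encrypt a file first.'
}
"Exporting certificate $($efsCert.Thumbprint) ($($efsCert.Subject)) to $outFile"

# Exports certificate plus private key; fails if the key was created non-exportable.
$efsCert | Export-PfxCertificate -FilePath $outFile -Password $password | Out-Null

# Equivalent built-in alternative: cipher.exe /x writes <name>.pfx and prompts
# for the protecting password itself.
# cipher.exe "/x:$env:USERPROFILE\efs-backup-cipher"
```

If several EFS certificates exist, `cipher.exe /c <file>` prints the thumbprint of the certificate that can decrypt a given file, which is the one worth confirming before relying on the backup. Keep the .pfx off the machine it protects: anyone holding the file and its password can decrypt every file that certificate covers.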
Advantages of encryption
EFS encryption is based on public-key cryptography: it uses a fast symmetric encryption algorithm to encrypt the file or folder with a randomly generated File Encryption Key (FEK), and the same key is used to encrypt different files or folders.
EFS user authentication takes place when you log on to Windows; once logged on, you can open any encrypted file you are authorized for. That is why, after EFS encrypts a folder or file, the user barely notices the encryption.
In terms of convenience, because the EFS key is tied to the user's Windows logon password, files are decrypted without entering a separate password.
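A small model of the scheme the article describes (random symmetric FEK for the data, FEK protected by the user's public key), as an added example that is not EFS's own code and not from the original article. It uses the .NET RSA and AES classes available to PowerShell; the key pairs, sample data and the "second user" are all constructed. The point it shows is why another user's account cannot read the file and why losing the private key (a reinstall with no backup) leaves the data unrecoverable even though nothing on disk is missing.

```powershell
# Added example (not from the original article, not EFS's implementation):
# a model of hybrid encryption with a File Encryption Key (FEK).
# Key pairs, sample data and the second user are constructed for the demo.

# Two users' key pairs; in EFS these correspond to the certificate and
# private key kept in each user's profile.
$alice = [System.Security.Cryptography.RSA]::Create(2048)
$bob   = [System.Security.Cryptography.RSA]::Create(2048)

$plain = [System.Text.Encoding]::UTF8.GetBytes('constructed file contents')

# 1. Random symmetric FEK for the data.
$fek = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($fek)

# 2. Bulk data encrypted with the fast symmetric algorithm.
$aes = [System.Security.Cryptography.Aes]::Create()
$aes.Key = $fek
$aes.GenerateIV()
$cipherText = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)

# 3. FEK wrapped with the owner's public key and stored beside the data.
#    OaepSHA1 is chosen only because both Windows PowerShell 5.1 and
#    PowerShell 7 support it; it is not a statement about EFS internals.
$oaep = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA1
$wrappedFek = $alice.Encrypt($fek, $oaep)

# Owner: unwrap the FEK with the private key, then decrypt the data.
$aes.Key = $alice.Decrypt($wrappedFek, $oaep)
$recoveredBytes = $aes.CreateDecryptor().TransformFinalBlock($cipherText, 0, $cipherText.Length)
'Owner recovers: ' + [System.Text.Encoding]::UTF8.GetString($recoveredBytes)

# Second user: a different private key cannot unwrap the FEK, so the
# ciphertext is unreadable even though he can copy the file.
try {
    $bob.Decrypt($wrappedFek, $oaep) | Out-Null
    'Unexpected: second user unwrapped the FEK'
} catch {
    'Second user cannot unwrap the FEK: ' + $_.Exception.Message
}

# Lost private key: the data and the wrapped FEK are still on disk,
# but nothing remains that can unwrap it. This is the reinstall scenario.
$alice.Dispose()
$bob.Dispose()
$aes.Dispose()
```

The owner's recovered text matches the input; the second user's attempt ends in a cryptographic padding error. Backing up the certificate and private key, as the previous section describes, is what keeps the "unwrap" step possible after the profile that held the key is gone.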
Disadvantages of encryption
However, compared with BitLocker, EFS encryption has several significant drawbacks.
First, if the encryption certificate is not backed up before the system is reinstalled, the files inside EFS-encrypted folders cannot be opened: even logging on with the original password does not decrypt them.
Second, when several users share the same computer, another user cannot see the contents of an encrypted file but can still see the names of the encrypted folders and files, and so obtain some information. In addition, if the default permissions are kept when encrypting, other users can also delete EFS-encrypted files and folders. Users should therefore set access permissions on the files or folders under Properties - Security when using EFS encryption, to prevent others from viewing or deleting them.
Sharing a computer between several users leads to an interesting situation: if more than one user has administrator rights and one of them changes another user's password and then logs on as that user, the EFS-encrypted files cannot be accessed, because the password was changed by someone else. If the user changes his or her own password instead (which requires entering the old password), the user can still open the EFS-encrypted files.
For EFS-encrypted files on which no access permissions were set, recovery after the account has been deleted is possible under two preconditions: you know the logon password of the user account, and the deleted account's profile must still exist, because the encrypted private key and master key (together with the certificate and public key) are saved in the profile. If both conditions are met, obtain the SID of the deleted account from the old profile (in the profile directory \Application Data\Microsoft\Crypto\RSA there is a folder named after the account's SID), create a new user, use the NewSID tool to change its SID to match the original, log on as the new user, encrypt any file, and log off; then overwrite the new user's profile with the old one, log on as the new user again, and the other files can be decrypted.
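The two checks a practitioner wants for the second drawback, as an added example that is not part of the original article: listing who can decrypt a file, and tightening the NTFS ACL so other local users can neither list nor delete the encrypted folder. It uses the built-in cipher.exe and icacls.exe; the folder path is a constructed placeholder.

```powershell
# Added example (not from the original article): audit who can decrypt an
# EFS file, then restrict the NTFS ACL so EFS is not the only protection.
# The folder path is a constructed placeholder.
$folder = Join-Path $env:USERPROFILE 'EfsDemo'
$file   = Join-Path $folder 'secret.txt'

# /c reports, per file, the users and certificate thumbprints that can decrypt
# it, plus any recovery agents. An entry you do not recognise is worth a look.
cipher.exe /c $file

# EFS only controls reading the contents. Listing names and deleting files are
# governed by the NTFS ACL, which by default is inherited and broader than needed.
# /inheritance:r  drops the inherited entries
# /grant:r        replaces the explicit entries with exactly the ones given
# (OI)(CI)F       full control, propagated to files and subfolders
# SYSTEM keeps access so backup and indexing services are not broken.
icacls.exe $folder /inheritance:r /grant:r "${env:USERNAME}:(OI)(CI)F" "SYSTEM:(OI)(CI)F"

# Verify: only the two entries should remain.
icacls.exe $folder
```

An administrator can still take ownership and reset the ACL, which is exactly why EFS (not the ACL) is what keeps the contents private; the ACL closes the name-disclosure and deletion gaps the article points out.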
Comparison of BitLocker and EFS
BitLocker is primarily used to encrypt an entire drive, external hard disk, USB flash drive, and so on, whereas EFS is primarily used to encrypt individual files or folders.
BitLocker does not depend on user accounts and is the same for all users (either on or off); EFS is tied to the user account, so if the computer has multiple users, each user can encrypt his or her own files independently.
BitLocker requires an administrator account to use; EFS does not require administrator privileges.
File encryption using Windows EFS (how to encrypt a folder)