Introduction to Raytheon's security template for Microsoft platform

Microsoft's file encryption system (EPS) is one of the safest and least widely used technologies I have ever seen so far when I have been using Microsoft infrastructure and enterprise deployment for so many years. It is rarely used in enterprise-level or medium-scale development, and is used independently by individuals and teams in security control ). Because the EPS is easy to set and use independently, authentication, recovery proxy management, backup, storage, and detailed plans for implementing access models are required during large-scale deployment. Incorrect deployment of EPS may cause data loss. Although it can be solved through physical means, in order to be more specific, for example, it is assumed that an unreasonable EPS control is designed in a failed scenario, leading to the blocking of file decryption by encrypted files.

The simplest form of EPS is a Windows-based feature that allows users (administrators or other users) to encrypt folders or individual files. The most typical application is encryption at the folder level through EPS, which ensures that all files added to the encrypted folder are automatically encrypted. The example in this chapter is based on creating folders under the directory. When you select to encrypt a folder, the folder is marked as encrypted. As described above, when a folder is encrypted, all the files in this folder will be encrypted by its owner. It is very easy to encrypt a folder. You only need to click Advanced properties and select encrypted content to protect data. 2.1

EPS is a user-based encryption control. Basically, this method is as follows: when a user encrypts a file or folder, EPS generates a certificate for the user and places its private key in the user's configuration file. The Public Key is stored together with the files created by the user. Only in this way can the user decrypt these files. Because of this, the recovery proxy certificate is usually associated with different user accounts and the user's public key is also embedded in this file. Because of this, even if the user loses the certificate used to encrypt the file and restores the proxy user or the holder of a clearer private key, the file can be decrypted, similarly, the recovery proxy's public key is automatically stored together with the encrypted file. You can also assign another user's public key to the file to allow them to decrypt the file. This allows multiple users to share an encrypted file. When an EPS certificate is assigned by a CA or the first request of an EPS operation in a domain, the Public Key is stored in AD. This is also true for recovering proxy authentication. In fact, the Public Key is automatically included in the domain. The method for creating an EPS file is to extract it directly from the configured ad. I will describe this in more detail later.

Let's take a moment to detail the encryption process. When multiple users share an encrypted file, understanding how these files work and the encryption process helps us better understand how EPS works in an enterprise or a smaller ad environment. There is nothing magical about the EPS certificate. It is a private public key group generated by the RSA algorithm, through which the EPS performs simple X.509 authentication. 2.2

When creating these certificates for users, the RSA algorithm is used to generate public and private keys and store them in the User Certificates. Only the public key is stored in AD. Data is encrypted by using the public key and decrypted by the private key. This is why the public key is made public, so that other users can encrypt the data for you. Only users with the private key can decrypt the data. In this way, data cannot be decrypted immediately after being encrypted by some users using the public key.

Most of the people I know have the impression that they use keys to encrypt or decrypt an encrypted file. In fact, this method not only applies to user EPS, but also to people and RSA-based encryption processes. The actual situation is that a strong random key has been generated before file encryption. By default, this key is based on the Advanced Encryption Standard (AES) password. The RSA algorithm encrypts keys instead of data itself. The public RSA key is used to encrypt the AES key, while the AES key is used to encrypt the actual data.