Encrypting File System

EFS stands for Encrypting File System, a file encryption facility on NTFS volumes in Windows NT-based operating systems such as Windows 2000, Windows XP, Windows Vista, Windows 7 and Windows 8.

This extension allows file contents to remain confidential even when unauthorised people gain access to them, for example through insufficiently or incorrectly set access rights or through theft of the storage medium, because the contents can only be decrypted with the correct key.

Operation

When a file is encrypted using EFS, the system first generates a random key, called the File Encryption Key (FEK), with which the file is then encrypted using the symmetric cipher DES or, from Windows XP SP1 onward, AES. The FEK is then encrypted with the asymmetric RSA algorithm using the user's public key and stored together with the file. When the file is to be read, the FEK is decrypted with the user's private key, and the recovered FEK in turn decrypts the file back to plaintext.

Data recovery

Loss of the secret key naturally means loss of the encrypted data. To address this problem, the FEK can additionally be stored encrypted with the public key of another user. This user, called the Key Recovery Agent (KRA), is by default the administrator of the Windows installation in use (Windows 2000 only). From Windows XP onward, the KRA must be configured explicitly afterwards (cipher /R:EFSRA). Other arrangements are also possible: for example, a central Key Recovery Agent can be set up for an entire Windows network domain, or no Key Recovery Agent at all.

Multi-user use of encrypted files

Just as for data recovery, the FEK can also be stored encrypted with the public keys of each of several users, so that on a network or on a computer with multiple user accounts several users can access the same encrypted files.
