Encrypting File System
==Operation==
[[Image:EFSOperation.svg|thumb|right|300px|Operation of Encrypting File System]]

EFS works by encrypting a file with a bulk [[symmetric key]], also known as the File Encryption Key, or FEK. It uses a symmetric encryption algorithm because encrypting and decrypting large amounts of data takes less time than with an [[asymmetric key]] cipher. The symmetric encryption algorithm used varies with the version and configuration of the operating system; see [[#Algorithms used by Windows version|Algorithms used by Windows version]] below.

The FEK (the symmetric key used to encrypt the file) is then encrypted with a [[public key]] associated with the user who encrypted the file, and this encrypted FEK is stored in the $EFS alternate data stream of the encrypted file.<ref>{{cite web |url=http://www.anvir.com/encrypting-file-system.htm |title=Encrypting File System }}</ref> To decrypt the file, the EFS component driver uses the private key that matches the EFS digital certificate (used to encrypt the file) to decrypt the symmetric key stored in the $EFS stream. The EFS component driver then uses the symmetric key to decrypt the file. Because the encryption and decryption operations are performed at a layer below NTFS, they are transparent to the user and to all their applications.

Folders whose contents are to be encrypted by the file system are marked with an encryption attribute. The EFS component driver treats this encryption attribute in a way analogous to the inheritance of file permissions in NTFS: if a folder is marked for encryption, then by default all files and subfolders created under it are also encrypted. When encrypted files are moved within an NTFS volume, they remain encrypted. However, there are a number of occasions in which a file can be decrypted without the user explicitly asking Windows to do so.

Files and folders are decrypted before being copied to a volume formatted with another file system, such as [[File Allocation Table|FAT32]]. Likewise, when encrypted files are copied over the network using the SMB/CIFS protocol, they are decrypted before being sent over the network. The main way to prevent this decryption on copy is to use backup applications that are aware of the "Raw" APIs. Backup applications that have implemented these [http://msdn2.microsoft.com/en-us/library/aa363783.aspx Raw APIs] simply copy the encrypted file stream and the $EFS alternate data stream as a single file. In other words, the files are "copied" (e.g. into the backup file) in encrypted form and are not decrypted during backup.

Starting with [[Windows Vista]], a user's private key can be stored on a [[smart card]]; Data Recovery Agent (DRA) keys can also be stored on a smart card.<ref>{{cite web |url = http://www.microsoft.com/technet/technetmag/issues/2006/05/FirstLook/ |title = First Look: New Security Features in Windows Vista |author = Chris Corio |date = May 2006 |access-date = 2006-11-06 |work = TechNet Magazine |publisher = Microsoft |archive-url = https://web.archive.org/web/20061110012420/http://www.microsoft.com/technet/technetmag/issues/2006/05/FirstLook/ |archive-date = 2006-11-10 |url-status = dead }}</ref>
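The decrypt-on-copy cases above (a non-NTFS destination, or an SMB/CIFS copy to a UNC path) can be checked before a copy is made. The following PowerShell script is an added example, not part of the article or of Windows; the function names are my own, and it reads only the NTFS Encrypted attribute and the destination volume's format.

```powershell
# Added example (not from the article): pre-copy check for the EFS
# decrypt-on-copy cases. Function names are hypothetical/my own.

function Test-EfsEncrypted {
    param([Parameter(Mandatory)][string]$Path)
    # EFS marks encrypted files and folders with the Encrypted attribute (0x4000).
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    return [bool]($attrs -band [System.IO.FileAttributes]::Encrypted)
}

function Test-EfsCopyStaysEncrypted {
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Destination
    )
    $result = [ordered]@{ Source = $Source; Destination = $Destination }
    if (-not (Test-EfsEncrypted -Path $Source)) {
        $result.StaysEncrypted = $true      # nothing EFS-protected to lose
        $result.Reason = 'source is not EFS-encrypted'
        return [pscustomobject]$result
    }
    # UNC target = SMB/CIFS copy: the file is decrypted before it leaves the
    # machine, whatever file system the remote share uses.
    if ($Destination -like '\\*') {
        $result.StaysEncrypted = $false
        $result.Reason = 'UNC path: decrypted before transfer over SMB/CIFS'
        return [pscustomobject]$result
    }
    # Local target: EFS is an NTFS feature, so FAT32/exFAT volumes receive
    # a plaintext copy.
    $root = [System.IO.Path]::GetPathRoot([System.IO.Path]::GetFullPath($Destination))
    try { $format = [System.IO.DriveInfo]::new($root).DriveFormat }
    catch {
        $result.StaysEncrypted = $null      # unknown: volume not mounted
        $result.Reason = "destination volume $root not found"
        return [pscustomobject]$result
    }
    $result.StaysEncrypted = ($format -eq 'NTFS')
    $result.Reason = "destination volume format is $format"
    return [pscustomobject]$result
}

# Demo with a constructed sample file. File.Encrypt uses the current user's
# EFS certificate and requires an edition of Windows that supports EFS.
$sample = Join-Path $env:TEMP 'efs-demo.txt'
Set-Content -LiteralPath $sample -Value 'constructed sample data'
[System.IO.File]::Encrypt($sample)
Test-EfsCopyStaysEncrypted -Source $sample -Destination 'C:\Backup\efs-demo.txt'
Test-EfsCopyStaysEncrypted -Source $sample -Destination '\\fileserver\share\efs-demo.txt'
Test-EfsCopyStaysEncrypted -Source $sample -Destination 'E:\efs-demo.txt'  # e.g. a FAT32 stick
```

Where the check reports a plaintext copy, a tool that uses the Raw APIs the section describes (for example robocopy with its /EFSRAW switch) copies the file together with its $EFS stream in encrypted form instead.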