Windows Vista: Encrypting File System redesigned


Brien M. Posey, MCSE
04.26.2007

The Encrypting File System (EFS) has always been one of Windows XP's more popular features, but it did have its shortcomings. The Windows XP version was somewhat difficult to manage, and you could experience data loss if you accidentally lost the keys. In Windows Vista, Microsoft completely redesigned EFS to make it a little bit easier to use. In this article, I will tell you about what's new with Encrypting File System.

Probably the biggest change to EFS is that it now supports smart cards. If a user logs on with a smart card, the user's EFS keys can be stored on that smart card. This is a fantastic feature because in the past, users' keys resided on the system volume. If that volume was damaged, the keys were often lost.

Administrators can also store recovery keys on smart cards. This means that if an administrator needs to perform a recovery operation on a workstation, they can simply plug in the smart card, and they are in business.

There are also some new management tools associated with EFS. One of these tools, which I will explain in a moment, is the Certificate Manager. The Certificate Manager, which is similar to the one used in Windows Server 2003, allows users to export their EFS keys. There is also a new policy management component that can be used to set the encryption strength or to require the use of smart cards.

Backing up EFS certificates

Being that I have written so many articles and white papers on such a wide variety of topics, my inbox is flooded every single day with hundreds of questions from readers. By far the question that is asked the most often involves the need to recover encrypted data in Windows XP when the keys have been lost or destroyed.

In Windows XP there isn't a whole lot that you can do if your EFS key and the recovery key have been destroyed, and in a way, the same could be said for Windows Vista. The good news, though, is that Vista allows you to create a backup of your EFS keys.

Begin the process by opening the Certificate Manager console. You can access this console by entering CERTMGR.MSC at a command prompt. When the console opens, expand the Personal container and then click on the Certificates container. When you do, you should see a list of all of the certificates that are installed on the machine. Scroll to the right if necessary so that you can see the certificate's Intended Purpose column. Now, look for a certificate where the intended purpose is Encrypting File System.

Once you have located the necessary certificate, right-click on it and select All Tasks | Export from the resulting shortcut menu. Windows will now launch the Certificate Export Wizard. Keep in mind that the wizard only allows you to export one certificate at a time. If your machine contains multiple EFS certificates, you must export each one individually.

Click Next to bypass the wizard's welcome screen. On the following screen, choose the Yes, Export the Private Key option, and click Next again. On the following screen, choose the Personal Information Exchange option, and click Next once more. You will now be prompted to enter a password that can be used to protect the key that you are exporting. Enter and confirm the password. You should now be prompted for the location where Windows should save the exported key. Select your location, and click Finish to complete the export process.
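The export procedure above can also be scripted, which is handy when a machine holds several EFS certificates and the wizard only takes one at a time. The script below is an added example, not code from the article or from Microsoft: it applies the same filter you apply by eye in the Certificate Manager (Intended Purpose = Encrypting File System, matched by its enhanced key usage OID 1.3.6.1.4.1.311.10.3.4), exports each certificate with its private key to a password-protected PFX file (the wizard's "Personal Information Exchange" format), and then reloads each file to check that the private key actually made it into the backup. It assumes Windows PowerShell with the Cert: drive (PowerShell 2.0 on Vista or later); the backup folder D:\EFS-Backup and the function names are assumptions of this example.

```powershell
# Added example, not code from the article: back up every EFS certificate and private
# key in the current user's Personal store to a password-protected PFX file, then verify
# that the backup really contains the private key.
# Assumes Windows PowerShell with the Cert: drive (PowerShell 2.0 on Vista or later).
# D:\EFS-Backup is an assumed location; use removable media kept off the system volume.

$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'   # enhanced key usage "Encrypting File System"

function Get-EfsCertificate {
    # Same filter the article applies by eye: Intended Purpose = Encrypting File System,
    # restricted to certificates whose private key is present on this machine
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $cert = $_
        $cert.HasPrivateKey -and (
            $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            Where-Object { $_.Value -eq $EfsEkuOid }
        )
    }
}

function Backup-EfsCertificate {
    param(
        [string]       $BackupDir,
        [SecureString] $Password
    )
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $certs = @(Get-EfsCertificate)
    if ($certs.Count -eq 0) { Write-Warning 'No EFS certificate with a private key found.'; return }

    foreach ($cert in $certs) {
        # The wizard exports one certificate at a time; this loop does the same for each one
        $file  = Join-Path $BackupDir ("EFS-{0}.pfx" -f $cert.Thumbprint)
        # Pfx = "Personal Information Exchange"; the password protects the private key inside
        $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $Password)
        [System.IO.File]::WriteAllBytes($file, $bytes)

        # Check the result: reload the PFX and confirm the private key survived the export
        $check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
        $check.Import($file, $Password, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
        if ($check.HasPrivateKey -and $check.Thumbprint -eq $cert.Thumbprint) {
            Write-Output "Backed up $($cert.Subject) [$($cert.Thumbprint)] to $file"
        } else {
            Write-Warning "Backup $file does not contain a usable private key"
        }
    }
}

$pfxPassword = Read-Host -AsSecureString 'Password to protect the exported keys'
Backup-EfsCertificate -BackupDir 'D:\EFS-Backup' -Password $pfxPassword
```

Vista also ships a built-in command-line equivalent, `cipher /x`, which writes the current user's EFS certificate and keys to a PFX after prompting for a password. Whichever route you take, the password is all that protects the exported private key, so treat the PFX like the key itself and keep it off the system volume whose loss it is meant to survive.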

What about BitLocker?

The Windows Vista encryption feature that seems to be getting the most press lately is BitLocker. In case you aren't familiar with it, BitLocker uses a machine's TPM chip to encrypt the entire system volume. The reason why this is such a big deal is that EFS can encrypt some folders on the system volume, but it can't encrypt the entire volume. If the folder containing the Windows system files is EFS encrypted, then Windows won't even be able to boot.

This raises the question: why do we even need EFS? Believe it or not, Encrypting File System does have its place. One reason why EFS is still a viable option is that BitLocker, in most cases, requires a computer equipped with a TPM chip. Today, the vast majority of computers are not TPM equipped; however, there are ways to use BitLocker without a TPM.

Even if your system is capable of running BitLocker, you may still have to use EFS. BitLocker is only capable of encrypting the system partition. If your computer contains other partitions, excluding the 1.5 GB BitLocker partition, then your only means of encrypting the data on those partitions without using third-party tools is to use EFS. This is true even if the additional partitions reside on the boot drive.

It is also important to understand that BitLocker and EFS are two vastly different technologies. BitLocker is a volume-level encryption utility, whereas EFS works at the file system level. EFS encryption is based on PKI keys associated with individual user accounts, whereas BitLocker is completely oblivious to users and to PKI keys. As such, EFS is a far more granular encryption solution than BitLocker.
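That granularity cuts both ways: on a data partition that BitLocker does not cover, each EFS-encrypted file is readable only by the specific user certificates (and recovery certificates) recorded in it, so before a key backup or a migration you want to know which files exist and which certificates can open them. The script below is an added example, not code from the article: it walks an assumed data partition, picks out files carrying the Encrypted attribute, and uses Vista's built-in `cipher /c` to list the certificates that can decrypt each one. Windows PowerShell on Vista or later and the path D:\Data are assumptions of this example.

```powershell
# Added example, not code from the article: inventory the EFS-encrypted files on a data
# partition that BitLocker does not cover, and show which certificates can open each one.
# Assumes Windows PowerShell on Vista or later; D:\Data is an assumed path.

function Get-EfsEncryptedFile {
    param([string] $Root)
    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            # EFS marks encrypted files with the Encrypted file attribute
            -not $_.PSIsContainer -and
            (($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0)
        }
}

function Show-EfsFileAccess {
    param([string] $Root)
    $files = @(Get-EfsEncryptedFile -Root $Root)
    Write-Output ("{0} EFS-encrypted file(s) under {1}" -f $files.Count, $Root)
    foreach ($f in $files) {
        # cipher /c prints, per file, the user certificates (by thumbprint) and
        # recovery certificates able to decrypt it; a file whose only listed
        # certificate is missing from every backup is one you cannot recover
        cipher /c $f.FullName
    }
}

Show-EfsFileAccess -Root 'D:\Data'
```

Run it as the user who owns the files; the Encrypted attribute is visible to anyone who can list the directory, but the certificate list `cipher /c` prints is what tells you whose key backup matters for each file.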

About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit his personal Web site at www.brienposey.com.

Copyright 2008 - 2009, TechTarget