The Encrypting File System (EFS) has long been one of Windows XP's more popular features, but it had its shortcomings. The Windows XP version was difficult to manage, and if you lost your private key (and had no recovery agent configured), the encrypted data was gone for good. In Windows Vista, Microsoft reworked EFS to make it easier to manage and harder to lock yourself out of. In this article, I will tell you what's new with the Encrypting File System.
Recovery keys can also be stored on smart cards. If an administrator needs to perform a recovery operation on a workstation, he or she can simply plug in the smart card and decrypt the files; the recovery agent's private key never has to be copied onto the workstation's hard disk.
There are also some new management tools associated with EFS. One of these, which I will explain in a moment, is the Certificate Manager console. Certificate Manager, which is similar to the one used in Windows Server 2003, allows users to export their EFS certificates together with the private keys. There is also a new Group Policy component that can be used to set the key length used for EFS certificates or to require that EFS keys be stored on smart cards.
Backing up EFS certificates
Because I have written so many articles and white papers on such a wide variety of topics, my inbox is flooded every day with hundreds of questions from readers. By far the most frequently asked question involves the need to recover encrypted data in Windows XP when the keys have been lost or destroyed.
In Windows XP, there isn't much you can do if both your EFS private key and the recovery agent's key have been destroyed, and the same is true in Windows Vista: without one of those keys, the per-file encryption keys cannot be recovered and the data is unreadable. The good news is that Vista makes it easy to back up your EFS certificate and private key so that you never end up in that position.
Begin by opening the Certificate Manager console: enter CERTMGR.MSC at a command prompt or in the Run dialog. When the console opens, expand the Personal container and then click the Certificates container. You should see a list of the certificates installed for the current user (CERTMGR.MSC opens the current user's store, not the computer's, which is where EFS keys live). Scroll to the right if necessary so that you can see the Intended Purposes column, and look for a certificate whose intended purpose is Encrypting File System.
Once you have located the necessary certificate, right-click it and select All Tasks | Export from the shortcut menu. Windows launches the Certificate Export Wizard. Keep in mind that the wizard exports only one certificate at a time. If your machine contains multiple EFS certificates (for example, because an earlier certificate expired and Windows issued a new one, in which case older files are still protected by the old key), you must export each one individually.
Click Next to bypass the wizard's welcome screen. On the following screen, choose Yes, export the private key, and click Next. Choose the Personal Information Exchange (PKCS #12, .PFX) format, and click Next once more. You will be prompted for a password to protect the key you are exporting; because anyone holding the .pfx file and this password can decrypt every one of your EFS-protected files, choose a strong one. Enter and confirm the password, select the location where Windows should save the exported key, and click Finish. Store the .pfx file somewhere other than the disk that holds the encrypted files, such as removable media kept under lock and key; a backup that is lost along with the drive is no backup at all.
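The same export can be scripted, which is handy when more than one EFS certificate is in play. The following PowerShell script is an added example, not code from the original article or from Microsoft. It selects every certificate in the current user's Personal store whose enhanced key usage lists Encrypting File System, exports each one (with its private key) to a password-protected PFX, and then uses cipher /c to confirm that the certificate actually protecting a given encrypted file is among those backed up. The backup folder and the file to check are placeholders; it assumes Windows PowerShell 2.0 or later.

```powershell
# Added example (not from the original article): back up every EFS certificate in the
# current user's Personal store (the same view as CERTMGR.MSC > Personal > Certificates)
# to a password-protected PFX file, one file per certificate, then confirm that the key
# protecting a given encrypted file is among the ones backed up.
# Assumptions: Windows PowerShell 2.0 or later; $BackupDir and $FileToCheck are placeholders.

$EfsOid      = '1.3.6.1.4.1.311.10.3.4'                 # Enhanced Key Usage OID for "Encrypting File System"
$BackupDir   = 'E:\efs-backup'                          # assumed: removable media, NOT the volume holding the encrypted files
$FileToCheck = "$env:USERPROFILE\Documents\secret.txt"  # assumed: an EFS-encrypted file you own

$Password = Read-Host -AsSecureString 'Password to protect the exported keys'
if (-not (Test-Path $BackupDir)) { New-Item -ItemType Directory -Path $BackupDir | Out-Null }

# Select certificates whose Enhanced Key Usage extension (OID 2.5.29.37) lists EFS.
# .NET returns the typed X509EnhancedKeyUsageExtension object for that OID.
$EfsCerts = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $eku = $_.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $EfsOid })
}
if (-not $EfsCerts) { throw 'No EFS certificate found in Cert:\CurrentUser\My.' }

$Exported = @()
foreach ($cert in $EfsCerts) {
    # The wizard exports one certificate at a time; every EFS certificate is exported here,
    # because files encrypted before a certificate was renewed still depend on the old key.
    if (-not $cert.HasPrivateKey) {
        Write-Warning "Skipping $($cert.Thumbprint): no private key on this machine."
        continue
    }
    $pfxPath = Join-Path $BackupDir ('efs-{0}.pfx' -f $cert.Thumbprint)
    try {
        # Equivalent of "Yes, export the private key" + "Personal Information Exchange (PKCS #12)"
        $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $Password)
        [System.IO.File]::WriteAllBytes($pfxPath, $bytes)
        $Exported += $cert.Thumbprint
        '{0}  expires {1:yyyy-MM-dd}  -> {2}' -f $cert.Thumbprint, $cert.NotAfter, $pfxPath
    } catch {
        # Typically a CryptographicException: the private key was generated as non-exportable
        # and cannot be backed up this way.
        Write-Warning "Could not export $($cert.Thumbprint): $($_.Exception.Message)"
    }
}

# Check: "cipher /c <file>" lists the thumbprint of every certificate able to decrypt the file.
# Each user thumbprint it prints should be among the ones just written to $BackupDir; a
# thumbprint listed but not exported means this backup would not let you recover that file.
# Thumbprints shown under "Recovery Certificate(s)" belong to the recovery agent, not to the
# user, and are expected to be reported as MISSING here.
if (Test-Path $FileToCheck) {
    $InUse = cipher /c $FileToCheck |
        Where-Object { $_ -match 'thumbprint' } |
        ForEach-Object { ($_ -split ':', 2)[1] -replace '\s', '' }
    foreach ($tp in $InUse) {
        if ($Exported -contains $tp) { "OK      $tp protects $FileToCheck and is backed up" }
        else                         { "MISSING $tp protects $FileToCheck but was not exported" }
    }
}
```

Vista also ships a command-line equivalent for the common case: cipher /x writes the current user's EFS certificate and key to a .pfx (or, with cipher /x:file, the certificates used to encrypt a particular file). Whichever route you take, test the backup by importing the .pfx on another machine or account and decrypting a sample file before you rely on it.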
What about BitLocker?
The Windows Vista encryption feature that seems to be getting the most press lately is BitLocker. In case you aren't familiar with it, BitLocker encrypts the entire volume that Windows is installed on and uses the machine's Trusted Platform Module (TPM) chip to protect the key that unlocks that volume, releasing the key only if the early boot components have not been tampered with. The reason this is such a big deal is that EFS can encrypt individual files and folders on the system volume, but it cannot encrypt the whole volume. In particular, it cannot encrypt the Windows system files at all: Windows refuses to encrypt files marked with the system attribute, because the operating system could not boot if they were.
This begs the question: why do we even need EFS? Believe it or not, the Encrypting File System still has its place. One reason EFS remains a viable option is that BitLocker, in most configurations, requires a computer equipped with a TPM chip (version 1.2). At the time this was written, the vast majority of computers were not TPM equipped. There is a way to use BitLocker without a TPM, but it means enabling the advanced startup options through Group Policy and then carrying the startup key on a USB flash drive that must be present every time the machine boots.
Even if your system is capable of running BitLocker, you may still have a use for EFS. In the version of Vista current when this article was written, BitLocker could encrypt only the volume Windows is installed on (Vista SP1 later added the ability to encrypt additional data volumes). If your computer contains other partitions, apart from the small unencrypted partition that BitLocker needs in order to boot (about 1.5 GB in Vista), your only means of encrypting the data on those partitions without third-party tools is EFS. This is true even if the additional partitions reside on the same physical disk as Windows.
It is also important to understand that BitLocker and EFS are two very different technologies. BitLocker is a volume-level encryption feature, whereas EFS works at the file system level on individual files and folders. EFS encryption is based on public key certificates and private keys associated with individual user accounts, whereas BitLocker has no notion of users or of PKI keys: once the machine has booted and the volume has been unlocked, every user who can log on sees the same plaintext. BitLocker protects a volume against offline attacks, such as a stolen laptop or a disk moved to another machine, while EFS protects a user's files from other users of the same running system. EFS is therefore the far more granular solution, and the two can be used together rather than as alternatives.
About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit his personal Web site at www.brienposey.com.
This was first published in April 2007