Do I need AD to use EFS?, part 2

In the answer to the question: Do I need AD to use EFS? I think an important part is missing. The computer must not only be delegated for trust, but must also be able to access the public key of the user to be able to decrypt after receiving the file.
You are correct. The answer was not a tutorial on how to set up this type of storage, but of course the user's EFS public key must be available. This can be accomplished either by using roaming profiles, or by exporting and importing. If no key is available, however, a new EFS certificate may be generated on the server. (This, of course, can be a problem, since the user's local private key will be different from that on the server and now two keys need to be backed up.) If, however, there is no delegation and no key on the server, the file is encrypted locally in a temporary file using the user's EFS public key, then it is sent to the server. When the user next accesses the file, it is downloaded into a temp file and then decrypted using his local keys.
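The checks and the export/import step described in the answer, as an added PowerShell example that is not part of the original TechTarget answer. It assumes the RSAT ActiveDirectory module on the admin workstation, a file server named FS01 and a share path \\FS01\Users (both hypothetical names), and is run as the user whose EFS key is being backed up.

```powershell
# Added example, not from the original answer. Hypothetical names: FS01, \\FS01\Users.
# Requires the RSAT ActiveDirectory module; run in the session of the EFS user.

$Server    = 'FS01'                                      # hypothetical file server
$TestFile  = "\\$Server\Users\$env:USERNAME\secret.txt"  # hypothetical encrypted file
$BackupPfx = "$env:USERPROFILE\efs-$env:USERNAME.pfx"
$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'                    # "Encrypting File System" EKU

# 1. Delegation check. If the server's computer object is not trusted for
#    delegation, the server cannot act as the user towards EFS, and the client
#    falls back to encrypting into a local temp file before sending it.
Import-Module ActiveDirectory
$srv = Get-ADComputer -Identity $Server -Properties TrustedForDelegation
"{0}: TrustedForDelegation = {1}" -f $srv.DNSHostName, $srv.TrustedForDelegation

# 2. Locate the user's EFS certificate: Personal store, EFS EKU, private key present.
function Get-EfsCertificate {
    foreach ($c in (Get-ChildItem Cert:\CurrentUser\My | Sort-Object NotAfter -Descending)) {
        if (-not $c.HasPrivateKey) { continue }
        $eku = $c.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        if ($eku -and ($eku.EnhancedKeyUsages.Value -contains $EfsEkuOid)) { return $c }
    }
}
$cert = Get-EfsCertificate
if (-not $cert) { throw 'No EFS certificate with a private key found in CurrentUser\My.' }
"Local EFS certificate thumbprint: $($cert.Thumbprint)"

# 3. Export certificate plus private key as a password-protected PFX. This is the
#    same material that the built-in "cipher /x" backs up; guard the file and
#    delete it once it has been imported on the server.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath $BackupPfx -Password $pfxPassword | Out-Null

# 4. In the user's session on the server (or once via the roaming profile), import
#    the SAME key, so the server does not generate a second, different EFS certificate:
#    Import-PfxCertificate -FilePath $BackupPfx -CertStoreLocation Cert:\CurrentUser\My -Password $pfxPassword

# 5. Verify which key an encrypted file is actually bound to. "cipher /c" lists the
#    certificate thumbprints that can decrypt the file; if the local thumbprint is
#    missing, the file was encrypted with a different (e.g. server-generated) key.
if (Test-Path $TestFile) {
    $cipherOutput = (& cipher.exe /c $TestFile 2>&1) -join "`n"
    if (($cipherOutput -replace ' ', '') -match $cert.Thumbprint) {
        "OK: $TestFile is decryptable with the local EFS key."
    } else {
        "WARNING: $TestFile is not bound to the local EFS key.`n$cipherOutput"
    }
}
```

Two points to keep in mind when running this: TrustedForDelegation on the computer object is unconstrained delegation, which is a sensitive setting to grant to a file server, so treat a True result as something to justify rather than simply a prerequisite that is met; and the PFX contains the private key that protects every file the user has encrypted, so the password and the file deserve the same care as the user's credentials.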
