EFS benefits and limitations

I work as a consultant for systems planning. Most of our production systems are based on OS/390 (with RACF) and we are moving slowly but surely to WinTel for Web-based application structure.

We are now trying to get the building blocks correctly set, which includes the use of EFS (Encrypting File System) or its equivalent to protect network transmissions. I am looking for some guidelines for interpreting what Kerberos-based EFS can give us and the expectations that we should have for its limitations.

Then, assuming we want (for example) an RSA-based solution, how do I get into the price performance evaluation of such third-party solutions that we will need to plug into Windows 2000 Advanced Server, Active Directory and so on? Funny as it might seem, I do not want to be submitting the result of this initial work as a blooper later down the road! Any advice would be very welcome.

I'm glad that you are doing your upfront research. It's the only way to ensure a smooth and secure transition. First of all, though, I am confused by your choice of Kerberos-based EFS. The Encrypting File System is not Kerberos-based. Kerberos is the default authentication system for Windows 2000, and EFS is a built-in file encryption service. EFS is a very good encryption program and is very easy to use. However, you need to pay special attention to the archival of user encryption keys, and ensure the existence of file recovery agents (and archive their keys!). Otherwise, it is possible to lose data, because once encryption keys are lost or corrupted, it is impossible to decrypt the data. (That is, of course, exactly what you want for a file encryption program.) You might think that this is obvious -- that we need to back up encryption keys as well as data -- but I routinely get requests to help someone whose data is gone forever.

You can read some excellent papers on EFS on Microsoft's Web site. The first one to read is Encrypting File System for Windows 2000; you should also refer to this white paper on Windows 2000 Public Key Infrastructure and this one on PKI enhancements in XP Pro and .NET. While EFS does not require you to establish a PKI, these white papers detail many facets of its use, including how to improve management of EFS. I recently wrote an article and did a webcast on the issue of recovery and how it will be improved in Windows .NET server. Many important Windows 2000 issues are reviewed as well.

If you are considering an RSA-based solution, your best bet is to contact both RSA and Microsoft. Microsoft has a new team that specializes in security services.
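The answer's central warning is that EFS data is unrecoverable once the user's key and the recovery agent's key are both gone. The following PowerShell script is an added example, not code from the original Q&A or from Microsoft: it inventories EFS-encrypted files under a folder, locates the current user's EFS certificate by its Enhanced Key Usage OID, archives that certificate with its private key to a password-protected PFX, and generates a recovery agent certificate with cipher.exe. It assumes a current Windows PowerShell with the PKI module (Export-PfxCertificate) and that $Path and $ArchiveDir point at the user's data and an offline, backed-up archive location; both are placeholders.

```powershell
# Added example (not part of the original answer). Assumptions: Windows PowerShell 5.1+
# with the PKI module; $Path and $ArchiveDir are placeholders for the user's data folder
# and an archive location that itself gets backed up off the machine.
param(
    [string]$Path       = "$env:USERPROFILE\Documents",  # assumption: where EFS-protected files live
    [string]$ArchiveDir = "D:\EFS-KeyArchive"            # assumption: offline/backed-up archive
)

# Enhanced Key Usage OID that marks a certificate as usable for Encrypting File System.
$EfsEku = '1.3.6.1.4.1.311.10.3.4'

# 1. Inventory: which files carry the NTFS "Encrypted" attribute (what cipher.exe /u /n lists).
$encrypted = Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted }
Write-Host ("{0} EFS-encrypted file(s) found under {1}" -f @($encrypted).Count, $Path)

# 2. Find EFS certificates in the user's personal store that still have a private key.
#    A certificate without its private key cannot decrypt anything, so it is not worth archiving.
$efsCerts = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and (
        $_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }
    ) -contains $EfsEku
}

if (-not $efsCerts) {
    Write-Warning "No EFS certificate with a private key in Cert:\CurrentUser\My; nothing to archive."
    Write-Warning "If encrypted files exist, this is exactly the data-loss scenario the answer describes."
    return
}

# 3. Archive each EFS certificate plus private key to a PFX. Keep the PFX password in a
#    separate secret store; a PFX whose password is lost is as useless as a lost key.
New-Item -ItemType Directory -Path $ArchiveDir -Force | Out-Null
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password (record it separately from the PFX)'
foreach ($cert in $efsCerts) {
    $out = Join-Path $ArchiveDir ("efs-{0}-{1}.pfx" -f $env:USERNAME, $cert.Thumbprint)
    Export-PfxCertificate -Cert $cert -FilePath $out -Password $pfxPassword | Out-Null
    Write-Host ("Archived user EFS key {0} -> {1}" -f $cert.Thumbprint, $out)
}

# 4. Recovery agent: cipher.exe /r:<basename> writes <basename>.cer (public part, to be
#    published through Group Policy under Public Key Policies > Encrypting File System) and
#    <basename>.pfx (the agent's private key, which must be archived like the user keys above).
$raBase = Join-Path $ArchiveDir 'efs-recovery-agent'
if (-not (Test-Path "$raBase.pfx")) {
    & cipher.exe "/r:$raBase"
    Write-Host "Recovery agent certificate and key written to $raBase.cer / $raBase.pfx"
}
```

Run the script as the user whose files are encrypted; EFS keys live in that user's profile, so an administrator's session will not see them. The resulting PFX files and the recovery agent's PFX are the artifacts the answer says must be backed up: test a restore (import the PFX on a second machine and open an encrypted file) before relying on the archive.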