Encrypting Sensitive Data

It's deceptively simple to encrypt and decrypt files in Windows Small Business Server 2003. Of course, anything that's sensitive enough to be encrypted should be treated very carefully, so take time to plan before implementing file and folder encryption. You need to have a clear and well-understood recovery policy, as described in this section, to prevent irreversible data loss. Also make sure that the vendors of any affected line-of-business applications will fully support encryption.

Encryption of stored files in SBS is accomplished through the use of the Encrypting File System (EFS). Using public-key encryption, EFS allows files and directories stored on NTFS partitions to be encrypted and decrypted transparently. The user's EFS public and private keys are used to perform the encryption and decryption without any action by the user, whose access to the files is the same as if they weren't encrypted. Other users, however, are denied access to the file. If files that are encrypted with EFS are saved to another computer, the user's key information must be imported to that computer for decryption to occur.

Each file's encryption key is also automatically encrypted with the recovery agent's key. In the event of the loss of the user's encrypting key, the recovery agent can decrypt the files. EFS encrypts the bulk of the file with a single symmetric key. The symmetric key is then encrypted twice: once with the user's EFS public key to allow decryption, and once with the recovery agent's public key to allow data recovery.
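The key wrapping described above can be modeled from PowerShell with the .NET cryptography classes. This is an added illustration, not EFS's own code or on-disk format; the function names, the choice of AES and RSA with OAEP padding, and the sample plaintext are assumptions made for the demonstration.

```powershell
# Added illustration of the scheme: one symmetric file key, wrapped twice.
# Not EFS's real format; every name below is hypothetical.
$ErrorActionPreference = 'Stop'

function New-RsaKey { New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048 }

function Protect-DemoFile([byte[]]$Plain, $UserKey, $AgentKey) {
    $aes = [System.Security.Cryptography.Aes]::Create()    # fresh random key and IV per file
    try {
        $enc = $aes.CreateEncryptor()
        [pscustomobject]@{
            IV        = $aes.IV
            Cipher    = $enc.TransformFinalBlock($Plain, 0, $Plain.Length)
            # The same file key is wrapped once per authorized public key.
            UserWrap  = $UserKey.Encrypt($aes.Key, $true)   # $true = OAEP padding
            AgentWrap = $AgentKey.Encrypt($aes.Key, $true)
        }
    } finally { $aes.Dispose() }
}

function Unprotect-DemoFile($Blob, [byte[]]$WrappedKey, $PrivateKey) {
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        # Unwrapping throws unless $PrivateKey matches the public key used to wrap.
        $aes.Key = $PrivateKey.Decrypt($WrappedKey, $true)
        $aes.IV  = $Blob.IV
        $dec = $aes.CreateDecryptor()
        [Text.Encoding]::UTF8.GetString($dec.TransformFinalBlock($Blob.Cipher, 0, $Blob.Cipher.Length))
    } finally { $aes.Dispose() }
}

$user = New-RsaKey; $agent = New-RsaKey; $other = New-RsaKey
$sample = [Text.Encoding]::UTF8.GetBytes('payroll Q3 (constructed sample data)')
$blob = Protect-DemoFile $sample $user $agent

Unprotect-DemoFile $blob $blob.UserWrap  $user     # the file's owner
Unprotect-DemoFile $blob $blob.AgentWrap $agent    # recovery agent, e.g. after the user's key is lost
try   { Unprotect-DemoFile $blob $blob.UserWrap $other }
catch { 'other user: cannot unwrap the file key' }
```

The ciphertext is stored only once; what grows with each additional authorized party is the small wrapped copy of the file key, which is why losing both the user's key and the recovery agent's key makes the data unrecoverable.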
