Now that you're confident that your e-mail is not being read by everyone on the Internet and everyone inside the company, let's move on. You can use the Encrypting File System (EFS) to encrypt the folders and files that you have to protect from prying eyes. EFS encrypts files stored on Windows 2003 NTFS-formatted drives. It uses a symmetric key to encrypt the file contents and public/private key pairs to protect that symmetric key, so both kinds of key take part in encryption and decryption.
Using EFS is simple from the user's perspective. Certificate enrollment and use are completely hidden from the network user. In fact, the user doesn't even need to hold a certificate before encrypting files. When the user sets the encryption attribute on a file or folder, EFS looks for a certificate in the user's personal certificate store. If it finds a certificate issued from the EFS template, or from another template that allows file encryption, it uses that certificate. If the user has no usable certificate, EFS obtains one: it first tries auto-enrollment, if that has been set up as you did in Chapter 9. If EFS cannot enroll a certificate automatically, it creates a self-signed certificate and begins the encryption process. Even though a self-signed certificate is not trusted, it can still be used to encrypt files.
If you are a proactive administrator, you will consider the need for EFS in your company and set up automatic enrollment on your enterprise issuing CA. It is a good idea to do this, because you can also set up and configure EFS recovery agents at the same time and have them ready. Without recovery agents, you can run into situations in which encrypted data cannot be recovered because the user's private key is lost. Some planning and implementation work up front avoids this problem.
The process of encrypting files using EFS is illustrated in Figure 10.1. The steps are as follows:
1. A network user chooses to encrypt a file. When encryption is required, the user's computer generates a file encryption key (FEK).
2. The computer then uses the FEK and a symmetric encryption algorithm to encrypt the file. At this point, it has not used the certificate.
3. The file is now encrypted using the FEK. The computer attempts to retrieve the user's EFS certificate from the personal certificate store. If it finds the certificate, it extracts the public key from the certificate. If it can't find the certificate, it attempts to enroll one. If it can't find an Enterprise CA to enroll the certificate, it creates its own. Once EFS has the certificate, it extracts the public key.
4. The computer uses the public key to encrypt the FEK using an asymmetric algorithm. EFS then places the encrypted FEK in the data decryption field (DDF) located in the file's header. Windows XP Professional allows multiple entries in the DDF so that EFS files can be shared with other users.
5. The computer retrieves the EFS recovery agent certificate for each recovery agent and extracts its public key. The public key is used to encrypt the FEK, and the encrypted FEK is put into the data recovery field (DRF) located in the file's header. This process is repeated for each EFS recovery agent.
6. The encrypted file is stored with the DDF and the DRF entries in its header in the filesystem.
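The six steps above describe a hybrid encryption scheme: a per-file symmetric key (the FEK) protects the data, and one wrapped copy of the FEK per public key sits in the DDF (users) or DRF (recovery agents). The following Go program is an added example that models that header layout end to end; it is not EFS code or a Microsoft API, and it substitutes AES-256-GCM and RSA-OAEP for the algorithms EFS actually uses. It also demonstrates the "lost key" case from the discussion of recovery agents: a private key that matches no DDF or DRF entry recovers nothing, while a recovery agent's key opens its DRF entry. The `AddUser` function is an assumption illustrating the multiple-DDF-entry sharing mentioned in step 4.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// WrappedFEK is one DDF or DRF entry: the FEK encrypted to one public key.
// Owner is a label for the example only; EFS identifies entries differently.
type WrappedFEK struct {
	Owner        string
	EncryptedFEK []byte
}

// EncryptedFile models the on-disk result of step 6: header fields plus body.
type EncryptedFile struct {
	DDF        []WrappedFEK // data decryption field: one entry per user
	DRF        []WrappedFEK // data recovery field: one entry per recovery agent
	Nonce      []byte
	Ciphertext []byte
}

var oaepLabel = []byte("EFS-FEK") // constructed label, not an EFS value

// wrapFEK is steps 4 and 5: encrypt the FEK with a public key so that only
// the matching private key can recover it.
func wrapFEK(fek []byte, owner string, pub *rsa.PublicKey) (WrappedFEK, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fek, oaepLabel)
	if err != nil {
		return WrappedFEK{}, err
	}
	return WrappedFEK{Owner: owner, EncryptedFEK: ct}, nil
}

func newGCM(fek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(fek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt follows steps 1 to 6 for one file. user is the public key from the
// owner's EFS certificate; agents holds each recovery agent's public key.
func Encrypt(plaintext []byte, user *rsa.PublicKey, agents map[string]*rsa.PublicKey) (*EncryptedFile, error) {
	fek := make([]byte, 32) // step 1: fresh random FEK (AES-256 size)
	if _, err := rand.Read(fek); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fek) // step 2: symmetric encryption, no certificate involved
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ef := &EncryptedFile{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}
	w, err := wrapFEK(fek, "user", user) // steps 3 and 4: DDF entry
	if err != nil {
		return nil, err
	}
	ef.DDF = append(ef.DDF, w)
	for name, pub := range agents { // step 5: one DRF entry per recovery agent
		w, err := wrapFEK(fek, name, pub)
		if err != nil {
			return nil, err
		}
		ef.DRF = append(ef.DRF, w)
	}
	return ef, nil // step 6: header and body are what get stored
}

// unwrapFEK tries every DDF and DRF entry with one private key. A user's key
// opens its DDF entry, an agent's key its DRF entry, any other key nothing.
func unwrapFEK(ef *EncryptedFile, priv *rsa.PrivateKey) ([]byte, error) {
	entries := append(append([]WrappedFEK{}, ef.DDF...), ef.DRF...)
	for _, e := range entries {
		if fek, err := rsa.DecryptOAEP(sha256.New(), nil, priv, e.EncryptedFEK, oaepLabel); err == nil {
			return fek, nil
		}
	}
	return nil, errors.New("no DDF or DRF entry matches this private key")
}

// Decrypt recovers the plaintext with any key that has a header entry.
func Decrypt(ef *EncryptedFile, priv *rsa.PrivateKey) ([]byte, error) {
	fek, err := unwrapFEK(ef, priv)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(fek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

// AddUser (hypothetical) shares the file: whoever already holds the FEK adds
// a DDF entry for another public key. The file body is not re-encrypted.
func AddUser(ef *EncryptedFile, holder *rsa.PrivateKey, name string, pub *rsa.PublicKey) error {
	fek, err := unwrapFEK(ef, holder)
	if err != nil {
		return err
	}
	w, err := wrapFEK(fek, name, pub)
	if err != nil {
		return err
	}
	ef.DDF = append(ef.DDF, w)
	return nil
}

func main() {
	user, _ := rsa.GenerateKey(rand.Reader, 2048)
	agent, _ := rsa.GenerateKey(rand.Reader, 2048)
	ef, _ := Encrypt([]byte("constructed file contents"), &user.PublicKey,
		map[string]*rsa.PublicKey{"recovery-agent": &agent.PublicKey})
	pt, err := Decrypt(ef, agent) // recovery without the user's key
	fmt.Printf("DDF=%d DRF=%d agent recovered %q err=%v\n", len(ef.DDF), len(ef.DRF), pt, err)
}
```

Key generation takes a moment at 2048 bits; the point to observe is that every party with a header entry recovers the same FEK, and that a file with an empty DRF is unrecoverable once the one DDF private key is gone.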