
DRAFT

The Windows Encrypting File System (EFS)

Windows' EFS feature lets you encrypt and decrypt files and folders on your NTFS drives. Once you have encrypted files with it, other people cannot access them unless they have your password. This document explains how EFS works and why you should not only avoid using it but also disable the feature on your users' computers.

Encrypt Files and Folders with EFS

EFS enables transparent encryption and decryption of files. Any user or application that does not possess the appropriate file encryption key cannot open encrypted files and folders.

  • When you encrypt a file or folder with EFS in Windows 11, its icon will have a lock overlay at the top right corner to indicate that it's an EFS encrypted file or folder.
  • When you encrypt a folder, any new file saved or moved into the folder will automatically be encrypted by EFS.
  • If you compress or ZIP an EFS encrypted file or folder, the file or folder will no longer be encrypted afterwards.
  • If you try to copy or move an EFS encrypted file or folder to a location that does not support encryption, you will be prompted with a dialog asking whether you want to copy the file without encryption.

 

Follow these steps to encrypt files and/or folders with EFS:

  1. Select a folder or individual files in the File Explorer window.
  2. Right-click on it and click Properties in the pop-up menu.
  3. Click the Advanced button under Attributes.
  4. Activate the Encrypt contents to secure data option.
  5. Click the Apply button.
  6. For files only, choose either Encrypt the file and its parent folder (recommended) or Encrypt the file only. You can also choose to Always encrypt only the file.
  7. Now, you can only use this file or folder after you have logged into your account. It’s encrypted for all others, including the local administrator if in a Workgroup.

Backup Encrypting File System Certificate and Key

  • Creating a backup of your file encryption certificate and key to a PFX file helps you avoid permanently losing access to your encrypted files and folders if the original certificate and key are lost or corrupted.
  • You will be asked for a password that protects the private key inside the backup.
  • No one will be able to restore the backed up file encryption certificate and key to gain access to your encrypted files and folders unless they are able to enter this password.
  • Be sure to also keep the PFX file backup of your file encryption certificate and key saved in a safe and secure location in case you need to restore your backed up file encryption certificate and key.

You will see the EFS notification and icon in your taskbar whenever a new file encryption certificate and key has been created.

  1. Either click on the EFS notification or taskbar icon.
  2. Click on Back up now.
  3. Click on Next. Click Next again.
  4. Check the Password box and enter a password you want to protect the private key backup with, enter this password again to confirm, and click on Next.
  5. Click on the Browse button, navigate to where you want to save the backup to, enter a file name you want for the backup, click on Save, and click on Next.
  6. Click on Finish.
  7. When the export has successfully finished, click on OK.

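The same backup from PowerShell, as an added example that is not part of the original page: it locates the EFS certificate in the user's personal store by its Enhanced Key Usage OID and exports it with Export-PfxCertificate, which is what the wizard above does. The output folder ($env:USERPROFILE) and the file naming are assumptions.

```powershell
# Added example: back up the current user's EFS certificate(s) to password-protected PFX files.
# Assumed output folder: the user's profile directory (adjust $outDir as needed).

$efsEku = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID "Encrypting File System"
$outDir = $env:USERPROFILE

# Only a certificate whose private key is present can decrypt the FEK, so filter on that too.
$efsCerts = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $efsEku) }

if (-not $efsCerts) {
    Write-Warning 'No EFS certificate with a private key found in Cert:\CurrentUser\My; nothing to back up.'
    return
}

# Password that protects the private key inside the PFX (the same prompt the wizard shows).
$password = Read-Host -Prompt 'Password to protect the PFX backup' -AsSecureString

# More than one EFS certificate can exist (for example after a forced password change created
# a new one); export each to its own file so that older files stay recoverable as well.
foreach ($cert in $efsCerts) {
    $outFile = Join-Path $outDir ("efs-{0}.pfx" -f $cert.Thumbprint)
    Export-PfxCertificate -Cert $cert -FilePath $outFile -Password $password | Out-Null
    "{0}  valid {1:d} to {2:d}  -> {3}" -f $cert.Thumbprint, $cert.NotBefore, $cert.NotAfter, $outFile
}

# The thumbprint printed above should match the one shown by `cipher /C <encrypted file>`
# under "Users who can decrypt"; move the PFX files and the password off this machine.
```
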
 

Once you've exported the certificate, the wizard is no longer available in the taskbar. You can run it again by searching for cert and choosing "Manage file encryption certificates".

Import Encrypting File System Certificate and Key

If you lose access to your encrypted files and folders, you will not be able to open them again unless you can restore the file encryption certificate and key used with EFS.

No one can restore the backed-up file encryption certificate and key to gain access to your encrypted files and folders unless they can enter the password chosen when the backup was created.

It is extremely important that you do not lose this password. Keep it written down in a safe, secure location in case you need to restore your backed-up file encryption certificate and key.

Be sure to also keep the PFX file backup of your encryption certificate and key in a safe and secure location, since it is required to restore them.

To import the PFX file and restore your EFS file encryption certificate and key:

 

  1. Double click on the backed up PFX file, or right click or press and hold on the PFX file and click on Install PFX.
  2. Click on Next.
  3. Click on Next.
  4. Enter the password for the private key included in the PFX file, check Mark this key as exportable, check Include all extended properties, and click on Next.
  5. Select Automatically select the certificate store based on the type of certificate, and click on Next.
  6. Click on Finish.
  7. Click on OK.

Set your admin account as recovery agent

A recovery agent can use certificates and public keys to decrypt files.

By default in Workgroup, no one is a recovery agent. It is best to add the local administrator as a recovery agent. Do this before files are encrypted by the user:

- In a command line, run: cipher /R:admrecup and enter a password that you will need again when importing the .pfx. This generates two files: admrecup.cer (public key) and admrecup.pfx (public and private key) in the current directory (C:\Windows\System32 when run from an elevated command prompt).

- Add admrecup.cer as a recovery agent certificate: run secpol.msc, go to "Public Key Policies", right-click "Encrypting File System", select "Add Data Recovery Agent" and choose the file admrecup.cer.

- Import the file admrecup.pfx into the personal certificate store of the admin account. Double click the PFX file. Enter the password you typed when you used the cipher command before.

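The same three steps in an elevated PowerShell session, as an added example (not code from the original page), followed by a check that new files actually receive a recovery entry. The key name admrecup comes from the text; the test folder C:\EfsTest is an assumption.

```powershell
# Added example: script the recovery-agent setup and verify it took effect.
# Run elevated. Assumed: key name admrecup (from the text), test folder C:\EfsTest.

# Step 1: generate the recovery certificate. cipher /R writes admrecup.cer and
# admrecup.pfx into the current directory and prompts for the PFX password.
Set-Location "$env:SystemRoot\System32"
cipher /R:admrecup

# Step 2 (secpol.msc > Public Key Policies > Encrypting File System > Add Data Recovery Agent,
# selecting admrecup.cer) has no cmdlet; complete it in the console before continuing.

# Step 3: import the private half into the admin account's personal store.
$pfxPassword = Read-Host -Prompt 'Password chosen for cipher /R' -AsSecureString
Import-PfxCertificate -FilePath .\admrecup.pfx -CertStoreLocation Cert:\CurrentUser\My `
                      -Password $pfxPassword | Out-Null

# Verification: a file encrypted after the policy is in place must carry a DRF entry.
New-Item -ItemType Directory -Path C:\EfsTest -Force | Out-Null
cipher /E C:\EfsTest                        # mark the folder so that new files are encrypted
'probe' | Set-Content -Path C:\EfsTest\probe.txt
cipher /C C:\EfsTest\probe.txt              # expect a "Recovery Certificates" section listing admrecup

# Files encrypted before the agent existed have no DRF entry until they are re-keyed:
# cipher /U touches every encrypted file on local drives and refreshes its DDF/DRF entries.
cipher /U
```
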
 

When using AD, the domain admin has a recovery certificate by default.

Prohibit use of EFS

There is a high risk of data loss in case someone encrypts files using EFS and then leaves the organization.

!!! Be aware that, if you force the password change of a local user and the person has encrypted his data using EFS, he will lose access to his data !!!

Because of this it is better to disable the EFS feature and solely rely on BitLocker.

To disable EFS, run secpol.msc. Right-click the Encrypting File System folder on the left, select Properties, choose "Don't allow" and click OK.

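Before forcing a password change or switching EFS off, an admin should know which files are EFS-encrypted and who owns them, otherwise the data loss described above happens silently. The following is an added example, not code from the original page; the report path C:\efs-inventory.csv is an assumption, and the fsutil switch at the end is an NTFS-level setting that is separate from the secpol.msc policy described in the text.

```powershell
# Added example: inventory EFS-encrypted files and their owners before EFS is disabled
# or a user's password is reset, then refuse NTFS encryption at the file-system level.
# Run elevated. Assumed report path: C:\efs-inventory.csv.

function Get-EfsEncryptedItem {
    # All local file-system drives by default; pass -Roots to limit the scan.
    param([string[]] $Roots = (Get-PSDrive -PSProvider FileSystem | ForEach-Object Root))
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted } |
            ForEach-Object {
                [pscustomobject]@{
                    Path        = $_.FullName
                    IsDirectory = $_.PSIsContainer
                    Owner       = (Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue).Owner
                    LastWrite   = $_.LastWriteTime
                }
            }
    }
}

$items = @(Get-EfsEncryptedItem)
$items | Export-Csv -Path C:\efs-inventory.csv -NoTypeInformation

# Who would lose data: every owner listed here must decrypt (cipher /D) or export
# their certificate before a password reset or before EFS is switched off.
$items | Group-Object Owner | Select-Object Name, Count | Format-Table -AutoSize
# Cross-check with the built-in listing: cipher /U /N walks all encrypted files without re-keying them.

if ($items.Count -eq 0) {
    # The "Don't allow" setting in secpol.msc is the policy-level switch; in addition,
    # NTFS itself can refuse to encrypt (takes effect after a reboot).
    fsutil behavior set disableencryption 1
    fsutil behavior query disableencryption      # 1 = NTFS encryption disabled
} else {
    Write-Warning ("{0} encrypted items still present; see C:\efs-inventory.csv before disabling EFS." -f $items.Count)
}
```
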
 

Why BitLocker is Superior to EFS

BitLocker is the way to go, if you're going to encrypt your hard drive to protect sensitive data from falling into the wrong hands. It'll encrypt the entire drive (i.e. every single user account) and you won't have to think about which files are encrypted and which aren't. BitLocker's full-disk encryption is superior to EFS, and you should be using BitLocker if you need encryption.

So why does EFS even exist? One reason is that it's an older feature of Windows. BitLocker was introduced along with Windows Vista. EFS was introduced back in Windows 2000.

You can however use both BitLocker and EFS at once, as they're different layers of encryption, although there's not much reason to do so.

You can use EFS to encrypt individual files and directories, one by one. Where BitLocker is a "set it and forget it" system, EFS requires you manually select the files you want to encrypt and change this setting.

Encrypted files can only be accessed by the particular user account that encrypted them. The encryption is transparent, so the logged in user will be able to access the files without any additional authentication.

The encryption key is stored in the operating system itself rather than using the computer's TPM hardware, so it's possible an attacker could extract it.

It's also possible that the encrypted files could "leak" out into unencrypted areas such as a temporary cache file that has sensitive data.

More Technical Details on EFS

EFS encrypts your files and folders using a symmetric algorithm.

By symmetric algorithm we mean that the same key is used to encrypt and decrypt.

Symmetric algorithms are fast and, with an adequate key length, strong, which is why one is used for the file content itself.

Windows uses AES (256 or 512 bit). It generates a random key for each encrypted file. This key is called FEK (for File Encryption Key).

The key is stored with the file. But it is not stored in clear text.

The key itself is encrypted with an asymmetric algorithm.

 

By asymmetric algorithm we mean that a different key is used to encrypt and decrypt.

There is a public key that is exchanged, and a private key that is not communicated.

Windows uses RSA (2048 or 4096 bit).

 

These public and private keys are stored in a certificate.

When working in a Workgroup, the certificates are stored only locally!!! In case of a system crash, access to the encrypted data is lost, even if it is on another partition.

They can be listed via certmgr.msc; once encryption has been used, they appear under Personal.

 

The FEK is encrypted with the public key found in the certificate; the certificate's private key is protected with the user's password and is kept up to date when the user changes the password normally.

If an admin forces a password change on the user account, the certificate is no longer in step with the password and the user can no longer open the file. The only way to resolve the situation is for the admin to restore the Windows password the user had when the certificate was created.

It is always necessary to export the certificate (and store it in a safe place) to keep access to the data in case of a system crash. To do this, open certmgr.msc, select the certificate, choose Export, select the .pfx format (public and private key) and enter a password to protect it. This .pfx can be imported via certmgr.msc into the personal certificates of the user who needs access to the files.

 

It is possible to add another user to an encrypted file, so that his certificate is also granted access to it (on the file: Properties\Advanced\Details\Add).

 

In the end an encrypted document looks like this:

[Screenshot: layout of an EFS-encrypted file, showing the encrypted content ("Document chiffré"), the DDF and the DRF]

Encrypted document (Document chiffré in the screenshot) = content of the encrypted doc

DDF (Data Decryption Field) = FEK (AES) encrypted by the user's public key (RSA) - this zone can also hold other users' entries

DRF (Data Recovery Field) = the same FEK encrypted for the recovery agent

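A model of the FEK/DDF/DRF structure explained above, as an added example that is not code from the original page: a fresh AES-256 key per file, RSA-wrapped once per user (DDF) and once per recovery agent (DRF), using the .NET crypto classes available in PowerShell. The key names (alice, admin, outsider) and the sample content are constructed; this models the structure, not the real on-disk $EFS stream format.

```powershell
# Added example: teaching model of the DDF/DRF layout. Assumes Windows PowerShell 5.1 on
# .NET 4.7.2+ or PowerShell 7. Key owners alice/admin/outsider are constructed names.
using namespace System.Security.Cryptography

$pad = [RSAEncryptionPadding]::OaepSHA1   # OAEP: a wrong key fails loudly instead of yielding garbage

function New-EfsLikeFile {
    param([byte[]] $Content, [RSA[]] $UserKeys, [RSA[]] $RecoveryKeys)
    $aes = [Aes]::Create(); $aes.KeySize = 256          # random FEK and IV for this file only
    $body = $aes.CreateEncryptor().TransformFinalBlock($Content, 0, $Content.Length)
    $ddf = [Collections.Generic.List[byte[]]]::new()
    $drf = [Collections.Generic.List[byte[]]]::new()
    foreach ($k in $UserKeys)     { $ddf.Add($k.Encrypt($aes.Key, $pad)) }   # one DDF entry per user
    foreach ($k in $RecoveryKeys) { $drf.Add($k.Encrypt($aes.Key, $pad)) }   # one DRF entry per agent
    [pscustomobject]@{ Body = $body; IV = $aes.IV; DDF = $ddf; DRF = $drf }
}

function Open-EfsLikeFile {
    param($File, [RSA] $PrivateKey)
    # Try each DDF entry, then each DRF entry; whichever this key unwraps yields the FEK.
    foreach ($entry in @($File.DDF) + @($File.DRF)) {
        try   { $fek = $PrivateKey.Decrypt($entry, $pad) }
        catch { continue }                              # this entry was not wrapped for our key
        $aes = [Aes]::Create(); $aes.Key = $fek; $aes.IV = $File.IV
        $plain = $aes.CreateDecryptor().TransformFinalBlock($File.Body, 0, $File.Body.Length)
        return [Text.Encoding]::UTF8.GetString($plain)
    }
    throw 'no DDF or DRF entry matches this private key: access denied'
}

# Constructed keys: one user, one recovery agent, one outsider with no entry in the file.
$alice = [RSA]::Create(2048); $admin = [RSA]::Create(2048); $outsider = [RSA]::Create(2048)
$file  = New-EfsLikeFile -Content ([Text.Encoding]::UTF8.GetBytes('payroll Q1')) `
                         -UserKeys $alice -RecoveryKeys $admin

Open-EfsLikeFile $file $alice                                      # user's own key (DDF)
Open-EfsLikeFile $file $admin                                      # recovery agent (DRF)
try { Open-EfsLikeFile $file $outsider } catch { "outsider: $_" }  # no entry: access denied
# If alice's private key is lost (the forced-password-change case), only the DRF path remains.
```
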

 


Contributors to this page: admin .
Page last modified on Tuesday March 4, 2025 11:12:17 GMT-0000 by admin.