Encrypting and decrypting data
With Encrypting File System (EFS), you can store data securely. EFS does this by encrypting data in selected NTFS files and folders.
Because EFS is integrated with the file system, it is easy to manage, difficult to attack, and transparent to the user. This is particularly useful for securing data on computers that may be vulnerable to theft, such as mobile computers.
Files and folders cannot be encrypted or decrypted on FAT volumes. Also, EFS is designed to store data securely on local computers; it does not protect files in transit. When an encrypted file is opened over the network, the file server decrypts it and the data crosses the network in plaintext unless the connection itself is protected. Other technologies, such as Internet Protocol security (IPSec), can be used in conjunction with EFS to provide that protection. For more information, see Internet Protocol Security (IPSec).
Using encryption keys
Once a user has specified that a file should be encrypted, the actual process of data encryption and decryption is completely transparent to the user. The user does not need to understand this process. However, the following explanation of how data encryption and decryption works might be useful for administrators.
Encryption of files works as follows:
For steps on how to encrypt a file or folder, see To encrypt a file or folder.
The EFS certificate and private key can come from a number of sources: a certificate that EFS generates automatically (self-signed) the first time a user encrypts a file and no certification authority is available, a certificate issued by a Microsoft certification authority (CA), or a certificate from another CA. For more information about certificates from other parties and EFS, see article 273856, "Third-Party Certificate Authority Support for Encrypting File System," in the Microsoft Knowledge Base.
Decryption of files works as follows:
For steps on how to decrypt a file or folder, see To decrypt a file or folder.
Private keys are securely held in a protected key store, and not in the Security Accounts Manager (SAM) or in a separate directory. The key store is protected with the user's logon credentials, so if an administrator resets (rather than the user changes) the password of a local account, the private key becomes unusable and the user's encrypted files cannot be opened unless the key was backed up or a recovery agent exists. Back up EFS certificates and private keys, or designate a recovery agent, before relying on EFS.
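The following script is an added example, not part of the Windows Help page. It drives cipher.exe from Windows PowerShell to encrypt a folder, confirms the result through the NTFS Encrypted attribute, shows that a file created afterward in the folder is encrypted automatically, and decrypts again. It assumes an NTFS system drive, cipher.exe on the PATH, and a user who can obtain an EFS certificate (auto-generated or CA-issued); the path under $env:TEMP and the file contents are constructed for the example.

```powershell
# Added example (not from the Windows Help page): encrypt, verify, and decrypt
# a folder with EFS using cipher.exe, checking the result via the NTFS
# Encrypted attribute. Assumes Windows PowerShell, an NTFS system drive,
# cipher.exe on the PATH, and a user able to obtain an EFS certificate.
# $env:TEMP\efs-demo and the file contents are constructed test data.

function Test-EfsEncrypted {
    param([Parameter(Mandatory=$true)][string]$Path)
    # NTFS sets FILE_ATTRIBUTE_ENCRYPTED on EFS-protected files and folders.
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    return (($attrs -band [IO.FileAttributes]::Encrypted) -ne 0)
}

function Assert-Ntfs {
    param([Parameter(Mandatory=$true)][string]$Path)
    # EFS is NTFS-only; fail early with a clear reason instead of letting
    # cipher.exe report a generic error on a FAT volume.
    $deviceId = (Get-Item -LiteralPath $Path).PSDrive.Root.TrimEnd('\')   # e.g. C:
    $fs = (Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$deviceId'").FileSystem
    if ($fs -ne 'NTFS') { throw "EFS requires NTFS; $deviceId is $fs" }
}

$root = Join-Path $env:TEMP 'efs-demo'
New-Item -ItemType Directory -Path $root -Force | Out-Null
$secret = Join-Path $root 'secret.txt'
Set-Content -LiteralPath $secret -Value 'constructed sample data'
Assert-Ntfs $root

# /E marks the folder so files added later are encrypted; /A also encrypts
# the files already inside; /S:dir applies the operation to dir and its
# subdirectories. The user's EFS certificate is created on first use if
# none exists.
& cipher.exe /E /A /S:"$root" | Out-Null
if (-not (Test-EfsEncrypted $secret)) { throw "expected $secret to be encrypted" }

# A file created later in the encrypted folder inherits encryption with no
# further action by the user (the transparency the page describes).
$later = Join-Path $root 'later.txt'
Set-Content -LiteralPath $later -Value 'also constructed'
Test-EfsEncrypted $later        # True

# Decryption is equally transparent: no key is typed; the user's private
# key in the protected store unwraps the file's encryption key.
& cipher.exe /D /A /S:"$root" | Out-Null
Test-EfsEncrypted $secret       # False
```

After the first encryption, back up the user's certificate and private key (on Windows XP SP2 and later, cipher.exe /X writes a password-protected .pfx file, prompting for the password interactively) and consider generating a recovery agent certificate with cipher.exe /R:filename; without one of these, a lost profile or an administrative password reset leaves the encrypted files unreadable.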
Storing encrypted files on remote servers
If users in your Windows XP computing environment want to store encrypted files on remote servers, it is useful to know the following:
Before users can encrypt files that reside on a remote server, an administrator must designate the remote server as trusted for delegation. This is a setting on the server's computer account in Active Directory, and it allows all users with files on that server to encrypt those files. Note that encryption on the server protects the stored file only; the file is still decrypted by the server and sent in plaintext when a client reads it, so combine EFS with IPSec if the network path must also be protected. For more information, see To enable a remote server for file encryption and To encrypt a file or folder on a remote computer.
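The following is an added example, not from the Help page, of checking the prerequisite described above before encrypting a folder on a file share. It assumes the ActiveDirectory PowerShell module (RSAT) on the administrator's workstation, a hypothetical file server named FS01 with a share named data, and cipher.exe on the PATH; the server and share names are placeholders.

```powershell
# Added example (not from the Windows Help page). Assumes the ActiveDirectory
# module (RSAT), a hypothetical server FS01 exposing a share named 'data',
# and cipher.exe on the PATH. Verifies the server is trusted for delegation
# before attempting EFS on a UNC path, then checks the Encrypted attribute.

function Test-TrustedForDelegation {
    param([Parameter(Mandatory=$true)][string]$ComputerName)
    # TrustedForDelegation is the computer-account attribute behind the
    # "Trust computer for delegation" setting in Active Directory.
    $c = Get-ADComputer -Identity $ComputerName -Properties TrustedForDelegation
    return [bool]$c.TrustedForDelegation
}

function Test-EfsEncrypted {
    param([Parameter(Mandatory=$true)][string]$Path)
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    return (($attrs -band [IO.FileAttributes]::Encrypted) -ne 0)
}

$server = 'FS01'                          # hypothetical server name
$target = "\\$server\data\projects"       # hypothetical share path

if (-not (Test-TrustedForDelegation $server)) {
    # Without delegation the server cannot impersonate the user to reach the
    # user's EFS key, and cipher.exe fails on the remote path.
    throw "$server is not trusted for delegation; enable it on the computer account first"
}

# Same switches as for a local folder; the operation runs on the server.
& cipher.exe /E /A /S:"$target" | Out-Null
Test-EfsEncrypted $target       # True when the server-side folder is marked encrypted
```

An administrator with the ActiveDirectory module can enable the setting with Set-ADComputer -Identity FS01 -TrustedForDelegation $true; the same checkbox is available on the computer account's properties in Active Directory Users and Computers. Remember that the Encrypted attribute reported here describes the file at rest on the server, not the SMB connection over which it was read.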