Encrypting and decrypting data

With Encrypting File System (EFS), you can store data securely. EFS does this by encrypting data in selected NTFS files and folders.

Because EFS is integrated with the file system, it is easy to manage, difficult to attack, and transparent to the user. This is particularly useful for securing data on computers that may be vulnerable to theft, such as mobile computers.

Files and folders cannot be encrypted or decrypted on FAT volumes. Also, EFS is designed to store data securely on local computers. As such, it does not support the secure transmission of files over a network. Other technologies, such as Internet Protocol security (IPSec), can be used in conjunction with EFS to provide an alternate solution. For more information, see Internet Protocol Security (IPSec).

Using encryption keys

Once a user has specified that a file should be encrypted, the actual process of data encryption and decryption is completely transparent to the user. The user does not need to understand this process. However, the following explanation of how data encryption and decryption works might be useful for administrators.

Encryption of files works as follows:

Each file has a unique file encryption key, which is later used to decrypt the file's data.

The file encryption key is itself encrypted; it is protected by the user's public key corresponding to the user's EFS certificate.

The file encryption key is also protected by the public key of each additional EFS user that has been authorized to decrypt the file and by the public key of each recovery agent.

For steps on how to encrypt a file or folder, see To encrypt a file or folder.

The EFS certificate and private key used can be issued by a number of sources, including automatically-generated certificates, certificates created by Microsoft certification authorities (CAs), or other CAs. For more information about certificates from other parties and EFS, see article 273856, "Third-Party Certificate Authority Support for Encrypting File System," in the Microsoft Knowledge Base.

Decryption of files works as follows:

To decrypt a file, the file encryption key must first be decrypted. The file encryption key is decrypted when the user has a private key that matches the public key.

The original user may not be the only person that can decrypt the file encryption key. Other designated users or recovery agents can also decrypt the file encryption key by using their own private key.

For steps on how to decrypt a file or folder, see To decrypt a file or folder.

Private keys are securely held in a protected key store, and not in the Security Accounts Manager (SAM) or in a separate directory.
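The following Go program is an added illustration of the key handling described above; it is not part of the original Microsoft documentation and does not use the EFS on-disk format. It models the scheme the text describes: a random per-file encryption key (FEK) encrypts the file contents, one wrapped copy of the FEK is stored for the owner and one for each recovery agent, and a principal can decrypt only with a private key that matches the public key used to wrap its copy. The function names (EncryptFile, DecryptFile, Scenario), the principal labels ("owner", "recovery-agent") and the sample file contents are this example's own assumptions; AES-256-GCM and RSA-OAEP stand in for the algorithms EFS uses.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptedFile is a simplified model of what EFS keeps for one file: the data
// encrypted under a per-file key (the FEK) plus one wrapped copy of the FEK per
// principal allowed to open the file. Field names are this example's own.
type EncryptedFile struct {
	Nonce      []byte
	Ciphertext []byte
	WrappedFEK map[string][]byte // principal -> FEK encrypted to that principal's public key
}

// EncryptFile draws a fresh random FEK, encrypts data with AES-256-GCM, then wraps
// the FEK with RSA-OAEP for the owner and every additional user or recovery agent.
// The plaintext FEK is zeroed before returning.
func EncryptFile(data []byte, recipients map[string]*rsa.PublicKey) (*EncryptedFile, error) {
	fek := make([]byte, 32)
	if _, err := rand.Read(fek); err != nil {
		return nil, err
	}
	defer func() {
		for i := range fek {
			fek[i] = 0
		}
	}()
	block, err := aes.NewCipher(fek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ef := &EncryptedFile{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, data, nil), WrappedFEK: map[string][]byte{}}
	for name, pub := range recipients {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fek, nil)
		if err != nil {
			return nil, err
		}
		ef.WrappedFEK[name] = wrapped
	}
	return ef, nil
}

// DecryptFile unwraps the FEK copy held for principal using that principal's private
// key, then decrypts the data. A principal with no wrapped copy, or a private key that
// does not match the public key used for wrapping, is rejected.
func DecryptFile(ef *EncryptedFile, principal string, priv *rsa.PrivateKey) ([]byte, error) {
	wrapped, ok := ef.WrappedFEK[principal]
	if !ok {
		return nil, errors.New("no FEK copy exists for " + principal)
	}
	fek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil {
		return nil, errors.New("private key does not match the key that wrapped the FEK")
	}
	block, err := aes.NewCipher(fek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

// Scenario exercises the cases the text describes: the owner decrypts, a designated
// recovery agent decrypts with its own key, and an unrelated private key cannot.
func Scenario() (ownerOK, agentOK, strangerRejected bool, err error) {
	owner, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	agent, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	stranger, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	plaintext := []byte("constructed sample file contents") // constructed, not a real file
	ef, err := EncryptFile(plaintext, map[string]*rsa.PublicKey{"owner": &owner.PublicKey, "recovery-agent": &agent.PublicKey})
	if err != nil {
		return
	}
	got, e1 := DecryptFile(ef, "owner", owner)
	ownerOK = e1 == nil && bytes.Equal(got, plaintext)
	got, e2 := DecryptFile(ef, "recovery-agent", agent)
	agentOK = e2 == nil && bytes.Equal(got, plaintext)
	_, e3 := DecryptFile(ef, "owner", stranger) // wrong private key for the owner's slot
	strangerRejected = e3 != nil
	return
}

func main() {
	o, a, s, err := Scenario()
	fmt.Println("owner decrypts:", o, "recovery agent decrypts:", a, "stranger rejected:", s, "error:", err)
}
```

The point the example makes is the one the text makes: the file contents are encrypted exactly once, and adding a recovery agent adds only another wrapped copy of the FEK, so any holder of a matching private key (owner or agent) can recover the file independently, while a key that does not match fails at the unwrapping step before the file data is ever touched.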

Storing encrypted files on remote servers

If users in your Windows XP computing environment want to store encrypted files on remote servers, it is useful to know the following:

Windows XP supports the storage of encrypted files on remote servers.

Users can use EFS remotely only when both computers are members of the same Windows XP forest.

EFS protects data only while it is stored on disk; the data is not encrypted while in transit over the network. The exceptions to this are when your system includes Internet Protocol security (IPSec) or Web Distributed Authoring and Versioning (WebDAV). IPSec encrypts data while it is transported over a TCP/IP network. If the file is encrypted before being copied or moved to a WebDAV folder on a server, it will remain encrypted during the transmission and while it is stored on the server.

Encrypted files are not accessible from Macintosh clients.

Storing EFS certificates and private keys on smartcards is not currently supported.

Strong private key protection for EFS private keys is not currently supported.

Before users can encrypt files that reside on a remote server, an administrator must designate the remote server as trusted for delegation. This allows all users with files on that server to encrypt those files. For more information, see To enable a remote server for file encryption and To encrypt a file or folder on a remote computer.

© 2017 Microsoft Corporation. All rights reserved.