Encrypted File System – Do it right or not at all!

Some notes from the field! And it´s about EFS.. Most of my customers don´t have a clue if they are using EFS. And if they are, how to handle it!

Encrypted File system (EFS), do you want it or not? It´s really up to you to make a decision, but I´m gone give you some advice from a key management point of view.

First question: Do you want you users to encrypt files and folders with EFS?

If your answer is NO, simply disable the feature in your default domain policy (or any matching GPO) and you are done!
The setting is located here: Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypting File System

Is the answer YES and you belive its a good thing to use EFS? Well, then my advice is to make sure you got the infrastructure in place to use it the right way. Because there are a few pitfalls you need to be aware of. And it involves certificates and key management.

I´m not going to do a EFS deepdive here, but I´ll try to explain what might go wrong.

When a file or folder is encrypted using EFS, a key pair with a corresponding certificate, including the Enhanced Key Usage: Encrypting File system (OID –, is created. The public key of that certificate is used to encrypt the file/folder. And the private key is used to decrypt the file. (It´s actually more complex then that, but no deepdive right). So where do the certificate come from?
If a CA in the enterprise got a template with the correct EKU available to the user, it will issue the certificate. If no CA or template exists the local machine, where the encryption is initiated, will create the certificate. So if a file is encrypted on a local PC the certificate is issued locally and the keys are stored in the users profile on that computer. If a file is encrypted on a file server from a PC the certificate is also stored on the PC, not on the file server.

So what happens then if usersprofile is deleted or the PC is reinstalled? The private key is lost and the files stays encrypted. The way to solve this is to make sure you got a EFS recovery agent certificate published. If a key recovery agent certificate is available when the file is encrypted that certificate works as a “master key”. And since the public key of the key recovery agent is embedded in the encrypted file the corresponding private key can decrypt the files.

So where do you find the private EFS Recovery key then? Well it´s created in the profile of the user that does DC promo on the first DC in the domain. Do you till got access to it? Great!

So what do we need to remeber about EFS?

Use it?
NO! Disable and forget..
YES! Make sure your infastructure is set up correct!

Well that´s my 2 cents! 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *