Re: Setting up encryption HOWT

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 10/07/05


Date: Fri, 7 Oct 2005 09:51:55 -0500

If you do not have a Certificate Authority, EFS certificates will be
generated automatically, and EFS certificates can be exported/imported [.cer
file and .pfx file which contains private key] via the MMC snap-in for
certificates for the user account. The links below should explain about all
you need to do, and be VERY careful with EFS as it is possible for users to
permanently lose access to their encrypted files. You should understand the
concept of a Recovery Agent, decide if you want to use one, and have all
users trained to export their EFS private keys to a password-protected .pfx
file in case of a disaster such as if the user's profile becomes corrupt or
the operating system is reinstalled. If a user encrypts data on multiple
computers then he will have a different EFS certificate/private key on each
computer [without roaming profiles or importing current EFS
certificate/private key], which can really complicate things and increase the
risk. Also, EFS encryption is only as strong as the user's password as long
as the EFS private key used to encrypt the files is on the computer.

--- Steve

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sharefilesefs.mspx
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx
http://www.microsoft.com/technet/security/topics/cryptographyetc/efs.mspx
http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316 -- a MUST
read for EFS users.

"NewsGr" <craig@nospam.net> wrote in message
news:usya2ZpyFHA.464@TK2MSFTNGP15.phx.gbl...
> We have a 2003 domain with 2 DCs and about 20 workstations. A client
> wants us to encrypt all of their work.
> This will need to be shared by about 5 internal people. I was looking
> at windows EFS encryption but setting up certificates
> is relatively new to me so I was wondering if there is a good guide on
> setting this up. Most of our workstations are XP Pro
> and the data will reside on a server -not a DC
>
> thanks
>
> Greg
>
>
>
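
The key backup step recommended in the reply above, as an added example that is not part of the original post: it finds the current user's EFS certificates and exports each one with its private key to a password-protected .pfx file. It assumes a later Windows release with the PKI module (`Export-PfxCertificate`), and `$BackupDir` is a hypothetical path.

```powershell
# Added example (not from the original post). Needs Windows PowerShell 3.0+
# and the PKI module (Windows 8 / Server 2012 or later) for Export-PfxCertificate.
$EfsOid    = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU
$BackupDir = 'E:\efs-backup'            # assumption: removable or offline volume
$EkuType   = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

function Test-EfsCertificate($Cert) {
    # True when the certificate's Enhanced Key Usage extension lists the EFS OID.
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is $EkuType) {
            return (@($ext.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $EfsOid)
        }
    }
    return $false
}

$password = Read-Host -AsSecureString -Prompt 'Password to protect the .pfx files'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

$efsCerts = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object { Test-EfsCertificate $_ })
if ($efsCerts.Count -eq 0) { Write-Warning "No EFS certificate in this profile on $env:COMPUTERNAME." }

foreach ($cert in $efsCerts) {
    if (-not $cert.HasPrivateKey) {
        Write-Warning "$($cert.Thumbprint): no private key here; files encrypted to it cannot be opened from this profile."
        continue
    }
    # Computer name + thumbprint in the file name: each machine may hold a different key.
    $file = Join-Path $BackupDir ("{0}_{1}_{2}.pfx" -f $env:USERNAME, $env:COMPUTERNAME, $cert.Thumbprint)
    try {
        Export-PfxCertificate -Cert $cert -FilePath $file -Password $password -ErrorAction Stop | Out-Null
        Write-Output "Exported $($cert.Thumbprint) (expires $($cert.NotAfter.ToString('yyyy-MM-dd'))) to $file"
    } catch {
        Write-Warning "$($cert.Thumbprint): export failed (key may be marked non-exportable): $_"
    }
}
```

Run it once per user on every computer where that user has encrypted files, and keep the resulting .pfx files off the machines they protect.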


