I'll answer using your numbers.

1) What you are seeing is correct. On Windows XP, EFS will encrypt only the
contents of a drive--not the drive's root folder. On Vista, EFS will encrypt
the root folder.

2) EFS encrypts with one certificate per user; so all the files and folders
encrypted for that user should have the same certificate thumbprint. You can
confirm that by opening a file's properties dialog and clicking Advanced >
Details to see the thumbprint of the certificate used to encrypt that file.

3) You cannot email a file in an encrypted state. The system will decrypt
the file (usually under the covers) when you attach it to an email.

This posting is provided "AS IS" with no warranties, and confers no rights.

"Andy" wrote:

"Pat Hoffer [MSFT]" <pathoff@xxxxxxxxxxxxxxxxxxxx> wrote in message
You are right that EFS will protect the files from a malicious user who
access to the drive where the files are stored. The EFS certificate and
are stored in the laptop user's profile directory and protected with a
of the user's password. (Encourage your users to use strong logon
passwords.) The thief would need both to access the certificate and key
then the files.

Creating backups is very important. If for some reason the laptop user
loses access to the files, that user can regain access after importing the
certificate and key from a backup. If the laptops are under a domain
that has a recovery certificate and that policy has applied to the files,
files can also be recovered using that recovery certificate and key.

General information about EFS and data recovery:

Information about EFS on Windows XP (This includes the exporting and
importing of certificates. You can get directly to the user's
store by running certmgr.msc and expanding the Personal node. You can
get it by running mmc.exe, adding the Certificates snap-in for the current
user, and expanding the Personal node. EFS usually uses only one
per user for encrypting all files; but if there are multiple EFS
in the store, back up all to be safe.):



Thanks for taking the time to reply

Couple of questions you might know the answer to, if you don't mind

1) Is it not possible to do the whole D:/. We currently only seem to be
able to do folders.
2) If we do folders does this create a certificate for each one?
3) If I email you a file from an EFS enabled PC would you not be able to open
it? Thus if the users need to send a file to someone else they need to
save it out and remove the EFS first?

I am trying to set up notebooks so they are secure if lost, but remain
useable and hassle free to our staff
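
The thread's advice to confirm the certificate thumbprint and to back up every EFS certificate in the user's Personal store can be scripted. This is an added example, not part of the original posts; it assumes a Windows version whose PowerShell includes the PKI module (Export-PfxCertificate), and the function names and backup folder are hypothetical.

```powershell
# Added example: list the current user's EFS certificates and export each one with its key.
# Assumption: PowerShell with the PKI module is available (not the case on Windows XP).
$EfsOid = '1.3.6.1.4.1.311.10.3.4'   # Enhanced key usage: Encrypting File System

function Get-EfsCertificate {
    # The Personal node in certmgr.msc is Cert:\CurrentUser\My in PowerShell.
    Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        $_.EnhancedKeyUsageList.ObjectId -contains $EfsOid
    }
}

function Backup-EfsCertificate {
    param(
        [Parameter(Mandatory)] [string] $Destination,
        [Parameter(Mandatory)] [securestring] $Password
    )
    if (-not (Test-Path $Destination)) {
        New-Item -ItemType Directory -Path $Destination | Out-Null
    }
    foreach ($cert in Get-EfsCertificate) {
        # A certificate without its private key cannot decrypt anything after a restore.
        if (-not $cert.HasPrivateKey) {
            Write-Warning "No private key for $($cert.Thumbprint); skipping."
            continue
        }
        $file = Join-Path $Destination "$($cert.Thumbprint).pfx"
        try {
            Export-PfxCertificate -Cert $cert -FilePath $file -Password $Password -ErrorAction Stop | Out-Null
            [pscustomobject]@{ Thumbprint = $cert.Thumbprint; NotAfter = $cert.NotAfter; File = $file }
        } catch {
            # Typical cause: the key was created as non-exportable.
            Write-Warning "Export failed for $($cert.Thumbprint): $($_.Exception.Message)"
        }
    }
}

# Example call (hypothetical path on removable media, kept away from the laptop):
# Backup-EfsCertificate -Destination 'E:\efs-backup' -Password (Read-Host -AsSecureString 'PFX password')
```

The thumbprints it reports can be compared with the one shown under Advanced > Details in a file's properties dialog.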

