- From: Pat Hoffer [MSFT] <pathoff@xxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 5 Apr 2007 13:52:01 -0700
I'll answer using your numbers.
1) What you are seeing is correct. On Windows XP, EFS will encrypt only the
contents of a drive--not the drive's root folder. On Vista, EFS will encrypt
the root folder.
2) EFS encrypts with one certificate per user; so all the files and folders
encrypted for that user should have the same certificate thumbprint. You can
confirm that by opening a file's properties dialog and clicking Advanced >
Details to see the thumbprint of the certificate used to encrypt that file.
3) You cannot email a file in an encrypted state. The system will decrypt
the file (usually under the covers) when you attach it to an email.
This posting is provided "AS IS" with no warranties, and confers no rights.
"Pat Hoffer [MSFT]" <pathoff@xxxxxxxxxxxxxxxxxxxx> wrote in message
You are right that EFS will protect the files from a malicious user who
access to the drive where the files are stored. The EFS certificate and
are stored in the laptop user's profile directory and protected with a
of the user's password. (Encourage your users to use strong logon
passwords.) The thief would need both to access the certificate and key
then the files.
Creating backups is very important. If for some reason the laptop user
loses access to the files, that user can regain access after importing the
certificate and key from a backup. If the laptops are under a domain
that has a recovery certificate and that policy has applied to the files,
files can also be recovered using that recovery certificate and key.
General information about EFS and data recovery:
Information about EFS on Windows XP (This includes the exporting and
importing of certificates. You can get directly to the user's
store by running certmgr.msc and expanding the Personal node. You can
get it by running mmc.exe, adding the Certificates snap-in for the current
user, and expanding the Personal node. EFS usually uses only one
per user for encrypting all files; but if there are multiple EFS
in the store, back up all to be safe.):
Thanks for taking the time to reply.
Couple of questions you might know the answer to, if you don't mind:
1) Is it not possible to do the whole D:/? We currently only seem to be
able to do folders.
2) If we do folders, does this create a certificate for each one?
3) If I email you a file from an EFS enabled PC would you not be able to open
it? Thus if the users need to send a file to someone else they need to
save it out and remove the EFS first?
I am trying to set up notebooks so they are secure if lost, but remain
useable and hassle free to our staff.
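
The backup advice in the reply above (export the EFS certificate and key, and back up every EFS certificate found in the Personal store), as an added example that is not part of the original thread. It assumes a current Windows release with the PowerShell PKI module rather than the XP-era tools discussed; the backup directory and the file path in the last comment are hypothetical.

```powershell
# Added example: export every EFS certificate that has a private key from the
# current user's Personal store (the store certmgr.msc shows under "Personal").
$efsOid    = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System enhanced key usage
$backupDir = 'E:\efs-backup'            # hypothetical removable drive, kept off the laptop

$efsCerts = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $efsOid)
}
if (-not $efsCerts) {
    Write-Warning 'No EFS certificate with a private key found in the Personal store.'
    return
}

New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password to protect the PFX files'

foreach ($cert in $efsCerts) {
    # One PFX per certificate, named by thumbprint so it can be matched to files later.
    $target = Join-Path $backupDir ('efs-{0}.pfx' -f $cert.Thumbprint)
    try {
        Export-PfxCertificate -Cert $cert -FilePath $target `
            -Password $pfxPassword -ErrorAction Stop | Out-Null
        Write-Output ('Exported {0} (expires {1:yyyy-MM-dd}) to {2}' -f `
            $cert.Thumbprint, $cert.NotAfter, $target)
    }
    catch {
        # Typically raised when the private key is marked non-exportable.
        Write-Warning ('Could not export {0}: {1}' -f $cert.Thumbprint, $_.Exception.Message)
    }
}

# To compare against a file (Vista and later), cipher.exe prints the thumbprint
# of each certificate that can decrypt it. Hypothetical path:
#   cipher /c D:\Data\report.docx
```

The exported PFX files hold the private key, so store them away from the laptop and protect them with a strong password.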