Encrypting File System (EFS) is a core file encryption technology used to store encrypted files on NTFS file system volumes. Encrypted files cannot be used unless the user has access to the keys required to decrypt the information.
You do not have to manually decrypt an encrypted file before you can use it. You can open and change the file as you normally do. Once you encrypt a file or folder, you work with the encrypted file or folder just as you do with any other file or folder.
Using EFS is similar to using permissions on files and folders. Both methods can be used to restrict access to data. However, an intruder who gains unauthorized physical access to your encrypted files or folders will be prevented from reading them. If the intruder tries to open or copy your encrypted file or folder, he or she receives an access denied message. Permissions on files and folders do not protect against unauthorized physical attacks.
You encrypt or decrypt a folder or file by setting the encryption property for folders and files just as you set any other attribute such as read-only, compressed, or hidden. If you encrypt a folder, all files and subfolders created in the encrypted folder are automatically encrypted. We recommend that you encrypt at the folder level.
You can also encrypt or decrypt a file or folder by using the Cipher command.
When you work with encrypted files and folders, consider the following information:
- Only files and folders on NTFS volumes can be encrypted. However, you can use Web Distributed Authoring and Versioning (WebDAV), which also works with NTFS, to transfer files in encrypted form.
- Files or folders that are compressed cannot also be encrypted. If the user marks a file or folder for encryption, that file or folder will be uncompressed.
- Encrypted files are decrypted if you copy or move the file to a volume that is not an NTFS volume.
- Moving unencrypted files into an encrypted folder will automatically cause those files to be encrypted in the new folder. However, the reverse operation will not automatically decrypt files. Files must be explicitly decrypted.
- Files marked with the System attribute cannot be encrypted, nor can files in the system root directory structure.
- Encrypting a folder or file does not protect against the deletion or listing of files or directories. Anyone with the appropriate permissions can delete or list encrypted folders or files. For this reason, using EFS in combination with NTFS permissions is recommended.
- You can encrypt or decrypt files and folders located on a remote computer that has been enabled for remote encryption, but the data that is transmitted over the network by this process is not encrypted. Other protocols, such as Secure Sockets Layer/Transport Layer Security (SSL/TLS) or Internet Protocol security (IPsec), must be used to encrypt data while it is in transmission over the network. (You can also use WebDAV, as described in the first bullet point, to transmit the file in encrypted form.)
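The folder-level encryption with the Cipher command described above, together with the NTFS, compressed-file and System-attribute caveats from the list, as an added administrator script that is not part of the original documentation. It assumes a Windows host with cipher.exe available and a local volume; $Path is a placeholder for the folder you intend to protect.

```powershell
# Added example (not from the original documentation): audit a folder before
# enabling EFS on it, optionally encrypt it at the folder level with cipher.exe,
# and verify the result. $Path is a placeholder supplied by the caller.
param(
    [Parameter(Mandatory)] [string] $Path,
    [switch] $Encrypt   # only set the encryption attribute when explicitly asked
)

$folder = Get-Item -LiteralPath $Path
if (-not $folder.PSIsContainer) { throw "$Path is not a folder" }

# 1. EFS works only on NTFS volumes: check the drive format of the target.
$drive = New-Object System.IO.DriveInfo($folder.FullName.Substring(0, 3))
if ($drive.DriveFormat -ne 'NTFS') {
    throw "Volume $($drive.Name) is $($drive.DriveFormat); EFS requires NTFS"
}

$files = Get-ChildItem -LiteralPath $folder.FullName -File -Recurse -Force

# 2. Compressed files lose their compression when encrypted, and files with
#    the System attribute cannot be encrypted at all; report both up front.
$files | Where-Object { $_.Attributes.HasFlag([IO.FileAttributes]::Compressed) } |
    ForEach-Object { Write-Warning "Will be uncompressed by EFS: $($_.FullName)" }
$files | Where-Object { $_.Attributes.HasFlag([IO.FileAttributes]::System) } |
    ForEach-Object { Write-Warning "Cannot be encrypted (System attribute): $($_.FullName)" }

if ($Encrypt) {
    # 3. Encrypt at the folder level, as recommended: /e sets the attribute,
    #    /s: applies it to the whole folder tree, /a includes existing files.
    & cipher.exe /e /a /s:"$($folder.FullName)" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "cipher.exe failed with exit code $LASTEXITCODE" }
}

# 4. Verify: every file without the System attribute should now carry the
#    Encrypted attribute; anything else is flagged for follow-up.
$report = Get-ChildItem -LiteralPath $folder.FullName -File -Recurse -Force |
    ForEach-Object {
        [pscustomobject]@{
            File      = $_.FullName
            Encrypted = $_.Attributes.HasFlag([IO.FileAttributes]::Encrypted)
            System    = $_.Attributes.HasFlag([IO.FileAttributes]::System)
        }
    }
$report | Where-Object { -not $_.Encrypted -and -not $_.System } |
    ForEach-Object { Write-Warning "Not encrypted: $($_.File)" }
$report | Format-Table -AutoSize
```

Run it once without -Encrypt to see what the folder-level operation will change, then again with -Encrypt; the final table is the evidence that the folder and its existing contents carry the attribute.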
EFS policy settings
You can use Group Policy to configure a number of EFS policy settings. These policy settings are located in Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypting File System.
Allow or disallow EFS
You can choose to allow or disallow the use of EFS altogether. If you do not configure any policy settings for EFS, it is allowed.
If you choose to allow EFS, you can also select a number of options, such as whether to automatically encrypt a user's Documents folder, to require a smart card for use with EFS, to cache keys created based on a smart card, to create a caching-capable user key from a smart card, or to notify users to make backup copies of their encryption keys.
Allow or disallow Elliptic Curve Cryptography encryption
You can choose to allow or disallow the use of Elliptic Curve Cryptography (ECC) encryption with EFS. If you do not configure any policy settings for EFS, ECC encryption is allowed. ECC encryption enables an organization to comply with the Suite B encryption standards.
Suite B is a set of cryptographic algorithms. Suite B's components are: Advanced Encryption Standard (AES) with key sizes of 128 and 256 bits for symmetric encryption, Elliptic Curve Digital Signature Algorithm (ECDSA) for digital signatures, Elliptic Curve Diffie-Hellman (ECDH) for key agreement, and Secure Hash Algorithm (SHA-256 and SHA-384) for message digests.