MCTS 70-680: Encrypting File System (EFS)


Author: itfreetraining
19410 views
Length: 15m 17s
Rating: 70


The Encrypting File System (EFS) is used in Windows to encrypt files so they cannot be read even using an offline attack. In order to ensure you can always access encrypted files, Windows allows a Data Recovery Agent (DRA) to be created. A DRA is another user that can access any encrypted file. This video looks at how the Encrypting File System works and how to configure a DRA.

03:11 Demo on how to encrypt files
05:52 Exporting the EFS certificate using cipher /r:filename
06:22 Configuring a DRA using group policy at HKEY\Computer configuration\Windows Settings\Security Settings\Public Key Policies\Encrypting file system

How EFS works

A file is encrypted with a symmetric key. This is the same style of algorithm used to secure compressed files like zip: the same password or key is used to encrypt the file as to decrypt it. The symmetric key is randomized for each file, so you need somewhere to store all these symmetric keys. The easiest place to store the symmetric key is in the file itself. That way, if the file is moved to a different computer or hard disk, the key is always present with the file. To make sure that the symmetric key stored in the file can't be read, the symmetric key is encrypted using an EFS certificate. An EFS certificate is generated for the user when they encrypt their first file, or by running the command cipher /k. In a domain environment you can also configure a certificate authority to create and manage these certificates; this essentially means the certificates are generated by Active Directory and stored in Active Directory.

A certificate uses asymmetric keys. Asymmetric keys are when you have two keys: one key to encrypt the file and one to decrypt the file. Neither key will perform both functions. This means that once the symmetric key is encrypted with the public key, it cannot be read without the private key. This protects the symmetric key. To protect the EFS certificate stored on the computer, it is encrypted using the user's password.

When the user logs on, the user's password is used to access the certificate and thus get access to the private key in the certificate. This is why, when changing the user's password, you should always be logged in as that user. This way Windows can access the EFS certificate and change the password. If you are logged in as another user and you use the administrator's tools to change the password, the password will not be updated on the EFS certificate and access to the EFS certificate will be lost. To ensure you can always access encrypted files you can, firstly, back up your EFS certificates. Secondly, you can configure a DRA. A DRA is another user that has access to the encrypted files. EFS does this by adding another copy of the symmetric key to the file, encrypted using the DRA's EFS public key.

Setting up a DRA

A DRA is another user that has access to encrypted files. The DRA will only be able to access files that were encrypted after it was set up. To configure a DRA, the certificate for the DRA user must be exported using the command cipher /r:filename. Once the .cer and .pfx files are exported, the certificate's public key (the .cer file) can be added to HKEY\Computer configuration\Windows Settings\Security Settings\Public Key Policies\Encrypting file system. To read encrypted files, the .pfx file needs to be imported on the computer you want to read the files on. This is done by double-clicking the .pfx file and finishing the wizard.

See http://itfreetraining.com or http://youtube.com/ITFreeTraining for our always free training videos. This is only one video of the completely free course for the 70-680 exam, available for free on YouTube.
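To make the key layout described above concrete, here is an added example that is not from the video or from ITFreeTraining: a small Go model in which each file gets its own random symmetric key (the FEK), and that FEK is stored with the file wrapped once per authorised public key, so a recovery agent can only open files whose FEK was wrapped for its key at encryption time. The names EncryptedFile, EncryptFile and DecryptFile are mine, and the AES-GCM plus RSA-OAEP pairing is an assumption used for illustration, not a claim about the exact algorithms Windows EFS uses.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// EncryptedFile models an EFS-protected file: data sealed with a random per-file
// key (the FEK), plus the FEK wrapped once per authorised public key.
type EncryptedFile struct {
	Nonce, Ciphertext []byte
	WrappedFEK        [][]byte // one RSA-OAEP wrapped copy of the FEK per recipient
}

// EncryptFile draws a fresh FEK and nonce, seals the data and wraps the FEK for
// every public key present at encryption time (the owner, and the DRA if any).
func EncryptFile(plaintext []byte, recipients []*rsa.PublicKey) (*EncryptedFile, error) {
	buf := make([]byte, 32+12) // 32-byte FEK followed by a 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	fek, nonce := buf[:32], buf[32:]
	block, _ := aes.NewCipher(fek) // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block)
	ef := &EncryptedFile{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}
	for _, pub := range recipients {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fek, nil)
		if err != nil {
			return nil, err
		}
		ef.WrappedFEK = append(ef.WrappedFEK, w)
	}
	return ef, nil
}

// DecryptFile tries each wrapped FEK with the caller's private key; a key with
// no entry (a DRA configured after encryption, any other user) is refused.
func DecryptFile(ef *EncryptedFile, priv *rsa.PrivateKey) ([]byte, error) {
	for _, w := range ef.WrappedFEK {
		if fek, err := rsa.DecryptOAEP(sha256.New(), nil, priv, w, nil); err == nil {
			block, _ := aes.NewCipher(fek)
			gcm, _ := cipher.NewGCM(block)
			return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
		}
	}
	return nil, errors.New("access denied: no FEK entry for this private key")
}
```

The model shows why a DRA configured after a file was encrypted cannot open it: the file simply carries no FEK copy for the agent's key, so existing files need their key entries refreshed before the agent covers them.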


Comments

  1. Thanks for the video. In my case the recovery agent is the domain administrator. How can I recover my files with that?
  2. Hi,
    I wanted to say thank you for the fantastic tutorial on EFS. It is quite well done. I recently went through an EFS disaster of my own. I have been using Windows professionally since the early 80's. In my personal business, I used 2000 Pro, then XP Pro, then 7, then Windows 10. Windows 10 was not my choice; it was a forced upgrade by Windows "update".
    I did not know what EFS was, or how it got enabled on all my files, until the Windows 10 forced "upgrade" from Windows 7. I noticed padlocks on my files after the upgrade, and they seemed to be different looking. Being a very busy professional, I looked up the padlocks, and the Windows help desk, and I use that term lightly, said it was to protect files from outside attack. Thinking this was some kind of thing that Microsoft added to Windows 10, I shrugged it off, and went on my way with work. Windows 10 seemed to work well for about 6 months. Unfortunately, not knowing anything about EFS, I had no backup of the keys or certificates. I corrupted my file system and lost the keys doing one of the following, not sure which one: using a registry utility to "clean up" and "de-frag" my registry, and running a command from PowerShell to refresh corrupt files in Windows in order to restore my Windows 10 start menu, which had disappeared. Incidentally, I made no backup of the registry either, another ignorant move on my part. I believed the software vendor that all changes to the registry were reversible.
    Microsoft "help desk" told me the certificates are not backed up in the 11 backups I had on another drive, nor in the system image I had on my backup drive. So basically, I had a 2 TB door stop, because EFS encrypted all my backup files as well. I wanted to share this with those like me, who are shocked that there is "no way" to get your encrypted files back if you did not make a backup of the keys. That statement is simply false in so many ways.
    First, if your file system or disk is not corrupted like mine was, the keys and certificates are recoverable by software called Elcomsoft, or Diskinternals. These programs will recover forgotten passwords along with the keys and certificates. There are YouTube videos of the process. Both programs scan the hard disk to find the certificates in the deleted areas of the disk, kind of like un-delete software. Unfortunately, my system was not so lucky.
    With the de-frag process I ran, or the Windows utility that I ran, apparently overwriting files, Diskinternals and Elcomsoft could not find the keys and thus could not un-encrypt the files. So after weeks of scanning with these programs (a single TB drive takes 7 to 8 hrs each, if there are no other disk problems), reading, watching YouTube videos on the subject, and feeling generally helpless, I decided to try the backup of the system image anyway. However, I was afraid to overwrite the encrypted file system with the data, as that would surely eliminate any hope of recovery using one of the recovery programs.
    I bought a new hard drive, and did a fresh "recovery" to a blank hard drive, using the system image from my backup. The system image restored, and lo and behold, the certificate was there, the file system unencrypted for the original use, and I was thrilled to have my business records back! Now, I am not saying don't back up those keys. If you are using EFS to encrypt, then by all means back the keys up, several times in different places, feed a USB to your dog for safe temporary keeping (just kidding, don't do that). However, I believe it is wiser to NOT use the encryption in the first place. After my experience, I believe it is a farce. Only the most inept hacker will be kept out. The risk is not worth the "security". With tools like Elcomsoft and Diskinternals available, if your system is in a healthy state, these tools can find the keys, and the passwords, and get to the files anyway! The only thing EFS encryption is guaranteed to do is harm you in the event of corruption of the EFS certificate system. It will not protect anything with the tools available today. If I can use them, then it's not too difficult.
    Since Microsoft was so "helpful" to me, and in effect caused me to lose 2 LARGE accounts so far in my business, by giving me false information from their "Help Desk" by not one, but THREE different "Help Desk" persons, I have decided to help them like they helped me. In the past month of solving this ridiculous issue, I have educated myself on the open source community of Linux software, and have a replacement OS up and running in the meantime. I am giving a well deserved reward to Microsoft, and Windows 10! I am switching to Linux.
    I hope this long-winded response remains on your page because it is one of the few EFS videos out there, and I watched it many times looking for a solution. I hope my response will help someone just say no to EFS encryption, and maybe no to Microsoft as well.
  3. Nice! Just do not delete my user name! Oh, back up the certificates offline.
  4. Thank you for the Video
  5. Did you import it under the user section? If you import it under computer or service it will not work.
  6. How can I share encrypted files with another computer? I exported the private certificate and imported it on the other computer, but the message that says "access denied" still appears. What am I doing wrong?
  7. We have two videos on this: File and Folder Access and NTFS Special Permissions. You essentially need to make sure that inheritance is switched off and then remove all other permissions. I would however suggest leaving the Administrators group and SYSTEM user in the permission list.
  8. Could you tell me how to protect a folder with NTFS permissions so nobody can access it but me? So if new accounts are created on the PC they still can't view it.
  9. The keys in the EFS certificate are scrambled using the user's password. If you log in to the computer as that user and press Control-Alt-Delete and then select Change Password, this will change the EFS certificate for that user with the new password. If you use the admin tools to change the user's password, the admin tool will not know what the user's password is and therefore cannot update the EFS certificate. The idea is to prevent people using the certificate without the user's password.
  10. OK. But how is a certificate tied to the user's password? What if I change my password, does the certificate change too?
  11. Pretty much. The certificate does contain keys which are used to obtain the encryption key stored in the file. In Windows the EFS certificate is protected with the user's password. That is why you get a warning if you try to change the password using the admin tools. So in order to use the certificate, you would need to copy it to another machine and know the user password used on the certificate.
  12. So a certificate is basically a key file? It's used to decrypt the file encryption keys? If so, if other people get access to the key, they can copy it, install it to a newly created user and decrypt all files encrypted by the other user?
  13. No problem at all. Thanks for watching.
  14. Awesome video, thanks again.
  15. EFS lets you encrypt a single file or multiple files. BitLocker encrypts the whole hard disk.
  16. What's the difference between EFS and BitLocker?