EFS

What Is Public Key Encryption?
Definition
Public key encryption, also called asymmetric encryption, is an encryption
method that uses a public key and private key pair to encrypt data. Public keys
are available to anyone. Private keys must be kept secret by the account that has
encrypted the file.
Public key characteristics
Public key encryption has the following characteristics:
How encryption works

Anyone can encrypt data by using a public key, which is available as public
information. However, only one account possesses the corresponding private
key, so only that account can decrypt the data.

The account that uses the private key generates the key pair.

A key pair is created by using a program that generates keys. For example,
EFS can be used to create a key pair to encrypt files on your domain.

The private key is never exposed to network users, and is protected either in
a user or computer profile, or on a physical device such as a smart card.

The public key, an attribute of the certificate, is widely distributed, in
locations such as the Active Directory® directory service, to ensure that
other users can obtain the public key for both encryption and digital signing
of data.
EFS encryption uses a public-private key pair and a per-file encryption key to
encrypt and decrypt data. The following steps describe the process that is
used to encrypt and decrypt data.
1. When a user encrypts a file, EFS generates a file encryption key (FEK) to
encrypt the data. The FEK is encrypted with the user's public key, and the
encrypted FEK is then stored with the file. After a user encrypts a file, the
file remains encrypted for as long as it is stored on the disk.
2. To decrypt files, the user opens the file, removes the encryption attribute, or
decrypts the file by using the cipher command. EFS decrypts the FEK by
using the user's private key, and then decrypts the data by using the FEK.
Note You can either encrypt or compress a file, but you cannot do both on
the same file. If a user encrypts a file that has been compressed, the file is
decompressed first. Encryption and compression are mutually exclusive.
Last Saved: 2/16/2016 1:46:00 AM
How EFS Uses Certificates
Introduction
Each user who logs on can encrypt files. EFS generates a unique certificate and
key pair for each user. Unless a user shares an encrypted file for others to
access, no other user can access that user's files.
What is a certificate?
A certificate is a digital statement issued by an authority that vouches for the
identity of the certificate holder. A certificate binds a public key to the identity
of the person, computer, or service that holds the corresponding private key.
Certificates are used by a variety of public key security services and
applications that provide authentication, data integrity and secure
communications across networks such as the Internet.
How EFS Uses Certificates
EFS must find a certificate for a user before it will allow the user to access an
encrypted file. How EFS finds and uses certificates to open an encrypted file is
described below.
1. When a user sets the encrypted attribute for a file or folder, EFS attempts to
locate the user's certificate in the personal certificate store.
2. If the user does not have a certificate that has been authorized for use with
EFS, EFS requests a certificate from an available enterprise certification
authority (CA).
3. If an enterprise CA is not available, EFS automatically generates its own
self-signed certificate for the user.
If the EFS user certificate expires, EFS renews the certificate if possible; if
it cannot, it issues a new public-private key pair and a new public key
certificate for the user the next time an EFS operation is performed for that
user.
Note Certificates that EFS generates are self-signed rather than signed by a
CA. Therefore, the certification path is the same as for root CA
certificates, which are also self-signed. EFS certificates that are self-signed are
identified as "not trusted" because the certifying authority does not have a
certificate in the Trusted Root Certification Authorities store. Nevertheless,
self-signed EFS certificates are valid for use by EFS.
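The following Go program is an added example, not part of the original document, that shows the note's point with the crypto/x509 package standing in for the Windows certificate store: a self-signed certificate has no path to a (constructed, empty) Trusted Root store and so reads as "not trusted", yet its own signature verifies under its own public key, exactly as a root CA certificate's does, and it carries the usage EFS needs, so a local check accepts it. The EFS extended key usage OID 1.3.6.1.4.1.311.10.3.4 is Microsoft's documented value and does not appear on the page; the user name, validity period and the rules in usableForEFS are this example's own choices.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// efsEKU is Microsoft's Encrypting File System extended key usage OID
// (szOID_KP_EFS); it is not given on the page but is a documented value.
var efsEKU = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 10, 3, 4}

// newSelfSignedEFSCert builds a certificate the way the note describes: the
// user's own key signs it, so issuer and subject are the same name and there
// is no CA anywhere in the path. Field values are constructed for the example.
func newSelfSignedEFSCert(user string) (*x509.Certificate, *rsa.PrivateKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(1),
		Subject:            pkix.Name{CommonName: user},
		NotBefore:          time.Now().Add(-time.Hour),
		NotAfter:           time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:           x509.KeyUsageKeyEncipherment, // needed to wrap the FEK
		UnknownExtKeyUsage: []asn1.ObjectIdentifier{efsEKU},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// chainsToRoot is what a generic certificate viewer does: build a path from
// the certificate to something in the given trusted-root store.
func chainsToRoot(cert *x509.Certificate, roots *x509.CertPool) bool {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err == nil
}

// usableForEFS is the check that matters to EFS itself: the certificate is
// self-consistent (its signature verifies under its own public key, the same
// shape of check a root CA certificate passes), it is inside its validity
// period, and it carries the EFS EKU plus key encipherment.
func usableForEFS(cert *x509.Certificate, now time.Time) error {
	if err := cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature); err != nil {
		return err
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return errors.New("certificate expired or not yet valid: renewal needed")
	}
	if cert.KeyUsage&x509.KeyUsageKeyEncipherment == 0 {
		return errors.New("key usage does not allow key encipherment")
	}
	for _, oid := range cert.UnknownExtKeyUsage {
		if oid.Equal(efsEKU) {
			return nil
		}
	}
	return errors.New("certificate is not an EFS certificate")
}

// selfSignedReport answers the note's two questions for a freshly generated
// certificate: does it chain to the Trusted Root store (no), and is it
// nevertheless usable for EFS (yes).
func selfSignedReport(user string) (trustedByRootStore, usable bool, err error) {
	cert, _, err := newSelfSignedEFSCert(user)
	if err != nil {
		return false, false, err
	}
	rootStore := x509.NewCertPool() // constructed: an empty Trusted Root store
	return chainsToRoot(cert, rootStore), usableForEFS(cert, time.Now()) == nil, nil
}

func main() {
	fmt.Println(selfSignedReport("alice"))
}
```

Run it with go run: the report prints false (no path to a trusted root) and true (usable by EFS). Passing a time after NotAfter to usableForEFS makes it fail, which is the expired-certificate condition under which EFS renews or reissues the certificate as described above.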
Why Share an Encrypted Folder?
Introduction
You can share your encrypted files with other users on your network. Using
encrypted files is a great way to protect your data while still sharing it with
other authorized users on your computer or file servers.
Shared EFS not file shares
Shared EFS files are not file shares. However, if authorized users need to access
shared EFS files over the network, a file share or a Web folder is required.
Alternatively, users could establish remote sessions with computers that store
encrypted files.
Who can authorize user access?
Any user who is authorized to decrypt a file can authorize other users to access
the file. Caution users to share files only with trusted accounts, because those
accounts can in turn authorize other accounts. Removing the Write permission
from a user or group prevents this, but it also prevents that user or group
from modifying the file. You can add authorized individuals to files, but not
to folders.
Requires EFS certificates
EFS sharing requires that the users who are authorized to access the encrypted
file have EFS certificates. These certificates can be located in roaming profiles
or in the user profiles on the computer on which the file to be shared is stored,
or they can be stored in and retrieved from Active Directory.
What Is an EFS Recovery Agent?
Definition
A recovery agent is an individual authorized to decrypt data that was encrypted
by another user. Recovery agents do not need any other permissions to function
in this role.
Uses of data recovery
Data recovery is important when you need to be able to recover data encrypted
by an employee after the employee leaves, or when a user loses the private key.
Data recovery is available through the Encrypting File System (EFS) as a part
of the overall security policy for the system. For example, if you should ever
lose your file encryption certificate and associated private key through disk
failure, damage, or any other reason, the person who is the designated recovery
agent can recover the data.
Special certificate and private key
Each recovery agent has a special certificate and associated private key that
allows data recovery wherever the recovery policy applies. If you are the
recovery agent, you should be sure to use the Export command in Certificates
in the Microsoft Management Console (MMC) to back up the recovery
certificate and the associated private key to a secure location.
After backing them up, you should use Certificates in MMC to delete the
recovery certificate. Then, when you need to perform a recovery operation for a
user, you should first restore the recovery certificate and associated private key
using the Import command from Certificates in MMC. After recovering the
data, you should again delete the recovery certificate. You do not have to repeat
the export process.
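The following Go program is an added example, not code from the document or from Windows, that models three things the document describes: the two-layer scheme in "What Is Public Key Encryption?" (a random per-file FEK encrypts the data, the FEK is wrapped with a public key and stored with the file, and decryption recovers the FEK with the private key first), the sharing rule in "Why Share an Encrypted Folder?" (only a principal who can already unwrap the FEK can add another user), and the recovery agent described above (the FEK is also wrapped with the agent's public key when the file is written, so the agent needs no other permission to recover it). AES-GCM and RSA-OAEP are this example's own algorithm choices, the principal names and file contents are constructed, and a single map stands in for the separate user and recovery-agent key lists that EFS keeps in a file's metadata.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// encryptedFile is a constructed stand-in for EFS's per-file metadata: the
// ciphertext plus the file encryption key (FEK) wrapped once for each principal
// allowed to open the file. Real EFS keeps user entries and recovery-agent
// entries in two separate lists; one map keeps this example short.
type encryptedFile struct {
	nonce, ciphertext []byte
	keyFields         map[string][]byte // principal name -> RSA-OAEP wrapped FEK
}

// fekCipher turns a FEK into an AEAD. AES-GCM is this example's choice; the
// symmetric algorithm EFS itself uses depends on the Windows version.
func fekCipher(fek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(fek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptFile mirrors step 1: generate a random FEK, encrypt the data with it,
// then store the FEK wrapped to the public key of the owner and of every
// recovery agent named by the recovery policy. The FEK itself is never stored.
func encryptFile(plain []byte, readers map[string]*rsa.PublicKey) (*encryptedFile, error) {
	buf := make([]byte, 32+12) // 256-bit FEK followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	fek, f := buf[:32], &encryptedFile{nonce: buf[32:], keyFields: map[string][]byte{}}
	aead, err := fekCipher(fek)
	if err != nil {
		return nil, err
	}
	f.ciphertext = aead.Seal(nil, f.nonce, plain, nil)
	for name, pub := range readers {
		if f.keyFields[name], err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fek, nil); err != nil {
			return nil, err
		}
	}
	return f, nil
}

// unwrapFEK mirrors the first half of step 2: only a principal with a key
// field recovers the FEK, and only with the matching private key.
func unwrapFEK(f *encryptedFile, name string, priv *rsa.PrivateKey) ([]byte, error) {
	w, ok := f.keyFields[name]
	if !ok {
		return nil, errors.New("no key field for " + name)
	}
	return rsa.DecryptOAEP(sha256.New(), nil, priv, w, nil)
}

// decryptFile completes step 2: recover the FEK first, then the data.
func decryptFile(f *encryptedFile, name string, priv *rsa.PrivateKey) ([]byte, error) {
	fek, err := unwrapFEK(f, name, priv)
	if err != nil {
		return nil, err
	}
	aead, err := fekCipher(fek)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, f.nonce, f.ciphertext, nil)
}

// shareFile models "any user who is authorized to decrypt a file can authorize
// other users": the sharer must unwrap the FEK with their own private key
// before wrapping it to the new user's certificate; anyone else fails here.
func shareFile(f *encryptedFile, sharer string, sharerPriv *rsa.PrivateKey,
	newUser string, newPub *rsa.PublicKey) error {
	fek, err := unwrapFEK(f, sharer, sharerPriv)
	if err != nil {
		return err
	}
	f.keyFields[newUser], err = rsa.EncryptOAEP(sha256.New(), rand.Reader, newPub, fek, nil)
	return err
}

// main: alice (owner) and ra (recovery agent) are constructed principals.
func main() {
	alice, _ := rsa.GenerateKey(rand.Reader, 2048) // demo: error handling omitted
	ra, _ := rsa.GenerateKey(rand.Reader, 2048)
	f, err := encryptFile([]byte("quarterly numbers"),
		map[string]*rsa.PublicKey{"alice": &alice.PublicKey, "ra": &ra.PublicKey})
	if err != nil {
		panic(err)
	}
	p, err := decryptFile(f, "ra", ra) // recovery needs no other permission
	fmt.Printf("recovery agent reads %q (err=%v)\n", p, err)
}
```

Run it with go run: main shows the recovery agent reading a file it never owned, because its wrapped copy of the FEK was written alongside the owner's. A principal with no key field, or one presenting a different private key, gets an error from decryptFile, and shareFile refuses anyone who cannot unwrap the FEK first, which is the property behind the advice to share only with trusted accounts.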
What Are Recovery Policies?
Introduction
EFS uses recovery policies to provide built-in data recovery. A recovery policy
is a public key policy that provides for one or more user accounts to be
designated as recovery agents.
Recovery policies
A recovery policy is configured locally for stand-alone computers. For
computers that are part of a network, a recovery policy is configured at the
domain, organizational unit, or individual computer level. These recovery
policies apply to all Windows 2000, Windows XP and Windows Server 2003
family-based computers. A certification authority (CA) issues recovery
certificates, and you use Certificates in Microsoft Management Console (MMC)
to manage them.
Tools for recovery policy
You can use the Group Policy snap-in to define a data recovery policy for
domain member servers, or for stand-alone or workgroup servers. You can
either request a recovery certificate, or export and import your recovery
certificates.
Who can administer the recovery policy?
You may want to delegate administration of the recovery policy to a designated
administrator. Although you should limit who is authorized to recover
encrypted data, allowing multiple administrators to act as recovery agents
provides you with an alternate source if recovery is necessary.