Encrypting File System - Computing Infrastructure Services

Office of Information Technologies (OIT)
Encrypting File System (EFS)
November 14th, 2007
Contents
Introduction (p. 1)
  Benefits (p. 1)
  How it works (p. 1)
Enabling EFS (p. 2)
  Step 1: Obtain an EFS key pair (p. 2)
    OPTION 1: Auto Enrollment (p. 2)
    OPTION 2: Web Enrollment (not supported on Vista) (p. 2)
    OPTION 3: Local Key Pair (p. 2)
  Step 2: Verification of Key Pair (p. 2)
  Step 3: Encrypting Files/Folders (p. 3)
Sharing Encrypted Files (p. 4)
  Sharing Encrypted Files on the Same Computer (p. 4)
  Sharing Encrypted Files over the Network (p. 4)
Copying EFS Keys to another Computer (p. 5)
  Step 1: Export the Existing EFS Key Pair (p. 5)
  Step 2: Import the EFS key pair on the destination computer (p. 6)
Recovering Encrypted Files (p. 7)
  OPTION 1: Key Recovery (p. 7)
  OPTION 2: Data Recovery Agent (DRA) (p. 7)
Introduction
This document is meant to aid campus IT administrators in understanding the Encrypting File System (EFS) on
Microsoft Windows and how it is implemented at PSU. All of the procedures necessary to get started with EFS are
provided in the sections that follow.
Benefits
EFS helps protect sensitive information stored on a Windows-based desktop or laptop computer. It is especially
useful when equipment is lost or stolen: without EFS, a hard drive removed from the original system can be
mounted in another machine and read directly, whereas with EFS properly configured only ciphertext is on the disk.
Note that EFS protects data at rest only. Once the user is logged on, files are decrypted transparently for any
program running as that user, so EFS is no defense against malware or an unlocked session, and because the user's
private key is protected by the logon password, a weak password weakens EFS directly.
How it works
In Windows XP Service Pack 1 (SP1) and later, EFS encrypts file contents with the Advanced Encryption Standard
(AES) using a 256-bit key. Each file gets its own random symmetric key, the file encryption key (FEK), which is
stored with the file after being encrypted separately under the public key of every RSA key pair allowed to open
that file. One of these RSA key pairs is the user's own EFS key pair, used for normal encryption/decryption of the
data. The other is the key pair of the data recovery agent (DRA), which administrators use to recover encrypted
information when the user's key pair has been lost or damaged. A single file can carry entries for several user
and DRA key pairs. The user's private key lives in the user's profile protected by DPAPI, which is derived from the
logon password; on a local (non-domain) account an administrative password reset therefore makes the key, and every
file encrypted to it, unrecoverable. Note: The DRA is only available as a recovery option for PSU domain attached
workstations. For more information on EFS see the following article:
http://technet.microsoft.com/en-us/library/bb457065.aspx
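As an added illustration (not code from the OIT document or from Microsoft), the following PowerShell models the key hierarchy just described with .NET primitives: a 256-bit AES key stands in for the FEK, and three RSA key pairs stand in for the user's EFS certificate, the DRA certificate and an outsider. The function names, the sample text and the choice of OAEP padding are this example's own; real EFS keeps the wrapped FEKs in the file's $EFS attribute (the DDF and DRF entries) and matches them by certificate hash rather than by trial decryption.

```powershell
# Added illustration, not code from the OIT document or from Microsoft: a model of the EFS key
# hierarchy. AES-256 key = FEK; RSA key pairs = user certificate, DRA certificate, outsider.
function New-RsaKeyPair { $k = [System.Security.Cryptography.RSA]::Create(); $k.KeySize = 2048; $k }
$oaep = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256

function Protect-FileData {
    param([byte[]]$Plaintext, [System.Security.Cryptography.RSA[]]$Recipients)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256                                   # the FEK: one random key per file
    $aes.GenerateKey(); $aes.GenerateIV()
    $data = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    # One wrapped copy of the FEK per public key: user entries form the DDF, agent entries the DRF.
    $wrapped = @()
    foreach ($r in $Recipients) { $wrapped += ,$r.Encrypt($aes.Key, $oaep) }
    $envelope = @{ IV = $aes.IV; Data = $data; WrappedKeys = $wrapped }
    $aes.Dispose()                                       # clears the plaintext FEK from memory
    return $envelope
}

function Unprotect-FileData {
    param($Envelope, [System.Security.Cryptography.RSA]$PrivateKey)
    $fek = $null
    foreach ($w in $Envelope.WrappedKeys) {
        # OAEP decryption with the wrong private key fails rather than returning garbage,
        # so trying each entry in turn is safe (EFS instead selects the entry by certificate hash).
        try { $fek = $PrivateKey.Decrypt($w, $oaep); break } catch { }
    }
    if (-not $fek) { throw 'no DDF/DRF entry for this key: the holder cannot read the file' }
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $fek; $aes.IV = $Envelope.IV
    $plain = $aes.CreateDecryptor().TransformFinalBlock($Envelope.Data, 0, $Envelope.Data.Length)
    $aes.Dispose()
    return [System.Text.Encoding]::UTF8.GetString($plain)
}

$userKey = New-RsaKeyPair      # the user's EFS key pair
$draKey  = New-RsaKeyPair      # the data recovery agent's key pair
$other   = New-RsaKeyPair      # someone with no entry in the file
$secret  = [System.Text.Encoding]::UTF8.GetBytes('constructed sample: grant ledger, FY2007')

$envelope = Protect-FileData -Plaintext $secret -Recipients @($userKey, $draKey)
Unprotect-FileData $envelope $userKey    # owner: normal access
Unprotect-FileData $envelope $draKey     # DRA: recovery without the user's private key
try { Unprotect-FileData $envelope $other } catch { "third party: $($_.Exception.Message)" }
```

Runs in Windows PowerShell 5.1 or PowerShell 7 on Windows. The last call fails on purpose: a key pair with no entry in the file cannot recover the FEK, while either the owner or the agent can. The same structure explains why a recovery agent added after a file was encrypted cannot open it until the file's DRF is rewritten, which is what cipher.exe /u does for existing files.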
Encrypting File System
Page 1
Enabling EFS
Follow the steps outlined below to use EFS on a PSU domain attached workstation.
Step 1: Obtain an EFS key pair
There are several ways a user’s EFS key pair can be created for workstations joined to the PSU domain. The first
two options described below will generate EFS key pairs through PSU’s public key infrastructure (PKI). These
options are preferred and have several advantages. First, should your key pair become lost or damaged you can
request a copy from OIT. This is the easiest way to recover encrypted files if the user’s key pair is unavailable.
Second, options one and two make it easier to share encrypted files with others.
OPTION 1: Auto Enrollment
This is the easiest way to get an EFS key pair and requires that the user be added to the
“OIT_EFSwithKeyArchive_AutoEnroll_LG” Active Directory security group. The next time members of this group
log on to their domain attached workstation (Windows 2000 and above) they will automatically receive an EFS key
pair. NOTE: Be sure the user does not log on to another domain attached workstation before they’ve received their
EFS key pair, or it may be installed on the wrong machine. Users can only auto-enroll for an EFS key pair once.
OPTION 2: Web Enrollment (not supported on Vista)
1. Open Internet Explorer on Windows 2000 or XP (Vista is not currently supported) and go to
https://ca.oit.pdx.edu
2. IMPORTANT: Be sure to log on as the end user who will be using EFS
3. Click the “Request a certificate” link
4. Click the “Create and submit a request to this CA” link
5. Choose the Certificate Template “PSU EFS with Key Archive”
6. Enter your full name in the “Friendly Name” field
7. Click submit
8. Click OK on the warning
9. Click on the link to “Install this certificate”
10. Click Yes to install the certificate
OPTION 3: Local Key Pair
To use a local key pair for EFS skip to Step 3 and it will be generated automatically the first time a file or folder is
encrypted.
NOTE: This option doesn’t require as many steps, but offers fewer recovery options. If the key pair is lost or
corrupted it cannot be recovered, and each encrypted file/folder must be located and then decrypted using the EFS
data recovery agent (DRA). Additionally, sharing encrypted files with others is more difficult.
Step 2: Verification of Key Pair
1. If you used OPTION 1 in Step 1 above to auto enroll a certificate then you will need to wait up to eight
   hours or logoff/logon the machine for auto enrollment to take place. You may need to wait a few minutes
   after the logoff/logon for auto enrollment to complete.
2. Open the certificate manager
   a. Click “Start”
   b. Click “Run…”
   c. Type “certmgr.msc”
   d. Click “OK”
3. You should see your new certificate in two containers:
   a. Personal\Certificates
   b. Active Directory User Object\Certificates
Step 3: Encrypting Files/Folders
In this step you need to pick the files and folders to encrypt with EFS. Any important data that is stored locally on
the desktop or laptop computer should be protected. Below is a list of common folders that may contain sensitive
data:
• %userprofile%\My Documents
• %userprofile%\Desktop
• Mail Client
o %appdata%\Microsoft\Outlook
o %appdata%\Thunderbird
See the following URL for more detailed information on what should and can be encrypted using EFS:
http://www.microsoft.com/technet/technetmag/issues/2007/03/SecurityWatch/
Follow these steps to enable encryption on a file or folder:
1. Right click on the file/folder and choose “Properties”
2. Click on the “Advanced…” button
3. Click on the check box for “Encrypt contents to secure data”
4. Click on “OK”
NOTE: The encryption attribute travels with the file. Moving an encrypted file to another folder on the same NTFS
volume keeps it encrypted, but copying or moving it to a FAT volume, removable media or a network share that does
not support EFS writes it in plaintext with no warning. The reverse also matters: a plaintext file that arrives in
an encrypted folder by a rename on the same volume (many applications save to a temporary location and then move
the result into place) is not re-encrypted by the file system, so encrypt %temp% as well and check the attribute
after moving files (encrypted names show in green in Explorer; running cipher with no arguments in a folder lists
E for encrypted and U for unencrypted entries).
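Step 2 and Step 3 together, as an added PowerShell example that is not part of the OIT document: it picks out the EFS certificate in the Personal store (preferring the one EFS has recorded as current), checks that the same certificate is published on the Active Directory user object, encrypts the folders listed above with cipher.exe instead of the Explorer dialog, and then audits those folders for anything still in plaintext. It assumes Windows Vista or later (on XP the folder is “My Documents”), PowerShell 3 or later, and a domain-joined workstation for the AD check; the function names and the registry lookup are this example's own.

```powershell
# Added example, not code from the OIT document: Step 2 (verify) and Step 3 (encrypt) from PowerShell.
$EfsEku = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID "Encrypting File System"

function Get-EfsCertificate {
    # Candidates: Personal certificates that carry the EFS EKU and whose private key is present.
    $certs = @(Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $EfsEku) })
    # EFS records the SHA-1 hash of the certificate it uses for NEW encryption here; prefer that one.
    $keys = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys' -ErrorAction SilentlyContinue
    if ($keys -and $keys.CertificateHash) {
        $hash = -join ($keys.CertificateHash | ForEach-Object { $_.ToString('X2') })
        $current = $certs | Where-Object { $_.Thumbprint -eq $hash }
        if ($current) { return $current }
    }
    return $certs | Sort-Object NotAfter -Descending | Select-Object -First 1
}

function Test-EfsCertPublished {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # certmgr's "Active Directory User Object\Certificates" is the userCertificate attribute of
    # your AD account; other users read it when they add you to an encrypted file.
    try {
        $searcher = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$env:USERNAME))"
        [void]$searcher.PropertiesToLoad.Add('userCertificate')
        $result = $searcher.FindOne()
    } catch { return $false }                   # not domain-joined, or no DC reachable
    if (-not $result) { return $false }
    foreach ($blob in $result.Properties['usercertificate']) {
        $adCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$blob)
        if ($adCert.Thumbprint -eq $Cert.Thumbprint) { return $true }
    }
    return $false
}

function Protect-SensitiveFolders {
    param([string[]]$Folders)
    foreach ($f in $Folders) {
        if (-not (Test-Path -LiteralPath $f)) { continue }
        # /e sets the attribute, /s recurses into subfolders, /a includes the files themselves,
        # /h includes hidden and system files, /i keeps going after an error such as a locked file.
        & cipher.exe /e /s:"$f" /a /h /i | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "cipher /e returned $LASTEXITCODE for $f" }
    }
}

function Find-UnprotectedFiles {
    param([string[]]$Folders)
    # Any file under a sensitive folder without the Encrypted attribute is plaintext on disk
    # (for example one renamed in from elsewhere on the same volume).
    foreach ($f in $Folders) {
        Get-ChildItem -LiteralPath $f -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { ($_.Attributes -band [IO.FileAttributes]::Encrypted) -eq 0 } |
            Select-Object FullName, Length, LastWriteTime
    }
}

$folders = @("$env:USERPROFILE\Documents", "$env:USERPROFILE\Desktop",
             "$env:APPDATA\Microsoft\Outlook", "$env:APPDATA\Thunderbird")
$cert = Get-EfsCertificate
if (-not $cert) { throw 'No EFS certificate with a private key in Personal; finish Step 1 first.' }
"EFS key: $($cert.Subject) ($($cert.Thumbprint)), issued by $($cert.Issuer); published in AD: $(Test-EfsCertPublished $cert)"
Protect-SensitiveFolders $folders
Find-UnprotectedFiles $folders | Format-Table -AutoSize
# Optional and slow: a file encrypted in place leaves its old plaintext in free space until overwritten.
# & cipher.exe /w:$env:SystemDrive
```

If the issuer printed is the PSU CA, the key came from the PKI (Options 1 and 2); a self-signed issuer means a local key pair (Option 3) with the recovery limits described above. The commented-out cipher /w line is the step people forget: encrypting an existing file does not scrub the plaintext it previously occupied on disk.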
Sharing Encrypted Files
Files and folders encrypted using EFS can be shared amongst multiple users. If the EFS key pair was generated via
the PSU PKI (auto-enrollment or web enrollment) then the public key will have been automatically published to
Active Directory and the process is simplified. In the case of a self-generated EFS key pair, the other user's EFS
certificate (the public key only, not the .pfx file that holds the private key) must first be exported from their
machine and imported into your “Other People” store with the “certmgr.msc” tool before it can be selected.
Sharing Encrypted Files on the Same Computer
1. Choose the encrypted file that will be shared. NOTE: you can’t set up EFS sharing at the folder level; each
   individual file must be configured.
2. Right-click the encrypted file -> Properties -> Advanced… -> Details
3. Click “Add…” and choose the user to be granted access. The dialog only offers users whose EFS certificate it
   can find (published in Active Directory or imported into your Other People store); a user who has never
   encrypted anything has no certificate to add.
4. Be sure to set up NTFS file permissions as well
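The same per-file procedure from PowerShell, as an added example that is not part of the OIT document. Because sharing cannot be set at the folder level, the example walks a folder and adds the colleague to every encrypted file in it, sets the NTFS permission the last step asks for, and then confirms the grant from the output of cipher.exe /c. It assumes Windows Vista or later (the Windows 2000/XP cipher has no /ADDUSER switch) and that the colleague's EFS certificate is published in Active Directory, which is how /USER: locates it; the account, folder and function names are placeholders.

```powershell
# Added example, not code from the OIT document: "Details -> Add..." for every file in a folder.
function Grant-EfsAccess {
    param([string]$Path, [string]$Account)   # $Account in DOMAIN\user form, e.g. PSU\jdoe
    $item = Get-Item -LiteralPath $Path
    if (($item.Attributes -band [IO.FileAttributes]::Encrypted) -eq 0) { throw "$Path is not encrypted" }
    # /adduser /user: looks up that user's EFS certificate in Active Directory and adds a DDF entry
    # (the FEK re-wrapped under their public key). Only someone who can already decrypt the file can do this.
    & cipher.exe /adduser /user:$Account "$Path" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "cipher /adduser failed ($LASTEXITCODE) on $Path; is $Account's EFS certificate published in AD?"
    }
    # NTFS is evaluated before EFS: without an ACE the colleague is denied before the DDF is ever consulted.
    $acl = Get-Acl -LiteralPath $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Account, 'Modify', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Test-EfsAccess {
    param([string]$Path, [string]$Account)
    # cipher /c prints the holders of DDF entries under "Users who can decrypt:" as DOMAIN\user lines.
    $listing = & cipher.exe /c "$Path" 2>&1 | Out-String
    return ($listing -match [regex]::Escape($Account))
}

function Grant-EfsAccessToFolder {
    param([string]$Folder, [string]$Account)
    # Per-file by design: files added to the folder later are encrypted to the owner only and
    # need this run again.
    Get-ChildItem -LiteralPath $Folder -Recurse -File |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0 } |
        ForEach-Object {
            Grant-EfsAccess -Path $_.FullName -Account $Account
            [pscustomobject]@{ File = $_.FullName; Shared = (Test-EfsAccess -Path $_.FullName -Account $Account) }
        }
}

Grant-EfsAccessToFolder -Folder "$env:USERPROFILE\Documents\Grants" -Account 'PSU\jdoe' | Format-Table -AutoSize
```

A row with Shared = False after a successful /adduser usually means the account string did not match the form cipher prints; run cipher.exe /c on that file by hand and compare.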
Sharing Encrypted Files over the Network
There are several important caveats to sharing encrypted files over the network. First, encrypted files cannot be
shared via a CIFS/SMB network file share at PSU. Unfortunately this includes the most common method of
accessing shared files via the “H:” and “I:” drives (see http://www.uss.pdx.edu/files/NetworkFileShares.pdf).
Second, although encrypted files can be shared using WebDAV (https://myFiles.pdx.edu), it may be difficult to
setup because of differences and quirkiness in the Microsoft WebDAV client. Following the steps below may or
may not work depending on the version of your WebDAV client and Windows OS:
1. Connect to https://myfiles.pdx.edu and locate the file to be encrypted and shared
2. Right-click on the file and choose Properties -> Advanced… -> Encrypt contents to secure data -> OK -> OK
3. Right-click the encrypted file and choose Properties -> Advanced… -> Details
4. Click “Add…” and choose the user to be granted access
5. Be sure to set up NTFS file permissions as well
NOTE: If you encrypt a file through https://myfiles.pdx.edu and attempt to open it via a regular CIFS/SMB network
file share it will not be recognized as an encrypted file.
Copying EFS Keys to another Computer
Eventually you will find yourself needing to copy a user’s EFS key pair from one computer to another. This will
most likely be necessary under one of three scenarios:
1. A user’s system needs to be rebuilt from scratch
2. A user is being migrated to a new system
3. The user has EFS-protected files/folders on a network file share and needs access to them from another
computer
Note: If you download another key pair from https://ca.oit.pdx.edu instead of copying it, the user’s public EFS
key stored in Active Directory will not be updated.
Step 1: Export the Existing EFS Key Pair
1. Click on Start -> Run… -> certmgr.msc -> OK
2. Expand Personal -> Certificates
3. Right-click on the EFS certificate you wish to export and choose All tasks -> Export…
4. Use the Certificate Export Wizard to export your certificate
   a. Click Next at the Welcome screen
   b. Select “Yes, export the private key” -> Next
   c. Keep the defaults and click Next on the Export File Format page
   d. Choose a password that will protect the export file containing the public and private keys -> Next
   e. Click on Browse… and specify a file name/location for the export file -> Save -> Next -> Finish
NOTE: The export file contains the private key and is only as strong as the password on it. Use a long passphrase,
keep the file on removable media rather than a network share, and delete it once the import on the destination
computer has been verified. If the “Yes, export the private key” option is greyed out, the key was imported earlier
without being marked exportable and cannot be copied from this machine.
Step 2: Import the EFS key pair on the destination computer
1. Copy the PFX file from “Step 1: Export the Existing EFS Key Pair” to the destination computer
   a. Double-click on the PFX file
   b. Click Next on the welcome screen
   c. Click Next on the File to Import screen
   d. Enter the password you used in the export process and check the box for “Mark this key as
      exportable…” -> Next
   e. Click Next on the Certificate Store screen -> Finish
2. Verify the new key was successfully imported
   a. Click on Start -> Run… -> certmgr.msc -> OK
   b. Expand Personal -> Certificates
NOTE: “Mark this key as exportable” is what allows a later copy from this computer, but it also lets anything
running as the user export the key again. Leave it unchecked on shared or higher-risk machines and keep the PFX
file (securely) for future migrations instead. Finish the verification by opening a file that was encrypted on the
old computer; the certificate being listed under Personal does not by itself prove the private key came with it.
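The export and import above without the wizard, as an added PowerShell example that is not part of the OIT document. The export runs as the user on the old computer and the import as the same user on the new one; it uses the .NET certificate classes rather than the newer Export-PfxCertificate cmdlets so it works on any supported Windows. The thumbprint selection, the path E:\efs-backup.pfx and the use of icacls to lock the file down are assumptions.

```powershell
# Added example, not code from the OIT document: Step 1 (export) and Step 2 (import) with .NET classes.
$EfsEku = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID "Encrypting File System"

function Export-EfsKeyPair {
    param([string]$Thumbprint, [string]$PfxPath, [securestring]$Password)
    $cert = Get-Item "Cert:\CurrentUser\My\$Thumbprint"
    if (-not $cert.HasPrivateKey) { throw 'no private key for this certificate in the current profile' }
    # "Yes, export the private key": PKCS#12 output protected by the password. This throws if the
    # key was imported earlier without "Mark this key as exportable".
    $pfx = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $Password)
    [IO.File]::WriteAllBytes($PfxPath, $pfx)
    # The .pfx IS the user's key until it is destroyed: restrict it to the user, move it on removable media.
    & icacls.exe $PfxPath /inheritance:r /grant:r "$($env:USERNAME):F" | Out-Null
    return $PfxPath
}

function Import-EfsKeyPair {
    param([string]$PfxPath, [securestring]$Password, [switch]$Exportable)
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'UserKeySet, PersistKeySet'
    # Exportable is the wizard's "Mark this key as exportable..." box: it permits a later copy, but also
    # lets anything running as this user take the key.
    if ($Exportable) { $flags = $flags -bor [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable }
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $PfxPath, $Password, $flags
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'My', 'CurrentUser'
    $store.Open('ReadWrite'); $store.Add($cert); $store.Close()
    # Same check as "Step 2: Verification of Key Pair": present in Personal, private key persisted.
    $check = Get-Item "Cert:\CurrentUser\My\$($cert.Thumbprint)"
    if (-not $check.HasPrivateKey) { throw 'certificate stored but the private key did not persist' }
    return $check.Thumbprint
}

$pfxPassword = Read-Host -AsSecureString -Prompt 'Password for the export file'
# Old computer: pick the EFS certificate in Personal (normally there is exactly one).
$efsCert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $EfsEku) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
Export-EfsKeyPair -Thumbprint $efsCert.Thumbprint -PfxPath 'E:\efs-backup.pfx' -Password $pfxPassword
# New computer, same user: import, then open a file encrypted on the old machine before deleting the .pfx.
Import-EfsKeyPair -PfxPath 'E:\efs-backup.pfx' -Password $pfxPassword -Exportable
```

After the import, EFS finds the private key by the certificate thumbprint stored in each file's DDF, so files encrypted on the old computer open without further configuration; cipher.exe /c on one of them shows that thumbprint under “Users who can decrypt”. Do not run cipher.exe /k on the new computer at this point: it generates a fresh key pair rather than restoring the one the files were encrypted with.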
Recovering Encrypted Files
When a user’s EFS key becomes lost or damaged, there are two ways to recover the encrypted data for PSU
domain attached workstations. Non-domain workstations will NOT be able to recover files encrypted with EFS
using the data recovery agent (option 2). If non-domain workstations did not use https://ca.oit.pdx.edu to get
their EFS key pair then they will have no OIT supported recovery options.
OPTION 1: Key Recovery
If the user’s EFS key was generated through PSU’s PKI (auto-enrollment or web enrollment) then OIT can recover a
copy. Once the recovered EFS key is imported into the user’s profile all encrypted files will be immediately
accessible.
OPTION 2: Data Recovery Agent (DRA)
For PSU domain attached workstations the DRA can be used to recover files encrypted with a lost or damaged EFS
key. In this scenario each encrypted file/folder will need to be manually decrypted using the DRA. Once all
files/folders have been decrypted by the DRA they can be re-encrypted with a new EFS key pair.
NOTE: Campus administrators with their own organizational unit (OU) in Active Directory may request to have an
OU specific DRA assigned to their OU. This allows sub-administrators to recover encrypted files/folders without
involving OIT.
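The agent's side of OPTION 2, as an added PowerShell example that is not part of the OIT document. Since the DRA must locate and decrypt each file individually, the example walks a profile for every file carrying the Encrypted attribute, confirms from cipher.exe /c that the DRA certificate is actually in that file's recovery field before touching it, decrypts in place with cipher.exe /d, and reports what could not be recovered. It assumes Windows Vista or later, that it runs as the DRA account with the DRA certificate and private key imported into that account's Personal store, and enough NTFS rights on the files; the thumbprint and profile path are placeholders.

```powershell
# Added example, not code from the OIT document: DRA recovery of all encrypted files under a path.
function Find-EncryptedFiles {
    param([string]$Root)
    # EFS is a per-file attribute, so locating every protected file is a file-system walk.
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0 }
}

function Test-DraCanDecrypt {
    param([string]$Path, [string]$DraThumbprint)
    # cipher /c prints the certificate thumbprints held in the file's DDF and DRF (agents appear under
    # "Recovery Certificates"); the hex is printed in spaced groups, so strip whitespace before matching.
    $listing = & cipher.exe /c "$Path" 2>&1 | Out-String
    return (($listing -replace '\s', '') -match [regex]::Escape($DraThumbprint))
}

function Invoke-DraRecovery {
    param([string]$Root, [string]$DraThumbprint, [switch]$DryRun)
    foreach ($file in @(Find-EncryptedFiles -Root $Root)) {
        if (-not (Test-DraCanDecrypt -Path $file.FullName -DraThumbprint $DraThumbprint)) {
            # Encrypted before the recovery policy reached this machine, or on a non-domain machine:
            # no DRF entry exists for this agent, so only the user's own key (OPTION 1) can open it.
            Write-Warning "$($file.FullName): DRA $DraThumbprint is not in the recovery field"
            continue
        }
        if ($DryRun) { "would decrypt $($file.FullName)"; continue }
        # /d removes the encryption; /a applies the operation to the file rather than a directory.
        & cipher.exe /d /a "$($file.FullName)" | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "cipher /d failed ($LASTEXITCODE): $($file.FullName)" }
    }
    # Whatever still carries the attribute could not be recovered by this agent.
    return @(Find-EncryptedFiles -Root $Root)
}

$draThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'   # constructed placeholder, not a real DRA
Invoke-DraRecovery -Root 'C:\Users\jdoe' -DraThumbprint $draThumbprint -DryRun
```

Run it with -DryRun first: the warnings tell you up front which files need OPTION 1 instead. Once the real run returns an empty list, the files are plaintext on disk and should be re-encrypted with the user's new key pair without delay, as the section above says.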