Office of Information Technologies (OIT)
Encrypting File System (EFS)
November 14th, 2007

Contents

Introduction .... 1
  Benefits .... 1
  How it works .... 1
Enabling EFS .... 2
  Step 1: Obtain an EFS key pair .... 2
    OPTION 1: Auto Enrollment .... 2
    OPTION 2: Web Enrollment (not supported on Vista) .... 2
    OPTION 3: Local Key Pair .... 2
  Step 2: Verification of Key Pair .... 2
  Step 3: Encrypting Files/Folders .... 3
Sharing Encrypted Files .... 4
  Sharing Encrypted Files on the Same Computer .... 4
  Sharing Encrypted Files over the Network .... 4
Copying EFS Keys to another Computer .... 5
  Step 1: Export the Existing EFS Key Pair .... 5
  Step 2: Import the EFS key pair on the destination computer .... 6
Recovering Encrypted Files .... 7
  OPTION 1: Key Recovery .... 7
  OPTION 2: Data Recovery Agent (DRA) .... 7

Introduction

This document is meant to aid campus IT administrators in understanding the Encrypting File System (EFS) on Microsoft Windows and how it is implemented at PSU. All of the procedures necessary to get started with EFS are provided in the sections that follow.

Benefits

EFS is a great way to help protect sensitive information stored on your Windows-based desktop or laptop computer. It is especially useful in the event of lost or stolen equipment. Without EFS, if a computer's hard drive is removed from the original system, the data can be easily extracted using another machine. If EFS is properly configured then the data will be much more difficult to obtain.
How it works

In Windows XP Service Pack 1 (SP1) and later, EFS utilizes the Advanced Encryption Standard (AES) algorithm with a 256-bit key to encrypt data. When a file is designated for encryption, EFS uses what's referred to as the file encryption key (FEK) to encrypt the data. The FEK is then encrypted using at least two RSA key pairs. One of these RSA key pairs is used by the user for normal encryption/decryption of the data. The other RSA key pair is used by the data recovery agent (DRA). The DRA key pair is used by administrators to recover encrypted information when the user's key pair has been lost or damaged. There can be several user and DRA key pairs associated with a single file.

Note: The DRA is only available as a recovery option for PSU domain attached workstations.

For more information on EFS see the following article: http://technet.microsoft.com/en-us/library/bb457065.aspx

Encrypting File System Page 1

Enabling EFS

Follow the steps outlined below to use EFS on a PSU domain attached workstation.

Step 1: Obtain an EFS key pair

There are several ways a user's EFS key pair can be created for workstations joined to the PSU domain. The first two options described below will generate EFS key pairs through PSU's public key infrastructure (PKI). These options are preferred and have several advantages. First, should your key pair become lost or damaged you can request a copy from OIT. This is the easiest way to recover encrypted files if the user's key pair is unavailable. Second, options one and two make it easier to share encrypted files with others.

OPTION 1: Auto Enrollment

This is the easiest way to get an EFS key pair and requires that the user be added to the "OIT_EFSwithKeyArchive_AutoEnroll_LG" Active Directory security group. The next time members of this group log on to their domain attached workstation (Windows 2000 and above) they will automatically receive an EFS key pair.
NOTE: Be sure the user does not log on to another domain attached workstation before they've received their EFS key pair or it may be installed on the wrong machine. Users can only auto-enroll for an EFS key pair once.

OPTION 2: Web Enrollment (not supported on Vista)

1. Open Internet Explorer on Windows 2000 or XP (Vista is not currently supported) and go to https://ca.oit.pdx.edu
2. IMPORTANT: Be sure to log on as the end user who will be using EFS
3. Click the "Request a certificate" link
4. Click the "Create and submit a request to this CA" link
5. Choose the Certificate Template "PSU EFS with Key Archive"
6. Enter your full name in the "Friendly Name" field
7. Click Submit
8. Click OK on the warning
9. Click on the link to "Install this certificate"
10. Click Yes to install the certificate

OPTION 3: Local Key Pair

To use a local key pair for EFS skip to Step 3 and it will be generated automatically the first time a file or folder is encrypted.

NOTE: This option doesn't require as many steps, but offers fewer recovery options. If the key pair is lost or corrupted it cannot be recovered, and each encrypted file/folder must be located and then decrypted using the EFS data recovery agent (DRA). Additionally, sharing encrypted files with others is more difficult.

Step 2: Verification of Key Pair

1. If you used OPTION 1 in Step 1 above to auto-enroll a certificate then you will need to wait up to eight hours or log off/log on the machine for auto enrollment to take place. You may need to wait a few minutes after the logoff/logon for auto enrollment to complete.
2. Open the certificate manager:
   a. Click "Start"
   b. Click "Run…"
   c. Type "certmgr.msc"
   d. Click "OK"
3. You should see your new certificate in two containers:
   a. Personal\Certificates
   b. Active Directory User Object\Certificates

Step 3: Encrypting Files/Folders

In this step you need to pick the files and folders to encrypt with EFS.
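Before picking folders, the Step 2 check can also be scripted so an administrator can confirm a key pair is in place on many workstations without opening certmgr.msc on each one. The following is an added example and is not part of the OIT document. It assumes PowerShell 2.0 or later with the Cert: drive, uses the Enhanced Key Usage OID for "Encrypting File System" (1.3.6.1.4.1.311.10.3.4), and treats the Cert:\CurrentUser\UserDS store as the "Active Directory User Object" container shown in certmgr.msc. The function names Get-EfsCertificate and Test-EfsKeyPair are this example's own.

```powershell
# Added example (not from the OIT document): the Step 2 verification done from PowerShell.
# Assumes PowerShell 2.0+ with the Cert: drive; "UserDS" is the store behind the
# "Active Directory User Object" container in certmgr.msc.

$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID: Encrypting File System

function Get-EfsCertificate {
    # Returns the certificates in a store whose EKU extension includes the EFS OID.
    param([string]$StorePath = 'Cert:\CurrentUser\My')   # Personal\Certificates by default
    Get-ChildItem -Path $StorePath -ErrorAction SilentlyContinue | Where-Object {
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $EfsEkuOid })
    }
}

function Test-EfsKeyPair {
    # $true only when Personal\Certificates holds an EFS certificate whose private key
    # is accessible to the current user; that is what EFS needs to decrypt files.
    $certs = @(Get-EfsCertificate)
    if ($certs.Count -eq 0) {
        Write-Host 'No EFS certificate in Personal\Certificates (auto enrollment may still be pending)'
        return $false
    }
    foreach ($c in $certs) {
        $status = if ($c.HasPrivateKey) { 'private key present' } else { 'NO PRIVATE KEY' }
        Write-Host ('{0}  expires {1}  {2}' -f $c.Thumbprint, $c.NotAfter.ToShortDateString(), $status)
    }

    # Key pairs from OPTION 1/2 are also published to the AD user object (container b in Step 2).
    # A local key pair (OPTION 3) will not appear here, which is expected.
    $published = @(Get-EfsCertificate -StorePath 'Cert:\CurrentUser\UserDS')
    if ($published.Count -eq 0) {
        Write-Host 'No EFS certificate published in Active Directory User Object\Certificates'
    }

    $usable = @($certs | Where-Object { $_.HasPrivateKey })
    return ($usable.Count -gt 0)
}

# Usage: run as the end user who will encrypt files, e.g. in a logon script that
# records the result before Step 3 is attempted.
if (Test-EfsKeyPair) { Write-Host 'EFS key pair OK' } else { Write-Host 'EFS key pair missing' }
```

The thumbprint printed for each certificate is the same value the "Details" dialog lists for users who hold access to an encrypted file, so it is handy to record when a key pair is later exported or shared. A certificate that is present but shows NO PRIVATE KEY cannot decrypt anything and should be treated as a lost key for the purposes of the recovery section.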
Any important data that is stored locally on the desktop or laptop computer should be protected. Below is a list of common folders that may contain sensitive data:

• %userprofile%\My Documents
• %userprofile%\Desktop
• Mail Client
  o %appdata%\Microsoft\Outlook
  o %appdata%\Thunderbird

See the following URL for more detailed information on what should and can be encrypted using EFS: http://www.microsoft.com/technet/technetmag/issues/2007/03/SecurityWatch/

Follow these steps to enable encryption on a file or folder:

1. Right-click on the file/folder and choose "Properties"
2. Click on the "Advanced…" button
3. Click on the check box for "Encrypt contents to secure data"
4. Click on "OK"

NOTE: A file may not retain its encryption when moved out of a folder marked for encryption.

Sharing Encrypted Files

Files and folders encrypted using EFS can be shared amongst multiple users. If the EFS key pair was generated via the PSU PKI (auto-enrollment or web enrollment) then the public key will have been automatically published to Active Directory and the process is simplified. In the case of a self-generated EFS key pair, the EFS public key may need to be manually exported/imported to another machine via the "certmgr.msc" tool.

Sharing Encrypted Files on the Same Computer

1. Choose the encrypted file that will be shared. NOTE: you can't set up EFS sharing at the folder level; each individual file must be configured.
2. Right-click the encrypted file -> Properties -> Advanced… -> Details
3. Click "Add…" and choose the user to be granted access
4. Be sure to set up NTFS file permissions as well

Sharing Encrypted Files over the Network

There are several important caveats to sharing encrypted files over the network. First, encrypted files cannot be shared via a CIFS/SMB network file share at PSU.
Unfortunately this includes the most common method of accessing shared files via the "H:" and "I:" drives (see http://www.uss.pdx.edu/files/NetworkFileShares.pdf). Second, although encrypted files can be shared using WebDAV (https://myFiles.pdx.edu), it may be difficult to set up because of differences and quirkiness in the Microsoft WebDAV client. Following the steps below may or may not work depending on the version of your WebDAV client and Windows OS:

1. Connect to https://myfiles.pdx.edu and locate the file to be encrypted and shared
2. Right-click on the file and choose Properties -> Advanced… -> Encrypt contents to secure data -> OK -> OK
3. Right-click the encrypted file and choose Properties -> Advanced… -> Details
4. Click "Add…" and choose the user to be granted access
5. Be sure to set up NTFS file permissions as well

NOTE: If you encrypt a file through https://myfiles.pdx.edu and attempt to open it via a regular CIFS/SMB network file share it will not be recognized as an encrypted file.

Copying EFS Keys to another Computer

Eventually you will find yourself needing to copy a user's EFS key pair from one computer to another. This will most likely be necessary under one of three scenarios:

1. A user's system needs to be rebuilt from scratch
2. A user is being migrated to a new system
3. The user has EFS protected files/folders on a network file share and needs access to them from another computer

Note: If you download another key pair from https://ca.oit.pdx.edu instead of copying it, the user's public EFS key stored in Active Directory will not be updated.

Step 1: Export the Existing EFS Key Pair

1. Click on Start -> Run… -> certmgr.msc -> OK
2. Expand Personal -> Certificates
3. Right-click on the EFS certificate you wish to export and choose All Tasks -> Export…
4. Use the Certificate Export Wizard to export your certificate:
   a. Click Next at the Welcome screen
   b. Select "Yes, export the private key" -> Next
   c. Keep the defaults and click Next on the Export File Format page
   d. Choose a password that will protect the export file containing the public and private keys -> Next
   e. Click on Browse… and specify a file name/location for the export file -> Save -> Next -> Finish

Step 2: Import the EFS key pair on the destination computer

1. Copy the PFX file from "Step 1: Export the Existing EFS Key Pair" to the destination computer:
   a. Double-click on the PFX file
   b. Click Next on the welcome screen
   c. Click Next on the File to Import screen
   d. Enter the password you used in the export process and check the box for "Mark this key as exportable…" -> Next
   e. Click Next on the Certificate Store screen -> Finish
2. Verify the new key was successfully imported:
   a. Click on Start -> Run… -> certmgr.msc -> OK
   b. Expand Personal -> Certificates

Recovering Encrypted Files

When a user's EFS key becomes lost or damaged, there are two ways to recover the encrypted data for PSU domain attached workstations. Non-domain workstations will NOT be able to recover files encrypted with EFS using the data recovery agent (option 2). If non-domain workstations did not use https://ca.oit.pdx.edu to get their EFS key pair then they will have no OIT supported recovery options.

OPTION 1: Key Recovery

If the user's EFS key was generated through PSU's PKI (auto-enrollment or web enrollment) then OIT can recover a copy. Once the recovered EFS key is imported into the user's profile all encrypted files will be immediately accessible.

OPTION 2: Data Recovery Agent (DRA)

For PSU domain attached workstations the DRA can be used to recover files encrypted with a lost or damaged EFS key. In this scenario each encrypted file/folder will need to be manually decrypted using the DRA. Once all files/folders have been decrypted by the DRA they can be re-encrypted with a new EFS key pair.
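The export in "Copying EFS Keys to another Computer" Step 1, the import with "Mark this key as exportable" in Step 2, and the import of a recovered key that OPTION 1 above relies on are all the same PFX round trip, which an administrator may prefer to script rather than walk through the wizard on each machine. The following is an added example, not part of the OIT document or any OIT tooling. It assumes .NET 2.0 or later and PowerShell 2.0 or later, and that the EFS private key was created exportable (keys that are not exportable cause the Export call to fail). The function names Export-EfsKeyPair and Import-EfsKeyPair and the file path in the usage comments are this example's own.

```powershell
# Added example (not from the OIT document): PFX export/import of an EFS key pair
# from PowerShell, equivalent to the Certificate Export/Import Wizard steps.
# Assumes .NET 2.0+ / PowerShell 2.0+; paths and thumbprints in comments are constructed.

$X509 = 'System.Security.Cryptography.X509Certificates'

function Export-EfsKeyPair {
    param(
        [Parameter(Mandatory=$true)][string]$Thumbprint,   # as shown in certmgr.msc
        [Parameter(Mandatory=$true)][string]$PfxPath,      # destination file for the export
        [Parameter(Mandatory=$true)][string]$Password      # protects the PFX, as in wizard step d
    )
    $store = New-Object -TypeName "$X509.X509Store" -ArgumentList 'My', 'CurrentUser'
    $store.Open('ReadOnly')
    try {
        $cert = $store.Certificates | Where-Object { $_.Thumbprint -eq $Thumbprint }
        if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in Personal\Certificates" }
        if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key to export" }
        # ContentType Pfx with a password = "Yes, export the private key" (wizard step b);
        # a non-exportable key makes this call throw instead of silently exporting only the public half.
        $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $Password)
        [System.IO.File]::WriteAllBytes($PfxPath, $bytes)
    } finally {
        $store.Close()
    }
    return $PfxPath
}

function Import-EfsKeyPair {
    param(
        [Parameter(Mandatory=$true)][string]$PfxPath,
        [Parameter(Mandatory=$true)][string]$Password
    )
    # Exportable   = the "Mark this key as exportable..." check box (import step d)
    # PersistKeySet = keep the private key in the profile after this process exits
    # UserKeySet   = store it under the importing user, which is the user EFS will run as
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'Exportable, PersistKeySet, UserKeySet'
    $cert  = New-Object -TypeName "$X509.X509Certificate2" -ArgumentList $PfxPath, $Password, $flags

    $store = New-Object -TypeName "$X509.X509Store" -ArgumentList 'My', 'CurrentUser'
    $store.Open('ReadWrite')
    try { $store.Add($cert) } finally { $store.Close() }

    # The verification from import step 2: the certificate must be in Personal\Certificates
    # with its private key, otherwise EFS cannot decrypt anything with it.
    $present = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if (-not $present -or -not $present.HasPrivateKey) {
        throw "Import of $PfxPath did not produce a usable private key in Personal\Certificates"
    }
    return $cert.Thumbprint
}

# Usage (constructed values). On the source computer, as the user who owns the key:
#   Export-EfsKeyPair -Thumbprint 'ABCDEF0123456789ABCDEF0123456789ABCDEF01' -PfxPath 'C:\temp\efs-key.pfx' -Password 'choose-a-long-passphrase'
# On the destination computer, as the same user, after copying the PFX across:
#   Import-EfsKeyPair -PfxPath 'C:\temp\efs-key.pfx' -Password 'choose-a-long-passphrase'
```

Run both functions as the user who owns the key, not as an administrator, because the UserKeySet flag places the imported private key in the profile of whoever runs the import. The PFX file contains the private key, so it should be deleted from the source, the destination, and any intermediate media once the import has been verified; the password alone is all that protects it.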
NOTE: Campus administrators with their own organizational unit (OU) in Active Directory may request to have an OU specific DRA assigned to their OU. This allows sub-administrators to recover encrypted files/folders without involving OIT.
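OPTION 2 requires locating every encrypted file and decrypting it with the DRA, then re-encrypting once a new key pair exists; the same file-by-file pass is what a sub-administrator with an OU specific DRA would run. The following is an added example, not part of the OIT document or an OIT tool. It assumes .NET 2.0 or later and PowerShell 2.0 or later, uses System.IO.File.Decrypt and System.IO.File.Encrypt (wrappers around the same Win32 calls the Explorer check box uses), and must be run in the DRA's account for the decrypt pass (the DRA private key has to be present on that machine) and in the user's account, after the new key pair is in place, for the re-encrypt pass. The function names and the profile path in the usage comments are this example's own.

```powershell
# Added example (not from the OIT document): find, decrypt (as the DRA) and later
# re-encrypt (as the user) the files OPTION 2 says must be handled one by one.
# Assumes .NET 2.0+ / PowerShell 2.0+; paths in comments are constructed.

function Find-EfsEncryptedFile {
    # Lists files under $Root that carry the NTFS Encrypted attribute.
    # -Force includes hidden/system files such as mail profiles under %appdata%.
    param([Parameter(Mandatory=$true)][string]$Root)
    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue | Where-Object {
        (-not $_.PSIsContainer) -and
        (($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -eq [System.IO.FileAttributes]::Encrypted)
    }
}

function Convert-EfsFiles {
    # $Action 'Decrypt': run as the DRA; every encrypted file under $Root is decrypted in place.
    # $Action 'Encrypt': run as the user once a new key pair exists; plaintext files are re-encrypted.
    # -WhatIf only reports what would be touched, which is the safe first pass.
    param(
        [Parameter(Mandatory=$true)][string]$Root,
        [Parameter(Mandatory=$true)][ValidateSet('Decrypt', 'Encrypt')][string]$Action,
        [switch]$WhatIf
    )
    $results = @{ Done = 0; Failed = @() }

    if ($Action -eq 'Decrypt') {
        $files = @(Find-EfsEncryptedFile -Root $Root)
    } else {
        $files = @(Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue | Where-Object {
            (-not $_.PSIsContainer) -and
            (($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne [System.IO.FileAttributes]::Encrypted)
        })
    }

    foreach ($f in $files) {
        if ($WhatIf) { Write-Host "Would $Action $($f.FullName)"; continue }
        try {
            if ($Action -eq 'Decrypt') { [System.IO.File]::Decrypt($f.FullName) }
            else                       { [System.IO.File]::Encrypt($f.FullName) }
            $results.Done += 1
        } catch {
            # On Decrypt the usual cause is that neither the user's nor a DRA private key
            # for this file is available in the current account; the file is left untouched.
            $results.Failed += $f.FullName
            Write-Warning "$Action failed for $($f.FullName): $($_.Exception.Message)"
        }
    }
    Write-Host ("{0}: {1} file(s) processed, {2} failed" -f $Action, $results.Done, $results.Failed.Count)
    return $results
}

# Usage (constructed path). First, as the DRA, preview and then decrypt:
#   Convert-EfsFiles -Root 'C:\Documents and Settings\jdoe' -Action Decrypt -WhatIf
#   $r = Convert-EfsFiles -Root 'C:\Documents and Settings\jdoe' -Action Decrypt
#   $r.Failed            # any file listed here still needs attention before the user's key is replaced
# Later, as the user with the new EFS key pair in place:
#   Convert-EfsFiles -Root 'C:\Documents and Settings\jdoe' -Action Encrypt
```

The `Failed` list matters more than the count: a file that could not be decrypted by the DRA is still only readable with the lost key, so it should be dealt with before the user's old certificate is removed. The re-encrypt pass deliberately encrypts every plaintext file under the root rather than only the ones just decrypted, because folders marked for encryption keep that attribute through the decrypt pass and any file dropped into them meanwhile is expected to be protected as well.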