Encrypting File System

from Wikipedia, the free encyclopedia

Encrypting File System (EFS) is a file-encryption facility for NTFS volumes on Windows NT-based operating systems such as Windows 2000, Windows XP, Windows Vista, Windows 7, Windows 8 and Windows 10.

This feature keeps file contents confidential even if third parties gain access to the files, for example through incorrectly configured or ineffective access rights or through theft of the storage medium, because the contents can only be decrypted with the appropriate key.

Functionality

When a file is encrypted with EFS, the system first generates a random key, the so-called File Encryption Key (FEK), and encrypts the file with it using the symmetric DES cipher or, from Windows XP SP1, AES. The FEK is then encrypted with the asymmetric RSA algorithm using the user's public key and is stored together with the file. To read the file, the FEK is decrypted with the user's private key, and the recovered FEK is used to restore the plaintext of the encrypted file.

Data recovery

Loss of the private key naturally means loss of the encrypted data. To counter this problem, the FEK can additionally be stored encrypted with the public key of another user. This user, the so-called Key Recovery Agent (KRA), is by default the administrator of the Windows installation in use (Windows 2000 only). From Windows XP onwards, a KRA has to be set up explicitly (cipher /R:EFS-RA). Other configurations are also possible: for example, a central key recovery agent can be set up for an entire Windows domain, or no key recovery agent can be configured at all.

Multi-user access to encrypted files

In the same way as for data recovery, the FEK can be stored encrypted with the public keys of several users, so that encrypted files can be shared on a network or on a computer with several user accounts.
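The three sections above describe one key-wrapping scheme: a random FEK protects the data, and one RSA-encrypted copy of the FEK is stored per authorised user (owner, additional users, recovery agent). The following Go program is an added illustration of that scheme and is neither Wikipedia's nor Microsoft's code; it assumes AES-GCM and RSA-OAEP as the concrete modes (the article names only DES/AES and RSA) and a simplified in-memory structure rather than the real EFS on-disk layout.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)
// Simplified model of an EFS-protected file (assumed, not the on-disk format): the body
// is encrypted under a random FEK, and one copy of the FEK is stored per authorised user.
type EncryptedFile struct {
	Nonce      []byte
	Body       []byte
	WrappedFEK map[string][]byte // user name -> FEK encrypted with that user's RSA public key
}
func newGCM(fek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(fek)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
// EncryptFile follows the EFS flow: fresh random FEK, symmetric encryption of the data,
// then one RSA encryption of the FEK per public key (owner, co-users and KRA alike).
func EncryptFile(plain []byte, users map[string]*rsa.PublicKey) (*EncryptedFile, error) {
	fek := make([]byte, 32) // 256-bit AES key; only ever stored in wrapped form
	if _, err := rand.Read(fek); err != nil { return nil, err }
	gcm, err := newGCM(fek)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	f := &EncryptedFile{Nonce: nonce, Body: gcm.Seal(nil, nonce, plain, nil), WrappedFEK: map[string][]byte{}}
	for name, pub := range users {
		c, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fek, nil)
		if err != nil { return nil, err }
		f.WrappedFEK[name] = c
	}
	return f, nil
}
// DecryptFile: only a holder of the private key matching a stored wrapper can recover
// the FEK; if no listed private key survives, the data is unrecoverable, as the text warns.
func DecryptFile(f *EncryptedFile, name string, priv *rsa.PrivateKey) ([]byte, error) {
	wrapped, ok := f.WrappedFEK[name]
	if !ok { return nil, rsa.ErrDecryption } // no FEK copy for this user
	fek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil { return nil, err } // wrong private key: OAEP check fails
	gcm, err := newGCM(fek)
	if err != nil { return nil, err }
	return gcm.Open(nil, f.Nonce, f.Body, nil)
}
```

Adding a user or a recovery agent later is just one more entry in WrappedFEK, produced by whoever currently holds the FEK; the file body itself is not re-encrypted.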
