Files can be encrypted simply by checking the encryption option in the file's Advanced Attributes dialog.
If a folder is encrypted, any new files created in that folder are encrypted automatically. Encrypted files look normal to the user who owns them.

Recovery Agents
Authorized security principals can decrypt a user's file if they are defined as a Recovery Agent. This is done in the following dialog, which is opened by pressing the Details button in the Advanced Attributes dialog shown above. The administrator is a recovery agent by default. The recovery agent can recover a file if the user account is deleted or if the decryption mechanism fails.
Encryption Techniques
There are two basic types of encryption technique: symmetric and asymmetric.

Symmetric Secret Key Encryption
An example of symmetric encryption is to shift the letters of the alphabet by some key, such as the number one. Decryption shifts the letters back by the same number one, as shown in the following diagram.
Asymmetric Public Key Encryption
Public key encryption is much more complex and uses two keys, a public key and a private key. The public key can be known by anyone because it does not decrypt the data.
Encrypted File System
EFS files are encrypted with a randomly generated symmetric key, the File Encryption Key (FEK). The FEK is encrypted with the user's public key and attached to the encrypted file as the Data Decryption Field (DDF). When a user accesses the file, the DDF is decrypted with the user's private key to produce the FEK, which then decrypts the ciphertext. In case of emergency the FEK is also encrypted with the public key of the recovery agent, so that the recovery agent can also produce the FEK if necessary.
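The key handling described in the Encryption Techniques and Encrypted File System sections, as an added illustration in Python (not part of the original page and not Windows code): a random FEK encrypts the file with a symmetric cipher, the FEK is wrapped with the owner's public key to form the DDF and with each recovery agent's public key to form a recovery field, and whichever matching private key is available unwraps it. Textbook RSA with small unpadded keys and an HMAC-SHA256 counter keystream are stand-ins for the real primitives; the record layout, the function names and the sample file contents are constructed for this example.

```python
# Toy model of the EFS key handling described above. Added illustration, not Windows code:
# textbook RSA with small unpadded keys and an HMAC-SHA256 keystream stand in for the real
# primitives, so this shows the structure (FEK, DDF, recovery field), not production crypto.
import hashlib
import hmac
import secrets

FEK_LEN = 32    # bytes of random File Encryption Key in this model
NONCE_LEN = 16
KEY_BITS = 512  # toy RSA modulus; real certificate keys are much larger

def _is_probable_prime(n, rounds=24):
    """Miller-Rabin probable-prime test; adequate for generating demo keys."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, full bit length
        if _is_probable_prime(cand):
            return cand

def generate_keypair(bits=KEY_BITS):
    """Return ((e, n), (d, n)): the public half wraps keys, the private half unwraps them."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        if p != q and (p - 1) % e and (q - 1) % e:  # gcd(e, phi) == 1
            break
    return (e, p * q), (pow(e, -1, (p - 1) * (q - 1)), p * q)  # inverse needs Python 3.8+

def wrap_key(public_key, key_bytes):
    """Encrypt a symmetric key under a public key; this is how a DDF or recovery field is built."""
    e, n = public_key
    m = int.from_bytes(key_bytes, "big")
    if m >= n:
        raise ValueError("key does not fit under this modulus")
    return pow(m, e, n)

def unwrap_key(private_key, wrapped):
    """Recover the key with the matching private key. A wrong key yields a random value that
    (with overwhelming probability) exceeds FEK_LEN bytes, which is reported as a failure."""
    d, n = private_key
    m = pow(wrapped, d, n)
    if m.bit_length() > FEK_LEN * 8:
        raise ValueError("unwrap failed: this private key does not match the field")
    return m.to_bytes(FEK_LEN, "big")

def _xor_stream(fek, nonce, data):
    """Counter-mode XOR with an HMAC-SHA256 keystream; the same call encrypts and decrypts."""
    stream = b"".join(hmac.new(fek, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

def efs_encrypt(plaintext, owner_public, recovery_publics):
    """One fresh FEK per file, wrapped once for the owner and once per enrolled recovery agent."""
    fek, nonce = secrets.token_bytes(FEK_LEN), secrets.token_bytes(NONCE_LEN)
    return {
        "ciphertext": nonce + _xor_stream(fek, nonce, plaintext),
        "ddf": wrap_key(owner_public, fek),                          # Data Decryption Field
        "recovery": [wrap_key(pk, fek) for pk in recovery_publics],  # one field per agent
    }

def efs_decrypt(record, private_key, recovery_index=None):
    """Owner path unwraps the DDF; a recovery agent unwraps its own field. Same FEK either way."""
    wrapped = record["ddf"] if recovery_index is None else record["recovery"][recovery_index]
    fek = unwrap_key(private_key, wrapped)
    blob = record["ciphertext"]
    return _xor_stream(fek, blob[:NONCE_LEN], blob[NONCE_LEN:])

def demo():
    """Owner, enrolled recovery agent, and an unrelated key holder each try to read one file."""
    owner_pub, owner_priv = generate_keypair()
    agent_pub, agent_priv = generate_keypair()
    _, outsider_priv = generate_keypair()
    plaintext = b"constructed sample file contents: Q3 payroll figures"
    record = efs_encrypt(plaintext, owner_pub, [agent_pub])
    results = {
        "owner": efs_decrypt(record, owner_priv) == plaintext,
        "recovery_agent": efs_decrypt(record, agent_priv, recovery_index=0) == plaintext,
    }
    try:
        results["outsider"] = efs_decrypt(record, outsider_priv) == plaintext
    except ValueError:
        results["outsider"] = False
    return results

if __name__ == "__main__":
    print(demo())  # {'owner': True, 'recovery_agent': True, 'outsider': False}
```

Running it shows the owner and the enrolled recovery agent recovering identical plaintext from the same ciphertext through different wrapped copies of the one FEK, while a private key that was never enrolled fails at the unwrap step and never reaches the file contents. The model also makes the trust consequence of the recovery-agent design plain: whoever holds a recovery agent's private key can open every file that carries a field for that agent, so that key needs at least the protection given to the user's own private key.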