Microsoft KB Archive/288183

= Plain-Text Version of Encrypted Files May Exist on Disk =

PSS ID Number: 288183

Article Last Modified on 11/20/2003

-

The information in this article applies to:


 * Microsoft Windows 2000 Server SP1
 * Microsoft Windows 2000 Advanced Server SP1
 * Microsoft Windows 2000 Professional SP1

-



This article was previously published under Q288183



SUMMARY
When you use the Encrypting File System (EFS) in Windows 2000, always create files that must be encrypted in folders that already have the encrypted attribute set, rather than creating plain-text files and encrypting them afterwards. Otherwise a plain-text copy of each file is written to disk before encryption takes place, and the sectors that held that copy can remain recoverable after the file itself is encrypted.

For many programs it is appropriate to set the encrypted attribute on the My Documents folder and to save new documents there if they are to be encrypted. Also turn on encryption for any folders that programs use to store temporary files (autosave copies, scratch files, and so on), so that those temporary files are encrypted as well rather than left in plain text.



MORE INFORMATION
When you delete a file on a partition that uses the NTFS file system, the sectors on which that file's data resides are not erased. Instead, these sectors are marked as "reusable" by the file system, but the data in the sectors is not overwritten. Therefore, it is possible to recover data from a deleted file until the sectors on which that data resides are reused by the file system.

If plain-text files on an NTFS partition are later encrypted, someone may be able to recover a plain-text version of the file. Plain-text copies exist before encryption, and additional copies can be left behind by program behaviour (for example, temporary or autosave files) or by tools such as Disk Defragmenter, which moves file data to new sectors and leaves the old sectors unerased. Also, when EFS encrypts a file, it creates a backup copy of the plain-text file during the encryption process. After the file is encrypted, both the original plain-text file and the backup copy are deleted. As described earlier, the disk sectors holding these files' data are not erased until the file system reuses those sectors.

Until the disk sectors that held the plain-text versions of the newly encrypted file are reused, it may be possible to use a disk-editing tool that reads raw sectors to find a plain-text version of the encrypted file. Note that in Windows 2000, reading raw sectors requires either administrative permissions on the computer, or physical access so that the partition can be mounted in a different operating system. Both are within the threat model EFS is meant to address (an attacker who obtains the disk), so plain-text remnants undermine the protection EFS provides. Overwriting the free space on the volume removes these remnants; service packs released after Windows 2000 SP1, and Windows XP, added the cipher.exe /W switch for this purpose.
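The following PowerShell script is an added illustration, not part of the original article, of the safe ordering recommended in the SUMMARY (encrypt the folder first, then create files in it) and the unsafe ordering described above (write plain text, encrypt afterwards). It targets a current Windows version with EFS on an NTFS volume, since Windows 2000 predates PowerShell; the NTFS and EFS behaviour it demonstrates is the same. The folder and file paths and the sample file contents are assumptions made for the example.

```powershell
# Added example, not from the KB article. Assumes a current Windows build with
# EFS available on an NTFS volume; all paths and file contents below are
# assumptions chosen for illustration.

function Test-EfsEncrypted {
    # Returns $true when the file or folder carries the NTFS encrypted attribute.
    param([Parameter(Mandatory)][string]$Path)
    $attr = (Get-Item -LiteralPath $Path -Force).Attributes
    return (($attr -band [System.IO.FileAttributes]::Encrypted) -ne 0)
}

# --- Recommended: set the encrypted attribute on the folder, then create files ---
$secureDir = Join-Path $env:USERPROFILE 'SecureDocs'     # assumed folder
New-Item -ItemType Directory -Path $secureDir -Force | Out-Null
cipher.exe /E $secureDir | Out-Null                      # encrypted attribute on the folder

$good = Join-Path $secureDir 'secret.txt'
Set-Content -LiteralPath $good -Value 'constructed sample secret'   # constructed data
# A file created inside an encrypted folder is encrypted from its first write,
# so no plain-text copy of its data ever reaches the disk.
"{0}: encrypted at creation = {1}" -f $good, (Test-EfsEncrypted $good)

# --- What the article warns against: plain text first, encrypt afterwards ---
$bad = Join-Path $env:TEMP 'secret-plain.txt'            # assumed path in an unencrypted folder
Set-Content -LiteralPath $bad -Value 'constructed sample secret'
"{0}: encrypted before cipher /E = {1}" -f $bad, (Test-EfsEncrypted $bad)
# At this point the file's clusters hold plain text.
cipher.exe /E /A $bad | Out-Null                         # /A: operate on the file itself
"{0}: encrypted after cipher /E = {1}" -f $bad, (Test-EfsEncrypted $bad)
# The attribute is now set, but the clusters that held the plain-text copy, and
# the backup copy EFS made while encrypting, are only marked free, not wiped.

# --- Hardening from the SUMMARY: encrypt folders that programs use for temp files ---
# cipher.exe /E $env:TEMP | Out-Null    # apply after confirming your programs tolerate it

# --- Remnant cleanup: overwrite free space on the volume that holds $secureDir ---
# cipher /W is not present on Windows 2000 SP1 (it arrived in a later service
# pack and in Windows XP). It is slow on large volumes; run it after encrypting
# files that previously existed in plain text.
cipher.exe "/W:$secureDir" | Out-Null
```

Run the script from an interactive, non-elevated session on a machine where EFS is enabled; the two status lines for the second file show the encrypted attribute flipping from False to True, which is exactly the transition after which plain-text remnants can still be found in unallocated sectors until `cipher /W` (or ordinary reuse of the sectors) overwrites them.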

