Microsoft KB Archive/324897

From BetaArchive Wiki

PSS ID Number: 324897

Article Last Modified on 10/30/2003

The information in this article applies to:

  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Standard Edition

This article was previously published under Q324897

SUMMARY

This article describes how to manage Encrypting File System (EFS) in a Windows Server 2003 Enterprise Server environment. When you use EFS, you can store data securely because EFS encrypts data in selected NTFS file system files and folders.

Because EFS is integrated with the file system, it is easy to manage, difficult to attack, and transparent to the user. EFS is particularly useful for securing data on computers that may be vulnerable to theft, such as mobile computers.

You cannot encrypt or decrypt files and folders on FAT volumes. Additionally, EFS is designed to store data securely on local computers. As such, it does not support the secure transmission of files over a network. You can use other technologies, such as Internet Protocol Security (IPSec), in conjunction with EFS to provide a larger solution.

Encrypt or Decrypt Files

Encrypt a File or Folder

  1. Click Start, point to All Programs, point to Accessories, and then click Windows Explorer.
  2. Right-click the file or the folder that you want to encrypt, and then click Properties.
  3. On the General tab, click Advanced.
  4. Click to select the Encrypt contents to secure data check box.

NOTES:

  • You can only encrypt files and folders on NTFS volumes. You cannot encrypt files or folders that are compressed. If you encrypt a compressed file or folder, that file or folder will become uncompressed. You cannot encrypt files that are either marked with the System attribute or files that are in the SystemRoot folder.
  • When you encrypt a single file, you are asked if you want to encrypt the folder that contains it. If you do so, all files and subfolders that are added to the folder in the future are encrypted when they are added.
  • When you encrypt a folder, you are asked if you want all files and subfolders within the folder to be encrypted as well. If you do so, all files and subfolders that are currently in the folder are encrypted and any files and subfolders that are added to the folder in the future are also encrypted. If you choose to encrypt the folder only, all files and subfolders that are currently in the folder are not encrypted. However, any files and subfolders that are added to the folder in the future are encrypted when they are added.

Decrypt a File or Folder

  1. Click Start, point to All Programs, point to Accessories, and then click Windows Explorer.
  2. Right-click the encrypted file or folder, and then click Properties.
  3. On the General tab, click Advanced.
  4. Clear the Encrypt contents to secure data check box.

NOTE: When you decrypt a folder, you are asked if you want all of the files and subfolders in the folder to be decrypted. If you choose to decrypt the folder only, the encrypted files and folders in the decrypted folder remain encrypted. However, new files and folders that you create in the decrypted folder are not automatically encrypted.
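The encrypt and decrypt procedures above, done with cipher.exe instead of the Properties dialog so the result can be checked. This is an added example, not part of KB 324897; C:\Data\Private is a constructed path on an NTFS volume, and the sample files are constructed too.

```batch
@echo off
setlocal

REM Added example, not part of KB 324897: the same encrypt/decrypt steps as the
REM GUI procedures above, done with cipher.exe so the state can be verified.
REM DATADIR is a constructed path; it must be on an NTFS volume and is kept
REM free of spaces so it can be passed to /s: without quoting.
set "DATADIR=C:\Data\Private"

if not exist "%DATADIR%" mkdir "%DATADIR%"
echo existing file (constructed sample) > "%DATADIR%\before.txt"

REM 1. Encrypt the folder, its subfolders (/s:) and the files in them (/a).
REM    Encrypting the folder rather than single files means temporary files
REM    that programs create there are encrypted as well (see the notes above).
cipher /e /a /s:%DATADIR% >nul || (echo cipher /e failed & exit /b 1)

REM 2. A file added after the folder was encrypted inherits encryption.
echo added later (constructed sample) > "%DATADIR%\after.txt"

REM 3. Verify: cipher lists each entry prefixed with E (encrypted) or U (not).
echo State after encrypting the folder:
cipher "%DATADIR%\*"
cipher "%DATADIR%\*" | findstr /B /C:"U " >nul && (
    echo WARNING: some entries in %DATADIR% are still unencrypted & exit /b 1
)

REM 4. Decrypt only the folder (no /s:, no /a). As the note above says, the
REM    files already inside stay encrypted; only files created from now on
REM    stop inheriting encryption.
cipher /d "%DATADIR%" >nul
echo created after the folder was decrypted (constructed sample) > "%DATADIR%\plain.txt"
echo State after decrypting the folder only (before/after stay E, plain is U):
cipher "%DATADIR%\*"

REM 5. To decrypt the folder and everything in it, use the recursive form:
REM    cipher /d /a /s:%DATADIR%
endlocal
```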

Configure a Remote Server for File Encryption

  1. Click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.
  2. Locate and then right-click the remote server name, and then click Properties.
  3. Click Delegation.

NOTE: You only see this tab if your domain is running in Windows Server 2003 native mode.

  4. Click Trust this computer for delegation to any service (Kerberos only).

NOTES:

  • To perform this procedure, you must be a member of the Administrators group on the local computer. If the computer is joined to a domain, members of the Domain Admins group may be able to perform this procedure. As a security best practice, you may want to use the run as command to perform this procedure.
  • If you are not running your domain in Windows Server 2003 native mode, make sure that the Trust computer for delegation check box on the General tab is selected.
  • When you encrypt files on a WebDAV server, the computer does not have to be trusted for delegation.
  • You cannot configure a computer in another forest for encryption, even if a trust relationship is established.

Encrypt a File or Folder on a Remote Computer

  1. Click Start, point to All Programs, point to Accessories, and then click Windows Explorer.
  2. On the Tools menu, click Map Network Drive, and then follow the instructions in the Map Network Drive dialog box.
  3. Right-click the file or the folder that you want to encrypt, and then click Properties.
  4. On the General tab, click Advanced.
  5. Click to select the Encrypt contents to secure data check box.

NOTES:

  • You can only encrypt files and folders on NTFS volumes. You cannot encrypt files or folders that are compressed. If you encrypt a compressed file or folder, that file or folder will become uncompressed. You cannot encrypt files that are either marked with the System attribute or files that are in the SystemRoot folder.
  • By default, remote encryption is not configured in a domain environment. To configure encryption for a specific computer, your network administrator can make that computer trusted for delegation. For more information, ask your network administrator.
  • When you encrypt a folder, you are asked if you want all files and subfolders in the folder to be encrypted. If you choose to do so, all future files and subfolders that are added to the folder are automatically encrypted.
  • Programs that create temporary work files can compromise file encryption security. When you work with these kinds of programs, encrypt the folder instead of the individual files.

Copy or Move Encrypted Files or Folders

Copy an Encrypted File or Folder

  1. Click Start, point to All Programs, point to Accessories, and then click Windows Explorer.
  2. Click the encrypted file or folder that you want to copy.
  3. On the Edit menu, click Copy.
  4. Open the folder or the disk where you want to store the copy.
  5. On the Edit menu, click Paste.

NOTE: An encrypted file or folder is decrypted if you copy it to a volume that is not an NTFS volume. The exception to this is when you are copying to a WebDAV folder on a server.

Move an Encrypted File or Folder

  1. Click Start, point to All Programs, point to Accessories, and then click Windows Explorer.
  2. Click the encrypted file or folder that you want to move.
  3. On the Edit menu, click Cut.
  4. Open the folder where you want to move the file or folder.
  5. On the Edit menu, click Paste.

NOTE: An encrypted file or folder is decrypted if you move it to a volume that is not an NTFS volume.

Recover Files or Folders

Recover an Encrypted File or Folder as a Designated Recovery Agent

You can use Backup (or another backup tool) to restore a user's backup version of the encrypted file or folder to the computer where your file recovery certificate and recovery key are located.

  1. Click Start, point to All Programs, point to Accessories, and then click Windows Explorer.
  2. Right-click the file or the folder, and then click Properties.
  3. On the General tab, click Advanced.
  4. Click to clear the Encrypt contents to secure data check box.
  5. Make a backup version of the decrypted file or folder, and then return the backup version to the user.

NOTE: You can return the backup version of the decrypted file or folder to the user as an e-mail attachment, on a floppy disk, or on a network share.

As another way to recover an encrypted folder, you can physically transport the recovery agent's private key and certificate, import the private key and certificate, decrypt the file or folder, and then delete the imported private key and certificate. This procedure exposes the private key more than the procedure that is described in this section, but it does not require any backup or restore operations or file transportation.

If you are the recovery agent, use the export command from Certificates in Microsoft Management Console (MMC) to export the file recovery certificate and private key to a floppy disk. Keep the floppy disk in a secure location. If the file recovery certificate or private key on your computer is damaged or deleted, you can use the import command from Certificates in MMC to replace the damaged or deleted certificate and the private key with the ones that you have backed up on the floppy disk.

Recover an Encrypted File or Folder Without Using the File Encryption Certificate

  1. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click Backup.
  2. Use Backup to make a copy of the file in case of loss or damage.
  3. Send the original encrypted file to the designated recovery agent.
  4. Have the recovery agent use their recovery certificate and private key to decrypt the file.
  5. Have the recovery agent send the decrypted file back to you by using any file transfer method that they choose.

NOTES:

  • There is no default recovery agent on a local computer unless the computer is in an Active Directory domain environment. In an Active Directory domain environment, the administrator that initially logged on to the first domain controller is the default recovery agent.
  • You can use many methods to send the file to the designated recovery agent, including backing up the file to tape or floppy disk.
  • Files that are backed up by using Backup or any other backup tool retain their encryption while they are in their backup storage location. You can decrypt or modify the original files without affecting the encrypted state of the backup copies.
  • You can recover an encrypted file or folder yourself if you have kept a backup copy of your file encryption certificate and private key in a .pfx file format on a floppy disk. Use the import command from Certificates in Microsoft Management Console (MMC) to import the .pfx file from the floppy disk into the Personal store.

Back Up Default Recovery Keys to a Floppy Disk

  1. Click Start, click Run, type mmc, and then click OK.
  2. On the File menu, click Add/Remove Snap-in, and then click Add.
  3. Under Add Standalone Snap-in, click Certificates, and then click Add.
  4. Click My user account, and then click Finish.
  5. Click Close, and then click OK.
  6. Double-click Certificates - Current User, double-click Personal, and then double-click Certificates.
  7. Click the certificate that displays the words "File Recovery" in the Intended Purposes column.
  8. Right-click the certificate, point to All Tasks, and then click Export.
  9. Follow the instructions in the Certificate Export Wizard to export the certificate and the associated private key to a .pfx file format.

NOTE: This operation must be performed by the recovery agent account that has the recovery certificate and private key in its private store. In a home or non-domain environment, there is no default recovery agent. Before you make any changes to the default recovery policy, make sure to secure the default recovery private key. The default recovery keys in a domain are stored on the first domain controller for the domain. The domain administrator is the default recovery agent.

Add a Recovery Agent for the Local Computer

  1. Click Start, click Run, type mmc, and then click OK.
  2. On the File menu, click Add/Remove Snap-in, and then click Add.
  3. Under Add Standalone Snap-in, click Group Policy Object Editor, and then click Add.
  4. Under Group Policy Object, make sure that Local Computer is displayed, and then click Finish.
  5. Click Close, and then click OK.
  6. In Local Computer Policy, go to the following location, and then click Public Key Policies:

    Local Computer Policy/Computer Configuration/Windows Settings/Security Settings/Public Key Policies

  7. In the details pane, right-click Encrypting File System.
  8. Click Add Data Recovery Agent, and then follow the instructions in the Add Recovery Agent Wizard.

    Be prepared to provide the wizard with the user name for a user that has a published recovery certificate. Alternatively, you can use the wizard to browse for .cer files that contain information about the recovery agent that you are adding.

NOTES:

  • To perform this procedure, you must be a member of the Administrators group on the local computer. If the computer is joined to a domain, members of the Domain Admins group may be able to perform this procedure. As a security best practice, you may want to use the run as command to perform this procedure.
  • If you add a recovery agent from a file, the user is identified as USER_UNKNOWN. This is because the name is not stored in the file.
  • Before you can add or create a recovery agent, you must configure Group Policy on your computer.

Change the Recovery Policy for the Local Computer

  1. Click Start, click Run, type mmc, and then click OK.
  2. On the File menu, click Add/Remove Snap-in, and then click Add.
  3. Under Add Standalone Snap-in, click Group Policy Object Editor, and then click Add.
  4. Under Group Policy Object, make sure that Local Computer is displayed, and then click Finish.
  5. Click Close, and then click OK.
  6. In Local Computer Policy, go to the following location, and then click Public Key Policies:

    Local Computer Policy/Computer Configuration/Windows Settings/Security Settings/Public Key Policies

  7. Right-click Encrypting File System, and then do one of the following tasks:
    • To designate a user as an additional recovery agent by using the Add Recovery Agent Wizard, click Add Data Recovery Agent.
    • To allow EFS to work without recovery agents, click All Tasks and then click Do Not Require Data Recovery Agents.
    • To delete this EFS policy and every recovery agent, click All Tasks, and then click Delete Policy. If you do so, users can still encrypt files on this computer. Note that this setting does not appear unless an EFS policy exists on the computer.

IMPORTANT: Before you change the recovery policy in any way, Microsoft recommends that you back up the recovery keys to a floppy disk first.

NOTES:

  • To perform this procedure, you must be a member of the Administrators group on the local computer. If the computer is joined to a domain, members of the Domain Admins group may be able to perform this procedure. As a security best practice, you may want to use the run as command to perform this procedure.
  • A standalone computer does not have a default recovery agent. To create a file recovery certificate, run cipher.exe /r. You can use the Add Data Recovery Agent setting to import this certificate into the EFS policy. For additional information about switches that you can use with Cipher.exe, type cipher /? at a command prompt or search the Help files for "cipher."
  • To make changes to the File Recovery certificate, right-click the certificate, and then click Properties. For example, you can give the certificate a friendly name, and then type a text description.
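The standalone-computer case from the note above (create a recovery certificate with cipher /r, then import the .cer through Add Data Recovery Agent as described in the "Add a Recovery Agent for the Local Computer" procedure), with the private key moved off the computer and existing encrypted files refreshed afterwards. This is an added example, not part of KB 324897; the name EFSRA, the work folder and the A: floppy drive are constructed assumptions.

```batch
@echo off
setlocal

REM Added example, not part of KB 324897: create the file recovery certificate
REM for a standalone computer with cipher /r, keep its private key off the
REM machine, and refresh existing encrypted files once the new agent is in the
REM EFS policy. NAME, WORK and the A: drive are constructed assumptions.
set "NAME=EFSRA"
set "WORK=%USERPROFILE%\efs-recovery"

if not exist "%WORK%" mkdir "%WORK%"
cd /d "%WORK%"

REM 1. cipher /r:<name> writes <name>.cer (the public certificate, which goes
REM    into the EFS policy) and <name>.pfx (certificate plus private key) and
REM    prompts for a password that protects the .pfx.
cipher /r:%NAME% || (echo cipher /r failed & exit /b 1)

REM 2. The .pfx is the recovery private key. Move it to removable media and
REM    keep it in a secure location, as the KB says for a floppy disk; a
REM    recovery key left on the computer gives no separation from the users
REM    whose files it can decrypt.
if exist A:\ (
    move /y "%NAME%.pfx" A:\ >nul && echo Private key moved to A:\%NAME%.pfx
) else (
    echo WARNING: no A: drive. Move %NAME%.pfx off this computer before continuing.
)

REM 3. Add the .cer as a data recovery agent through the Group Policy
REM    procedure above (Add Data Recovery Agent, browse for the .cer file).
REM    The agent is listed as USER_UNKNOWN because the .cer carries no user name.
echo Add "%WORK%\%NAME%.cer" through Add Data Recovery Agent, then press a key.
pause >nul

REM 4. Files encrypted before the policy change do not carry the new agent
REM    until they are touched. cipher /u rewrites the recovery field of every
REM    encrypted file on local drives to match the current policy.
cipher /u

endlocal
```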

Add a Recovery Agent for a Domain

  1. Click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.
  2. Right-click the domain whose recovery policy you want to change, and then click Properties.
  3. Click the Group Policy tab.
  4. Right-click the recovery policy you want to change, and then click Edit.
  5. In the console tree, go to the following location, and then click Encrypting File System:

    Computer Configuration/Windows Settings/Security Settings/Public Key Policies/Encrypting File System

  6. In the details pane, right-click, and then click Add Data Recovery Agent.
  7. Follow the instructions of the wizard to complete this procedure.

NOTES:

  • To perform this procedure, you must be a member of the Administrators group on the local computer. If the computer is joined to a domain, members of the Domain Admins group may be able to perform this procedure. As a security best practice, you may want to use the run as command to perform this procedure.
  • You can perform this operation on any sites, domains, or organizational units in an Active Directory forest.
  • If you add a recovery agent from a file, the user is identified as USER_UNKNOWN. This is because the name is not stored in the file.
  • If you add a recovery agent from Active Directory, File Recovery certificates must be published in Active Directory. However, the default EFS File Recovery certificate template does not publish these certificates. To change this behavior, copy the default EFS File Recovery certificate template to create a new template, and then configure the Publish certificate in Active Directory setting.
  • Before you can add or create a recovery agent, you must configure Group Policy on your computer.

Create a Recovery Policy for a Domain

  1. Click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.
  2. Right-click the domain whose recovery policy you want to change, and then click Properties.
  3. Click the Group Policy tab.
  4. Right-click the recovery policy that you want to change, and then click Edit.
  5. In the console tree, go to the following location:

    Computer Configuration/Windows Settings/Security Settings/Public Key Policies/Encrypting File System

  6. Right-click Encrypting File System, and then either click Create Data Recovery Agent to create a certificate to use as the EFS recovery certificate or click Add Data Recovery Agent if you want to use an existing certificate.
  7. If you click Add Data Recovery Agent, follow the instructions of the wizard to complete this procedure.

IMPORTANT: Before you change the recovery policy in any way, Microsoft recommends that you back up the recovery keys to a floppy disk first.

NOTES:

  • To perform this procedure, you must be a member of the Administrators group on the local computer. If the computer is joined to a domain, members of the Domain Admins group may be able to perform this procedure. As a security best practice, you may want to use the run as command to perform this procedure.
  • In a domain, a default recovery policy is implemented for the domain when the first domain controller is set up. The first domain administrator is issued the self-signed certificate, which designates the domain administrator as the recovery agent. To change the default recovery policy for a domain, log on to the first domain controller as an administrator.

    If you click Add Data Recovery Agent during this procedure, the domain controller contacts a Windows Server 2003 certification authority (CA) to request a certificate based on the EFS Recovery Agent certificate template. If this template is unavailable or if it does not allow you to obtain a certificate, you receive the following message:

    Windows cannot create a data recovery agent.

Configure the Domain So That It Does Not Require a Recovery Agent

  1. Click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.
  2. Right-click the domain whose recovery policy you want to change, and then click Properties.
  3. Click the Group Policy tab.
  4. Right-click the recovery policy that you want to change, and then click Edit.
  5. In the console tree, go to the following location, and then click Encrypting File System:

    Computer Configuration/Windows Settings/Security Settings/Public Key Policies/Encrypting File System

  6. Right-click Encrypting File System, click All Tasks, and then click Do Not Require Data Recovery Agents.

NOTES:

  • To perform this procedure, you must be a member of the Administrators group on the local computer. If the computer is joined to a domain, members of the Domain Admins group may be able to perform this procedure. As a security best practice, you may want to use the run as command to perform this procedure.
  • You can perform this operation on any sites, domains, or organizational units in an Active Directory forest.
  • If the EFS policy is currently defined, you must select Delete Policy before you can perform this procedure.
  • This procedure allows EFS to continue working without using recovery agents.

Turn Off EFS for the Local Computer

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS

  3. Click Edit, point to New, and then click DWORD Value.
  4. Type EfsConfiguration in the Value name box, and then press ENTER.
  5. Double-click the EfsConfiguration value that you just created, and then type 1 in the Value data box.
  6. Click OK, and then close Registry Editor.
  7. Restart the computer.

Turn Off EFS for a Domain

  1. Click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.
  2. Right-click the domain whose recovery policy you want to change, and then click Properties.
  3. Click the Group Policy tab.
  4. Right-click the recovery policy you want to change, and then click Edit.
  5. In the console tree, go to the following location:

    Computer Configuration/Windows Settings/Security Settings/Public Key Policies/Encrypting File System

  6. Right-click Encrypting File System, and then click Properties.
  7. Click to clear the Allow users to encrypt files using Encrypting File System (EFS) check box.

NOTES:

  • To perform this procedure, you must be a member of the Administrators group on the local computer. If the computer is joined to a domain, members of the Domain Admins group may be able to perform this procedure. As a security best practice, you may want to use the run as command to perform this procedure.
  • You can perform this procedure on any sites, domains, or organizational units in an Active Directory forest.
  • This procedure completely turns off EFS.

Add Users to or Remove Users from a File or Folder

  1. Click Start, point to All Programs, point to Accessories, and then click Windows Explorer.
  2. Right-click the encrypted file or folder that you want to change, and then click Properties.
  3. On the General tab, click Advanced.
  4. Click Details.

NOTE: The Details button does not appear at the time that you encrypt a file; you must close and then reopen the Advanced Attributes dialog box to see the button.

  5. To add a user to this file or folder, click Add, and then perform one of the following tasks:
    • To add a user whose certificate is on this computer, click the certificate, and then click OK.
    • To view a certificate on this computer before you add it to the file, click the certificate, and then click View Certificate.
    • To add a user from Active Directory, click Find User, click the user in the list, and then click OK.
  6. To remove a user from this file or folder, click the user name, and then click Remove.

NOTE: You cannot add groups to file encryption access. All users who are added to the file must have a certificate that is located on the computer. All of the users who can decrypt the file must also have access to read the file. You must set NTFS permissions correctly to allow this access. If a user is denied access through NTFS permissions, they cannot read the encrypted file and cannot decrypt the data.

Back Up an EFS Certificate with the Private Key

  1. Click Start, click Run, type certmgr.msc, and then click OK.
  2. In the console tree, go to the following location, and then click Certificates:

    Certificates - Current User/Personal/Certificates

  3. In the details pane, click the certificate that has "Encrypting File System" listed in the Intended Purposes column.
  4. On the Action menu, point to All Tasks, and then click Export.
  5. In the Certificate Export Wizard, click Next, and then click Yes, export the private key.

    NOTE: This option appears only if the private key is marked as exportable and if you have access to the private key.
  6. Under Export File Format, make sure that the Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above) check box is selected, and then click Next.
  7. In the Password box, type a password to encrypt the private key that you are exporting, type the same password in the Confirm password box, and then click Next.
  8. In the File name box, type a file name and a path for the PKCS #12 file that will store the exported certificate and private key, click Next, and then click Finish.

NOTES:

  • If more than one certificate has an intended purpose of EFS, back up each certificate individually. If you do so, you can make sure that all encrypted files can be accessed when they must be.
  • By default, strong protection (also known as iteration count) is configured in the Certificate Export Wizard when you export a certificate with its associated private key.
  • Strong protection is not compatible with older programs, so you must clear the Enable strong protection check box if you are going to use the private key with any browser earlier than Microsoft Internet Explorer 5.0.

REFERENCES

For additional information about EFS, click the article numbers below to view the articles in the Microsoft Knowledge Base:

223316 Best Practices for Encrypting File System
255742 Methods for Recovering Encrypted Data Files
242296 How to Restore an EFS Private Key for Encrypted Data Recovery
259732 EFS Recovery Agent Cannot Export Private Keys
241201 HOW TO: Back Up the Recovery Agent EFS Private Key
243026 Using Efsinfo.exe to Determine Information About Encrypted Files

Additional query words: kbsecurity kbfileprntsvc kbmgmtsvc

Keywords: kbStorageMgmt kbfile kbHOWTOmaster KB324897
Technology: kbWinServ2003Ent kbWinServ2003EntSearch kbWinServ2003Search kbWinServ2003St