Encrypting File System (EFS). Two Stages of EFS Management

  • Date: 14.01.2022

The Encrypting File System (EFS) is a powerful option for protecting data stored on Windows computers. EFS is free and included with every Windows operating system since Windows 2000. Technology advances everywhere, and EFS is no exception: it has become much easier to use EFS across most of your storage environment. However, you may not need EFS everywhere, so you need to define the boundaries and control where such a file system may be used. Group Policy is the natural tool for managing EFS in this way.

Two Stages of EFS Management

EFS has two levels of configuration. The first level is set at the computer level and determines whether EFS is supported and available at all. The second level is the level of folders and files, where the actual data encryption takes place.

Windows 2000 (Server and Professional), Windows XP Professional, Windows Server 2003, Windows Vista, and Windows Server 2008 all support encryption of data stored on the computer. By default, all of these systems allow data encryption with EFS. Of course, this can also be a drawback, since for logistical reasons some data or some computers should not be encrypting data at all.

The logistics I am talking about here is the question of which users are allowed to encrypt data. Since all computers support data encryption by default, and every user can encrypt data, both data on the local computer and data shared on the network can be encrypted. Figure 1 shows the option under which data can be encrypted on a Windows XP Professional computer.

Figure 1: Data encryption is a property of the file or folder

To reach the encryption option shown in Figure 1, right-click the file or folder you want to encrypt and choose "Properties" from the context menu. Then click the "Advanced" button in the properties dialog box, which opens the "Additional Attributes" dialog box.

Controlling EFS Support for Active Directory Domain Computers

When a computer is joined to an Active Directory domain, EFS support can no longer be controlled on the computer itself. Instead, this capability is controlled by the Default Domain Policy stored in Active Directory. All computers that are members of a Windows Active Directory domain support EFS simply by being members of it.

Note that Windows 2000 domains manage this configuration in the default domain policy differently than Windows Server 2003 and Windows Server 2008 domains.

Windows 2000 domain control over EFS

Windows 2000 computers support EFS slightly differently from later operating systems, so the EFS setting in the Default Domain Policy is different for them. For Windows 2000, enabling and disabling EFS is based on the EFS data recovery agent certificate included in the Default Domain Policy. By default, the Administrator account holds this certificate and is configured as the data recovery agent. If there is no data recovery certificate, EFS does not work.

To reach this setting in the Default Domain Policy, follow this path when editing the GPO in the Group Policy Editor:

Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypted Data Recovery Agents

At this location, you will see the EFS File Encryption Certificate for the administrator, as shown in Figure 2.

Figure 2: Windows 2000 domains display the EFS file encryption certificate as username, for example "Administrator"

This setting is what gives all computers the ability to encrypt files. To disable this feature, simply remove the Administrator's certificate from the GPO. If you then decide to enable the feature on a limited number of computers in Active Directory, follow these steps:

  1. Create a new GPO and link it to an organizational unit containing all computers that need file encryption support.
  2. Open the "Encrypted Data Recovery Agents" node in the GPO and add a certificate that supports EFS data recovery.

This will give computers covered by the GPO the ability to use EFS for data stored on those computers.

Windows 2003 and 2008 domain control over EFS

Newer domains and operating systems (everything that came out after Windows 2000) support EFS in much the same way, but have their own specific differences.

  1. Data encryption on computers later than Windows 2000 does not require any data recovery agents.
  2. EFS is not controlled by including the data recovery agent certificate in the GPO.
  3. EFS supports multiple user access to encrypted files.

Thus, for Windows 2003 and 2008 domains, you need a different set of steps to control EFS on member computers. However, the setting is still in the Default Domain Policy, under the following path:

Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypting File System

Now, instead of adding or removing a data recovery agent certificate, right-click the Encrypting File System node. From the context menu that appears, select Properties. In a Windows 2003 domain you will see an option that says "Allow users to encrypt files using the Encrypting File System (EFS)". Windows Server 2008 domains have radically changed the interface, providing rich control over EFS on this property page, as shown in Figure 3.

Figure 3: Windows Server 2008 provides comprehensive control over EFS

Note that on the General tab there is a radio button called "Don't allow". This setting can be used to disable EFS support on all computers in the domain. Also note that many other EFS control options are available in this dialog box.

You can also restrict EFS to specific computers in a domain by following the steps outlined in the Windows 2000 domain section above.

Conclusion

EFS is a very powerful and useful option. It encrypts data stored on Windows computers, protecting it from users or attackers who manage to access the files but are unable to decrypt them. EFS is a two-step process: first, EFS must be enabled on the computer. This option is controlled through Group Policy, or by the domain policy once the computer is joined to a domain, so administrators can enable or disable EFS on any domain computer using a GPO setting. If you disable EFS for all computers and then create and configure a new GPO for a subset of them, only those computers will be able to use EFS.

Laboratory work


Lab No. 5

Encrypting file system EFS and certificate management

Goals

  • Familiarize yourself with the capabilities of the Encrypting File System (EFS) in the Windows 2000 (XP) operating system.
  • Learn the sequence of operations for encrypting and decrypting files using EFS in Windows 2000 (XP).
  • Acquire practical skills in protecting information from unauthorized access.

Brief theoretical information

The Encrypting File System (EFS) allows users to store data on disk in encrypted form.

Encryption is the process of converting data into a format that is not readable by other users. Once a file has been encrypted, it automatically remains encrypted wherever it is stored on the disk.

Decryption is the process of converting data from an encrypted form to its original format.

When using the Encrypting File System EFS the following information and recommendations should be considered.

  1. Only files and folders located on NTFS volumes can be encrypted.
  2. Compressed files and folders cannot be encrypted. If encryption is performed on a compressed file or folder, the file or folder is converted to an uncompressed state.
  3. Encrypted files can become decrypted if the file is copied or moved to a non-NTFS volume.
  4. When you move unencrypted files to an encrypted folder, they are automatically encrypted in the new folder. However, the reverse operation will not automatically decrypt the files. Files must be explicitly decrypted.
  5. Files with the "System" attribute and files in the folder structure of the system root directory cannot be encrypted.
  6. Encrypting a folder or file does not protect it from deletion. Any user with delete rights can delete encrypted folders or files.
  7. The encryption process is transparent to the user.

Note. Transparent encryption means that the file does not need to be decrypted before being used: you open and modify it as usual. In transparent (on-the-fly) encryption systems, the cryptographic transformations are carried out in real time, imperceptibly to the user. For example, the user saves a document prepared in a text editor to a protected disk, and the protection system encrypts it while it is being written.

Using EFS is similar to using file and folder permissions: both methods restrict access to data. But an attacker who has gained unauthorized physical access to encrypted files and folders will not be able to read them. When they try to open or copy an encrypted file or folder, an access denied message appears.

Files and folders are encrypted and decrypted by setting their encryption attribute, in the same way as other attributes such as read-only, compressed, or hidden. If a folder is encrypted, all files and subfolders created in it are automatically encrypted. It is recommended to use encryption at the folder level. EFS automatically generates an encryption key pair for the user if one is missing. EFS uses the DESX encryption algorithm, an extended variant of the Data Encryption Standard (DES).

The task:

Enable and disable encryption of files with the Encrypting File System (EFS). Export a certificate with keys in order to decrypt files on another computer.

Procedure for performing the work.

A) To enable encryption mode, perform the following actions.

  1. Specify a file or folder that you want to encrypt (for example, create the file cipher.doc in the My Documents folder), right-click it and select Properties from the context menu.
  2. In the properties window that appears, on the General tab, click Other. The Additional attributes dialog box appears.
  3. In the Compression and encryption attributes group, check the Encrypt content to protect data box and click OK.
  4. Click OK in the properties window of the file or folder being encrypted. In the dialog box that appears, specify the encryption mode:
     • Only for this folder, or
     • This folder and all subfolders and files.

Attention! After completing these steps, the file with your information will be automatically encrypted. It will not be possible to view it on another PC.

B) To turn off the encryption mode, follow the steps below.

  1. Select the file cipher.doc in the My Documents folder.
  2. Right-click it and select Properties.
  3. On the General tab, click Other.
  4. In the dialog box that opens, in the Compression and encryption attributes group, uncheck the Encrypt content to protect data box.

Attention! After performing these steps, the file with your information will not be encrypted.

C) Creating a backup copy of the certificate using Windows 2000 (XP) tools.

A backup copy of the certificate is required to decrypt data after reinstalling the operating system or to view the encrypted information on another PC.

Attention! Before reinstalling the operating system, be sure to create copies of the certificates, because after reinstallation you will not be able to decrypt the information.

To back up a certificate, follow these steps:

  1. Click the Start button on the taskbar.
  2. Go to the Run item.
  3. In the window that opens, enter the command mmc in the input field.
  4. As a result, the MMC management console opens.

Note. The MMC console is a tool for creating, saving, and opening collections of administrative tools called consoles. Consoles contain items such as snap-ins, snap-in extensions, controls, tasks, wizards, and documentation needed to manage many hardware, software, and networking components of Windows systems. You can add items to an existing MMC console, or create new consoles and customize them to manage specific system components.

  5. On the Console menu, select the Add/Remove Snap-in command (Figure 1) and click Add.

Figure 1

  6. In the list, double-click Certificates (Figure 2), set the radio button to Computer account and click Next.

Figure 2

  7. Perform one of the following actions:
     • To manage the certificates of the local computer, set the radio button to Local computer and click Finish.
     • To manage the certificates of a remote computer, set the radio button to Another computer, enter the computer name or click Browse to select a computer, then click Finish.
  8. Click the Close button.
  9. The item Certificates (computer name) appears in the list of selected snap-ins for the new console.
  10. If you do not want to add any other snap-ins to the console, click OK.
  11. To save this console, on the Console menu select Save and name the snap-in Certificates.
  12. Close the Console window, then select Start and All Programs.
  13. Find the Administrative Tools item and select its Certificates sub-item (the Certificates snap-in is now available from the Start menu).
  14. In the left pane of the Certificates snap-in, open the Trusted Root Certificates folder, then the Certificates folder. A list of certificates appears in the right pane.
  15. Specify the certificate to be transferred (for example, the first one in the list, Figure 3), right-click it, and in the context menu select All Tasks, then Export.

Figure 3

  16. The Certificate Export Wizard starts.
  17. Click Next.
  18. In the next wizard window, select the option Yes, export the private key.
  19. Click Next.
  20. In the next wizard window, only one format is available (PFX), intended for personal information exchange. Click Next.
  21. In the following windows, provide the password (for example, 11) protecting the certificate.pfx file, and the path where the certificate.pfx file will be saved (write down the path to the folder in which you saved the copy of the certificate).
  22. Click Next.
  23. A list of the exported certificates and keys is displayed. Click Finish.
  24. Complete the Certificate Export Wizard by clicking OK in the dialog box informing you that the export was successful.

As a result, the certificate and private key are exported to the file certificate.pfx, which can be copied to a floppy disk and transferred to another computer, or used after reinstalling the operating system.

Follow these steps to restore a certificate from a backup.

  1. Transfer the file certificate.pfx created in the previous step to the computer (you need to remember the path to the copy of the certificate).
  2. Run the Certificates snap-in: click the Start button on the taskbar, then All Programs / Administrative Tools / Certificates.
  3. In the Certificates snap-in tree, open the Trusted Root Certificates folder, then the Certificates folder. A list of your certificates appears in the right pane.
  4. Right-click an empty space in the right pane.
  5. In the context menu that appears, select All Tasks.
  6. In its submenu, select Import.
  7. The Certificate Import Wizard starts.
  8. Follow the wizard: specify the location of the certificate.pfx file and provide the password protecting it.
  9. Click Finish and then OK to start the import operation.
  10. After the import completes, click OK and close the import wizard window.

As a result of your actions, the current user or you yourself will be able to work with encrypted data on this computer.

Tasks for independent work

  1. Export certificate #2 from the Intermediate Certification Authorities folder (save the illustrations for the report to the teacher).
  2. Import the exported certificate to the Personal folder (keep the illustrations for your teacher's report).

Test questions

  1. What is included in a cryptosystem?
  2. Compare public and private key encryption methods (asymmetric vs. symmetric encryption).
  3. What is MMC?
  4. What does EFS allow?

Description of the report form

The completed assignment for independent work and answers to control questions must be sent to the teacher for verification.



Microsoft Windows XP and the Encrypting File System (EFS) make it possible to store data on disk in encrypted form. However, when the system is reinstalled or the user account is deleted, the encrypted data is irretrievably lost unless you have taken care to save the certificate and keys and to create a recovery agent account.

The EFS Encrypted File System is used to store encrypted files on NTFS 5.0 file system volumes. Once a file or folder is encrypted, you can work with it in the same way as with other files or folders, i.e. encryption is transparent to the user who encrypted the file. This means that the file does not need to be decrypted before being used. You can, as usual, open the file and modify it.

Working with EFS is similar to using file and folder permissions. The task of both methods is to restrict access to data. However, file and folder permissions will not protect you if an attacker gains physical access to your data, such as connecting your HDD to another computer or booted using another operating system that has access to NTFS volumes. When trying to open or copy an encrypted file or folder, he will receive an exhaustive answer: "No access."

File encryption and decryption is done by setting a file or folder attribute: Folder or file Properties > General > Other > Encrypt content to protect data (Fig. 1).

As soon as we encrypt any folder or file, Windows creates for us a certificate and an associated key pair (public and private keys), on the basis of which the files are encrypted and decrypted. A certificate is a digital document used for authentication and secure transmission of data on public networks (Internet, intranet, extranet); it binds a public key to the entity holding the corresponding private key.

Our task is to back up the keys. This can be done with the Certificates snap-in of the Management Console. It is not present by default after installing the system, so we add it with the following steps.

Click the Start button, select Run, enter mmc and click OK. On the Console menu, select Add/Remove Snap-in and click Add. In the list of snap-ins, double-click Certificates. Next, select My user account and click Finish. Under Console > Options, set the console mode to User mode - limited access, single window, and click Apply. The console is now ready to work (Fig. 2).

If you have already encrypted a file or folder, then under Console Root > Certificates - Current User > Personal > Certificates you should see the certificate associated with the private key, which we need to export to a file. Select it, open the context menu, choose All Tasks, then Export. When the wizard asks whether to export the private key together with the certificate, answer Yes, leave the file format unchanged, and enter a password, which we will need for the reverse procedure, importing the certificate. The resulting .pfx file must be kept hidden, since any user who imports this certificate into their account will have access to your files, provided of course that they know or guess the password required for the import.

It is recommended to use encryption at the folder level. If a folder is encrypted, all files and subfolders created in the encrypted directory are automatically encrypted. This procedure allows you to create encrypted files whose data will never appear on disk in plain text—even temporary files created by programs during the editing process will also be encrypted.

There are a number of things to keep in mind when working with encrypted files and folders.

Only files and folders located on NTFS volumes can be encrypted. Compressed files and folders cannot be encrypted. If encryption is performed on a compressed file or folder, the file or folder is converted to an uncompressed state.

Encrypted files can become decrypted if the file is copied or moved to a non-NTFS volume. When unencrypted files are moved to an encrypted folder, they are automatically encrypted in the new folder, however, the reverse operation will not automatically decrypt the files, the files must be explicitly decrypted. Files with the System attribute and files in the system directory cannot be encrypted. Encrypting a folder or file does not protect it from deletion—any user with delete permissions can delete encrypted folders or files. For this reason, the use of EFS in combination with NTFS system permissions is recommended. Files and folders can be encrypted or decrypted on a remote computer for which remote encryption is enabled. However, if an encrypted file is opened over the network, the data transmitted over the network will not be encrypted. Other protocols, such as SSL/TLS or IPSec, must be used to encrypt data transmitted over the network.

Now let's look at the encryption process in Microsoft Windows XP at a lower level, in order to protect ourselves from the main risk of encryption, namely data loss.

First, let's recall the two main kinds of cryptographic systems. The simplest is encryption with a secret (symmetric) key, i.e. the same key is used to encrypt and decrypt the data. Advantage: high encryption speed; disadvantage: the problem of transferring the secret key, namely the possibility of intercepting it. Representatives: DES, 3DES, DESX, AES. Public-key (asymmetric) encryption differs in that data is encrypted with one key and decrypted with another; the reverse transformation cannot be performed with the same key. This technology assumes that each user has a pair of keys at their disposal: a public key and a personal or private key. By freely distributing the public key, you give other users the ability to encrypt messages to you that only you can decrypt. If the public key falls into "bad hands", it does not make it possible to determine the private key and decrypt the data. Hence the main advantage of public key systems, that there is no need to transfer a secret key, but also their drawback: low encryption speed. Representatives: RSA, ElGamal, Diffie-Hellman.

EFS takes full advantage of both kinds of system. The file data is encrypted with a symmetric algorithm using a File Encryption Key (FEK), a random key generated by EFS for that file. Next, the FEK is encrypted with the user's public key and stored in an attribute called the Data Decryption Field (DDF) directly within the file itself. In addition, EFS encrypts the FEK with the recovery agent's public key and places it in the Data Recovery Field (DRF) attribute. The DRF may contain entries for multiple recovery agents.

Who is this mysterious recovery agent? A Data Recovery Agent (DRA) is a user who has access to all encrypted data of other users. This matters when users lose their keys or in other unforeseen situations. The data recovery agent is usually an administrator. To create a recovery agent, you must first create a data recovery certificate and define a recovery policy, and then designate one of the users as the recovery agent. The recovery policy plays an important role in the Windows XP encryption system: it defines the recovery agents, and their absence, or removal of the policy, prohibits users from using encryption at all.
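To make the FEK/DDF/DRF hierarchy and the role of the recovery agent concrete, here is an added model written for this page (not Windows or EFS code): a random FEK encrypts the file, the FEK is wrapped under the owner's public key (DDF) and under each recovery agent's public key (DRF), and either private key recovers the data, while a key present in neither field is denied. AES-GCM and RSA-OAEP stand in for DESX and the certificate keys, and all names (keyField, efsFile, encryptFile, decryptFile, newKey) are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Model of the EFS key hierarchy described in the text, not Windows code.
// AES-GCM stands in for DESX; RSA-OAEP stands in for the certificate keys.

// keyField is one DDF or DRF entry: the FEK wrapped under one public key.
// KeyID names the key holder (hypothetical; EFS stores a certificate hash).
type keyField struct {
	KeyID      string
	WrappedFEK []byte
}

// efsFile models the on-disk layout: ciphertext, one Data Decryption Field
// for the owner, and a Data Recovery Field with one entry per recovery agent.
type efsFile struct {
	Nonce      []byte
	Ciphertext []byte
	DDF        keyField
	DRF        []keyField
}

var oaepLabel = []byte("EFS-FEK")

// newKey generates an RSA key standing in for a user's or agent's certificate key.
func newKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func wrapFEK(pub *rsa.PublicKey, id string, fek []byte) (keyField, error) {
	w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fek, oaepLabel)
	return keyField{KeyID: id, WrappedFEK: w}, err
}

func aeadFor(fek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(fek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptFile draws a fresh random FEK for this file, encrypts the data with
// it, then wraps the FEK for the owner (DDF) and every recovery agent (DRF).
// The plaintext FEK is dropped on return; only the wrapped copies survive.
func encryptFile(plaintext []byte, owner *rsa.PublicKey, ownerID string,
	agents map[string]*rsa.PublicKey) (*efsFile, error) {
	fek := make([]byte, 32)
	if _, err := rand.Read(fek); err != nil {
		return nil, err
	}
	gcm, err := aeadFor(fek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ddf, err := wrapFEK(owner, ownerID, fek)
	if err != nil {
		return nil, err
	}
	drf := make([]keyField, 0, len(agents))
	for id, pub := range agents {
		kf, err := wrapFEK(pub, id, fek)
		if err != nil {
			return nil, err
		}
		drf = append(drf, kf)
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	return &efsFile{Nonce: nonce, Ciphertext: ct, DDF: ddf, DRF: drf}, nil
}

// decryptFile tries the DDF, then each DRF entry, with the caller's private
// key. A key wrapped into neither field gets "access denied": this is why an
// empty recovery policy leaves files unrecoverable when the user's key is lost.
func decryptFile(f *efsFile, priv *rsa.PrivateKey) ([]byte, error) {
	for _, kf := range append([]keyField{f.DDF}, f.DRF...) {
		fek, err := rsa.DecryptOAEP(sha256.New(), nil, priv, kf.WrappedFEK, oaepLabel)
		if err != nil {
			continue // not our entry; keep looking
		}
		gcm, err := aeadFor(fek)
		if err != nil {
			return nil, err
		}
		return gcm.Open(nil, f.Nonce, f.Ciphertext, nil)
	}
	return nil, errors.New("access denied: no DDF or DRF entry for this key")
}
```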

To configure the recovery policy, open the console via Start > Settings > Control Panel > Administrative Tools > Local Security Policy and go to Public Key Policies > Encrypting File System (Fig. 3). By default, the recovery policy assigns the recovery agent role to the Administrator. If the default recovery agent certificate is removed and there is no other agent in the policy, the computer has an empty recovery policy. An empty recovery policy means that no recovery agent exists; this disables EFS and prevents users from encrypting files on this computer. We can keep the Administrator account as the recovery agent and export its key for safekeeping, or create a new recovery certificate and assign another user as the agent.

To create a recovery certificate, use the cipher command-line utility, which is designed to manage encryption (detailed information about this utility is available in the operating system help). Log in with administrator rights and enter at the command line:

cipher /R:<certificate file name>

Next, enter the password that you will need when importing. The certificate files have the extension .pfx (contains the certificate and its associated public and private key) or .cer (certificate and associated public key) and the name you provided. These files allow any user of the system to become a recovery agent, so our task is to keep them in a safe place and, most importantly, not forget to add the recovery agent certificate to the public key policy.

To create the agent itself, do the following: log in under the account that should become the data recovery agent; in the Certificates console, go to Certificates - Current User > Personal > Certificates; then choose Action > All Tasks > Import to launch the Certificate Import Wizard and import the recovery certificate. Keep in mind that decrypting files requires the private key, so when choosing a file to import, use the .pfx file.

A disadvantage often attributed to EFS encryption is that the encrypted data cannot be transported, i.e. it cannot be written to a blank disc without losing its secrecy. But this is not entirely true: indeed, you cannot simply copy it, but you can use the Windows XP backup program NTBackup, in which case the data is copied to the specified media without decryption, and the media need not support NTFS 5.0. After restoring, the encrypted data remains encrypted.

And a few more tips. Always enable encryption for folders as this will protect temporary files. Export the recovery agent account private key, save it in a safe place, and then delete it from the computer. When changing recovery policies, do not rush to delete old certificates until you are sure that all files encrypted with these certificates will not be updated.

Remember: "wrong" encryption can do more harm than good!


The Encrypting File System is a service that is tightly integrated with NTFS and resides in the Windows 2000 kernel. Its purpose is to protect data stored on disk from unauthorized access by encrypting it. The appearance of this service is not accidental and was expected for a long time. The fact is that the file systems that exist today do not provide the necessary protection of data from unauthorized access. An attentive reader may object: what about Windows NT with its NTFS? After all, NTFS provides access control and protects data from unauthorized access! Yes, that is true. But what if the NTFS partition is accessed not through the Windows NT operating system, but directly, at the physical level? After all, this is relatively easy to do, for example by booting from a floppy disk and running a special program such as the very common ntfsdos. A more sophisticated example is the NTFS98 product, which can be downloaded from

(the unregistered version allows reading NTFS volumes from under Windows98, the registered version also allows writing to such volumes). Of course, you can provide for this possibility and set a password to start the system, but practice shows that such protection is ineffective, especially when several users work on the same computer at once. And if an attacker can remove the hard drive from the computer, then no passwords will help here. By connecting the drive to another computer, its contents can be read with the same ease as this article. Thus, an attacker can easily get hold of confidential information that is stored on the hard drive.

The only way to protect against physical reading of data is to encrypt files. The simplest case of such encryption is archiving a file with a password. However, there are a number of serious shortcomings here. Firstly, the user needs to manually encrypt and decrypt (that is, in our case, archive and unarchive) data each time before and after work, which in itself reduces data security. The user may forget to encrypt (archive) the file after the end of work, or (even more banally) simply leave a copy of the file on disk. Secondly, user-created passwords are usually easy to guess. In any case, there are a sufficient number of utilities that allow you to unpack password-protected archives. As a rule, such utilities carry out password guessing by enumeration of the words recorded in the dictionary.

The EFS system was designed to overcome these shortcomings. Below we take a closer look at the encryption technology, how the user interacts with EFS, and data recovery methods; get to know the theory and implementation of EFS in Windows 2000; and walk through an example of encrypting a directory with EFS.

Encryption technology

EFS uses the Windows CryptoAPI architecture and is built on public key cryptography combined with symmetric encryption. For each file a random file encryption key (FEK) is generated; the file contents are encrypted with this symmetric key, and the FEK itself is encrypted with the public key from the user's EFS certificate (issued automatically on first use) and stored alongside the file. EFS also stores a copy of the FEK encrypted with the public key of each designated recovery agent, which is what makes data recovery possible without the user's private key. In principle any symmetric algorithm could be used to encrypt the file; in Windows 2000, EFS uses a single algorithm, DESX, a modification of the widely used DES standard. DESX is weak by today's standards, and Windows XP SP1 and later versions of Windows default to AES-256 for EFS.

EFS encryption keys are held in non-paged kernel memory (EFS itself runs in the Windows 2000 kernel), so they are never written to the page file, where an attacker with offline access to the disk could find them. Note that this protects the keys, not the data: an application editing an encrypted file can still leave plaintext fragments in the page file or in temporary files, so clearing the page file at shutdown and encrypting the temporary directories are common complements to EFS.
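The key hierarchy described above, as an added example in Windows PowerShell that is not EFS's own code and not from the original article: a model of a per-file FEK wrapped once for the owner and once for a recovery agent, built on the .NET crypto classes. Assumptions: AES-256 stands in for DESX, freshly generated RSA-2048 key pairs stand in for the user's and recovery agent's EFS certificates, and the wrapped keys are kept in a hashtable rather than in the file's $EFS attribute.

```powershell
# Added example: model of the EFS key hierarchy (FEK, DDF, DRF) using .NET crypto.
# Not EFS's own code; AES-256, RSA-2048 and the hashtable are illustrative assumptions.

function New-Fek {
    # The file encryption key is random per file, never derived from the user's password.
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $fek = New-Object byte[] 32
    $rng.GetBytes($fek)
    return ,$fek
}

function Protect-FileContent {
    param([byte[]]$Plaintext, [byte[]]$Fek)
    $aes = New-Object System.Security.Cryptography.AesCryptoServiceProvider
    $aes.Key = $Fek
    $aes.GenerateIV()
    $ct = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    return @{ IV = $aes.IV; Ciphertext = $ct }
}

function Unprotect-FileContent {
    param([hashtable]$Blob, [byte[]]$Fek)
    $aes = New-Object System.Security.Cryptography.AesCryptoServiceProvider
    $aes.Key = $Fek
    $aes.IV  = $Blob.IV
    return ,$aes.CreateDecryptor().TransformFinalBlock($Blob.Ciphertext, 0, $Blob.Ciphertext.Length)
}

# Key pairs for the file owner and the designated recovery agent. In real EFS these
# come from certificates; the private keys live in each user's profile and are
# unlocked only by that user's logon, which is why nothing can be decrypted at boot.
$owner = New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048)
$agent = New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048)

$fek  = New-Fek
$blob = Protect-FileContent -Plaintext ([Text.Encoding]::UTF8.GetBytes('confidential report')) -Fek $fek

# The FEK is wrapped once per key holder. EFS calls these the Data Decryption Field
# (DDF, owner) and the Data Recovery Field (DRF, recovery agent); $true selects OAEP padding.
$efsAttribute = @{
    DDF = $owner.Encrypt($fek, $true)
    DRF = $agent.Encrypt($fek, $true)
}
[Array]::Clear($fek, 0, $fek.Length)   # the plaintext FEK exists only while the file is in use

# The owner unwraps the FEK from the DDF on every read...
$fekForOwner = $owner.Decrypt($efsAttribute.DDF, $true)
[Text.Encoding]::UTF8.GetString((Unprotect-FileContent -Blob $blob -Fek $fekForOwner))

# ...and the recovery agent recovers the same file from the DRF without the owner's private key.
$fekForAgent = $agent.Decrypt($efsAttribute.DRF, $true)
[Text.Encoding]::UTF8.GetString((Unprotect-FileContent -Blob $blob -Fek $fekForAgent))
```

Both GetString calls print the original text. The point of the structure is that the file is encrypted once, and only the small FEK is wrapped per key holder; adding or removing a recovery agent means rewrapping the FEK, not re-encrypting the data.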

User interaction

By default, EFS is ready for use immediately: no setup is needed before a user can start encrypting, because a key pair and certificate are issued to the user on first use. Encryption and decryption are supported for both files and directories. If a directory is encrypted, all files and subdirectories it contains are encrypted as well. Note that an encrypted file that is moved or renamed out of an encrypted directory into an unencrypted one stays encrypted, as long as it remains on an NTFS volume; copying it to a FAT volume or a floppy produces an unencrypted copy, because those file systems cannot store the EFS metadata. Encryption and decryption can be performed in two ways: from Windows Explorer or with the Cipher console utility (cipher.exe).

To encrypt a directory from Windows Explorer, select one or more directories, open the advanced attributes dialog from the directory's Properties, and check the encryption box. Files and subdirectories created in that directory later are encrypted automatically, so one way to encrypt a file is simply to copy or move it into an "encrypted" directory.

Encrypted files are stored on disk in encrypted form. Data is decrypted transparently on read and encrypted on write, so the user works with encrypted files exactly as with ordinary ones: opening and editing documents in Microsoft Word, editing images in Adobe Photoshop or Paint, and so on. This transparency applies only to accounts holding the right private key; another local user who opens the file receives an access denied error even if the NTFS permissions would allow it.

Never encrypt files that are needed during system startup: at that stage the user's private key, which performs the decryption, is not yet available, and the system may fail to boot. EFS provides a simple safeguard against this: files with the "system" attribute are not encrypted. Be careful, though, because the safeguard itself can open a hole in your security: a file you believe to be protected may have been silently skipped. After encrypting, check whether the system attribute is set on anything in the directory (for example with attrib, or by listing the tree with cipher, which marks encrypted entries with E and unencrypted ones with U) to make sure each file was really encrypted.

Also remember that in Windows 2000 a file cannot be both compressed and encrypted: NTFS compression and EFS encryption are mutually exclusive. If a directory is compressed, its contents cannot be encrypted, and if its contents are encrypted, it cannot be compressed; the two checkboxes in the advanced attributes dialog exclude each other.

If data needs to be decrypted, simply uncheck the encryption box for the selected directories in Windows Explorer (or run cipher /d), and the files and subdirectories are decrypted automatically. This operation is rarely required, since EFS works transparently for the user; it is needed mainly before moving data to a volume or system that cannot read it.
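The encrypt-then-verify procedure from the preceding paragraphs, as an added example in Windows PowerShell that is not part of the original article: it encrypts (or, with -Decrypt, decrypts) a directory tree with cipher.exe and then audits every file's attributes, so that files skipped because of the System attribute or blocked by NTFS compression do not go unnoticed. Assumptions: $Root is a hypothetical path on an NTFS volume, the script runs as the user who owns the data, and Windows PowerShell 3.0 or later is available (for Get-ChildItem -File).

```powershell
# Added example (not from the original article): encrypt a tree with cipher.exe and
# verify what actually got encrypted. $Root is an assumed example path.
param([string]$Root = 'C:\Secret', [switch]$Decrypt)

# EFS lives in NTFS metadata; copies on FAT/exFAT volumes are plaintext, so refuse them up front.
$drive  = [System.IO.Path]::GetPathRoot((Resolve-Path -LiteralPath $Root).Path)
$format = (New-Object System.IO.DriveInfo($drive)).DriveFormat
if ($format -ne 'NTFS') {
    throw "EFS requires NTFS; $drive is $format."
}

# /E encrypt (or /D decrypt), /S:dir recurse into the tree, /A apply to files as well
# as directory attributes. Encrypting the directory first means files created later
# inherit the attribute, which is the same thing the Explorer checkbox does.
$mode = if ($Decrypt) { '/D' } else { '/E' }
& cipher.exe $mode "/S:$Root" /A | Out-Null

# Audit: EFS silently skips files carrying the System attribute, and a file cannot be
# both Compressed and Encrypted, so test each file's own attributes instead of trusting
# the directory's checkbox. -Force includes hidden files.
$report = Get-ChildItem -LiteralPath $Root -Recurse -File -Force | ForEach-Object {
    $a = $_.Attributes
    [pscustomobject]@{
        Path       = $_.FullName
        Encrypted  = [bool]($a -band [System.IO.FileAttributes]::Encrypted)
        System     = [bool]($a -band [System.IO.FileAttributes]::System)
        Compressed = [bool]($a -band [System.IO.FileAttributes]::Compressed)
    }
}

$unexpected = if ($Decrypt) {
    $report | Where-Object { $_.Encrypted }
} else {
    $report | Where-Object { -not $_.Encrypted }
}
$unexpected | Format-Table -AutoSize
if (@($unexpected).Count -gt 0) {
    Write-Warning "$(@($unexpected).Count) file(s) under $Root are not in the expected state; the System and Compressed columns explain the usual cases."
}
```

Run it once after encrypting a directory and again after any bulk copy into it: a file that still shows Encrypted = False with System = True is exactly the hole the article warns about, and one with Compressed = True must be decompressed before EFS will touch it.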
