Self Managed EFS
Enable EFS
By default, when EFS is enabled a self-signed certificate is created to grant access to encrypted files. That certificate is stored in your user profile and is protected by your password.
To enable EFS:
Right-click the folder | Properties | Advanced button | check "Encrypt contents to secure data"
Note: EFS certificates can also be generated and automatically archived by a Certificate Authority. When joined to a domain this type of enrollment can be automatic and Group Policy can be used to assign data recovery agents.
Backup and Archive your EFS Private Certificate and Private Key
If your local XP account password is changed by an administrator (or anyone other than you), you will no longer have access to your encryption key and it will need to be restored before you can decrypt your files. Your encryption key can also be lost if your user profile becomes corrupted or is deleted.
To prevent data loss, export a copy of your EFS certificate and private key in .pfx format and store it on removable media such as a CD or USB device. Keep this backup of your key in a secure location. When needed, your EFS certificate and key can be restored using the Certificates MMC.
Can I lose access to my EFS keys when I change my password?
Yes, there is a danger of losing access to EFS keys when using a local account, even if your computer is joined to a domain. To protect your EFS key, your password must be changed using the <Ctrl> + <Alt> + <Del> password change method. Using any other method, including a password reset by an administrator, will deny you access to your own EFS-encrypted files. If you've lost access to EFS data due to a password change, import your backup EFS certificate and keys.
Tips to improve EFS Security:
- Encrypt your My Documents folder and all temp directories.
- Only encrypt folders, never individual files.
- Use Group Policy to erase the page file on shutdown.
- Close sensitive applications before your computer hibernates or disable hibernation.
- Use syskey and store your password offline.
- Don't use self-signed certificates; instead, use archived certificates from a Certificate Authority.
- When migrating profiles or to a new computer decrypt all your data and re-encrypt with a new key.
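The backup step above and the encryption tips can be checked and carried out from a script. This PowerShell example is added here and is not part of the original page; it assumes PowerShell 2.0 or later, that $BackupDir points at removable media, that the self-signed EFS key is exportable (as the Certificates MMC export requires), and that 1.3.6.1.4.1.311.10.3.4 is the EFS enhanced key usage OID.

```powershell
# Added example (not from the original page). Reports whether the folders the
# page recommends encrypting carry the Encrypted attribute, then exports the
# current user's EFS certificate(s) with private key to a password-protected
# .pfx on removable media. Assumptions: PowerShell 2.0+, exportable EFS key,
# $BackupDir is a removable drive, EFS EKU OID is 1.3.6.1.4.1.311.10.3.4.
param(
    [string]$BackupDir = 'E:\efs-backup',   # removable media (assumed drive letter)
    [string[]]$FoldersToCheck = @([Environment]::GetFolderPath('MyDocuments'), $env:TEMP)
)

$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'

# 1. A folder with the Encrypted attribute set encrypts every new file placed in it.
foreach ($folder in $FoldersToCheck) {
    if (-not (Test-Path -LiteralPath $folder)) { continue }
    $attrs = (Get-Item -LiteralPath $folder -Force).Attributes
    $encrypted = ($attrs -band [IO.FileAttributes]::Encrypted) -ne 0
    $state = if ($encrypted) { 'ENCRYPTED' } else { 'PLAINTEXT' }
    Write-Host ("{0,-10} {1}" -f $state, $folder)
}

# 2. Find certificates in the Personal store that have the EFS EKU and a private key.
$efsCerts = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and (
        $_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            Where-Object { $_.Value -eq $EfsEkuOid }
    )
}
if (-not $efsCerts) {
    Write-Warning 'No EFS certificate with a private key found in Cert:\CurrentUser\My'
    return
}

# 3. Export each one as .pfx. X509Certificate2.Export with a SecureString works on
#    .NET 2.0, so no Export-PfxCertificate cmdlet is needed. Export throws if the
#    private key is not marked exportable.
if (-not (Test-Path -LiteralPath $BackupDir)) {
    New-Item -ItemType Directory -Path $BackupDir | Out-Null
}
$pfxPassword = Read-Host -AsSecureString 'Password to protect the .pfx backup'
foreach ($cert in $efsCerts) {
    $target = Join-Path $BackupDir ("efs-{0}.pfx" -f $cert.Thumbprint)
    $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $pfxPassword)
    [IO.File]::WriteAllBytes($target, $bytes)
    Write-Host ("Exported '{0}' (expires {1}) to {2}" -f $cert.Subject, $cert.NotAfter, $target)
}
```

Run it as the user whose files are encrypted, since the EFS certificate lives in that user's profile; the resulting .pfx can be restored later through the Certificates MMC as the page describes.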
Default Data Recovery Agent (DRA)
In stand-alone mode (not joined to a domain) XP does not have a default recovery agent like Windows 2000 does. Even if you have a backup of your EFS key, assigning a DRA is good practice as a second method of recovering data.
To use the local Administrator account as a data recovery agent:
- Generate a Data Recovery Agent Key
At the command prompt type:
C:\> cipher /r:a:\efskey
Enter a password to protect the key
This creates a public key file EFSKEY.CER and a private key pair file EFSKEY.PFX on your A: drive. If you don't have an A: drive, use removable media or another secure means of storing this key.
- Assign the public key to local group policy
Open Administrative Tools | Local Security Policy | navigate to Public Key Policies \ Encrypting File System | right-click on the Encrypting File System container | Add Recovery Agent Certificate | Next | Browse | Select EFSKEY.CER
Note: If a recovery agent is configured in Local Security Policy, it will override the recovery agents assigned by Domain Group Policy once the computer is joined to the domain.
- Install the private key in the Administrator's profile
Login as the local administrator and run mmc.exe
Click File | Add / Remove Snap-in | Add | Select Certificates | Add | Next | Finish | Close | OK
Double click the Certificates MMC | right-click on the personal store folder | All Tasks | Import | Next | Select EFSKEY.PFX | Next | Finish
- Securely Store the Data Recovery Agent Key
Store all keys on removable media such as a CD, USB device or floppy, kept offline.
Securely erase all copies of EFSKEY.CER and EFSKEY.PFX from your computer.