What is EFS in the Windows OS: EFS encryption and certificate management

There are a lot of rumors about Canon lenses on the Internet, I admit honestly, until recently I myself was mistaken about the difference between EF and EF-S lenses. In this article, I tried to collect some information about them, which will help make a choice in favor of one modification or another, put an end to disputes and dispel some myths.

Let's first decipher the abbreviation EF: it comes from the phrase Electro-Focus. With the EF mount the automatic focusing system is built into the optics, i.e. there are no moving parts between the lens and the camera, only electrical contacts, and a motor inside the lens drives focusing and the aperture. By the way, the first EF series lens appeared back in 1987.

EF-S is a modification of the mount for cameras with an APS-C format matrix, which was developed in 2003. The "S" stands for Short Back Focus. The last optical element in such lenses is located closer to the matrix than in EF lenses. For comparison, I’ll give a picture of two lenses with different mount modifications.

Left lens EF, right EF-S

As you can see, on the right-hand lens the rear element sits behind the mount flange, i.e. when the lens is mounted it will be noticeably closer to the sensor. In fact, this is the only, but very important, difference. EF-S optics cannot be used with full-frame cameras: despite the compatible mount, the protruding rear element can damage the camera mirror. EF lenses, on the other hand, are compatible with and can be used on any Canon EOS DSLR.

For APS-C format cameras, lens focal lengths must be adjusted. To calculate the focal length equivalent to that obtained on a full-frame sensor, multiply the values indicated on the lens by 1.6. There is a widespread opinion on the Internet that this is unnecessary for the EF-S series because the values printed on the lens already take the recalculation into account. This is wrong. As an example, here is the description of the new Canon EF-S 18-55mm f/3.5-5.6 IS II lens from the company's official website:

The EF-S 18-55mm f/3.5-5.6 IS II is a high-quality, standard zoom lens that will appeal to photographers who prefer to travel light. With a focal length equivalent of 29-88mm in 35mm format…

As you can see, the standard focal-length conversion applies to these lenses too, and 18-55 turns into 29-88mm. A completely logical question arises: why bother with all this? Canon's answer is that this design made it possible to build lighter, smaller lenses. That is the official position, but it is quite possible that it is also done so that inexpensive lenses are not used with expensive full-frame equipment.

Another interesting point: neither EF nor EF-S was licensed to third-party optics manufacturers such as Sigma or Tamron. Despite these manufacturers' claims of 100% compatibility, Canon does not provide such a guarantee. Therefore, when purchasing third-party lenses, test them especially carefully.

Let's draw conclusions about Canon lenses:

  • focal length on APS-C cameras is recalculated for all types of lenses;
  • ultra-wide angle on cropped cameras is only available with the EF-S 10-22mm lens;
  • unfortunately, fisheye on cropped cameras is not available at all;
  • EF lenses are suitable for any Canon cameras;
  • when upgrading from an APS-C camera to full frame, EF-S lenses cannot be used.

If you plan to upgrade to a full frame camera in the future, consider purchasing lenses in advance.

Purpose: to protect potentially sensitive data from unauthorized access by someone who has physical access to the computer and its disks.

User authentication and resource access rights in NT are enforced only while the operating system is running; someone with physical access to the machine can boot another OS and bypass those restrictions. EFS uses symmetric encryption to protect the files themselves, and public/private key pair encryption to protect the randomly generated symmetric key of each file. By default, the user's private key is protected by encryption derived from the user's password, so the security of the data depends on the strength of that password.

Description of work

EFS works by encrypting each file with a symmetric encryption algorithm chosen according to the operating system version and settings (starting with Windows XP it is theoretically possible to use third-party libraries to encrypt data). A randomly generated key, called the File Encryption Key (FEK), is used for each file. Symmetric encryption is chosen at this stage because of its speed and robustness compared with asymmetric encryption.

The FEK (a symmetric key that is random for each file) is protected by asymmetric encryption with the public key of the user who encrypts the file, using the RSA algorithm (theoretically, other asymmetric algorithms could be used). The FEK encrypted in this way is stored in the $EFS alternate data stream of the NTFS file. To read the data, the encrypting file system driver transparently decrypts the FEK with the user's private key, and then decrypts the file itself with the recovered FEK.

Since file encryption/decryption occurs using the file system driver (essentially an add-on to NTFS), it occurs transparently to the user and applications. It is worth noting that EFS does not encrypt files transferred over the network, so to protect the transferred data, you must use other data protection protocols (IPSec or WebDAV).

Interfaces for interacting with EFS

To work with EFS, the user can use either the Explorer GUI or the command-line utility.

Using the GUI

To encrypt a file, or a folder containing files, the user opens the properties dialog of that file or folder and checks (or unchecks) the "encrypt contents to protect data" checkbox; for files, starting with Windows XP, the public keys of other users can be added so that they too can decrypt the file and work with its content (subject to the appropriate permissions). When a folder is encrypted, all files in it are encrypted, as are any files placed in it later.
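The command-line route mentioned above, as an added example that is not part of the original text: it uses the built-in cipher.exe for the encrypt, inspect and decrypt operations and PowerShell to audit the Encrypted attribute. The folder path is an assumption.

```powershell
# Added example: command-line equivalents of the Explorer "encrypt contents" checkbox.
# Assumed target folder; run as the user who should own the encrypted data.
$Target = 'C:\Users\alice\Documents\Private'

# Create the folder and mark it encrypted. /s:<dir> applies the operation to the
# folder and everything beneath it; files created there later inherit the attribute.
New-Item -ItemType Directory -Path $Target -Force | Out-Null
cipher.exe /e "/s:$Target"

# For each file, list the certificate thumbprints that can decrypt it (the user
# entries) and any recovery agents. One user and no agent is the default on a
# standalone machine.
cipher.exe /c "/s:$Target"

# Explorer's lock icon reflects the Encrypted attribute; the same check in
# PowerShell, useful for verifying that every file in the tree is protected.
function Get-EfsStatus {
    param([Parameter(Mandatory)] [string] $Path)
    Get-ChildItem -LiteralPath $Path -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            File      = $_.FullName
            Encrypted = [bool]($_.Attributes -band [System.IO.FileAttributes]::Encrypted)
        }
    }
}
Get-EfsStatus -Path $Target | Where-Object { -not $_.Encrypted }   # should print nothing

# Reverse the operation (decrypt in place) the same way:
#   cipher.exe /d "/s:$Target"
# To list every encrypted file on the local drives without changing anything:
#   cipher.exe /u /n
```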


Wikimedia Foundation. 2010.


Let's assume you have a computer running the most recent version of Windows. You play shooters on it, write your dissertation, do the accounting for your small business under the simplified tax system, and in general enjoy yourself as best you can. But suddenly, for no obvious reason, you begin to feel that something from the outside threatens the security of some of the data stored on your personal computer. You feverishly read countless security forums and realize with horror that the data on your hard drive is not protected in any way. And if your beloved computer is stolen, and the risk of theft for portable equipment is not so low, then the thief will be able to get at the entire contents of the hard drive! Oh, my priceless dissertation!

Let's try to figure out whether it is really possible to gain unauthorized access to files if the computer is running the Windows 10 operating system. IBM engineers, and subsequently Microsoft, spent a lot of effort implementing an access-control system for the NTFS file system (HPFS in IBM's case). While Windows 10 is running, it is very, very difficult to gain access to other people's files without permission, and if access is explicitly denied, it is impossible. Windows securely protects user files.

But as soon as you boot into another operating system, for example Linux Mint, all the user files are in plain view. Download whatever you want. You can boot into Mint from a flash drive or from a CD-ROM; you just need to get into the UEFI (BIOS) setup and enable booting from removable drives, if it was not already enabled, or use the boot menu. If you have set a UEFI password and disabled boot-device selection altogether, your files are a little better protected. But an attacker can simply open your computer, pull out the HDD, connect it to their own machine, and copy everything they need. The data in your files will be in their hands like an open notebook.

IT specialists know that you can secure the data on your computer somewhat using BitLocker. BitLocker is a good thing, but it only encrypts entire partitions, physical or virtual. At the same time, it takes care of key safety, including storing keys in a TPM module, which is very convenient. However, encrypting everything is not always convenient, although full-disk encryption certainly has its place. For some reason everyone forgets about partial encryption of individual files and directories.

Windows 10, like its previous incarnations, includes the Encrypting File System (EFS). This feature is available from the Pro edition upwards, so if you have Windows Home you need to upgrade to at least Pro. Wikipedia has a lot to say about how and what is encrypted in EFS. I will simply try to explain everything as plainly as possible and give detailed instructions for enabling protection on your files.

Besides having at least the Pro edition, you must be working under a user account that has a password. The password must exist, whether the account is linked to a Microsoft cloud account or is an entirely local one. Whether you sign in with a PIN or a picture password does not matter; what matters is that a password is attached to the account. In addition, the files and directories to be protected must be located on a disk or partition formatted with NTFS. Most likely that is the file system you already have.

Data encryption occurs absolutely transparently for users and for the vast majority of software products, because encryption occurs at the NTFS file system level. You can encrypt one file or an entire folder at once. You can encrypt it as an empty folder, and then add new files to it and they will also be encrypted, or you can encrypt a folder with files and directories inside. Everything is your choice.

When working with encrypted folders and files, consider the following:

  1. Files stay encrypted only as long as they remain on NTFS; copying them to any other file system decrypts them. For example, you copy an encrypted file to a flash drive. If it is FAT32, and most likely it is, the file will be decrypted. In Windows 10 Microsoft has nevertheless implemented a feature whereby the file can remain encrypted even when copied to a FAT flash drive, so be vigilant if you pass files to a friend: will they be able to open them later without swearing? If you send a file by e-mail, it will be decrypted (otherwise there would be no point in sending it). Transferring a file over the network also decrypts it.
  2. When moving between NTFS partitions, the file remains encrypted. When moving a file from one NTFS disk to another NTFS disk, the file stays encrypted. When you copy a file to a removable hard disk formatted with NTFS, it will be encrypted in the new location as well.
  3. If the account password is forcibly changed by a third party, for example an administrator, or the password of a linked domain or cloud account is forcibly reset, access to the files will no longer be possible without the backup certificate (generated during the first encryption).

The last point is very important, especially for people with unreliable memory who constantly reset their passwords. Such a trick can leave the files permanently encrypted, unless, of course, you import the saved certificate back into the system. When the password change is voluntary, for example in accordance with a password-change policy, the encrypted files are not lost.
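A guard for the first two points above, added here as an example and not the author's code: before copying, it reports whether the file is EFS-encrypted and whether the destination volume is NTFS, because an encrypted file copied to FAT32 or across the network arrives as plaintext. The sample paths are assumptions.

```powershell
function Test-EfsCopy {
    # Returns an object describing what happens to EFS protection on copy.
    param(
        [Parameter(Mandatory)] [string] $Path,         # source file
        [Parameter(Mandatory)] [string] $Destination   # target file or folder
    )
    $item = Get-Item -LiteralPath $Path
    $encrypted = [bool]($item.Attributes -band [System.IO.FileAttributes]::Encrypted)

    # Work out the destination volume's file system. UNC paths have no DriveInfo,
    # and a network transfer is decrypted on the wire regardless of the far side.
    $root = [System.IO.Path]::GetPathRoot([System.IO.Path]::GetFullPath($Destination))
    if ($root.StartsWith('\\')) {
        $format = 'network share'
    } else {
        try   { $format = ([System.IO.DriveInfo]::new($root)).DriveFormat }
        catch { $format = 'unknown (drive not ready)' }
    }

    [pscustomobject]@{
        Source         = $item.FullName
        Encrypted      = $encrypted
        DestinationFS  = $format
        # Only a copy onto another NTFS volume keeps the file under EFS.
        StaysEncrypted = $encrypted -and ($format -eq 'NTFS')
    }
}

function Copy-EfsItem {
    # Copies only when protection is kept, or when the caller explicitly accepts plaintext.
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Destination,
        [switch] $AllowPlaintext
    )
    $check = Test-EfsCopy -Path $Path -Destination $Destination
    if ($check.Encrypted -and -not $check.StaysEncrypted -and -not $AllowPlaintext) {
        Write-Warning ('{0} is EFS-encrypted, but {1} ({2}) would receive a plaintext copy; re-run with -AllowPlaintext to accept that.' -f $check.Source, $Destination, $check.DestinationFS)
        return $check
    }
    Copy-Item -LiteralPath $Path -Destination $Destination
    return $check
}

# Assumed sample paths: a file in the encrypted folder and a FAT32 USB stick at E:\.
Copy-EfsItem -Path 'C:\Users\alice\Documents\Private\thesis.docx' -Destination 'E:\thesis.docx'
```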

Skeptics will quite rightly note that such protection, like BitLocker, is not bulletproof: hackers can guess a weak password, and the intelligence services will decrypt everything anyway. Indeed, a short and simple password can simply be guessed, and intelligence services exist precisely to have the technical means to reach the files of overly suspicious users. What's more, once you are logged in, you immediately have transparent access to all your EFS-encrypted files, and a Trojan or virus running under your account gains access to those precious files in exactly the same way. Computer hygiene must be strictly observed.

Detailed instructions for enabling encryption using EFS under Win10 Pro on a folder

Below I offer step-by-step, precise instructions on how to encrypt a folder with files in it. An individual file is encrypted in the same way.

Step 1. Let's create a folder. Let it be called “My Pictures”.

Creating a directory

Step 2. Right-click on the folder and select “Properties” from the context menu.

Right click on the folder and get this

Step 3. In the “Properties” menu, go to the extended attributes of the folder by clicking the “Other...” button.

Folder properties

Step 4. Check the box next to “Encrypt content to protect data” and click OK. If you need to cancel encryption, uncheck the same checkbox and the file will be decrypted.

In folder properties extended attributes

Step 5. Finish with “Properties” and click OK or “Apply”.

Step 6. In the dialog box that appears, choose to apply the change to the folder and all of its contents.

Select the desired encryption item

That's it, our folder and all its contents are encrypted using EFS. If you wish, you can check that our folder and all the files in it are securely closed from outsiders.

Step 7. Repeat steps 1-3 and observe that the "encrypt" checkbox is now ticked and the "Details" button next to it is active. Click "Details".

Checking what's encrypted

Step 8. In the window that appears, we see that this file has only one certificate for access by only one user, plus no certificates for restoring access are installed.

The folder is encrypted with one certificate

To tell whether a specific file is encrypted in Windows Explorer, look for the lock icon overlaid on the file.

Gallery with encrypted pictures. Only the account owner can view them.

The icon appears in all the other file and Explorer views too. Admittedly, on some icons the lock is very hard to see and you have to look closely.

The same gallery, only in the form of a table. Locks in the upper right corner of the icon.

After the first files have been encrypted, Windows prompts you to make a copy of the certificate. The same certificate that will allow you to decrypt files if suddenly something goes wrong with your computer (reinstalled the system, reset the password, transferred the disk to another computer, etc.).

Step 9. To save the backup recovery certificate, click on the key archiving icon.

Tray icon calling for archiving the backup certificate to restore encryption

Step 10. In the window that appears, select “Archive now.”

Choosing when to archive

Step 11. In the activation wizard dialog box, click “Next”.

Certificate Export Wizard window

Step 12. If you only use EFS encryption, you can leave the default values. And click on “Next”.

Backup certificate export settings

Step 13. It makes sense to protect the exported certificate with a password. We enter a password, it can be anything, not necessarily from your email or to log into Windows. And click “Next”.

Enter the password for additional protection recovery certificate

Step 15. Confirm the result by clicking OK.

Finishing the export wizard

And that's all. The exported certificate should be copied to a safe place, for example a floppy disk, a flash drive, or secure cloud storage. Leaving the recovery certificate on the computer is a bad idea, so after saving it in that "safe place", delete the file from the computer and empty the Recycle Bin.
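The scripted form of steps 9 to 15, added here as an example rather than taken from the article: it finds the current user's EFS certificate, exports it together with its private key to a password-protected PFX, and shows the equivalent built-in one-liner. The output path is an assumption.

```powershell
# EFS certificates carry the Enhanced Key Usage "Encrypting File System".
$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'

function Get-EfsCertificate {
    # Current user's certificates usable for EFS that still have a private key.
    Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        $ekuExt = $_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $_.HasPrivateKey -and $ekuExt -and
            (($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $EfsEkuOid)
    }
}

function Export-EfsCertificate {
    param(
        [Parameter(Mandatory)] [string] $OutFile,                      # path without extension
        [Parameter(Mandatory)] [System.Security.SecureString] $Password
    )
    $certs = @(Get-EfsCertificate)
    if ($certs.Count -eq 0) { throw 'No EFS certificate with a private key found; encrypt a file first.' }
    foreach ($cert in $certs) {
        # PFX (PKCS#12) bundles certificate and private key; the password protects the key.
        $pfx  = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $Password)
        $name = if ($certs.Count -gt 1) { "$OutFile-$($cert.Thumbprint).pfx" } else { "$OutFile.pfx" }
        [System.IO.File]::WriteAllBytes($name, $pfx)
        [pscustomobject]@{ Thumbprint = $cert.Thumbprint; Expires = $cert.NotAfter; File = $name }
    }
}

# Assumed destination: a USB stick mounted as E:\ (never leave the PFX on the system drive).
$pw = Read-Host -Prompt 'PFX password' -AsSecureString
Export-EfsCertificate -OutFile 'E:\efs-backup' -Password $pw

# The built-in equivalent, which prompts for the password itself and writes E:\efs-backup.pfx:
#   cipher.exe /x:E:\efs-backup
# To restore on a reinstalled system, double-click the .pfx and follow the import wizard.
```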

By the way, you can also encrypt the directories into which cloud files are synchronized on your computer, for example OneDrive, Dropbox, Yandex Disk and many others. To encrypt such a folder, first exit the cloud synchronization application or pause synchronization. It is also worth closing all open files in the directory to be encrypted, for example closing Word, Excel or other programs. After that, enable encryption on the selected folder, and once the encryption procedure has completed, enable synchronization again. Otherwise encryption may not cover all files in the folder, because EFS can only encrypt files that are not locked open by another program. Bear in mind that files synchronized to the cloud are decrypted on the way and are not encrypted in the cloud.

You must sign out of OneDrive before encryption can begin.

Now is the time to test how well EFS encryption works. I created a text file in an encrypted directory and then booted into Linux Mint from a flash drive. This Linux distribution handles NTFS drives without difficulty, so reaching the contents of my hard drive was easy.

Create a file with text in an encrypted folder.

However, when I tried to open files from the encrypted folder, I was disappointed: not a single one could be opened. The Linux Mint viewers bravely reported that they did not have access to the specified files. All the others opened without a hitch.

Encrypted files in Win10 are visible from Mint, but cannot be opened.

"Yeah!", said the stern Siberian men. But what if you write an encrypted file to a flash drive, where it will presumably remain encrypted, and then take it to another computer under a different operating system: will it open there? No, it won't. Or rather, it will open, but its contents will be completely unreadable. It's encrypted.

An attempt to open an encrypted text file recorded on a flash drive.

In general, it is possible to use EFS, and in some cases it is even necessary. Therefore, if you are running Windows 10 from the Pro edition and higher, assess the risks of strangers accessing your PC or laptop and whether they will be able to obtain your confidential files. Maybe something should be encrypted today?

Encrypting file system

The encrypting file system is a service tightly integrated with NTFS, located in the Windows 2000 kernel. Its purpose is to protect data stored on the disk from unauthorized access by encrypting it. The appearance of this service is not accidental, and has been expected for a long time. The fact is that the file systems that exist today do not provide the necessary protection of data from unauthorized access.

An attentive reader may object: what about Windows NT with its NTFS? After all, NTFS provides access control and protects data from unauthorized access! Yes, that is true. But what if the NTFS partition is accessed not through the Windows NT operating system, but directly, at the physical level? This is relatively easy to do, for example by booting from a floppy disk and running a special program such as the very common ntfsdos; a more sophisticated example is the NTFS98 product. Of course, you can anticipate this and set a password for starting the system, but practice shows that such protection is ineffective, especially when several users work on the same computer. And if an attacker can remove the hard drive from the computer, no passwords will help: by connecting the drive to another computer, its contents can be read as easily as this article. Thus an attacker can freely take possession of confidential information stored on the hard drive.

The only way to protect against physical reading of data is to encrypt the files. The simplest form of such encryption is archiving a file with a password. However, this has a number of serious drawbacks. Firstly, the user has to encrypt and decrypt (in our case archive and unarchive) the data manually every time before starting and after finishing work, which in itself reduces the security of the data: the user may forget to encrypt (archive) the file after finishing work, or, even more commonly, simply leave a copy of the file on the disk. Secondly, user-chosen passwords are usually easy to guess, and in any case there are plenty of utilities for unpacking password-protected archives; as a rule, they guess the password by trying the words of a dictionary.

The EFS system was developed to overcome these shortcomings. Below we will look in more detail at the details of encryption technology, EFS interaction with the user and data recovery methods, get acquainted with the theory and implementation of EFS in Windows 2000, and also look at an example of encrypting a directory using EFS.

Encryption technology

EFS uses the Windows CryptoAPI architecture and is based on public-key cryptography. A file encryption key is randomly generated for each file; in principle any symmetric encryption algorithm could be used to encrypt the file with it. Currently, EFS uses one algorithm, DESX, which is a special modification of the widely used DES standard.

EFS encryption keys are stored in a resident memory pool (EFS itself is located in the Windows 2000 kernel), which prevents unauthorized access to them through the page file.

User interaction

By default, EFS is configured so that the user can start using file encryption right away. Encryption and the reverse operation are supported for both files and directories. If a directory is encrypted, all files and subdirectories in it are automatically encrypted. Note that if an encrypted file is moved or renamed from an encrypted directory into an unencrypted one, it still remains encrypted. Encryption and decryption can be performed in two different ways: with Windows Explorer or with the Cipher console utility.

To encrypt a directory from Windows Explorer, the user simply needs to select one or more directories and check the encryption box in the directory's advanced properties window. All files and subdirectories created later in this directory will also be encrypted. Thus, you can encrypt a file by simply copying (or moving) it to an “encrypted” directory.

Encrypted files are stored on disk in encrypted form. When a file is read, the data is automatically decrypted, and when it is written, it is automatically encrypted. The user can work with encrypted files exactly as with regular files: open and edit Microsoft Word documents, edit images in Adobe Photoshop or Paint, and so on.

It should be noted that under no circumstances should you encrypt files that are used when the system starts - at this time, the user’s personal key, with which decryption is performed, is not yet available. This may make it impossible to start the system! EFS provides simple protection against such situations: files with the “system” attribute are not encrypted. However, be careful: this may create a security hole! Check if the file attribute is set to "system" to ensure that the file will actually be encrypted.

It is also important to remember that encrypted files cannot be compressed using Windows 2000 and vice versa. In other words, if a directory is compressed, its contents cannot be encrypted, and if the directory's contents are encrypted, then it cannot be compressed.

In the event that data decryption is required, you simply need to uncheck the encryption boxes for the selected directories in Windows Explorer, and the files and subdirectories will be automatically decrypted. It should be noted that this operation is usually not required, since EFS provides a "transparent" experience with encrypted data to the user.

Data recovery

EFS provides built-in support for data recovery in case you need to decrypt it, but for some reason this cannot be done normally. By default, EFS will automatically generate a recovery key, install an access certificate in the administrator account, and save it the first time you log in. Thus, the administrator becomes a so-called recovery agent, and will be able to decrypt any file on the system. Of course, the data recovery policy can be changed, and a special person responsible for data security, or even several such persons, can be appointed as a recovery agent.

A little theory

EFS encrypts data using a public-key scheme. The data is encrypted with a fast symmetric algorithm using the FEK (file encryption key). The FEK is a randomly generated key of a fixed length. The key length in the North American version of EFS is 128 bits; the international version of EFS uses a reduced key length of 40 or 56 bits.

The FEK is encrypted with one or more public keys, producing a list of encrypted FEKs. This list is stored in a special EFS attribute called the DDF (data decryption field), so the information needed to decrypt the data is tightly bound to the file. The public keys are taken from the users' X.509 certificates whose enhanced key usage includes "File Encryption". The private keys of those pairs are used to decrypt the FEK and hence the data. The private parts of the keys are stored either on smart cards or in another secure location (for example, in memory whose security is ensured by CryptoAPI).

The FEK is also encrypted with one or more recovery keys (taken from the X.509 certificates recorded in the encrypted data recovery policy for this computer, whose enhanced key usage includes "File Recovery").

As in the previous case, the public part of each key is used to encrypt the FEK. The resulting list of encrypted FEKs is also stored with the file, in a special EFS area called the DRF (data recovery field). The DRF uses only the public part of each key pair to encrypt the FEK list, so for normal file operations only the recovery agents' public keys are needed. Recovery agents can keep their private keys in a secure location outside the system (for example, on smart cards). The figure shows diagrams of the encryption, decryption and recovery processes.

Encryption process

The user's plaintext file is encrypted with a randomly generated FEK. The FEK is stored with the file, encrypted under the user's public key (in the DDF) and under the recovery agent's public key (in the DRF).

Decryption process

First, the user's private key is used to decrypt the FEK from the encrypted copy stored in the DDF. The decrypted FEK is then used to decrypt the file block by block. If the blocks of a large file are not read sequentially, only the blocks actually read are decrypted; the file on disk remains encrypted.

Recovery process

This process is similar to decryption, with the difference that the recovery agent's private key is used to decrypt the FEK, and the encrypted version of the FEK is taken from the DRF.
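The three processes above, modelled as an added example (not Microsoft's code, and not the real $EFS on-disk layout) from .NET primitives: AES stands in for the symmetric file cipher, RSA-OAEP for the public-key wrapping, and two hashtables stand in for the DDF and DRF. All keys and the sample data are constructed in the script.

```powershell
# Key-wrapping padding; OAEP-SHA256 needs the CNG provider (RSACng), available on Windows.
$Oaep = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256

function Get-KeyId {
    # Stable identifier for a key pair, derived from the public modulus only.
    param([System.Security.Cryptography.RSA] $Key)
    $modulus = $Key.ExportParameters($false).Modulus
    $hash = [System.Security.Cryptography.SHA256]::Create().ComputeHash($modulus)
    return ([BitConverter]::ToString($hash) -replace '-', '').Substring(0, 16)
}

function Get-PublicKey {
    # The public half alone, which is all an encrypting party (or the policy) ever holds.
    param([System.Security.Cryptography.RSA] $Key)
    $pub = [System.Security.Cryptography.RSACng]::new()
    $pub.ImportParameters($Key.ExportParameters($false))
    return $pub
}

function Protect-EfsFile {
    # Encryption process: a random FEK encrypts the data; the FEK is wrapped once per
    # user public key (DDF) and once per recovery-agent public key (DRF).
    param(
        [Parameter(Mandatory)] [byte[]] $Plaintext,
        [Parameter(Mandatory)] [System.Security.Cryptography.RSA[]] $UserPublicKeys,
        [System.Security.Cryptography.RSA[]] $RecoveryPublicKeys = @()
    )
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256
    $aes.GenerateKey()   # this is the FEK
    $aes.GenerateIV()
    $iv = $aes.IV
    $ciphertext = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)

    $ddf = @{}; foreach ($k in $UserPublicKeys)     { $ddf[(Get-KeyId $k)] = $k.Encrypt($aes.Key, $Oaep) }
    $drf = @{}; foreach ($k in $RecoveryPublicKeys) { $drf[(Get-KeyId $k)] = $k.Encrypt($aes.Key, $Oaep) }
    $aes.Dispose()   # the plaintext FEK lives no longer than the operation
    return [pscustomobject]@{ Ciphertext = $ciphertext; IV = $iv; DDF = $ddf; DRF = $drf }
}

function Unprotect-EfsFile {
    # Decryption process ($Field = 'DDF', user's private key) and recovery process
    # ($Field = 'DRF', agent's private key) differ only in which field supplies the wrapped FEK.
    param(
        [Parameter(Mandatory)] $Envelope,
        [Parameter(Mandatory)] [System.Security.Cryptography.RSA] $PrivateKey,
        [ValidateSet('DDF', 'DRF')] [string] $Field = 'DDF'
    )
    $table = $Envelope.$Field
    $id = Get-KeyId $PrivateKey
    if (-not $table.ContainsKey($id)) { throw "No $Field entry for key $id; access denied" }
    $fek = $PrivateKey.Decrypt($table[$id], $Oaep)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $fek; $aes.IV = $Envelope.IV
    $plain = $aes.CreateDecryptor().TransformFinalBlock($Envelope.Ciphertext, 0, $Envelope.Ciphertext.Length)
    $aes.Dispose()
    return $plain
}

# --- Walk-through with constructed keys and data ---------------------------------------
$userKey  = [System.Security.Cryptography.RSACng]::new(2048)   # user's pair; private half stays with the user
$agentKey = [System.Security.Cryptography.RSACng]::new(2048)   # recovery agent's pair
$data = [System.Text.Encoding]::UTF8.GetBytes('dissertation draft, chapter 3')   # constructed sample

# Only public keys are needed to encrypt, exactly as with the certificates in the policy.
$envelope = Protect-EfsFile -Plaintext $data -UserPublicKeys @(Get-PublicKey $userKey) `
                            -RecoveryPublicKeys @(Get-PublicKey $agentKey)

[byte[]]$byUser  = Unprotect-EfsFile -Envelope $envelope -PrivateKey $userKey  -Field DDF
[byte[]]$byAgent = Unprotect-EfsFile -Envelope $envelope -PrivateKey $agentKey -Field DRF
[System.Text.Encoding]::UTF8.GetString($byUser)    # the sample text
[System.Text.Encoding]::UTF8.GetString($byAgent)   # same text, recovered without the user's private key

# A key listed in neither field gets nothing, even with the ciphertext in hand.
$stranger = [System.Security.Cryptography.RSACng]::new(2048)
try { Unprotect-EfsFile -Envelope $envelope -PrivateKey $stranger } catch { $_.Exception.Message }
```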

Implementation in Windows 2000

The figure shows the EFS architecture:

EFS consists of the following components:

EFS Driver

This component is located logically on top of NTFS. It interacts with the EFS service, receives file encryption keys, DDF, DRF fields and other key management data. The driver passes this information to the FSRTL (file system runtime library) to transparently perform various file system operations (for example, opening a file, reading, writing, appending data to the end of the file).

EFS Runtime Library (FSRTL)

FSRTL is a module inside the EFS driver that makes calls into NTFS to perform file system operations such as reading, writing and opening encrypted files and directories, and the encryption, decryption and recovery operations performed as data is written to and read from disk. Although the EFS driver and FSRTL are implemented as a single component, they never communicate directly; they exchange messages through the NTFS call mechanism, which ensures that NTFS is involved in every file operation. Operations implemented through the file-control mechanism include writing data to the EFS file attributes (DDF and DRF) and passing the FEK computed by EFS to the FSRTL library, since the key must be set in the context of the file open. That file-open context then allows transparent encryption and decryption of the file as it is written to and read from disk.

EFS Service

The EFS service is part of the security subsystem. It uses the existing LPC communication port between the LSA (Local security authority) and the kernel-mode security monitor to communicate with the EFS driver. In user mode, the EFS service interacts with the CryptoAPI to provide file encryption keys and provide DDF and DRF generation. In addition, the EFS service supports the Win32 API.

Win32 API

Provides a programming interface for encrypting plaintext files, decrypting and recovering encrypted files, and reading and writing encrypted files without first decrypting them (for backup). It is implemented in the standard system library advapi32.dll.

A little practice

To encrypt a file or directory, follow these steps:

  1. Launch Windows Explorer, right-click the directory and select Properties.
  2. On the General tab, click the Advanced button.
  3. Check the box next to "Encrypt contents to secure data". Click OK, then click Apply in the Properties dialog. If you have chosen to encrypt an individual file, a dialog box similar to the following will additionally appear:

The system offers to also encrypt the directory in which the selected file is located, since otherwise the encryption will be automatically canceled the first time such a file is modified. Always keep this in mind when encrypting individual files!

At this point, the data encryption process can be considered complete.

To decrypt directories, simply uncheck the “Encrypt contents to secure data” option. In this case, the directories, as well as all subdirectories and files contained in them, will be decrypted.

Conclusions

  • EFS in Windows 2000 gives users the ability to encrypt NTFS directories using a strong public-key cryptographic scheme; all files in an encrypted directory are encrypted. Encryption of individual files is supported, but is not recommended because applications may behave unpredictably.
  • EFS also supports encrypting remote files that are accessed as shared resources. If roaming user profiles are used, the keys and certificates of the remote profiles are used; otherwise local profiles are created and local keys are used.
  • The EFS system allows you to set a data recovery policy such that encrypted data can be recovered using EFS if required.
  • The data recovery policy is built into the general Windows 2000 security policy. Enforcement of the recovery policy can be delegated to authorized persons, and each organizational unit can have its own data recovery policy configured.
  • Data recovery in EFS is a self-contained operation: the recovery process decrypts the data, but not the user key with which the data was encrypted.
  • Working with encrypted files in EFS does not require the user to take any special steps to encrypt and decrypt data. Decryption and encryption occur unnoticed by the user during the process of reading and writing data to the disk.
  • EFS supports backup and recovery of encrypted files without decrypting them. NtBackup supports backup of encrypted files.
  • EFS is built into the operating system in such a way that information cannot leak through the paging file, and all copies that are created remain encrypted.
  • Numerous precautions are provided to ensure the safety of data recovery, as well as protection against data leakage and loss in the event of fatal system failures.

Starting with Windows XP, all Microsoft operating systems include a built-in data encryption technology, EFS (Encrypting File System). EFS encryption is based on the capabilities of the NTFS 5.0 file system and the CryptoAPI architecture and is designed to quickly encrypt files on a computer's hard drive.

Let's briefly describe the EFS encryption scheme. EFS uses public and private key encryption. The user's private and public keys are generated the first time the user uses the encryption function, and they remain unchanged for as long as the account exists. When encrypting a file, EFS randomly generates a unique 128-bit number, the so-called File Encryption Key (FEK), with which the file's data is encrypted. The FEK is in turn encrypted with a master key, which is encrypted with the keys of the system users who have access to the file. The user's private key is protected by a hash of the user's password.

Thus, we can conclude: the entire EFS encryption chain is essentially strictly tied to the user’s login and password. This means that data security also depends on the strength of the user’s password.

Important. Data encrypted using EFS can only be decrypted from the same Windows account, with the same password that was in use when the data was encrypted. Other users, including administrators, will not be able to decrypt and open these files, so the private data remains protected under any circumstances. But it is important to understand the other side of the issue. If the account or its password is changed (unless it was changed directly by the user from their own session), the system crashes, or the OS is reinstalled, the encrypted data will become inaccessible. This is why it is extremely important to export the encryption certificate and store it in a safe place (the procedure is described below).
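The key hierarchy described above (random FEK encrypting the data, the FEK wrapped once for the user in the DDF and once for the recovery agent in the DRF) as an added PowerShell 7 model; this is illustrative code written for this article, not Windows EFS code, and the function names, 2048-bit RSA keys and AES-CBC are assumptions chosen for the demo.

```powershell
# Toy model of the EFS key hierarchy (added example, not Windows code).
# Algorithms and key sizes here are illustrative, not those of the real EFS driver.
using namespace System.Security.Cryptography

function New-EfsStyleKeyPair {
    # One RSA pair stands in for a user's (or recovery agent's) EFS certificate + private key.
    [RSA]::Create(2048)
}

function Protect-EfsStyleFile {
    param([byte[]]$Plaintext, [RSA]$UserKey, [RSA]$RecoveryKey)
    $fek = [byte[]]::new(16)                              # 128-bit FEK, as in the text
    [RandomNumberGenerator]::Create().GetBytes($fek)
    $aes = [Aes]::Create(); $aes.Key = $fek; $aes.GenerateIV()
    $ct  = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    $pad = [RSAEncryptionPadding]::OaepSHA256
    [pscustomobject]@{
        IV         = $aes.IV
        Ciphertext = $ct
        DDF        = $UserKey.Encrypt($fek, $pad)         # FEK wrapped for the user
        DRF        = $RecoveryKey.Encrypt($fek, $pad)     # FEK wrapped for the recovery agent
    }
}

function Unprotect-EfsStyleFile {
    param($Blob, [RSA]$PrivateKey, [ValidateSet('DDF','DRF')][string]$Field = 'DDF')
    # Whoever holds the private key matching one wrapped copy recovers the FEK and then
    # the data; the other party's private key is never needed (recovery is self-contained).
    $fek = $PrivateKey.Decrypt($Blob.$Field, [RSAEncryptionPadding]::OaepSHA256)
    $aes = [Aes]::Create(); $aes.Key = $fek; $aes.IV = $Blob.IV
    $aes.CreateDecryptor().TransformFinalBlock($Blob.Ciphertext, 0, $Blob.Ciphertext.Length)
}

# Demo with constructed sample content
$user  = New-EfsStyleKeyPair
$agent = New-EfsStyleKeyPair
$data  = [Text.Encoding]::UTF8.GetBytes('constructed sample file contents')
$blob  = Protect-EfsStyleFile -Plaintext $data -UserKey $user -RecoveryKey $agent
[Text.Encoding]::UTF8.GetString((Unprotect-EfsStyleFile $blob $user))             # via DDF
[Text.Encoding]::UTF8.GetString((Unprotect-EfsStyleFile $blob $agent -Field DRF)) # via DRF
# A freshly generated key pair (what a reset password or a reinstall leaves you with when
# the certificate was never exported) cannot unwrap either field:
try { Unprotect-EfsStyleFile $blob (New-EfsStyleKeyPair) | Out-Null }
catch { "new key cannot recover the FEK: $($_.Exception.Message)" }
```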

Note. Beginning with Windows Vista, Microsoft operating systems support another encryption technology, BitLocker. Unlike EFS, BitLocker:

  • is used to encrypt an entire disk volume
  • requires a hardware TPM module (if one is absent, an external key storage device such as a USB flash drive is required)

Externally, for the user, working with private files encrypted using EFS is no different from working with regular files - the OS performs encryption/decryption operations automatically (these functions are performed by the file system driver).

How to enable EFS directory encryption on Windows

Let's look at the procedure for encrypting data in Windows 8 using EFS step by step.

Note. Under no circumstances should you enable encryption for system directories and folders. Otherwise, Windows may simply not boot, because the system will not be able to find the user's private key and decrypt the files.

In File Explorer, select the directory or files that you want to encrypt, right-click them and open Properties.

On the General tab, in the Attributes section, click the Advanced button.

In the window that appears, check the box Encrypt contents to secure data.

Click OK twice.

If you are encrypting a directory, the system will ask you whether you want to encrypt only the directory or the directory and all its subelements. Select the desired action, after which the directory properties window will close.

Encrypted directories and files are displayed in green in Windows Explorer (remember that compressed objects are highlighted in blue). If you choose to encrypt a folder with all its contents, any new items created inside the encrypted folder are also encrypted.

You can manage EFS encryption/decryption from the command line using the cipher utility. For example, you can encrypt the C:\Secret directory like this:

cipher /e C:\Secret

A list of all files in the file system encrypted using the current user's certificate can be displayed using the command:

cipher /u /n

Backing up the EFS encryption key

After the user encrypts their data using EFS for the first time, a pop-up window will appear in the system tray telling them to save the encryption key.

Back up your file encryption key. This helps you avoid permanently losing access to your encrypted files.

Clicking on the message launches the wizard for backing up the EFS encryption certificate and its associated private key.

Note. If you accidentally close the window or it does not appear, you can export EFS certificates using “Manage file encryption certificates” in the user control panel.

Select “Back up your file encryption certificate and key”.

Then enter a password to protect the certificate (preferably quite complex).

All that remains is to specify where to save the exported certificate (for security, copy it to an external hard disk or USB flash drive and keep it in a safe place).
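The cipher commands and the certificate backup described above, scripted together as an added example (not from the article): the folder path, the PFX destination and the use of the EFS EKU OID to locate the certificate are assumptions for the demo.

```powershell
# Added example: encrypt a folder, verify the Encrypted attribute, then export the
# current user's EFS certificate + private key to a password-protected PFX.
$Folder  = 'C:\Secret'               # directory used in the article
$PfxPath = 'E:\backup\efs-cert.pfx'  # assumed removable-drive path (not the same disk)

# 1. Encrypt the directory and everything under it (same effect as the checkbox).
cipher.exe /e /s:$Folder | Out-Null

# 2. Verify: every file under the folder must carry the Encrypted attribute.
$notEncrypted = Get-ChildItem -Path $Folder -Recurse -File |
    Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::Encrypted) }
if ($notEncrypted) { Write-Warning "Not encrypted: $($notEncrypted.FullName -join ', ')" }

# 3. The listing the article gets from 'cipher /u /n': files encrypted with this user's cert.
cipher.exe /u /n

# 4. Locate the EFS certificate in the user's store by its EKU OID
#    (1.3.6.1.4.1.311.10.3.4 = Encrypting File System); pick the newest one.
$efsCert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and
                   ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.10.3.4') } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $efsCert) { throw 'No EFS certificate with a private key found; encrypt a file first.' }

# 5. Export certificate + private key to a PFX protected by a password you are prompted for.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $efsCert -FilePath $PfxPath -Password $pfxPassword | Out-Null
"Exported certificate $($efsCert.Thumbprint) to $PfxPath"
```

Run this from the encrypting user's own session; the export is the same operation the wizard performs, so the PFX and its password are what you need to restore access after a reinstall.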
