TechSpot

BEWARE: File Encryption on XP/PRO

By jobeard
Feb 28, 2007
Topic Status:
Not open for further replies.
  1. XP/Pro users have the ability to encrypt files and directories using the Encrypted File System (EFS).
    You should think TWICE about this before you act!

    For various reasons, you may lose the ability to decrypt your data and therefore,
    while still present on the disk, it is effectively the same as being deleted!

    Home users (i.e. those without a Domain Controller) should NOT use the EFS feature
    without understanding the Recovery Agent and how to back up and recover
    the certificate.

    details:
    Code:
    Master Key Storage and Security
    
    The Data Protection API automatically encrypts the user’s master key or keys. 
    Master keys are stored in the user profile under 
    RootDirectory\Documents and Settings\username\Application Data\Microsoft\Protect. 
    For a domain user who has a roaming profile, the master key is located in the 
    user’s profile and is downloaded to the user’s profile on the local computer 
    until the computer is restarted.
    
    While the user is logged on, when a master key is not being used for a 
    cryptographic operation, it is encrypted and stored on disk. Before master 
    keys are stored, they are 3DES-encrypted using a key derived from the user’s 
    password. When a user changes his or her logon password, master keys are 
    automatically unencrypted and re-encrypted using the new password.
    
    Master Key Loss and Data Recovery
    
    If a logon password is forgotten or if an administrator resets a user password, 
    the user’s master keys become inaccessible. Because the decryption key is 
    derived from the user’s password, the system is unable to decrypt the master 
    keys. Without the master keys, EFS-encrypted files are also inaccessible to 
    the user and can be recovered only by a data recovery agent, if one has 
    been configured, or through the use of a password reset disk (PRD), 
    if one has been created.
    
    Changing your login profile or reinstalling XP/Pro also has the same effect!
     
    For more information, see article 290260, 
    “EFS, Credentials, and Private Keys from Certificates Are Unavailable After a Password Is Reset,” 
    in the Microsoft Knowledge Base at http://support.microsoft.com.
    
    PLEASE see the article on how to create a Recovery Agent.

    This MS article has the File Encryption documentation.
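The two safeguards the post asks for, backing up the user's EFS certificate and private key and setting up a Data Recovery Agent (DRA), as an added example that is not part of jobeard's post or of the Microsoft article it quotes. It is written for a current Windows build (Windows 8 / Server 2012 or later, which ships the PKI PowerShell module and the `cipher /c` switch); on XP the same backup is done by exporting the certificate with its private key from certmgr.msc. The backup directory, file names and the `Get-EfsAccess` helper are assumptions chosen for the example.

```powershell
# Added example (not from the original post or from Microsoft): back up the current
# user's EFS key and create a Data Recovery Agent on a standalone (non-domain) machine.
# Assumes Windows 8 / Server 2012 or later with the PKI module, and an elevated prompt
# for the DRA and policy steps. Paths and names below are illustrative.

$BackupDir = 'C:\EFS-Backup'   # assumption: move the resulting files to offline media afterwards
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# 1. Locate the user's EFS certificate(s): a cert in the personal store with a private
#    key and the "Encrypting File System" enhanced key usage (OID 1.3.6.1.4.1.311.10.3.4).
$efsOid  = '1.3.6.1.4.1.311.10.3.4'
$efsCerts = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $efsOid) }

if (-not $efsCerts) {
    # The EFS key is only created the first time the user encrypts something.
    Write-Warning 'No EFS certificate with a private key found; encrypt one file first, then re-run.'
} else {
    $pfxPassword = Read-Host -Prompt 'PFX password for the EFS key backup' -AsSecureString
    foreach ($cert in $efsCerts) {
        $out = Join-Path $BackupDir ("EFS-user-{0}.pfx" -f $cert.Thumbprint)
        # Certificate plus private key, password protected. This is the file that lets you
        # recover data after a password reset, profile loss or reinstall; without it the
        # master-key loss described in the KB article leaves the files unreadable.
        Export-PfxCertificate -Cert $cert -FilePath $out -Password $pfxPassword | Out-Null
        if ((Get-Item $out).Length -eq 0) { throw "Export of $($cert.Thumbprint) produced an empty file" }
        Write-Host "Backed up EFS key $($cert.Thumbprint) to $out"
    }
}

# 2. Generate a Data Recovery Agent key pair. cipher writes DRA.cer (public certificate,
#    used in policy) and DRA.pfx (private key, keep it off the machine) and prompts for
#    a password to protect the .pfx.
$draBase = Join-Path $BackupDir 'DRA'
cipher.exe "/r:$draBase"

# 3. Register DRA.cer as the recovery agent. On a standalone machine this is done in
#    gpedit.msc: Computer Configuration > Windows Settings > Security Settings >
#    Public Key Policies > Encrypting File System > Add Data Recovery Agent (browse to DRA.cer).
#    After that, refresh policy and touch existing encrypted files so the new DRA covers
#    them too; files encrypted before the DRA existed are NOT covered until this runs.
gpupdate /force | Out-Null
cipher.exe /u

# 4. Verification helper (name is an assumption): show who can decrypt a given file.
#    cipher /c prints "Users who can decrypt" and "Recovery Certificates" sections;
#    the DRA must appear under the latter for recovery to work.
function Get-EfsAccess {
    param([Parameter(Mandatory)][string]$Path)
    cipher.exe /c $Path
}

# Restore on a fresh profile or reinstall: import the backed-up user key, then the files
# encrypted to it open again without the recovery agent.
#   Import-PfxCertificate -FilePath C:\EFS-Backup\EFS-user-<thumbprint>.pfx `
#       -CertStoreLocation Cert:\CurrentUser\My -Password (Read-Host -AsSecureString)
```

Run step 1 as the user whose files are encrypted and steps 2 and 3 from an elevated prompt; then `Get-EfsAccess 'C:\path\to\encrypted\file.docx'` should list both the user certificate and the DRA certificate. Keep DRA.pfx and the user .pfx files off the machine they protect: anyone holding either file and its password can decrypt the data.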