An Overview of Encrypting File Systems (EFS)


This blog post explains the Encrypting File System (EFS), a feature of the Windows 2000 operating system that lets any file or folder be stored in encrypted form and decrypted only by an individual user and an authorized recovery agent.

To protect files from mishandling and to ensure their security, the system should encrypt them. NTFS provides the Encrypting File System (EFS) as a built-in feature. EFS combines symmetric-key encryption of the file contents with public-key technology for protecting the symmetric key. The user receives a digital certificate with a public key and private key pair. Users logged on to a stand-alone local system do not obtain a private key this way; instead the system generates an EFS key for such local users.


This encryption technology stays transparent to the user who encrypted the file. There is no need for users to decrypt the file before accessing it to make changes. When the user has finished working on a file, the system saves the changes and re-applies the encryption automatically. When any unauthorized user tries to access the encrypted file, he or she receives an "Access denied" message.

To enable encryption and decryption in a Windows NT-based operating system, the user sets the encryption attribute on the files and folders that he or she wants to encrypt or decrypt.

The system automatically encrypts all the files and subfolders present in an encrypted folder. To take the best advantage of the encryption capability, experts recommend encrypting at the folder level rather than per file, so that a folder never contains encrypted files alongside unencrypted ones.

Users can encrypt files manually in three ways: through the graphical user interface (GUI) in Windows, with a command line tool such as Cipher, or by selecting the appropriate options in the Windows Explorer menus for a file or folder.

Encrypting a file is important for the files present in the system, because NTFS then protects them from unauthorized access and ensures a high level of security. The system issues a file encryption certificate when a user first encrypts a file. If the person loses that certificate and the related private key (through a disk failure or for any other reason), he or she can recover the data through the recovery agent.

In a Windows 2000 server-based network that maintains Active Directory, the domain administrator is the recovery agent by default. Recovery is prepared in advance, before the user or system encrypts any file. The recovery agent holds a special certificate and the related private key, which enable data recovery; newer versions of Windows let the recovery policy define the scope in which that agent applies.
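As an added example (not code from the original article), the following PowerShell session encrypts a folder with the Cipher tool described above, confirms the result by reading each file's Encrypted attribute rather than trusting the command's output, and lists the user certificates and recovery agents that can decrypt each file. The folder path and the sample file contents are constructed for the demonstration; it assumes an NTFS volume and that cipher.exe (shipped with Windows) is on the PATH.

```powershell
# Hypothetical folder; change to a path on an NTFS volume you control.
$Folder = 'C:\Secure\Reports'

New-Item -ItemType Directory -Path $Folder -Force | Out-Null
# Constructed sample data so there is something to encrypt.
Set-Content -Path (Join-Path $Folder 'q1.txt') -Value 'constructed quarterly figures'

# Encrypt the folder and everything already in it.
# /S:dir recurses into the directory, /A applies the operation to files too.
# Files created under the folder afterwards inherit the encryption attribute,
# which is why the article recommends encrypting at the folder level.
cipher.exe /E /S:$Folder /A

# Verify: check the Encrypted attribute on every file under the folder.
Get-ChildItem -Path $Folder -Recurse -File | ForEach-Object {
    $isEncrypted = ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0
    [pscustomobject]@{ File = $_.FullName; Encrypted = $isEncrypted }
}

# /C displays, per file, the certificates in the Data Decryption Field (users)
# and in the Data Recovery Field (recovery agents). A file that lists no
# recovery agent becomes unrecoverable if the user's certificate is lost.
cipher.exe /C /S:$Folder
```

On a stand-alone machine with no domain recovery policy, `cipher.exe /R:<basename>` generates the certificate (.cer) and private key (.pfx) for a recovery agent that can then be added to the local security policy; doing this before encrypting anything is the "advance preparation" the text refers to.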

Components of EFS

EFS Service

The EFS service, which is part of the security subsystem, acts as an interface to the Encrypting File System driver by using the local procedure call (LPC) communication port between the Local Security Authority (LSA) and the kernel-mode security reference monitor. It also acts as an interface to CryptoAPI in user mode in order to derive file encryption keys and to generate data decryption fields (DDFs) and data recovery fields (DRFs). This service also supports the Win32 APIs.

The EFS service uses CryptoAPI to obtain the file encryption key (FEK) for a data file, then encrypts that FEK with the user's public key to produce the DDF.


EFS Driver

The EFS driver is a file system filter driver stacked on top of NTFS. It communicates with the EFS service to obtain file encryption keys, DDFs, DRFs, and other key management services. It passes this information to the EFS FSRTL to perform file system functions such as open, read, write, and append.

CryptoAPI

CryptoAPI contains a set of functions that let Win32 application developers encrypt or digitally sign data and protect private key material. It supports public-key and symmetric-key operations such as key generation, management and secure storage, key exchange, encryption, decryption, hashing, digital signatures, and verification of signatures.

EFS FSRTL

The EFS FSRTL is the part of the EFS driver that implements NTFS callouts to handle file system operations such as reads, writes, and opens on encrypted files and directories, and the operations that encrypt, decrypt, and recover file data as the system writes it to or reads it from disk. The EFS driver and the FSRTL act as a single component but never communicate directly: they exchange messages through the NTFS file control callout mechanism.

Win32 API

EFS provides an API set to expose its features that also provides a programming interface for operations such as encrypting plaintext files, decrypting or recovering cipher text files, and importing and exporting encrypted files without decrypting them.

EFS Attribute

NTFS sets a flag on the file after encrypting it and creates an EFS attribute in which it stores the Data Decryption Field (DDF) and the Data Recovery Field (DRF). This attribute has Attribute ID = 0x100 in NTFS.
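The EFS Service section above says the service derives a FEK and wraps it into a DDF, and this section says NTFS stores the DDF and DRF in the EFS attribute. The following added example (not the article's code and not Windows' own implementation) models that design with .NET primitives in PowerShell instead of CryptoAPI: one random symmetric key encrypts the contents, and that key is wrapped once under the user's public key (DDF) and once under the recovery agent's public key (DRF), so either private key, and nothing else, can recover the file. The key sizes, the field names in `$efsAttribute`, and the sample plaintext are constructed for the demonstration; it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, where RSACng is available.

```powershell
# Stand-ins for the user's EFS certificate key pair and the recovery agent's key pair.
$userKey     = [System.Security.Cryptography.RSACng]::new(2048)
$recoveryKey = [System.Security.Cryptography.RSACng]::new(2048)
$oaep        = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256

# 1. A random symmetric file encryption key (FEK) encrypts the file contents.
$aes = [System.Security.Cryptography.Aes]::Create()   # CBC with PKCS7 padding by default
$aes.KeySize = 256
$aes.GenerateKey()
$aes.GenerateIV()
$plaintext  = [System.Text.Encoding]::UTF8.GetBytes('constructed sample file contents')
$ciphertext = $aes.CreateEncryptor().TransformFinalBlock($plaintext, 0, $plaintext.Length)

# 2. The FEK is wrapped once per principal. This hashtable plays the role of the
#    EFS attribute: a DDF for the user and a DRF for the recovery agent.
$efsAttribute = @{
    DDF = $userKey.Encrypt($aes.Key, $oaep)
    DRF = $recoveryKey.Encrypt($aes.Key, $oaep)
    IV  = $aes.IV
}

# Unwrap the FEK with a private key, then decrypt the contents with it.
function Open-EncryptedContent {
    param(
        [System.Security.Cryptography.RSA] $PrivateKey,
        [byte[]] $WrappedFek
    )
    $fek = $PrivateKey.Decrypt($WrappedFek, $oaep)
    $dec = [System.Security.Cryptography.Aes]::Create()
    $dec.Key = $fek
    $dec.IV  = $efsAttribute.IV
    $bytes = $dec.CreateDecryptor().TransformFinalBlock($ciphertext, 0, $ciphertext.Length)
    [System.Text.Encoding]::UTF8.GetString($bytes)
}

# Normal access: the user's private key opens the DDF.
Open-EncryptedContent -PrivateKey $userKey -WrappedFek $efsAttribute.DDF

# Recovery: the user's certificate is lost, but the recovery agent's private key opens the DRF.
Open-EncryptedContent -PrivateKey $recoveryKey -WrappedFek $efsAttribute.DRF

# Any other key holder has neither private key, so the FEK, and therefore the file,
# stays unreadable; the following call is expected to throw.
try {
    $other = [System.Security.Cryptography.RSACng]::new(2048)
    Open-EncryptedContent -PrivateKey $other -WrappedFek $efsAttribute.DDF
} catch {
    "Decryption with an unrelated key failed as expected: $($_.Exception.GetType().Name)"
}
```

The design point worth noticing is that adding a recovery agent never exposes the FEK in the clear and never re-encrypts the file contents: only one more wrapped copy of the FEK is appended, which is why a recovery policy can be applied to files before or after they are encrypted.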

Sparse File

A sparse file is a type of computer file that uses file system space more efficiently when the blocks allocated to the file are mostly empty. Instead of storing the empty blocks, the file system records brief information (metadata) describing them, so the file occupies less disk space. Sparse files save disk space by letting the I/O subsystem allocate storage only for meaningful (nonzero) data. In a sparse NTFS file, clusters are assigned only for the data that an application defines, and the file system marks the space for undefined data as non-allocated.
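As an added example (not from the original article), the following PowerShell commands create a sparse file on NTFS with fsutil, mark a range as undefined so its clusters are released, and then query which ranges actually have clusters allocated, which is the check that distinguishes the logical file length from what the file consumes on disk. The file path and sizes are constructed; it assumes an NTFS volume and that the session can run fsutil (it requires an elevated prompt).

```powershell
# Hypothetical path on an NTFS volume; 64 MiB logical size.
$File   = 'C:\Temp\sparse-demo.bin'
$Length = 64MB

# Create the file at full logical length, then flag it as sparse.
fsutil.exe file createnew $File $Length
fsutil.exe sparse setflag $File

# Declare the first 32 MiB as undefined: NTFS releases those clusters and
# reads of that range return zeros without touching the disk.
fsutil.exe sparse setrange $File 0 32MB

# Compare the logical length with the ranges that still hold allocated clusters.
"Logical length: $((Get-Item $File).Length) bytes"
fsutil.exe sparse queryflag  $File
fsutil.exe sparse queryrange $File   # lists only the allocated ranges
```

Because a sparse file's logical size can far exceed its allocated size, tools that size backups or quotas by `Length` overstate it; the allocated-range query is the figure that reflects actual disk use.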

Questions related to this topic

  1. What encryption does Encrypting File Systems use?
  2. What is EFS in networking?
  3. How do I encrypt EFS in AWS?
  4. What does encrypting a file mean?

This Blog Article is posted by

Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092

Contact us – www.info-savvy.com
