Windows Encrypted File System
Revision as of 14:21, 24 July 2008
EFS (Encrypting File System) is the cryptographic file system built into Microsoft Windows. It works only on NTFS volumes and is not included in the Home editions of Windows.
EFS encrypts individual files and directories rather than whole volumes; marking a directory as encrypted (the root of a volume included) causes every file created in it to be encrypted. Each file is encrypted with its own symmetric key, and that key is protected with the user's EFS certificate. The certificate's public half is kept in the user's personal certificate store and its thumbprint is recorded in each file's $EFS attribute; the matching private key is stored in the user profile, protected by DPAPI with a master key derived from the user's logon password. Policy can additionally name one or more data recovery agents, for example a recovery certificate belonging to the organization that owns the computer, whose public keys are also used to protect each file's key so that the organization can recover the file without the user.
How it works
The first time a user encrypts a file, Windows creates an RSA public/private key pair and a self-signed EFS certificate for that user (in a domain with an enterprise CA the certificate may be issued by the CA instead). Whenever a file is encrypted, Windows generates a random symmetric File Encryption Key (FEK) for that file and encrypts the file contents with it (DESX on Windows 2000, AES-256 by default from Windows XP SP1). The FEK is then encrypted with the user's public key and stored in the file's $EFS attribute as a Data Decryption Field (DDF). The user's private key is held in the profile as a DPAPI blob whose master key is derived from the user's logon password, so the logon password is what ultimately unlocks the chain. If recovery agents are configured, the FEK is also encrypted with each agent's public key and stored in the same attribute as a Data Recovery Field (DRF). Microsoft calls the holder of such a key a "Recovery Agent" (Data Recovery Agent, DRA).
In Windows 2000 the local Administrator account is the default recovery agent on a standalone computer (the domain Administrator in a domain) and can decrypt all files encrypted with EFS.
From Windows XP onward a standalone computer has no default recovery agent; in a domain, recovery agents are assigned through Group Policy (Public Key Policies, Encrypting File System).
EFS can be combined with BitLocker if desired: BitLocker protects the whole volume at rest, and EFS adds per-user separation of files on top of it.
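The key chain described above can be followed on a live Windows host with the built-in cipher.exe and the certificate provider. The following PowerShell is an added example, not code from the original page or from Microsoft; it assumes an NTFS volume, an edition that includes EFS, and a demo folder under the current user's profile, and it must be run as the user whose files are being examined.

```powershell
# Added example (not from the original page): follow the EFS key chain on a live host.
# Assumptions: NTFS volume, EFS-capable edition, run as the file owner; $dir and the
# file contents are constructed for the demo.
$dir  = Join-Path $env:USERPROFILE 'efs-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$file = Join-Path $dir 'secret.txt'
Set-Content -Path $file -Value 'constructed sample data'

# 1. Encrypt a single file. On first use Windows generates the user's RSA key pair
#    and self-signed EFS certificate; the file itself gets its own random FEK.
cipher.exe /e $file | Out-Null
(Get-Item $file).Attributes -band [IO.FileAttributes]::Encrypted   # Encrypted

# 2. Who can open it: the DDF holders (users) and DRF holders (recovery agents)
#    recorded in the file's $EFS attribute, each identified by certificate thumbprint.
cipher.exe /c $file

# 3. The user's EFS certificate is the one in the personal store that carries the
#    EFS enhanced key usage (OID 1.3.6.1.4.1.311.10.3.4).
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.10.3.4' } |
    Select-Object Thumbprint, Subject, NotAfter

# 4. Its private key is not in the certificate store: it is a DPAPI blob in the
#    profile, unlocked by a master key derived from the user's logon password.
$sid = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
Get-ChildItem "$env:APPDATA\Microsoft\Crypto\RSA\$sid"          # private key container(s)
Get-ChildItem "$env:APPDATA\Microsoft\Protect\$sid" -Force     # DPAPI master keys (hidden)

# 5. Back up certificate + private key to a password-protected PFX, and generate a
#    recovery agent certificate that can then be assigned through policy.
#    Both commands prompt for a PFX password.
$backup = Join-Path $dir 'efs-backup'        # writes efs-backup.pfx
cipher.exe /x $backup
$agent  = Join-Path $dir 'recovery-agent'    # writes recovery-agent.cer and .pfx
cipher.exe "/r:$agent"
```

Step 2 is the check to run when a file will not open: if the only thumbprint listed belongs to a certificate that no longer exists in any profile and no recovery certificate is listed, the FEK cannot be recovered short of the attacks described in the next section. Step 5 is the countermeasure; the .cer from cipher /r is what gets imported into the EFS policy as a recovery agent.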
Recovering an EFS Key
Several tools can recover an EFS private key, and with it the encrypted files, when the user's key or password is not available. None of them breaks the file encryption itself: they work from the artifacts described above, either the DPAPI-protected private key and master key in the user's profile (which requires the user's logon password, obtained by brute force if necessary) or a recovery agent's key. A common cause of loss is an administrative password reset on a standalone computer: DPAPI cannot re-derive the master key from the new password, so the private key becomes unreadable unless it was backed up. Tools in this category include:
- EFS key from Passware;
- Advanced EFS Data Recovery from Elcomsoft (http://www.elcomsoft.com/aefsdr.html);
- EnCase Forensic (can perform a brute-force attack on the user's passphrase);
- WinHex Forensic (can also perform a brute-force attack on the user's password).
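Before any of these tools can be used, the examiner has to know which certificates can open the files and gather the material the tools work from. The following PowerShell is an added example, not code from the original page or from any of the vendors listed; it assumes an evidence image mounted read-only as a drive letter and an output folder, both of which are assumptions, and it decrypts nothing by itself.

```powershell
# Added example (not from the original page): triage EFS on a mounted evidence volume.
# Assumptions: $Evidence is a read-only mounted NTFS image, $Out is a writable folder.
$Evidence = 'E:'
$Out      = 'C:\cases\efs-triage'
New-Item -ItemType Directory -Path $Out -Force | Out-Null

# 1. Every EFS-encrypted file on the volume (the Encrypted attribute is set on the file).
$encrypted = Get-ChildItem -Path $Evidence -Recurse -File -Force -Attributes Encrypted -ErrorAction SilentlyContinue
$encrypted | Select-Object FullName, Length, LastWriteTime |
    Export-Csv (Join-Path $Out 'encrypted-files.csv') -NoTypeInformation

# 2. Which certificate thumbprints (DDF = users, DRF = recovery agents) can decrypt each
#    file. cipher /c prints "Certificate thumbprint: XXXX XXXX ..." lines; the set of
#    thumbprints is the list of keys that have to be recovered.
$needed = foreach ($f in $encrypted) {
    $lines = cipher.exe /c $f.FullName 2>$null
    foreach ($m in ($lines | Select-String -Pattern 'thumbprint:\s*([0-9A-Fa-f ]+)')) {
        [pscustomobject]@{
            File       = $f.FullName
            Thumbprint = ($m.Matches[0].Groups[1].Value -replace ' ', '')
        }
    }
}
$needed | Export-Csv (Join-Path $Out 'thumbprints-per-file.csv') -NoTypeInformation
$needed | Group-Object Thumbprint | Select-Object Name, Count | Format-Table -AutoSize

# 3. Per user profile, collect what the recovery tools need: the EFS certificate, the
#    DPAPI-protected RSA private key, and the DPAPI master keys. The master key is
#    derived from the logon password, so the SAM and SYSTEM hives are collected too
#    for password cracking. Master key files are hidden, hence -Force.
Get-ChildItem (Join-Path $Evidence 'Users') -Directory | ForEach-Object {
    $appdata = Join-Path $_.FullName 'AppData\Roaming\Microsoft'
    $dest    = Join-Path $Out $_.Name
    foreach ($sub in 'SystemCertificates\My\Certificates', 'Crypto\RSA', 'Protect') {
        $src = Join-Path $appdata $sub
        if (Test-Path $src) {
            Copy-Item $src -Destination (Join-Path $dest $sub) -Recurse -Force
        }
    }
}
Copy-Item (Join-Path $Evidence 'Windows\System32\config\SAM'),
          (Join-Path $Evidence 'Windows\System32\config\SYSTEM') -Destination $Out -Force
```

The thumbprint table from step 2 tells you whether a recovery agent certificate is present at all; if it is, recovering the agent's PFX from the organization is usually far cheaper than cracking a user's password. Profiles from Windows 2000 and XP keep the same folders under Documents and Settings\<user>\Application Data\Microsoft rather than Users\<user>\AppData\Roaming\Microsoft, so adjust the path for older images.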