Tips and Tricks

Encryption All Around

With Windows 2003, you can use the Encryption File Systems to give multiple users access to the same encrypted files.

• By Derek Melber
• 01/01/2005

First introduced with Win2K, EFS encrypts files as they're stored on desktops and servers throughout the enterprise. EFS uses a symmetric key, called the File Encryption Key (FEK), to encrypt the data portion of a file. The FEK is then encrypted using an EFS public key issued to the person who encrypted the file—the requestor. The requestor's copy of the FEK is stored along with the file in an NTFS-named data stream called the Data Decryption Field (DDF). An encrypted file has one and only one DDF.

If a Data Recovery Agent (DRA) is configured at the computer where the encrypted file resides, an additional copy of the FEK is encrypted using the File Recovery (FR) public key issued to the DRA. The DRA's copy of the FEK is stored along with the file in an NTFS-named data stream called the Data Recovery Field (DRF). A computer can have multiple DRAs, so there can be more than one DRF per encrypted file.

With Win2K, if no DRA is configured, encryption fails. With Windows XP and Windows 2003, no DRA is required for encryption to succeed. Therefore, it's possible for an encrypted file on an XP or Windows 2003 computer to have no DRF.

Best practice dictates that encryption be enabled at the folder level so that all new files created under the folder and its subfolders get encrypted as they are created. This avoids leaving clear-text temp files on the drive. However, giving multiple users access to an encrypted file requires configuring each individual file.

To enable additional users to access an encrypted file, each user's public key must be available at the local computer. The best way to organize and store these public keys is through Active Directory. Otherwise, you'd need to enable any user who needs your public key to be able to log on to your computer—not a palatable solution.

After you get all of the certificates for encrypting files into AD, go to the encrypted file that you want to make available to multiple users and follow these steps:

1. Go to the Properties of the file

2. Select the Advanced button on the General tab

3. Select the Details button on the Advanced Attributes screen

4. Select the Add button under the User Name text area

5. Select the certificates for each user that needs access and select the OK button. At this point, only certificates in the local repository are listed. To pull certificates from AD, you'll need to click Find User and search for the user in AD.

Once you've added multiple user certificates to the file, you'll be able to view who has access to the encrypted file, as shown in Figure 1.

Figure 1. The Details of the encrypted file indicates which users have access. (Click image to view larger version.)

If this sounds like a lot of work to provide multi-user access to encrypted files, keep in mind that you'll typically only use encryption for a few highly sensitive files. Also keep in mind that users who have the proper permission to the encrypted files will have the ability to control the list of users who have access to those files.