An Overview of Encrypting File Systems | EFS

 

In this blog explain The Encrypting File System | EFS is a feature of the Windows 2000 operating system that lets any file or folder be stored in encrypted form and decrypted only by an individual user and an authorized recovery agent.

To protect files from mishandling and to ensure their security, the system should encrypt them. NTFS has Encrypting File System (EFS) as built-in feature. Encryption in file systems uses symmetric key encryption technology with public key technology for encryption. The user gets a digital certificate with a public key and private key pair. A private key is not applicable for the users logged on to the local systems; instead the system uses an EFS key to set the key for local users.

Also Read : New Technology File System (NTFS) – an Overview

This encryption technology maintains a level of transparency to the users, who have encrypted the file. There is no need for users to decrypt the file when they access it to make changes. Again, after the user has completed working on a file, the systems will save the changes and restore the encryption policy automatically. When any unauthorized user tries to access the encrypted file, he or she receives an “Access denied” message.

To enable encryption and decryption facilities in a Windows NT—based operating system, the user has to set the encryption attributes to files and folders that he or she wants to encrypt or decrypt.

The system automatically encrypts all the files and subfolders present in a folder. To take the best advantage of the encryption capability, experts recommend that the system should have encryption at the folder level. That means a folder should not contain encrypted files along with unencrypted files.

The users can manually encrypt the files using the graphical user interface (GUI) in Windows, or by the use of a command line tool like Cipher to encrypt a file or folder or using Windows Explorer and selecting proper options available in the menu.

Encrypting a file, as NTFS protects files from unauthorized access and ensures a high level of security, is important to the files present in the system. The system issues a file encryption certificate whenever a user encrypts a file. If the person loses that certificate and related private key (through a disk or any other reason), he or she can perform data recovery through the recovery key agent.

In a Windows 2000 server—based network, which maintains Active Directory, the domain administrator is the recovery agent by default. There is an advance preparation of recovery for the files even before the user or system encrypts them. The recovery agent holds a special certificate and related private key, which helps in data recovery, giving a scope of influence of the recovery policy supported by new versions of Windows.

Components of EFS

EFS Service

EFS service, which is part of the security subsystem, acts as an interface with the Encrypting File Systems driver by using local procedure call (LPC) communication port between the Local Security Authority (LSA) and the kernel-mode security reference monitor. It also acts as interface with CryptoAPI in user mode in order to derive file encryption keys to generate data decryption fields (DDFs) and data recovery fields (DRFs). This service also supports Win32 APIs.

The EFS service uses CryptoAPI to extract the file encryption key (FEK) for a data file, uses it to encode the FEK and produce the DDF.

Related Product : Computer Hacking Forensic Investigator | CHFI

EFS Driver

The EFS driver is a file system filter driver stacked on top of NTFS. It connects with the EFS service to obtain file encryption keys, DDFs, DRFs, and other key management services. it sends this information to the EFS FSRTL to perform file system functions, such as open, read, write, and append.

CryptoAPI

CryptoAPI contains a set of functions that allow application developers to encrypt their Win 32 as the functions allow applications to encrypt or digitally sign data and also offer security for private key data. it supports public key and symmetric-key operations such as generation, management and secure storage, exchange, encryption, decryption, hashing, digital signatures, and verification of signatures.

EFS FSRTL

The EFS FSRTL is part of EFS driver that implements NTFS callouts to handle various file system operations such as reads, writes, and opens on encrypted files and directories, and operations to encrypt, decrypt, and recover file data when the system writes it to or reads it from disk. The EFS driver and FSRTL act as single component, but never communicate directly. They communicate by using the NTFS file control callout mechanism for sending messages to each other.

Read More : https://info-savvy.com/an-overview-of-encrypting-file-systems-efs/

-------------------------------------------------------------------------------------------------------------------------------------

This Blog Article is posted by

Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092

Contact us – www.info-savvy.com


Comments

Popular posts from this blog

10 Secrets You Will Never Know About Cyber Security And Its Important

ISO 27001 Annex : A.5 Information Security Policies

Impact Of ISO 27001 Lead Auditor