EFS on SBS2K3 & WinXP

A couple of weeks ago I decided to start playing around with the Encrypting File System (EFS) that Microsoft provides with W2K and WinXP. I am not sure whether I got the idea from Susan Bradley's post, "The Case of the Stolen ….well anything!". She wrote her post in response to a Microsoft article on encryption she had recently read, The Case of the Stolen Laptop: Mitigating the Threats of Equipment Theft (TechNet Column, Security Management, February 2005). Until I started playing with EFS I avoided it like the plague because I did not see a business use for me and the risks from a mistake could be severe. When I finally realized that it is probably the best and easiest strategy for protecting sensitive data on both laptops and desktops, I bought in. The desktop benefits eluded me for a long time. The additional benefit of encryption in tightening the security around current access is subtle but straightforward. Even more subtle is the long-term benefit of avoiding future unintended access when you want to dispose of or reuse a disk drive, or if the equipment is stolen. Now that I had settled in my mind that it was a good practice, I had to figure out how to get from here to there.

After my initial testing I was pretty happy with the results. Encryption and decryption were transparent. About a week later I decided I should back up the file recovery certificate and file recovery agent certificate, and that's when I found a couple of problems. The recovery agent could not be backed up properly. Things had gotten mucked up when I had said no to installing Certificate Services during the SBS2K3 setup. Since I am paranoid about really making a mess with encryption:

  1. I decrypted all my folders and files.
  2. Installed certificate services.
  3. Installed a new certificate for the Administrator and the recovery agent for the domain.
  4. Installed a new certificate for my workstation.
  5. Deleted the old certificates for the administrator and my workstation.
  6. Rebooted.

I found that I needed EFSinfo.exe to verify the EFS setup, so I installed the WinXP Support Tools. Everything seems to be working and I have backups of the recovery certificates. Nothing has really changed when you look at or use the encrypted folders and files in Explorer. You need EFSinfo to see the changes, but I now have a warm, fuzzy feeling that I can recover files in case of a disaster.
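The decrypt / re-issue / re-encrypt / verify sequence from the numbered list above, together with the certificate backups and the EFSinfo check, collected as a cmd batch script. This is an added example and not from the original post or from Microsoft; it assumes Windows XP SP2 or Server 2003 with the Support Tools (efsinfo.exe) installed, a domain whose EFS policy already carries the recovery agent certificate (issued from Certificate Services, as in the list above, or generated with cipher /r as shown in the optional step), and placeholder paths (SENSITIVE, BACKUP) with no spaces in them. Installing Certificate Services and assigning the recovery agent in Group Policy are done in the GUI and are not part of the script.

```batch
@echo off
rem Added example (not the post's own commands). Run as the user who owns
rem the encrypted data, on XP SP2 / Server 2003 with the Support Tools.
setlocal
set SENSITIVE=C:\Data\Sensitive
set BACKUP=C:\EFSBackup
if not exist %BACKUP% mkdir %BACKUP%

rem Step 1 of the post: decrypt everything so nothing stays bound to the
rem old certificates. /s:dir recurses, /a operates on files as well as folders.
cipher /d /s:%SENSITIVE% /a

rem Show the thumbprint of the EFS certificate this user will encrypt with
rem from now on. If this is still the old one, the new cert was not picked up.
efsinfo /y

rem Step 4 equivalent: re-encrypt with the new certificate. Without /a only
rem the folder flag is set and existing files would stay in the clear.
cipher /e /s:%SENSITIVE% /a

rem Verification (what the post used EFSinfo for): /u lists the users who can
rem open each file, /r the recovery agents, /c the certificate thumbprints.
rem Every file must list the domain recovery agent, not only the user.
efsinfo /u /r /c /s:%SENSITIVE%

rem Back up the user's EFS certificate and private key to a password-
rem protected PFX (cipher prompts for the password). Writes %USERNAME%-efs.pfx.
cipher /x %BACKUP%\%USERNAME%-efs

rem Optional: create a recovery agent certificate and key pair without
rem Certificate Services. Produces efs-recovery-agent.cer (import into the
rem domain EFS policy) and efs-recovery-agent.pfx (keep offline, never on
rem the machines it protects).
cipher /r:%BACKUP%\efs-recovery-agent

rem Had the files NOT been decrypted first, "cipher /u" (without /n) would
rem re-stamp every encrypted file on local drives with the current user key
rem and recovery agent. With /n it only lists the encrypted files, which is
rem a cheap way to make sure nothing was missed.
cipher /u /n

rem Confirm what is actually in the personal certificate store.
certutil -user -store My
endlocal
```

If efsinfo shows a file whose recovery agent is the old, deleted certificate, that file can no longer be recovered by the domain agent; decrypt it with the owning user's key and re-encrypt it before the old key is gone for good. Keep the recovery agent .pfx on removable media in a safe, not in the encrypted folder it is meant to rescue.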