Encrypting File System

Encrypting File System (EFS) allows you to encrypt and decrypt files and directories transparently. Like its predecessor, Windows 7 supports EFS and it is very simple to apply. By just marking a directory to use EFS, any file created in that directory is encrypted.

It is also possible to encrypt single files, but one needs to understand that although a file is encrypted, it is common for applications to create temporary files while manipulating the file in question. This means that the file originally marked for encryption, has temporary copies that are not encrypted. Temporary files may contain sensitive data which may be exposed to unauthorized access or compromised by hackers. In fact, to make sure that the data is protected it is better to encrypt the entire directory.

Briefly, when a user implements EFS, the system generates a random file encryption key and stores that key by encrypting it using the user’s encryption key. This key is protected using the Data Protection API (DPAPI) in Windows, and the key used by DPAPI is derived from the user’s password. The process of allowing a new user to access an EFS-encrypted file is simple, too. The file encryption key is encrypted with the user’s key, and it is stored alongside the other user keys in the file metadata. EFS also supports the concept of a file recovery agent, a special capability to decrypt files if, for some reason the user’s lose their EFS keys.

For a demonstration how to configure and use the Encrypting File System (EFS) in Windows 7 from encrypting a file and to provide user access to the file go here – http://technet.microsoft.com/en-us/windows/how-do-i-get-started-with-the-encrypting-file-system-in-windows-7.aspx