Encrypting File System | Microsoft Docs

Encrypting File System

07/02/2012 • 10 minutes to read

In this article
What does EFS do?
Who will be interested in this feature?
Are there any special considerations?
What new functionality does this feature provide?
What settings have been added or changed?
Do I need to change any existing code?
How should I prepare to deploy this feature?
Is this feature available in all editions of Windows Server 2008?
Additional references

Applies To: Windows Server 2008
Encrypting File System (EFS) is a powerful tool for encrypting files and folders on client computers and remote file servers. It enables users to protect their data from unauthorized access by other users or external attackers.

What does EFS do?
EFS is useful for user-level file and folder encryption. EFS was first introduced in the Microsoft® Windows® 2000 operating system, and has been enhanced in subsequent releases of the operating system.

Who will be interested in this feature?
The following groups might be interested in EFS:
- Administrators, IT security professionals, and compliance officers who are tasked with ensuring that confidential data is not disclosed without authorization.
- Administrators responsible for servers or Windows Vista® client computers that are portable.
- Users who share computers and work with confidential information.

Are there any special considerations?
Before implementing EFS, administrators should plan for recovery of information in the event that keys or certificates are lost. EFS supports a robust recovery mechanism, which includes three major changes in this release of Windows:
- Key Recovery Agent (KRA) changes.
- The Data Recovery Agent (DRA) can now be on a smart card, which eliminates the need for an offline recovery station and makes remote recovery possible.
These first two items are both important changes for the administrator.
- The ntbackup tool is no longer included in the operating system. Instead, the Robocopy utility has been added to Windows Server® 2008 and can copy EFS-encrypted files without needing the decryption key. (Copies made in this way remain encrypted.) Windows Backup supports backup of EFS files in Windows Server 2008.
All of these changes can significantly change the deployment plan for EFS.
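As an added example that is not part of the Microsoft article, the following PowerShell script shows the backup behaviour described above: Robocopy's raw-EFS mode copies encrypted files without the owner's private key, and a check afterwards confirms that the copies are still encrypted. The source and destination paths are assumptions; /EFSRAW and the other switches are standard Robocopy options.

```powershell
# Added example, not from the Microsoft page. Source and destination paths are assumptions.
$Source      = 'D:\Data\Confidential'
$Destination = 'E:\Backup\Confidential'

# /EFSRAW copies encrypted files in EFS RAW mode: the account running the backup
# never needs the owner's private key, and the copy stays encrypted on disk.
# /E           copy subdirectories, including empty ones
# /COPY:DATSO  copy data, attributes, timestamps, NTFS security and owner
# /R:1 /W:1    retry once and wait one second, instead of the large defaults
robocopy $Source $Destination /E /EFSRAW /COPY:DATSO /R:1 /W:1 /NP /LOG:"$env:TEMP\efs-backup.log"

# Robocopy exit codes 0-7 are success conditions (1 = files copied); 8 and above mean failures.
if ($LASTEXITCODE -ge 8) {
    throw "Robocopy reported failures (exit code $LASTEXITCODE); see $env:TEMP\efs-backup.log"
}

# Verify: every file encrypted at the source must still carry the Encrypted attribute in the copy.
$encrypted = [System.IO.FileAttributes]::Encrypted
$results = Get-ChildItem -LiteralPath $Source -Recurse -File |
    Where-Object { ($_.Attributes -band $encrypted) -eq $encrypted } |
    ForEach-Object {
        $relative = $_.FullName.Substring($Source.Length).TrimStart('\')
        $copy     = Get-Item -LiteralPath (Join-Path $Destination $relative) -ErrorAction SilentlyContinue
        [pscustomobject]@{
            File           = $relative
            CopyExists     = ($null -ne $copy)
            StillEncrypted = ($null -ne $copy) -and (($copy.Attributes -band $encrypted) -eq $encrypted)
        }
    }

$results | Format-Table -AutoSize

# A row with StillEncrypted = False means the copy would be readable without the EFS key.
$bad = @($results | Where-Object { -not $_.StillEncrypted })
if ($bad.Count -gt 0) { Write-Warning "$($bad.Count) encrypted file(s) were not preserved as encrypted." }
```

The destination must be an NTFS volume, because only NTFS can hold the raw EFS stream; copying to FAT or to a non-NTFS share is where the "still encrypted" check typically fails.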
What new functionality does this feature provide?
Several important enhancements to EFS are provided in Windows Server® 2008. These include the ability to store encryption certificates on smart cards, per-user encryption of files in the client-side cache, additional Group Policy options, and a new rekeying wizard.

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc749610(v=ws.10)?redirectedfrom=MSDN
Patent Owner, Bot M8 LLC - Ex. 2040, p. 1
1/17/2021

Smart card key storage
EFS encryption keys and certificates can be stored on smart cards, providing stronger protection for the encryption keys. This can be especially valuable to help protect portable computers or shared workstations. Using smart cards to store encryption keys may also provide ways to improve key management in large enterprises.

Why is this functionality important?
Using a smart card to store the EFS keys keeps those keys off the hard disk of the computer. This increases the security of those keys because they cannot be attacked by another user or by someone who steals the computer.

What works differently?
In Windows Server 2008 and Windows Vista, EFS supports the storage of users’ private keys on smart cards.

Key caching
Using Group Policy settings, you can configure EFS to store private keys on smart cards in non-cached or cached mode.
- Non-cached mode. Similar to the traditional way EFS works, all decryption operations requiring the user’s private key are performed on the smart card.
- Cached mode. A symmetric key is derived from the user’s private key and cached in protected memory. Encryption and decryption operations involving the user’s key are then replaced with the corresponding symmetric cryptographic operations using this derived key. This eliminates the need to keep the smart card inserted at all times or to use the smart card processor for every decryption, and therefore provides a significant increase in performance.
EFS also provides policies to enforce “smart card required” and to control the parameters and caching behavior of users’ keys.

Smart card single sign-on
Smart card single sign-on (SSO) is triggered whenever the user logs on with a smart card and one of the following conditions is true:
- The user does not have a valid EFS encryption key on the computer, and smart cards are required for EFS by policy settings.
- The user has a valid EFS encryption key that resides on the smart card used for logon.
When SSO is triggered, EFS caches the personal identification number (PIN) entered by the user at logon and uses it for EFS operations as well. Thus the user does not see any PIN prompts from EFS during the session.
If the smart card used for logon is removed from the smart card reader before any encryption operations are performed, SSO is disabled. The user will be prompted for a smart card and PIN at the first EFS operation.

How should I prepare for this change?
To prepare to use smart cards to store EFS certificates, you should examine your existing public key infrastructure (PKI) implementation and include planning for EFS certificates in your PKI. If your organization does not have a PKI in place, you cannot use smart cards to store EFS certificates.

Per-user encryption of offline files
Offline copies of files from remote servers can also be encrypted by using EFS. When this option is enabled, each file in the offline cache is encrypted with a public key from the user who cached the file. Thus, only that user has access to the file, and even local administrators cannot read the file without having access to the user's private keys.

Important
If multiple users share a computer and more than one user tries to use an encrypted, cached copy of a particular file, only the first user to cache the file can access the offline copy of the file.

Why is this functionality important?
Security is enhanced by the addition of per-user encryption. Previously, any user of the computer could potentially gain access to any file in the offline cache.

What works differently?
In the past, the encryption was done by using system keys; thus, one user could read the offline files of another user. This situation no longer exists because the encryption is performed with each user's own public key.

How should I prepare for this change?
Familiarize yourself with the new EFS settings and choose the options that meet your company's specific security needs.

Increased configurability of EFS through Group Policy
EFS protection policies can be centrally controlled and configured for the entire enterprise by using Group Policy.
A number of new Group Policy options have been added to help administrators define and implement organizational policies for EFS. These include the ability to require smart cards for EFS, enforce page file encryption, stipulate minimum key lengths for EFS, enforce encryption of the user’s Documents folder, and prohibit self-signed certificates.

Why is this functionality important?
Increased configurability improves the efficiency of administrators by enabling them to configure and control EFS policies on an enterprise scale.

What works differently?
Additional settings enhance the effectiveness of Group Policy. To find out more, see What settings have been added or changed? later in this topic.

How should I prepare for this change?
Familiarize yourself with the new EFS settings in Group Policy and choose the options that meet your company's specific security needs.

Encrypting File System rekeying wizard
The Encrypting File System rekeying wizard allows the user to choose a certificate for EFS and to select and migrate existing files so that they use the newly chosen certificate. It can also be used to migrate users in existing installations from software certificates to smart cards. The wizard can also be used by an administrator or by users themselves in recovery situations. It is more efficient than decrypting and re-encrypting files.

Why is this functionality important?
The wizard provides a streamlined, step-by-step process to choose certificates or migrate files.

What works differently?
Files are not automatically re-encrypted whenever they are opened or updated. The wizard provides the user with a high degree of flexibility.

How should I prepare for this change?
On a test computer, click Start. In the Start Search box, type rekeywiz, and then press ENTER. This starts the Encrypting File System rekeying wizard and allows you to become familiar with its operation.

What settings have been added or changed?
In this release of Windows Server 2008, additional EFS options can be managed with Group Policy. The Group Policy settings listed in the following table are available in administrative templates.

This table provides a simple description for each setting. For more information about a specific setting, see the Explain tab of each setting in the Group Policy Management Console (GPMC).

Template and setting: GroupPolicy.admx—EFS recovery policy processing
Path and description: Computer Configuration\Administrative Templates\System\Group Policy—Determines when encryption policies are updated.
Default: Not configured

Template and setting: EncryptFilesonMove.admx—Do not automatically encrypt files moved to encrypted folders
Path and description: Computer Configuration\Administrative Templates\System\—Prevents Windows Explorer from encrypting files that are moved to an encrypted folder.
Default: Not configured

Template and setting: OfflineFiles.admx—Encrypt the Offline Files cache
Path and description: Computer Configuration\Administrative Templates\Network\Offline Files\—This setting determines whether offline files are encrypted.
Note: In Windows XP these files are encrypted with the system key, whereas in Windows Server 2008 they are encrypted with the user’s key.
Default: Not configured

Template and setting: Search.admx—Allow indexing of encrypted files
Path and description: Computer Configuration\Administrative Templates\Windows Components\Search\—This setting allows encrypted items to be indexed by Windows Search.
Note: There might be data security issues if encrypted files are indexed and the index is not adequately protected by EFS or another means.
Default: Not configured

You can also use the GPMC or the Local Group Policy Editor (secpol.msc) to configure the following EFS options. To view or change these options, expand the Public Key Policies node, right-click Encrypting File System, and then click Properties.
On the General tab, you can configure general options and certificate options. The following general options are available:

Option: File encryption using Encrypting File System (EFS)
Notes: If set to Don't allow, EFS cannot be used on this computer. If set to Allow or Not defined, EFS can be used on this computer.
Default: Not defined

Option: Encrypt the contents of the user's Documents folder
Notes: If enabled, the Documents folder of all users on this computer will automatically be encrypted with EFS.
Default: Disabled

Option: Require a smart card for EFS
Notes: If enabled, software certificates cannot be used for EFS.
Default: Disabled

Option: Create caching-capable user key from smart card
Notes: If enabled, the first time a smart card is required for EFS during a user's session, a cached version of the required keys is made, as described earlier in this topic. If disabled, a smart card must be inserted whenever encrypting or decrypting a file protected with a certificate on the smart card.
Default: Enabled

Option: Enable pagefile encryption
Notes: If enabled, the Windows memory paging file will be encrypted with EFS.
Default: Disabled

Option: Display key backup notifications when user key is created or changed
Notes: If enabled, users will be prompted to back up their EFS keys for recovery whenever a new key is created or a key is changed.
Default: Domain-joined: Disabled. Workgroup or Stand-Alone: Enabled

In the certificates section, the following options are available:

Option: Allow EFS to generate self-signed certificates when a certification authority is not available
Notes: If disabled, users will not be able to use EFS, except with certificates from a certification authority.
Default: Enabled

Option: Key size for self-signed certificates
Notes: You can select 1024, 2048, 4096, 8192 or 16384 bit keys. Long key sizes increase security but might decrease performance.
Default: 2048

Option: EFS template for automatic certificate requests
Notes: This is the name of the certificate template used to request an EFS certificate from a certification authority.
Default: Basic EFS

Note
All EFS templates in Windows Server 2008, both for user and recovery, as well as self-signed EFS certificates, now specify a 2048-bit key length by default.

On the Cache tab you can adjust the behavior of the EFS certificate cache. For more information about caching in EFS, click the Learn more about EFS caching link on the Cache tab.
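As an added example that is not part of the Microsoft article, the following PowerShell reads back the local state that several of the settings above govern (EFS allowed or not, pagefile encryption, the user's EFS certificates and their key sizes against the 2048-bit default), so an administrator can verify what actually applied on a computer. The EfsConfiguration registry value, the fsutil query, the EFS enhanced key usage OID and the cipher switches are real; the function name Get-EfsState and the file path at the end are assumptions.

```powershell
# Added example, not from the Microsoft page. Get-EfsState is a name chosen here.
# Run in an elevated PowerShell session: fsutil requires administrator rights.
function Get-EfsState {
    # "File encryption using EFS: Don't allow" disables EFS machine-wide; the
    # resulting state is visible as EfsConfiguration = 1 under this key.
    $efsKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'
    $cfg = Get-ItemProperty -Path $efsKey -Name EfsConfiguration -ErrorAction SilentlyContinue

    # "Enable pagefile encryption" is reflected in the EncryptPagingFile file-system behavior.
    $pagefile = (fsutil behavior query EncryptPagingFile) -join ' '

    # The user's EFS certificates: those whose Enhanced Key Usage includes the
    # Encrypting File System OID (1.3.6.1.4.1.311.10.3.4).
    $efsEku = '1.3.6.1.4.1.311.10.3.4'
    $certs = Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $efsEku } |
        ForEach-Object {
            $keySize = $_.PublicKey.Key.KeySize
            [pscustomobject]@{
                Subject      = $_.Subject
                Thumbprint   = $_.Thumbprint
                NotAfter     = $_.NotAfter
                KeySize      = $keySize
                SelfSigned   = ($_.Subject -eq $_.Issuer)   # what "prohibit self-signed certificates" targets
                BelowDefault = ($keySize -lt 2048)          # shorter than this release's 2048-bit default
            }
        }

    [pscustomobject]@{
        EfsDisabledLocally   = ($cfg.EfsConfiguration -eq 1)
        PagefileEncryption   = $pagefile
        CurrentEfsThumbprint = (cipher /y) -join ' '   # cipher /y prints the thumbprint of the key EFS uses now
        EfsCertificates      = $certs
    }
}

$state = Get-EfsState
$state | Format-List EfsDisabledLocally, PagefileEncryption, CurrentEfsThumbprint
$state.EfsCertificates | Format-Table -AutoSize

# cipher /c lists the users and recovery agents that can open a given encrypted file,
# which is how you confirm the designated recovery agent is actually on the file.
# The path is an assumption.
cipher /c 'D:\Data\Confidential\report.docx'
```

Running this on a representative client before and after the Group Policy change, and keeping the output, gives a simple record that the intended EFS settings applied and that no user is still encrypting with a key shorter than the default.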
Do I need to change any existing code?
No change to existing code is required for EFS.

How should I prepare to deploy this feature?
Prior to enabling EFS, you should consider the following:
- Establish a designated recovery agent and a recovery process.
- Review the new EFS settings and determine which configurations are best for your specific security requirements.

Is this feature available in all editions of Windows Server 2008?
EFS is an integral part of the file system in all editions of Windows Server 2008, with no difference in functionality among editions. EFS is available on 32-bit and 64-bit platforms.
EFS is available in Windows Vista® Business, Windows Vista® Enterprise, and Windows Vista® Ultimate, and can help significantly in protecting data stored on client computers, particularly portable ones.

Additional references
For additional information about EFS, see Encrypting File System in Windows XP and Windows Server 2003 (https://go.microsoft.com/fwlink/?LinkID=85746).
For additional information about protecting data with Microsoft encryption technologies, see Data Encryption Toolkit for Mobile PCs (https://go.microsoft.com/fwlink/?LinkID=85982).