First published on TECHNET on Oct 28, 2011

I am often asked when talking to my customers about the differences between Key Recovery and Data Recovery for encrypted files, in addition to which method to use. As a result, this blog will focus on both areas, explaining the differences and best practices.

Both methods can easily be understood after understanding the Encrypting File System (EFS) process in a domain environment, including certificate enrollment and file encryption.

When a user attempts to encrypt a file without having an EFS certificate, the following process takes place:

1. The user's registry (HKLM\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys\CertificateHash) is queried for an encryption certificate.
2. If there isn't a default certificate, the user store is queried for any viable certificate with the Encrypting File System object identifier (OID 1.3.6.1.4.1.311.10.3.4).
3. If there isn't a viable encryption certificate, the user requests an Encrypting File System certificate based on the BasicEFS template from an Enterprise CA, or any other template superseding it.
4. If the BasicEFS template is not available at any Enterprise CA, and no other template for EFS is available, the computer generates a self-signed EFS certificate.

Note: I am not a big fan of self-signed certificates, especially when there are Enterprise Issuing CAs in a given Active Directory forest. As a result, I recommend disabling the machine's ability to generate an EFS self-signed certificate using the hotfix for Windows XP or Windows Server 2003. Windows Server 2008 and Windows 7 have a Group Policy setting which can disable the generation of an EFS self-signed certificate simply by unchecking the option "Allow EFS to generate self-signed certificates when a certification authority is not available."

Once the user has a valid Encrypting File System (EFS) certificate, they can encrypt their files and folders following this process:

1. The user's computer generates a random symmetric encryption key called the File Encryption Key (FEK).
2. The computer retrieves the user's Encrypting File System (EFS) certificate from the user store and obtains the user's public key.
3. The FEK created in step 1 is encrypted with the user's public key obtained in step 2.

For more information about EFS encryption, refer to How EFS Works on TechNet.

Why Should I Implement Any Recovery Method?

An organization's security policy typically lists the following reasons for allowing data or key recovery:

- When an encryption private key is stored in a user's profile folder, the private key is lost if anyone deletes that specific profile. Many organizations use profile deletion to fix problems with user logon. For example, if the desktop fails or takes a long time to appear, many organizations prescribe deleting the user's profile and generating a new profile. This results in deletion of the user's private key material.
- The corruption of a hard disk can cause users to lose access to their profiles.
- When the operating system is reinstalled, access to the previous user profiles is lost, including any private keys stored in the user's profile. This can mean a total loss of access, or loss of access to the private key material within the user profile.
- When a computer is stolen or lost, access to the private key material in the user profile is lost or compromised.
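As an added example (not code from the original post), the following PowerShell walks the certificate selection order described above from the administrator's side: it reads the certificate EFS is currently using, lists every certificate in the user store that carries the EFS EKU OID, and flags self-signed ones, which indicate the fallback the post recommends disabling. It assumes the CertificateHash value is read from the current user's hive (HKCU) and holds the SHA-1 thumbprint of the active certificate; the Subject-equals-Issuer test for self-signed certificates is a heuristic.

```powershell
# Added example, not part of the original post. Reports the EFS-capable
# certificates in the current user's personal store, marks the one EFS is
# currently using, and flags self-signed ones (the step-4 fallback).
# Assumption: CurrentKeys\CertificateHash lives in the current user's hive
# (HKCU) and holds the SHA-1 thumbprint of the active certificate.
$EfsEkuOid   = '1.3.6.1.4.1.311.10.3.4'
$CurrentKeys = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys'

function Get-EfsCertificateReport {
    # Step 1 of the selection process: the certificate EFS last used, if any.
    $hash = (Get-ItemProperty -Path $CurrentKeys -Name CertificateHash `
             -ErrorAction SilentlyContinue).CertificateHash
    $activeThumb = if ($hash) { ($hash | ForEach-Object { $_.ToString('X2') }) -join '' }

    # Step 2: every certificate in the user store with the EFS EKU is a candidate.
    Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
        $cert = $_
        $hasEfsEku = $false
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                foreach ($oid in $ext.EnhancedKeyUsages) {
                    if ($oid.Value -eq $EfsEkuOid) { $hasEfsEku = $true }
                }
            }
        }
        if (-not $hasEfsEku) { return }   # 'return' skips this pipeline item only

        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            HasPrivateKey = $cert.HasPrivateKey               # without it the FEK cannot be unwrapped
            SelfSigned    = ($cert.Subject -eq $cert.Issuer)  # heuristic for the step-4 fallback
            ActiveForEfs  = ($cert.Thumbprint -eq $activeThumb)
            NotAfter      = $cert.NotAfter
        }
    }
}

Get-EfsCertificateReport | Format-Table -AutoSize
```

A row with SelfSigned set to True and ActiveForEfs set to True means files are being encrypted under a key no enterprise CA issued, so neither CA-based key archival nor a centrally managed recovery policy applies to it.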