What the User Sees

EFS might take a long time to run the first time you use it. In the first encryption operation, EFS must also check whether the user has a valid EFS user certificate, containing the user's public key. If the user does not have a valid EFS user certificate, EFS requests the certificate from an enterprise certification authority (CA) if one is available online or, if a CA is not available, it creates one for the user. After this is done, as long as the certificate is valid, the process does not need to be repeated for the same user and EFS then works much faster.

The following sections provide user scenarios that demonstrate how EFS works.

Finding and Accessing an Encrypted File

Encryption is an attribute of a file or folder, so to see whether a file or folder is already encrypted, examine its attributes. The Large Icons and Small Icons view in Windows Explorer display the attributes of a selected folder to the left of the file or folder icon. In Figure 15.1, the screen shows you that the file Floppyres.txt is encrypted.


Figure 15.1 Large Icons View in Windows Explorer

The Details view in Windows Explorer can also show attributes; E in the attributes column means that the file is encrypted. You can configure Windows Explorer to display not only the E attribute, but also file ownership — so you know whether it is one of yours and whether you can open it. Figure 15.2 shows an example of this.


Figure 15.2 Details View in Windows Explorer

You can also change which fields are displayed in the Contents pane. To do this, right-click any of the column headings in the Contents pane. This displays a menu with the names of available fields. Fields that are currently displayed have a check mark by them. Click a field to display it or to remove it from the display.

In Figure 15.2, the Attributes column for the file Permiss1.txt displays AE to indicate that the file has the archive attribute on ( A ) and the encryption attribute on. Only encrypted files have E in the Attributes column.

Because EFS encryption is transparent, you can use an encrypted file in the same way that you did before it was encrypted. For example, you can still open a Microsoft® Word or Notepad document and modify it. Any other user who is trying to open this file gets an "Access denied" error message.


Windows 2000 identifies users by their account names, including the server name. For example, if Alice encrypts a file on her domain account, Wonderland\Alice, she can use the file only when she is logged on to the domain. If she tries to open the file while she is logged on to her local account, MyLaptop\Alice, access is denied.

Encrypting a File or Folder

Because encryption is an attribute, you must have write permission to encrypt a file or folder. But even if you have write permission, you cannot encrypt files or folders in the systemroot folder (for example, C:\WinNT\Notepad.exe or C:\WinNT\System32). You also cannot encrypt files or folders that have their system attribute set. If these types of files and folders could be encrypted, it might render the system useless. This is because many of these files are needed for the system to start up, and decryption keys are not available during the startup process to decrypt them. If you attempt to encrypt a file or folder in the systemroot folder or that has its system attributes set, the encryption attempt fails and an error message appears.

Encrypting at the folder level is recommended. There are two ways to accomplish this: from Windows Explorer, or from a command prompt, using the cipher command. You can also encrypt individual files by using cipher or Windows Explorer.

Encrypting a Folder by Using Windows Explorer

To encrypt a folder, select it in Windows Explorer, and then click File , click Properties , click the General tab , and then click Advanced. (For more information about encrypting a folder, see Microsoft® Windows® 2000 Server Help or Microsoft® Windows® 2000 Professional Help.) Figure 15.3 shows the dialog box that appears.


Figure 15.3 Advanced Attributes Dialog Box

Select the Encrypt contents to secure data check box, and then click OK . Figure 15.4 shows the dialog box that you use to choose which files and folders to encrypt.


Figure 15.4 Confirm Attribute Changes Dialog Box

Table 15.1 shows the results of selecting the Apply changes to this folder only option.

Table   15.1 Results of Selecting the Apply Changes to This Folder Only Option

File description

Encryption status

Already stored in the folder and its subfolders.

Unchanged. They remain encrypted or unencrypted, whichever they were.

Created in or copied to the folder by you later.

Protected with your private key.

Created in or copied to the folder by another user (if the folder is shared) later.

Protected with the other user's private key.

Created in or copied to subfolders later.


Moved to the folder or subfolders later.


Table 15.2 shows the results of choosing the Apply changes to this folder, subfolders, and files option.

Table   15.2 Results of Selecting the Apply Changes to This Folder, Subfolders, and Files Option

File description

Encryption status

Already in the folder and its subfolders.

Protected with your private key if you have Write Attributes permission; otherwise, files are unchanged.

Later created in or copied to the folder or subfolders by you.

Protected with your private key.

Later created in or copied to the folder or subfolders by another user.

Protected with the other user's private key.

Later moved to the folder or subfolders.


With either choice, the folder's list of files remains in plaintext and you can enumerate files as usual, provided you have access to the folder.

EFS lets you encrypt a file you do not own, provided that you have Write Attributes, Create Files/Write Data, and List Folder/Read Data permissions for the file. However, any file that you encrypt is protected with your private key, not the owner's private key. As a result, encrypting a file that you do not own locks out the owner unless you are the owner. For this reason, it is not a good idea to select Apply changes to this folder, subfolders, and files when the folder is shared by other users who own files or subfolders in the folder.

Encrypting a Single File from Windows Explorer

You are encouraged to turn on encryption at the folder level rather than the individual file level because it is easier; you do not have to encrypt each file individually when you save it. It also ensures that the data remains encrypted during and after editing, provided the application does its editing in the same folder. Editing creates temporary or backup files that some applications leave in plaintext. (Applications do not always use the same folder for temporary files or backup files while editing. Microsoft Word, for example, uses the folder where the encrypted file is located for temporary and backup files. Other applications often store temporary files to the Temp folder. Thus, it is recommended that you encrypt these types of folders to ensure that temporary files and backup files are encrypted.)

By using Windows Explorer, you can turn on EFS for an individual file in exactly the same way as you do for a folder. However, when you encrypt a single file, the user interface displays the warning shown in Figure 15.5.


Figure 15.5 Warning Message

If you select the Always encrypt only the file check box, the warning no longer appears, and EFS encrypts only the file that you select.

Encrypting from the Command Prompt

You can also encrypt and decrypt folders or files by using the cipher command at the command prompt. In the example in Figure 15.6, the file called Flopres.txt is encrypted and then decrypted.


Figure 15.6 Use of Cipher Command

You can use cipher with a wildcard character to encrypt or decrypt files. For example, to encrypt all files with "cnfdl" in the name, you can type:

C:\>cipher /e /a *cnfdl*

You can use multiple directory names and wildcard characters. You must put spaces between multiple parameters.

Used without parameters, cipher displays the encryption state of the current folder and any files it contains. To see all the options available with cipher , type the following:

cipher /?

For more information about the cipher command, see Microsoft® Windows® 2000 Professional Help or Windows 2000 Server Help.

Decrypting a Folder or File

Decryption is the opposite of encryption — restoring encrypted data to its original plaintext form. To do this, in Windows Explorer, right-click the file or folder, click Properties , click Advanced , and then clear the Encrypt contents to secure data check box. This causes EFS to decrypt the selected folder and mark it as unencrypted. When you apply your choice, you have the option of decrypting all files and subfolders in the folder, in addition to resetting the folder as unencrypted.

You can also use the cipher command to decrypt files or folders. For example, to decrypt a file named "cnfdl.txt," you can type:

C:\>cipher /d /a cnfdl.txt

Users do not need to decrypt individual files or folders every time they access the data because EFS provides transparent encryption and decryption during data writes and reads.

Renaming, Copying, or Moving an Encrypted File or Folder

Encrypted files and folders can be renamed, copied, or moved. If this is done properly, they remain encrypted. For more information about renaming, copying, or moving encrypted files and folders, see Windows 2000 Professional Help or Windows 2000 Server Help. Table 15.3 describes the encryption status of files after managing encrypted files and folders.

Table   15.3 Encryption Status When Renaming Copying, or Moving EFS Files and Folders


Encryption status

Changing the name of an encrypted file or folder


Moving an encrypted file or folder

Encrypted if the target volume is Windows 2000 NTFS; otherwise, encryption is lost.

Copying an encrypted file or folder

Encrypted if the target volume is Windows 2000 NTFS; otherwise, encryption is lost.

Moving or restoring encrypted files or folders to a different computer

Encrypted if you use the Windows 2000 Backup tool, regardless of target volume. You cannot open the file on the other computer unless it has your private key.

EFS determines when an encrypted file is being moved or copied to another drive. EFS always decrypts and sends files as plaintext. The file is re-encrypted if the target drive supports EFS. If the target drive does not support EFS (for example, if it is a file allocation table (FAT) volume), the new copy of the file is stored as plaintext.


Most floppy disk drives are FAT volumes, and therefore, you lose your encryption unless you use the Windows 2000 Backup tool to copy to them.

If the target drive has EFS but is on a different computer, the file is re-encrypted with the sender's public key. The target computer must be trusted for delegation, or the transfer fails.

To tell whether a computer is trusted for delegation

  1. Select the computer in Active Directory.

  2. See the General tab in the Properties dialog box. If the computer is trusted, the Trusted for Delegation check box is selected.

Domain administrators have permission to select and clear this check box. For more information about determining whether computers are trusted for delegation, see Windows 2000 Server Help.

The target computer finds the public key in the sender's profile or, failing that, creates a new certificate and key pair for the sender.

If you send an EFS file over the network (for example, by copying it to a folder on another computer), it is transmitted as plaintext. You can use a secure network protocol such as Secure Sockets Layer (SSL) or IPSec to encrypt the data while it is being transmitted.

Backing Up an Encrypted File or Folder

Backup copies of encrypted files that are made using Windows 2000 Backup or any other backup tool designed for Windows 2000 remain encrypted, regardless of destination. When you back up the encrypted file or folder to a floppy disk or other removable medium, it stays encrypted when transferred to a backup tape, a non-NTFS file system, or an e-mail attachment.

You can open the file at its new site if you have a roaming profile or if you use the Certificate Export wizard and the Certificate Import wizard to transfer your certificate and private key to your user profile on the other computer. For more information about moving or restoring encrypted files or folders to a different computer, see Windows 2000 Professional Help or Windows 2000 Server Help.

You can use Backup to send a file to a recovery agent administrator when the user's private key is lost. To do a simple move or copy, the user's key must be present to decrypt the file during the operation. Backup does not require the user's private key, however, because the file is not decrypted and re-encrypted; it keeps its original encryption. For more information about file recovery, see Windows 2000 Server Help.

Encrypting a File or Folder on Another Computer

To encrypt a file or folder on another computer, see Windows 2000 Professional Help or Windows 2000 Server Help. If the remote computer is trusted for delegation, EFS can use the public key from your profile to create a DDF and DRF for the file.

If the remote computer is not trusted for delegation, a domain administrator has to make it trusted for delegation. For more information about trusting a remote server for delegation, see Windows 2000 Server Help.

Setting Permissions for Shared Folders

It is not usually a good idea to encrypt folders that are shared by several users. Encryption is not designed to make information public; it is designed for keeping information private. However, there are situations when encrypting a shared folder might make sense. For example, on a computer that is shared by several users, it might be convenient to turn on encryption for one folder and let all users of the computer know that this folder is the place to store encrypted data. (You can do this by giving the folder a name that clearly signals its purpose — by calling it "Encrypted," for example). That way, everyone who uses the computer knows that they can encrypt a file by saving it in the encrypted folder.

If you must encrypt a shared folder, it is best to start with a new, empty folder. After you create the folder, enable encryption by following the procedure described in "Encrypting a Folder by Using Windows Explorer." Then set the permissions on the folder as shown in Table 15.4.

Table   15.4 Security Permissions for Shared Folders



Applies to


Full Control

This folder, subfolders, and files.


Traverse Folder/Execute File

This folder only.


List Folder/Read Data

This folder only.


Create Files/Write Data

This folder only.