Windows File Encryption System EFS

Windows Encryption File System (EFS) Tech Briefing July 18th 2008 http://www.stanford.edu/services/efs STANFORD UNIVERSITY • INFORMATION TECHNOLOGY SERVICES Agenda Stanford Users • What is EFS • What does it Protect • Is this for me? • Features • Data Recovery Agent • Getting Started • Demo - How to Encrypt • Demo – How to backup Key IT Support Staff • How to setup Data Recovery Agent 7/25/2008 Windows Encrypting File System (EFS) STANFORD UNIVERSITY • INFORMATION TECHNOLOGY SERVICES page 1 What is Encrypting File System (EFS) The Microsoft Windows Encrypting File System (EFS) is feature built into the file system of the Windows XP and Windows Vista operating systems. It lets you encrypt designated files on a local computer so that no other user can access your data. When a file is encrypted, EFS automatically decrypts the file for use and re-encrypts the file when it is saved. EFS is particularly useful for protecting data on a computer that might be physically stolen, such as a laptop. 7/25/2008 Windows Encrypting File System (EFS) STANFORD UNIVERSITY • INFORMATION TECHNOLOGY SERVICES page 2 What It Protects  EFS protects files you designated if your computer is lost or stolen.  If someone tries to break in or has access into your system to retrieve files, they will not be able to open the file even if they can see that it exists (as long as they do not have your SUNet ID and password).  Files copied to a Web folder using WebDAV are kept encrypted. 7/25/2008 Windows Encrypting File System (EFS) STANFORD UNIVERSITY • INFORMATION TECHNOLOGY SERVICES page 3 What It Doesn’t Protect or Prevent  It does NOT provide encryption to files that are: • Sent via email • Kept on a separate flash drive/thumb drive/USB drive/floppy disk • Moved over the network via shared folders (CIFS/AFS) • System and page file • Compress Files • Files moved into folder set to encrypt all files • Files form being deleted  When you are about to move an encrypted file, Windows will warn you that you will lose your EFS encryption. Keep in mind that whenever you move a file off of your computer, it is probably no longer protected by EFS. 7/25/2008 Windows Encrypting File System (EFS) STANFORD UNIVERSITY • INFORMATION TECHNOLOGY SERVICES page 4 Is this for me?  Reasons for using EFS • Want to secure files on your computer incase it is stolen or lost • You work with or store restricted data on your local computer • You travel and need to work with restricted data  Requirements Windows XP Professional Windows Vista Business, Enterprise or Ultimate Computer is a member if University Windows Infrastructure (AD) Users is logged on to the computer with their SUNet ID (WIN Domain), local computer or child domain accounts will NOT work • Hard drive is formatted with NTFS • • • • 7/25/2008 Windows Encrypting File System (EFS) STANFORD UNIVERSITY • INFORMATION TECHNOLOGY SERVICES page 5 Features  Microsoft Windows Encrypting File System (EFS) • Transparent encryption done at the file-system level • If a folder is marked, every file created or moved into it will be encrypted • File encryption keys can be archived (USB Flash Drive, File server) • There is no “back door” • Keys are protected with the users password on the computer • Data Recovery Agent to allow for recovery of files if user’s key is lost  Future Features  Additional Users can be added to a file  Group Policy to Auto Encrypt “My Documents” Folder 7/25/2008 Windows Encrypting File System (EFS) STANFORD UNIVERSITY • INFORMATION TECHNOLOGY SERVICES page 6 Data Recovery Options Once a file is encrypted only the users private key can access the file. Should this key get lost the data will be inaccessible. Options to protect the data include:  User copies key to USB flash drive and store separately from computer  Configure Data Recover Agent (DRA) • Domain Wide DRA • Local/Departmental DRA 7/25/2008 Windows Encrypting File System (EFS) STANFORD UNIVERSITY • INFORMATION TECHNOLOGY SERVICES page 7 Data Recovery Agent (DRA) These data recovery agents (DRAs) are a separate set of issued recovery certificates with public and private keys that can be used to recover files. Recommendation for DRAs • Local Systems Administrators • Separate flash drive (Iron Key) stored in secure location (safe) Requirements for Recovery • Admin will need read access to files at time of recovery • Password for the DRA Private Key 7/25/2008 Windows Encrypting File System (EFS) STANFORD UNIVERSITY • INFORMATION TECHNOLOGY SERVICES page 8 Getting Starting For End Users  Open a HelpSU Request  Once you have approval from your Local Support Staff that they have setup the DRA you can then choose directories to start encrypting.  Copy your Key to a External USB Drive 7/25/2008 Windows Encrypting File System (EFS) STANFORD UNIVERSITY • INFORMATION TECHNOLOGY SERVICES page 9 Demo 1 How To Encrypt Files 7/25/2008 Windows Encrypting File System (EFS) STANFORD UNIVERSITY • INFORMATION TECHNOLOGY SERVICES page 10 Demo 2 How to back-up Your Keys 7/25/2008 Windows Encrypting File System (EFS) STANFORD UNIVERSITY • INFORMATION TECHNOLOGY SERVICES page 11 Storing User Keys  Export and then Delete Key on local computer  External USB Flash Drive • NOT stored with your computer or in laptop bag • Encrypted (optional)What 7/25/2008 Windows Encrypting File System (EFS) STANFORD UNIVERSITY • INFORMATION TECHNOLOGY SERVICES page 12 Known Issues  DCOM Required 1. Start Registry Editor. 2. Locate the following path: HKEY_LOCAL_MACHINE\Software\Microsoft\OLE 3. Change the EnableDCOM string value to Y. 4. Restart the operating system for the changes to take effect. Note: There is a BigFix fixlet to re-enable DCOM  Vista and Symantec Bug – Patch available on ESS 7/25/2008 Windows Encrypting File System (EFS) STANFORD UNIVERSITY • INFORMATION TECHNOLOGY SERVICES page 13 Demo 3 How to Setup DRA 7/25/2008 Windows Encrypting File System (EFS) STANFORD UNIVERSITY • INFORMATION TECHNOLOGY SERVICES page 14 Questions and Answers  Extra Info for users and admins • Stanford Data Classification http://www.stanford.edu/group/security/securecomputing/datacl ass_chart.html • Windows Desktop File Encryption and EFS 7/25/2008 Windows Encrypting File System (EFS) STANFORD UNIVERSITY • INFORMATION TECHNOLOGY SERVICES page 15