Determine usage scenarios for Encrypting File System (EFS)

This post will help you determine usage scenarios for encrypting file system (EFS) in Windows Server 2016 as per the 70-744 objectives. We’ll cover how you can use EFS to encrypt files in Windows.


This post is part of our Microsoft 70-744 Securing Windows Server 2016 exam study guide series. For more related posts and information check out our full 70-744 study guide.


Determine usage scenarios for Encrypting File System

While BitLocker is used to encrypt at a volume level, EFS is used to encrypt individual files at a file level. BitLocker is therefore considered to be more secure and preferable, as you can use it to easily encrypt a full volume which will ensure that everything within is encrypted.

EFS, on the other hand, requires that you manually enable encryption on a per file or folder basis. EFS is also older, and has been around since Windows Server 2000, whereas the newer BitLocker solution has been around since Windows Server 2008.

EFS works at the file system level, and requires NTFS to work. In versions of Windows prior to 2016, if you move or copy a file encrypted with EFS from NTFS to FAT32, the file will be decrypted. However, Windows Server 2016 now supports EFS with FAT and exFAT file systems as well.

Files are encrypted with a symmetric key, which is then encrypted with the public key of a key pair. The associated private key is bound to a user account, meaning that as long as a user account and password are known, the user’s files can be decrypted. Decryption is therefore user based: the user holds the certificate, so compromise of the user account leads to access to the encrypted files. It also means that if the account is deleted, the keys are lost.

By default these user certificates are self-signed, which is not a scalable solution: there is no chain of trust, and it’s easier to lose the encryption keys or have them compromised. It is possible to export and back up the archive keys, which will be useful if they get lost; however, this is a manual process. Instead, it’s recommended to set up a public key infrastructure (PKI) using Active Directory Certificate Services (AD CS) and issue certificates for EFS centrally from there.

By default, domain administrators act as data recovery agents (DRAs), which means they can decrypt all users’ EFS files, so a compromise of this type of account is even worse.
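To see how the last two points apply on a given machine, the following PowerShell audit (an added example, not part of the original post) lists the current user's EFS certificates, flags self-signed ones, and shows which users and recovery agents can decrypt each encrypted file. The `$Root` path and the five-file limit are assumptions chosen for illustration.

```powershell
# Added example: audit EFS exposure for the current user on one folder tree.
# $Root is an assumed path; point it at the folder you want to inspect.
param([string]$Root = "$env:USERPROFILE\Documents")

# OID of the "Encrypting File System" enhanced key usage (EKU).
$efsOid = '1.3.6.1.4.1.311.10.3.4'

# 1. EFS certificates in the user's personal store.
#    Certificates with no EKU restriction at all are not matched here.
$efsCerts = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $efsOid }

# Subject equal to Issuer means the certificate is self-signed,
# i.e. it was not issued by AD CS or any other CA.
$efsCerts |
    Select-Object Thumbprint, Subject, Issuer, NotAfter, HasPrivateKey,
        @{ Name = 'SelfSigned'; Expression = { $_.Subject -eq $_.Issuer } } |
    Format-List

# 2. Files under $Root that carry the Encrypted file attribute.
$encrypted = @(Get-ChildItem -Path $Root -Recurse -File -Attributes Encrypted `
    -ErrorAction SilentlyContinue)
"{0} EFS-encrypted file(s) under {1}" -f $encrypted.Count, $Root

# 3. For the first few files, print the users and recovery certificates
#    that are able to decrypt them (cipher.exe ships with Windows).
foreach ($file in ($encrypted | Select-Object -First 5)) {
    cipher /c $file.FullName
}
```

Any account shown in the recovery section of the `cipher /c` output can decrypt that file, so those accounts need the same protection as the file owner's. For the manual key backup described above, `cipher /x` exports the current EFS certificate and private key to a password-protected .pfx file.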

Note that if you copy a file encrypted with EFS to an external system, it will no longer be encrypted. EFS is not designed to protect data in transfer between systems; files that are transferred are decrypted prior to transfer and move over the network in plain text. If the destination folder is configured to be encrypted with EFS, the file will then be encrypted locally. It is possible to ensure EFS files stay encrypted when transferring over a network if they are copied to a web folder using WebDAV.

Summary

With a basic understanding of how EFS works, we can determine usage scenarios for Encrypting File System. Compared to BitLocker it’s older, more difficult to manage, and provides fewer features. I’d recommend using full disk encryption with BitLocker instead, as EFS has many limitations.


  1. Who has access rights to the EFS (Encrypting File System) features and functions in Microsoft Windows Server 2016?
