Tuesday, November 14, 2006

Encrypted File System / Public Key Infrastructure

Ok, so it took me about 3 days to learn a handy little security tool built into Windows called EFS. My boss's words in fact were, 'EFS, learn it and learn to love it.' So presented with this new challenge I needed to decide on where to start.

EFS uses what is called Public Key Infrastructure to issue 'certificates' to end users, which they can then use to encrypt files and/or folders. EFS can be used in a domain or standalone environment.

First things first when you are implementing a new technology in your environment: figure out your business need. In my case, if you read about me you know I work in a hospital environment, and when you have sensitive information regarding patients floating around on a doctor's laptop you want it secured, right? So there was the need; now on to the reading.

If any of you haven't been to Microsoft's Technet you should crawl from behind your rock and grab some coffee. There are certain differences between standalone PKI (Public Key Infrastructure) and a PKI implemented on a domain. The first is that if a user encrypts files and folders using their domain profile, only that user or a domain Recovery Agent can decrypt them. That means that the local administrator on that box can't even see the file's content. If you are on a workgroup or just want to try it out outside of a domain, note that the local admin of the machine IS the recovery agent and can unlock the file.

Down to business: I will explain the process of using EFS with domain functionality. You will need to have Windows Server 2003 (it will also work with 2000) installed and have an Enterprise Certificate Authority set up as a role on the server. This will be your root CA, the authority to which all others bow down. Since this is not Technet I won't go into specifics, just the theory. I had configured auto-enrollment for Authenticated Users to pull certificates and set up the Domain Admin accounts to have permissions as Recovery Agents. With that out of the way I needed to test functionality.

Using my own domain admin profile I logged on, loaded the 'Certificates' MMC snap-in and requested a Recovery Agent certificate from the EFS Recovery template that was on the root CA. Once I had the certificate on the machine I loaded up Active Directory and, making sure to enable 'Advanced' under the View menu, I imported my shiny new certificate into my AD account store. Once this was done I needed to modify group policy to tell the domain that I am in fact a Recovery Agent. I used the Default Domain Policy and added my name to the list under Computer Configuration/Windows Settings/Security Settings/Public Key Policies/Encrypting File System. Once group policy is applied you will be listed in the details of any encrypted file on the domain as an RA. Don't forget, a handy little tool to use when updating policy is 'gpupdate' or 'gpupdate /force'.

A key thing to remember, and this is what I couldn't understand at first about EFS Recovery Agents, is that you cannot simply log into a user's machine as yourself (the recovery agent) and decrypt files. You must first understand how Public Key Infrastructure works. When you obtain your certificate as an RA, you have a public and private key that is loaded into the local store on the machine you are using. It is considered best practice to upload the private key to a secure location on your network using the export function and delete the keys from the machine when done. You don't want your RA key floating around on people's PCs. When the need arises to decrypt files or folders, you must import that private key from your network store down to the local machine, and then and only then will you be able to access or decrypt the file or folder. Also be sure to delete the RA key from that machine after you are through doing your thing.
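As an added example (not code from the original post), here is the same check-import-decrypt-remove workflow as a PowerShell script. It assumes a recent Windows with the PKI module (Import-PfxCertificate, available on Windows 8/Server 2012 and later, so newer than the Server 2003 setup described here); the share path, the file path and the user name are assumptions.

```powershell
# Added example, not from the original post. Assumed values: the secure share
# holding the exported RA key, and the encrypted file belonging to a user.
$RaPfx  = '\\fileserver\efs-keys\ra-key.pfx'               # assumption: where the RA private key was exported to
$Target = 'C:\Users\drsmith\Documents\patient-notes.docx'   # assumption: the user's encrypted file
$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'               # EKU OID for "File Recovery" (EFS recovery agent)

# Find any File Recovery certificate with a private key in the current user's store.
function Get-RaCertificate {
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $FileRecoveryOid })
    }
}

# 1. Confirm the file really is EFS-encrypted and list who can open it (users and RAs).
$file = Get-Item -LiteralPath $Target
if (-not ($file.Attributes -band [IO.FileAttributes]::Encrypted)) {
    throw "$Target is not EFS-encrypted; nothing to recover."
}
cipher.exe /c $Target    # shows the users and recovery agents able to decrypt this file

# 2. Being listed in the GPO is not enough: the RA private key must be in THIS machine's store.
$raCert = @(Get-RaCertificate)
if ($raCert.Count -eq 0) {
    $pfxPassword = Read-Host -Prompt 'RA PFX password' -AsSecureString
    $raCert = @(Import-PfxCertificate -FilePath $RaPfx `
                   -CertStoreLocation Cert:\CurrentUser\My -Password $pfxPassword)
}

# 3. Decrypt the file using the RA key now present in the local store.
$file.Decrypt()
$file.Refresh()    # FileInfo caches attributes; re-read them before checking
if ($file.Attributes -band [IO.FileAttributes]::Encrypted) { throw 'Decryption failed.' }

# 4. Remove the RA certificate and its private key from this machine when done.
foreach ($c in $raCert) {
    Remove-Item -LiteralPath "Cert:\CurrentUser\My\$($c.Thumbprint)" -DeleteKey
}
```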

So I am still in the process of testing the ins and outs, but I have successfully used my Recovery Agent keys to decrypt a user's encrypted file on our domain here at the Hospital. My team and I will be testing among ourselves before pushing this to a production environment. I only hope we can make the process of encrypting files easy enough that the docs won't need to go back to school to use it! I have glossed over many of the details and how certain things are done, but if anyone has any questions just comment and I will do my best to answer them. When I was looking up (googling :-) EFS setup I couldn't find anyone who could explain the way the keys work in layman's terms. I kept trying to log on and decrypt files because I had everything set up correctly EXCEPT the fact that I didn't have my RA keys imported on the user's machine.

UPDATE: I have created an .ADM file for use with a custom GPO (group policy object) that will enable a user to right-click and have the option to encrypt/decrypt right there on the mini-list. This is cool, very cool indeed...
