Third-party certification authority support for encrypting file system
Article ID: 273856
This article was previously published under Q273856
This article describes how Microsoft Windows 2000 supports third-party Certification Authorities (CAs) that issue Encrypting File System (EFS) certificates and EFS Recovery Agent certificates.
Overview
This article is divided into the following two sections:
EFS overview and the public key infrastructure
EFS is the solution in Windows 2000 for encrypting files on NTFS file system volumes. EFS uses the Crypto Architecture feature and Public Key Infrastructure feature in Windows 2000.
Certificate enrollment
During an encryption operation, EFS uses your current EFS certificate. If one is not available, EFS searches your personal store for an appropriate certificate. If EFS cannot locate a current certificate, it enrolls you for an EFS certificate. An online Windows 2000 CA that supports the EFS template can issue an EFS certificate. EFS generates a self-signed certificate if it cannot enroll for a certificate with an online Windows 2000 CA or if you are not using a domain account.
After EFS chooses a certificate, you cannot change it through the system user interface. Additionally, EFS does not automatically switch certificates when a better one becomes available (such as when EFS uses its own self-signed certificate and you enroll for an EFS certificate from an online Windows 2000 CA).
There are two ways to change the certificate that EFS uses:
File data encryption and decryption
EFS uses a randomly generated symmetric key to encrypt file data. A new key is generated for each file that is encrypted. The data encryption algorithm that is used is DESX (a stronger version of Data Encryption Standard). No other algorithms can be configured.
The symmetric encrypting key is then encrypted by using the public key derived from your EFS certificate. The resulting encrypted data, your display name, and a hash of the certificate are stored in a named stream in the file that contains EFS metadata. When EFS decrypts a file, it uses your private key to decrypt the symmetric encrypting key. EFS then uses the symmetric key to decrypt the data.
To encrypt a file on a network server, EFS loads your profile on the network if you have roaming profiles. If you do not have roaming profiles, EFS expects to find your certificate and keys on the server and tries to generate a profile there.
When an EFS file is copied over a network, it is decrypted and sent over the network in clear text. To protect your files while they are in transit on your network, use IP Security.
EFS certificate renewal
When the EFS certificate expires, EFS performs renewal by enrolling for a new certificate with a new key pair. EFS itself does not renew the current certificate when it expires.
If you renew the EFS certificate and archive the old certificate before it expires, EFS continues to use the old certificate until it expires. EFS then goes through the same process for enrollment to find a new certificate in the store or to acquire a new one if it cannot find a valid certificate. While looking for a new certificate to use, EFS can fetch a certificate that is different from the one that you acquired through renewal, if there is more than one EFS certificate in the store.
After EFS starts to use a new certificate, if it handles a file that was previously encrypted with a different certificate, EFS regenerates the metadata to use the new certificate.
Revocation checking
EFS does not perform any revocation checking.
EFS Recovery Agent
You can use EFS Recovery Agents to decrypt an encrypted file if the user who encrypted the file leaves your company. You can enroll for EFS Recovery Agent certificates using the EFS Recovery template on Windows 2000 CAs.
You can set EFS Recovery Agent certificates in global domain policy for all users on the domain. You can also set these certificates for all the users on the local computer in local computer policy. If both policies are present, the global policy takes precedence.
To open the Add Recovery Agent Wizard, click Group Policy, click Public Key Policies, and then click Encrypted Data Recovery Agents. This wizard helps you designate Recovery Agent certificates. You can click Browse Folders, and then click the certificate file to directly import it as the Recovery Agent certificate. The certificate is imported with the Recovery Agent notation User unknown. This occurs for any third-party CA certificate that you designate as a Recovery Agent certificate.
If you publish the certificate in the directory for a user (which occurs if you enroll against an online Windows 2000 CA for the EFS Recovery Agent certificate for the user), you can use the wizard to directly import the user as a recovery agent. Browse through the directory and select the user who you want to designate as the recovery agent.
During file encryption, the symmetric encrypting key is also encrypted to the recovery agent's public key, and the information is stored in the named stream containing EFS metadata. To recover an encrypted file, EFS uses the recovery agent's private key to decrypt the symmetric encrypting key, which EFS then uses to decrypt the data.
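The per-file key handling described above (a random symmetric key encrypted to the owner's certificate and again to each recovery agent's, stored with the display name and certificate hash), as an added Go example that is not part of this article: AES-GCM stands in for DESX, RSA-OAEP for the certificate's key-transport operation, and a hash over the public key for the certificate hash; names such as keyEntry, encryptFile and decryptFile are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)
// keyEntry models one entry of the EFS metadata stream: the per-file key wrapped to one
// public key (the owner's, or a recovery agent's), with the display name and certificate hash.
type keyEntry struct{ DisplayName string; CertHash [32]byte; WrappedFEK []byte }
type encryptedFile struct{ Nonce, Ciphertext []byte; Entries []keyEntry }
func certHash(pub *rsa.PublicKey) [32]byte { return sha256.Sum256(pub.N.Bytes()) } // stand-in for the certificate hash
func fekCipher(fek []byte) cipher.AEAD { b, _ := aes.NewCipher(fek); g, _ := cipher.NewGCM(b); return g }
// encryptFile draws a fresh random key for this file, encrypts the data with it (AES-GCM
// stands in for DESX), then wraps that key once per recipient: the owner and every recovery agent.
func encryptFile(data []byte, recipients map[string]*rsa.PublicKey) (*encryptedFile, error) {
	fek, nonce := make([]byte, 16), make([]byte, 12)
	if _, err := rand.Read(fek); err != nil { return nil, err }
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	ef := &encryptedFile{Nonce: nonce, Ciphertext: fekCipher(fek).Seal(nil, nonce, data, nil)}
	for name, pub := range recipients {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fek, nil)
		if err != nil { return nil, err }
		ef.Entries = append(ef.Entries, keyEntry{name, certHash(pub), w})
	}
	return ef, nil
}

// decryptFile finds the entry matching the caller's key (owner or recovery agent), unwraps
// the file key with that private key and decrypts; any other key holder has no entry at all.
func decryptFile(ef *encryptedFile, priv *rsa.PrivateKey) ([]byte, error) {
	for _, e := range ef.Entries {
		if e.CertHash != certHash(&priv.PublicKey) { continue }
		fek, err := rsa.DecryptOAEP(sha256.New(), nil, priv, e.WrappedFEK, nil)
		if err != nil { return nil, err }
		return fekCipher(fek).Open(nil, ef.Nonce, ef.Ciphertext, nil)
	}
	return nil, errors.New("no entry for this key: not the owner or a designated recovery agent")
}
func main() { // demo: the owner encrypts, the recovery agent decrypts with its own private key
	owner, _ := rsa.GenerateKey(rand.Reader, 2048)
	agent, _ := rsa.GenerateKey(rand.Reader, 2048)
	ef, _ := encryptFile([]byte("constructed contents"), map[string]*rsa.PublicKey{"alice": &owner.PublicKey, "agent": &agent.PublicKey})
	out, err := decryptFile(ef, agent)
	fmt.Println(string(out), err)
}
```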
Rules for third-party CA for creating and using valid EFS and EFS Recovery Agent certificates
EFS certificates
The rules for forming the certificate are:
There are two ways to enroll for the EFS certificates using third-party products:
EFS recovery certificates
The rules for forming the certificate are:
After it is created, the certificate can be imported by using the Recovery Agent Wizard.
During file recovery, both the file recovery certificate and the private key must be imported into the system that is used to recover the files according to the following guidelines: