Using a Certificate Authority for the Encrypting File Service

The Encrypting File System (EFS) is a feature of Windows 2000 that allows users to encrypt data directly on volumes that use the NTFS file system. It operates by using certificates based on the X.509 standard. If no Certificate Authority (CA) is available from which to request certificates, the EFS subsystem automatically generates its own self-signed certificates for users and default recovery agents.

There are several circumstances in which an organization may want to implement Certificate Authorities, as opposed to allowing EFS to generate its own self-signed certificates.

The following are some reasons why an organization might want to use a Certificate Authority for EFS certificate generation:

• More flexible EFS recovery management. With a Certificate Authority infrastructure, it is possible for an organization to issue specific recovery certificates for dedicated recovery computers, rather than to domain controllers.
• Centralized certificate management. Administrators can control the lifetime of issued EFS certificates, and can publish certificate revocation lists to control how long recovery certificates are valid.
• Scalability. Certificate Authorities can be distributed throughout an organization, providing their own set of templates that define the types of certificates that can be issued at each level.

For additional information about EFS, see "Step-by-Step Guide to Encrypting File System (EFS)" on the following Microsoft Web site: