This Machine Is Disabled For File Encryption
Encrypting File System (EFS)

By using file encryption on NTFS disks you prevent other users from using the encrypted files. Even if they hold other permissions on the files, access is denied to other users who work on your computer. Setting up and using EFS is not difficult: you only set the encryption attribute and then work with the files as with any unencrypted files. EFS is mostly used for sensitive data on portable computers in case of theft; it is necessary in networks and on computers where higher security is required, but you can also use it at home to gain more privacy. Higher security also means fewer problems with possibly wrong permissions.

Principle - Upon encrypting data, the EFS service automatically creates the user's EFS certificate, which is tied to a private and a public key of the user. Each file or folder is encrypted with its own unique encryption key (FEK - File Encryption Key), which is protected by the public key of the user who encrypted the data. The data are protected by symmetric encryption, which is much faster than the asymmetric encryption used only to protect the encryption key (FEK). Access to the data is available only to the user who encrypted the data after he or she logs on, to users permitted to share the encrypted files (Windows XP), and to recovery agents. To decrypt the FEK you need the private key of the EFS certificate or of the EFS recovery agent.

Activating and deactivating file encryption
1. Choose the object for which you want to set up encryption (a file, a folder or several objects). Open the local menu of the selected objects (click the right mouse button) and choose Properties. On the General tab choose Advanced (Windows 2000 vs XP). Check or uncheck "Encrypt contents to secure data". You can also use the Cipher command to encrypt or decrypt files. You will be asked whether the encryption should be applied only to the file, to the whole folder, or to the files in the folder and its subfolders. Encryption of folders is recommended. In Windows XP there is an extra button - Details - in the attributes. Here you can: a) specify more users who will be allowed to access the encrypted file; b) display the users and recovery agents (Data Recovery Agent) authorized to decrypt the file (in Windows 2000 you must use efsinfo).
2. The Cipher command.
3. The Activate encryption item in the local menu.

Warning - Using encryption can be dangerous if used incorrectly. Certificates are always for one user and one (current) OS installation. If you reinstall the OS, remove or incorrectly use the certificate, if the user's profile gets damaged, if you reset the password, or if another situation occurs that leads to problems with decrypting, the data are usually irrecoverably lost. By resetting the user's password, access to the encrypted files is denied and recovery is then only possible by using the recovery agent! Experiments - incorrect setup and experimenting with encryption and certificates can lead to data loss. Back up the encrypted data and the certificates of the recovery agents (or users).

Optimal procedure of encryption setup
1. Create and set up the recovery agent.
2. Back up the certificate of the recovery agent and export the private key away from the computer.
3. Set up encryption.
4. Back up the certificate and the user's private key.

Notes
Using encryption:
1. Only NTFS; it cannot be used on the FAT file system.
2. It cannot be used in combination with compression (you have to decide between compression and encryption).
3. It cannot be used on Windows XP Home Edition (only on Windows 2000 and Windows XP Professional).
4. Roaming profile files and files in the %Systemroot% folder cannot be encrypted.
Encryption standard:
1. Data Encryption Standard (DESX) algorithm (56-bit). In the USA the Enhanced CryptoPAK pack is available, extending the encrypting functions with a 128-bit key. In Windows XP you can use the Triple DES algorithm (Group policy - Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing).

Network transfer - File encryption is only used to secure data on the local computer. Data are not protected when transferred over the network.
To encrypt the data transfer we recommend that you use IPSec or WebDAV web folders.

Backup - Files and folders can be backed up in encrypted form with the ntbackup program. For reading and recovering them on the target computer, the certificates of the users or recovery agents must be stored on a separate medium in a safe place. Backup is also a convenient way of transferring data between computers when you have no portable NTFS disk or network.

Reasons for recovery agents - Data can be confidential, but usually the content relates to a company, so it is also necessary to allow other users to access it. The most frequent reason is the absence of the authorized person (holiday, end of employment, illness, death).

Old and new certificates - Files are encrypted by a certain certificate, not by a user. Before you delete the old certificate you have to make sure that you really decrypted all files relating to this certificate.

Recognition of encrypted files - Encryption is defined as transparent: the authorized user cannot recognize at first sight whether a file is encrypted or not. An unauthorized user is shown an "access denied" message. You can distinguish the files by:
1. Setting up a different color for encrypted and compressed files.
2. Ticking or unticking encryption in the file properties.
3. The Cipher command.
4. The EFSInfo command.

Permission needed for encryption - For users under Windows XP with limited access (Restricted User - Users group), encryption cannot be used in some directories, because the Users group does not have the appropriate NTFS permission. To be allowed to encrypt you must have the right to write file or folder attributes. New files created by the currently logged-on user can be encrypted.

Recommendation

Setting up a different color for compressed files in Explorer - When viewing disks, the affected files are displayed in green. You can set this up in Folder Options - View - Show encrypted or compressed NTFS files in color. (For Windows XP; in Windows 2000 only compressed files have a different color - a picture is in the article: Compression.)

Using encryption on whole folders - Encryption cannot be set for whole volumes (disks); it can be set for directories and files. If you choose to encrypt folders, a dialog is displayed asking whether you also want to use encryption for subfolders and files. I recommend that you only use it for folders. If you want to protect documents, I recommend that you encrypt My Documents or another directory in your user profile used for your documents.

Encryption of the %Temp% directory and the print queue directory - this relates to the previous recommendation on encrypting whole folders. When opening or printing, temporary files are created in unencrypted form.

Manipulation - With appropriate permissions you can move or copy the files, but you still cannot open them. If the owner who set up the encryption copies the files to a volume with the FAT file system or to a diskette, the files are automatically moved in decrypted form.

More recovery agents - It is recommended that you set up two or more recovery agents to improve the chance of recovery.

Certificate Services - In case of use in a company, consider installing Certificate Services: certificates for EFS are then not signed by the EFS service but by a CA. Certificate administration is easier and more effective, and it provides the possibility of issuing other types of certificates.

Export the private key away from the computer - Leaving the private key of the recovery agent on the computer is not very safe. If someone finds out the name and password of the user who owns the recovery agent certificate, he or she can access all encrypted files to which this recovery agent relates. If there is no need to access and recover encrypted files, it is recommended that you export the private key of the recovery certificate away from your computer. The private key is removed after the export; without it the recovery of encrypted files cannot be done. Until you import the key back, nobody will be able to abuse the account of the recovery agent. Log on under the recovery agent's account and follow the instructions in the Certificate export article.

Recovery Agents

The user who owns the certificate for recovery of EFS files is the agent. The default setup differs:
Stand-alone computer Windows 2000: Administrator
Stand-alone computer Windows XP: No recovery agent
Domain environment: Domain Administrator

Creating an agent - Log on under the user account that you want to use for file recovery. In the command line write cipher /r:name - in the current directory, after entering and confirming the password, a certificate is created: name.cer (X.509 certificate) and name.pfx (Personal Information Exchange - standard PKCS #12). In Certificate Manager (certmgr.msc) open the Personal\Certificates folder and right-click to choose All Tasks - Import.

Group policy (Recovery policy)
Location: Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypting File System
The default setup in Windows XP in group policy is no recovery agent. Data can be encrypted, but if problems occur with the user's certificate the data cannot be recovered to decrypted form. Use the right mouse button to add a recovery agent: choose 'Add Data Recovery Agent' and import the recovery agent certificate (e.g. name.cer). To disable EFS choose 'Properties' and untick 'Allow users to encrypt files using Encrypting File System (EFS)' (Windows XP).
Location 2:
Computer Configuration\Administrative Templates\System\Group Policy - EFS recovery policy processing
Computer Configuration\Administrative Templates\System - Do not automatically encrypt files moved to encrypted folders

Three possible options of Recovery Policy (RP) (Windows XP):
1. The policy is used - the agent's or recovery agents' certificates are set and displayed. Available options: 1. Add Data Recovery Agents. 2. Delete Policy. Together with the public key of the encrypting user, information about the recovery agent's public key is also recorded in each file.
2. No policy defined - in EFS this text is displayed: "There is no policy defined." In Windows 2000 no text is displayed. Available options for WXP: 1. Add Data Recovery Agents. 2. Do Not Require Data Recovery Agents. Available options for W2K: 1. (not stated) 2. Initialize Empty Policy. In Windows 2000 you cannot use EFS without the recovery agent (in WXP it is possible). An undefined policy enables activation of other local policies on the stations.
3. No recovery agent (Empty policy) - in EFS this text is displayed: "There are no items to show in this view." In Windows 2000 there is no item and only the column headings for certificates are displayed. Available options for WXP: 1. Add Data Recovery Agents. 2. Delete Policy. Available options for W2K: 1. (not stated) 2. Delete Policy. An empty policy disables the use of EFS on all computers in the domain.
                                    | Windows 2000  | Windows XP        | Windows 2000 domain      | Windows XP domain
Default recovery agent              | Administrator | No recovery agent | Administrator for domain | Administrator for domain
1. With recovery agent (policy used)| OK            | OK                | OK                       | OK
2. Policy not defined               | A             | OK                | A                        | OK
3. Deleting agents (Empty policy)   | A             | OK                | A                        | OK

OK - Encryption can be used on files and folders.
A - When attempting to encrypt, this message is displayed: "There is no valid encryption recovery policy configured for this system" (W2K Server). Encryption cannot be used.
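The "optimal procedure of encryption setup" and the cipher /r agent creation described above, as an added PowerShell example that is not part of the original article. It first checks the registry value behind the "This machine is disabled for file encryption" error (EfsConfiguration, which the article does not mention); the names EfsRecovery and E:\EFS-Keys are constructed, and cipher /x is assumed available (Windows XP SP2 and later).

```powershell
# Added example: the four setup steps as a script, run by the account that will be the DRA.
function Test-EfsDisabled {
    # EfsConfiguration = 1 is what unticking "Allow users to encrypt files using EFS" writes;
    # this registry value comes from the author's knowledge, not from the article above.
    $efs = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS' `
                            -Name EfsConfiguration -ErrorAction SilentlyContinue
    return ($null -ne $efs -and $efs.EfsConfiguration -eq 1)
}

function Invoke-EfsRecoverySetup {
    param(
        [string]$AgentName = 'EfsRecovery',                 # constructed: base name of the DRA certificate files
        [string]$ExportDir = 'E:\EFS-Keys',                 # constructed: removable medium kept off the computer
        [string]$DataDir   = "$env:USERPROFILE\My Documents" # XP profile layout; "Documents" on Vista and later
    )
    if (Test-EfsDisabled) { throw 'EFS is disabled on this machine by policy.' }
    if (-not (Test-Path $ExportDir)) { New-Item -ItemType Directory -Path $ExportDir | Out-Null }

    # 1. Create the recovery agent certificate. cipher prompts for the .pfx password and writes
    #    <AgentName>.cer (public key) and <AgentName>.pfx (private key) to the current directory.
    cipher /r:$AgentName
    #    Import <AgentName>.cer into the EFS recovery policy (Add Data Recovery Agent) as described above.

    # 2. Move the agent's private key away from the computer; keep a copy of the public certificate.
    Move-Item -Path "$AgentName.pfx" -Destination $ExportDir
    Copy-Item -Path "$AgentName.cer" -Destination $ExportDir

    # 3. Encrypt the documents folder as a whole (folders, not single files, so new files inherit it).
    cipher /e /s:"$DataDir"

    # 4. Back up the user's own EFS certificate and private key (cipher prompts for a password).
    cipher /x "$ExportDir\${env:USERNAME}-efs"
}

Invoke-EfsRecoverySetup
```

Afterwards, cipher /u /n lists every encrypted file on the local drives without touching any keys, which is a quick way to confirm the attribute was applied.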
File API - Registry settings

The File API's behavior can be configured through settings in the registry.
The File API provides two kinds of protection; native protection and PFile protection.
- Native protection - the file is protected to an AD RMS format based on its MIME type (file name extension).
- PFile protection - the file is protected to the AD RMS Protected File (PFile) format.
For more information about supported file formats, see File API File Support Details in this article.
Key/Key Value types and descriptions
The following sections describe the keys and key values that control encryption.
HKEY_LOCAL_MACHINE\Software\Microsoft\MSIPC\FileProtection
Type: Key
Description: Contains general configuration for the File API.
HKEY_LOCAL_MACHINE\Software\Microsoft\MSIPC\FileProtection\<EXT>
Type: Key
Description: Specifies configuration information for a specific file extension; for example, TXT, JPG, and so on.
- The wildcard character, '*', is allowed; however, a setting for a specific extension takes precedence over the wildcard setting. The wildcard character does not affect settings for Microsoft Office files; these must be explicitly disabled by file type.
- To specify files that do not have an extension, use '.'
- Do not specify the '.' character when specifying the key for a specific file extension; for example, use
HKEY_LOCAL_MACHINE\Software\Microsoft\MSIPC\FileProtection\TXT
to specify settings for .txt files. (Do not use HKEY_LOCAL_MACHINE\Software\Microsoft\MSIPC\FileProtection\.TXT.)
To specify the protection behavior, set the Encryption value in the key. If the Encryption value is not set, the default behavior for the file type is observed.
HKEY_LOCAL_MACHINE\Software\Microsoft\MSIPC\FileProtection\<EXT>\Encryption
Type: REG_SZ
Description: Contains one of three values:
- Off: Encryption is disabled.
  Note: This setting has no bearing on decryption. Any encrypted file, whether encrypted using Native or PFile protection, can be decrypted as long as the user has the EXTRACT right.
- Native: Native encryption is used. For Office files the encrypted file will have the same extension as the original file. For example, a file with the .docx file extension will be encrypted to a file with an extension of .docx. For other files that can have native protection applied, the file will be encrypted to a file with an extension of the form pzzz, where zzz is the original file extension. For example, .txt files will be encrypted to a file with an extension of .ptxt. A list of file extensions that can have native protection applied follows.
- Pfile: PFile encryption is used. The encrypted file will have .pfile appended to the original extension. For example, after encryption a .txt file will have an extension of .txt.pfile.
  Note: This setting has no bearing on Office file formats. For example, if the HKEY_LOCAL_MACHINE\Software\Microsoft\MSIPC\FileProtection\DOCX\Encryption value is set to 'Pfile', .docx files will still be encrypted using native protection, and the encrypted file will still have a file extension of .docx.
Setting any other value or setting no value results in default behavior.
Default behavior for different file formats
- Office files: Native encryption is enabled.
- txt, xml, jpg, jpeg, pdf, png, tiff, bmp, gif, giff, jpe, jfif, jif files: Native encryption is enabled (xxx becomes pxxx).
- All other files: Protected file (pfile) encryption is enabled (xxx becomes xxx.pfile).
If encryption is attempted on a file type that is blocked, an IPCERROR_FILE_ENCRYPT_BLOCKED error occurs.
File API - File Support Details
Native support can be added for any file type (extension). For instance, for any non-Office extension <ext>, the name *.p<ext> will be used if the admin configuration for that extension is 'NATIVE'.
Office files
- File extensions: doc, dot, xla, xls, xlt, pps, ppt, docm, docx, dotm, dotx, xlam, xlsb, xlsm, xlsx, xltm, xltx, xps, potm, potx, ppsx, ppsm, pptm, pptx, thmx, vsdx, vsdm, vssx, vssm, vstx, and vstm.
- Protection type = Native (default): sample.docx is encrypted to sample.docx
- Protection type = Pfile: For Office files, has the same effect as Native.
- Off: Disables encryption.
PDF files
- Protection type = Native: sample.pdf is encrypted and named sample.ppdf
- Protection type = Pfile: sample.pdf is encrypted and named sample.pdf.pfile.
- Off: Disables encryption.
All other file formats
- Protection type = Pfile: sample.zzz is encrypted and named sample.zzz.pfile; where zzz is the original file extension.
- Off: Disables encryption.
Examples
The following settings enable PFile encryption for txt files. Office files will have native protection applied (by default), txt files will have PFile protection applied, and all other files will have protection blocked (by default).
The following settings enable PFile encryption for all non-Office files except txt files. Office files will have native protection applied (by default), txt files will have protection blocked, and all other files will have PFile protection applied.
The following settings disable native encryption for docx files. Office files, except for docx files, will have native protection applied (by default) and all other files will have protection blocked (by default).
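To check what a given configuration actually does before rolling it out, the following added PowerShell example (not part of the SDK documentation) resolves the protection the File API would apply to a file from the registry keys described above and predicts the output file name, using this page's precedence rules: the specific extension key wins over the '*' wildcard, the wildcard does not affect Office files, 'Pfile' on an Office file still gives native protection, and unknown or missing values fall back to the "Default behavior" section. The sample paths are constructed, and case-insensitive comparison of the Encryption values is an assumption.

```powershell
# Added example: resolve the effective File API protection for a path from the MSIPC registry keys.
$FileProtectionKey = 'HKLM:\SOFTWARE\Microsoft\MSIPC\FileProtection'
$OfficeExts = 'doc','dot','xla','xls','xlt','pps','ppt','docm','docx','dotm','dotx','xlam','xlsb',
              'xlsm','xlsx','xltm','xltx','xps','potm','potx','ppsx','ppsm','pptm','pptx','thmx',
              'vsdx','vsdm','vssx','vssm','vstx','vstm'
$DefaultNativeExts = 'txt','xml','jpg','jpeg','pdf','png','tiff','bmp','gif','giff','jpe','jfif','jif'

function Get-EncryptionSetting([string]$SubKey) {
    # Returns the Encryption REG_SZ under FileProtection\<SubKey>, or '' if the key or value is absent.
    $item = Get-ItemProperty -Path "$FileProtectionKey\$SubKey" -Name Encryption -ErrorAction SilentlyContinue
    if ($item) { [string]$item.Encryption } else { '' }
}

function Get-FileApiProtection([string]$Path) {
    $ext      = [IO.Path]::GetExtension($Path).TrimStart('.').ToLowerInvariant()
    $subKey   = if ($ext) { $ext.ToUpperInvariant() } else { '.' }   # extension-less files use the '.' key
    $isOffice = $OfficeExts -contains $ext
    $setting  = Get-EncryptionSetting $subKey
    # The '*' wildcard applies only when no specific key exists, and never to Office files.
    if ($setting -eq '' -and -not $isOffice) { $setting = Get-EncryptionSetting '*' }

    # Assumption: values are matched case-insensitively (the page shows both 'Native' and 'NATIVE').
    $mode = switch ($setting.ToLowerInvariant()) {
        'off'    { 'Off' }
        'native' { 'Native' }
        'pfile'  { if ($isOffice) { 'Native' } else { 'Pfile' } }   # Pfile has no effect on Office files
        default  { if ($isOffice -or $DefaultNativeExts -contains $ext) { 'Native' } else { 'Pfile' } }
    }
    $outName = switch ($mode) {
        'Off'    { $null }                                            # encryption attempt would be blocked
        'Native' { if ($isOffice) { $Path } else { [IO.Path]::ChangeExtension($Path, "p$ext") } }
        'Pfile'  { "$Path.pfile" }
    }
    [pscustomobject]@{ Path = $Path; Setting = $setting; Protection = $mode; OutputName = $outName }
}

# Constructed sample paths. With no MSIPC keys present the defaults give sample.docx (Native),
# sample.ptxt (Native) and sample.zip.pfile (Pfile); with TXT\Encryption = Pfile, sample.txt.pfile.
'C:\data\sample.docx', 'C:\data\sample.txt', 'C:\data\sample.zip' | ForEach-Object { Get-FileApiProtection $_ }
```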