http://www.answers.com/topic/encrypting-file-system
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx
How to back up the recovery agent Encrypting File System (EFS) private key
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q241201
242296 How to Restore an EFS Private Key for Encrypted Data Recovery
243026 Using Efsinfo.exe to determine information about encrypted files
http://support.microsoft.com/kb/243026/
For more information about EFS in Windows Server, visit the following Microsoft Web site:
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx
For more information about how to work with EFS in Windows Server 2003, visit the following Microsoft Web site:
http://technet2.microsoft.com/windowsserver/en/library/a3aa1b1f-98c9-41b3-ba05-9424e316a0781033.mspx

The recommended way to encrypt sensitive data with EFS is to create a folder, set the encrypt attribute on it, and then create files inside it. Files created this way are encrypted from the start: EFS never writes a plaintext backup copy of them (it does so when it encrypts an existing file in place), so no plaintext shreds of those files are ever left on the drive.

In Windows XP and later there is no default recovery agent on a standalone (non-domain) machine, and none is needed in order to encrypt files; Windows 2000 created one for the local administrator automatically.

Setting SYSKEY to mode 2 or higher (mode 2: a startup password typed in during boot; mode 3: the key stored on a floppy disk) prevents the offline attack in which an attacker boots another operating system and reads the SYSKEY out of the registry: the SAM, and with it the key material that protects the user's EFS private keys, is then encrypted with a SYSKEY that no longer exists on the disk, and the attacker knows neither the passphrase nor holds the key floppy.
Setting SYSKEY with syskey.exe
http://support.microsoft.com/default.aspx?scid=kb;en-us;143475&sd=tech

To back up EFS key(s) from the command line, the cipher.exe utility may be used:

CIPHER /X[:efsfile] [filename]

  /X        Backup EFS certificate and keys into file filename.
            If efsfile is provided, the current user's certificate(s) used to
            encrypt the file will be backed up.
            Otherwise, the user's current EFS certificate and keys will be backed up.

  filename  A filename without extensions.
  efsfile   An encrypted file path.

Determining If EFS is Being Used on a Machine

Some organizations may find it useful to see whether users are using EFS on machines in the domain. There is no single flag that shows whether EFS is in use at this moment (that requires scanning the volumes for encrypted files, for example with efsinfo.exe or "cipher /U /N"), but several registry values can be examined to determine whether EFS has ever been used by the user on the machine.

If the machine is a Windows 2000 machine, the following registry value can be examined to see if a certificate hash exists:

• HKCU\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys\CertificateHash

If the machine is running Windows XP, the following registry values may be examined:

• HKCU\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys\CertificateHash
• HKCU\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys\Flag

The cipher.exe command-line utility may be used to overwrite deallocated clusters on an NTFS volume, to reduce the risk that plaintext shreds left over from in-place encryption of existing files can be recovered. cipher.exe /W makes three write passes over all unused clusters on the volume: the first pass writes 0x00, the second pass writes 0xFF, and the third pass writes pseudorandom data.

CIPHER /W:directory

  /W        Removes data from available unused disk space on the entire volume.
            If this option is chosen, all other options are ignored.
            The directory specified can be anywhere in a local volume. If it is
            a mount point, or points to a directory in another volume, the data
            on that volume will be removed.

The following will cause the deallocated space on the C: drive to be overwritten:

cipher /W:c:\

cipher.exe /W may take a very long time to run, especially on large volumes, and it is not possible to stop it once it has started. Running chkdsk.exe on the volume after completion is a best practice.
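The following PowerShell script is an added example, not code from the original page or from Microsoft. It serves two passages above: it reads the CertificateHash and Flag values named in the detection section to tell whether EFS has ever been used by the current user, resolves the referenced certificate in the user's Personal store, scans a directory tree for files that carry the NTFS Encrypted attribute right now (the check the registry values cannot give), and backs up the EFS certificate and private key to a PFX, which is the scripted equivalent of the interactive "cipher /X" shown earlier. It assumes Windows PowerShell 5.1 or later on Windows 8 / Server 2012 or newer (for Export-PfxCertificate); the EFS enhanced key usage OID 1.3.6.1.4.1.311.10.3.4 and the function names are the example's own.

```powershell
# Added example (not from the original page): inspect the current user's EFS state,
# find currently encrypted files, and back up the EFS key pair.
# Assumes Windows PowerShell 5.1+ with the PKI module (Export-PfxCertificate).

$EfsKeyPath = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys'
$EfsEku     = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System enhanced key usage OID

function Test-EfsEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $ext) { return $false }
    foreach ($oid in $ext.EnhancedKeyUsages) { if ($oid.Value -eq $EfsEku) { return $true } }
    return $false
}

function Get-EfsCurrentCertificate {
    # CertificateHash is a REG_BINARY value holding the SHA-1 thumbprint of the certificate
    # EFS currently uses. Its presence means EFS has been used by this user on this machine
    # at least once; it does not prove that any file is encrypted now.
    $props = Get-ItemProperty -Path $EfsKeyPath -ErrorAction SilentlyContinue
    if (-not $props -or -not $props.CertificateHash) { return $null }

    $thumbprint = ($props.CertificateHash | ForEach-Object { $_.ToString('X2') }) -join ''
    # "Flag" exists on Windows XP and later only; Windows 2000 has just the hash.
    $flag = if ($props.PSObject.Properties['Flag']) { $props.Flag } else { $null }

    $cert = Get-ChildItem -Path Cert:\CurrentUser\My -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $thumbprint } | Select-Object -First 1

    [pscustomobject]@{
        Thumbprint    = $thumbprint
        Flag          = $flag
        Certificate   = $cert
        HasPrivateKey = [bool]($cert -and $cert.HasPrivateKey)
        HasEfsEku     = [bool]($cert -and (Test-EfsEku -Cert $cert))
    }
}

function Find-EncryptedFile {
    param([Parameter(Mandatory)][string]$Path)
    # Files that are encrypted right now carry the NTFS Encrypted attribute.
    Get-ChildItem -Path $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted }
}

function Backup-EfsKey {
    param(
        [Parameter(Mandatory)][string]$OutFile,            # path of the .pfx to write
        [Parameter(Mandatory)][securestring]$Password      # protects the exported private key
    )
    $state = Get-EfsCurrentCertificate
    if (-not $state -or -not $state.Certificate) { throw 'No current EFS certificate found for this user.' }
    if (-not $state.HasPrivateKey) { throw 'The EFS certificate has no private key in this profile; nothing to back up.' }
    # Same result as "cipher /X <name>", without the interactive password prompt.
    Export-PfxCertificate -Cert $state.Certificate -FilePath $OutFile -Password $Password | Out-Null
    Get-Item -Path $OutFile
}

# Usage
$state = Get-EfsCurrentCertificate
if ($state) {
    "EFS has been used. Thumbprint $($state.Thumbprint); private key present: $($state.HasPrivateKey); EFS EKU: $($state.HasEfsEku)"
    Find-EncryptedFile -Path $env:USERPROFILE | Select-Object -ExpandProperty FullName
    Backup-EfsKey -OutFile "$env:USERPROFILE\efs-backup.pfx" -Password (Read-Host -AsSecureString 'PFX password')
} else {
    'EFS has never been used by this user on this machine.'
}
```

A thumbprint in the registry with no matching certificate, or a certificate without a private key, is the situation to look for after a password reset or profile migration: the files still exist but this profile can no longer decrypt them, and a recovery agent or an earlier PFX backup is the only way back. Move the exported PFX off the machine; a backup that sits next to the encrypted data protects nothing.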
Also, cipher.exe /W is not meant to be run repeatedly; the intent of the process is a one-time cleanup of the disk after existing files have been converted to encrypted form.

The best practice is to use a Microsoft CA to issue a DRA certificate for the central recovery agent. In an environment without a Microsoft certification authority, "cipher /R:filename" generates a self-signed recovery agent certificate and key (written as filename.cer and filename.pfx), and the certificate used by EFS for local file encryption can be replaced in two steps:

1. Replace the following registry value on the local machine, for the current user, with the thumbprint of the new certificate (a REG_BINARY value holding the 20-byte SHA-1 hash; the certificate and its private key must already be in the user's Personal certificate store):
   HKCU\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys\CertificateHash
2. Run the cipher.exe utility with the /K option:

C:\>cipher /?
Displays or alters the encryption of directories [files] on NTFS partitions.

CIPHER [/E | /D] [/S:directory] [/A] [/I] [/F] [/Q] [/H] [pathname [...]]
CIPHER /K

  /K        Creates new file encryption key for the user running Cipher.
            If this option is chosen, all the other options will be ignored.

Files that were encrypted under the previous certificate keep using it until they are re-keyed with "cipher /U", which requires the old key to still be present; do not delete the old certificate before that has completed.

Third Party Certification Authorities
http://support.microsoft.com/default.aspx?scid=kb;en-us;273856&sd=tech
**************
How to add an EFS recovery agent in Windows XP Professional
http://support.microsoft.com/kb/887414
**************
Encrypting File System (EFS) generates a self-signed certificate when you try to encrypt an EFS file on a Windows XP-based computer
http://support.microsoft.com/kb/912761
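The following PowerShell function is an added example for the free-space wipe described above; it is not code from the original page or from Microsoft. It runs "cipher /W" once against the root of each fixed NTFS volume, so that the mount-point behaviour of /W (the volume that owns the directory is wiped, not the directory) cannot redirect the wipe to the wrong volume, records how long each run took, and follows up with the chkdsk the page recommends. It assumes an elevated Windows PowerShell session; discovering volumes through the Win32_LogicalDisk CIM class and the function name are the example's own choices.

```powershell
# Added example (not from the original page): one-time free-space wipe per fixed NTFS
# volume with "cipher /W", followed by chkdsk. Assumes an elevated session.

function Invoke-EfsFreeSpaceWipe {
    param(
        # Optional drive letters to restrict the wipe to (e.g. 'C','D'); default is every fixed NTFS volume.
        [string[]]$DriveLetter
    )
    # DriveType 3 = local fixed disk. Removable media and non-NTFS volumes are skipped.
    $volumes = Get-CimInstance -ClassName Win32_LogicalDisk |
        Where-Object { $_.DriveType -eq 3 -and $_.FileSystem -eq 'NTFS' }
    if ($DriveLetter) {
        $wanted  = $DriveLetter | ForEach-Object { $_.TrimEnd(':').ToUpperInvariant() + ':' }
        $volumes = $volumes | Where-Object { $wanted -contains $_.DeviceID }
    }
    if (-not $volumes) { throw 'No matching fixed NTFS volume found.' }

    foreach ($vol in $volumes) {
        # Always hand cipher the volume root: /W wipes the volume that owns the directory
        # it is given, so a mount point inside this tree would wipe a different volume.
        $root   = "$($vol.DeviceID)\"
        $freeGb = [math]::Round($vol.FreeSpace / 1GB, 1)
        Write-Host "Wiping $freeGb GB of free space on $root with three passes (0x00, 0xFF, random). This cannot be interrupted."

        $sw = [Diagnostics.Stopwatch]::StartNew()
        & cipher.exe "/W:$root"
        $cipherExit = $LASTEXITCODE
        $sw.Stop()
        if ($cipherExit -ne 0) {
            Write-Warning "cipher /W on $root exited with code $cipherExit; skipping chkdsk."
            continue
        }

        # Read-only consistency check after the volume has been filled and emptied again.
        & chkdsk.exe $vol.DeviceID | Out-Null
        [pscustomobject]@{
            Volume         = $root
            FreeSpaceGB    = $freeGb
            Minutes        = [math]::Round($sw.Elapsed.TotalMinutes, 1)
            ChkdskExitCode = $LASTEXITCODE
        }
    }
}

# Usage: wipe only C:, or omit -DriveLetter to cover every fixed NTFS volume.
Invoke-EfsFreeSpaceWipe -DriveLetter 'C'
```

Run it once, after the in-place encryption of existing files is finished, and not again; the wipe fills the volume to capacity while it runs, so schedule it when applications that need free space (databases, update installers) are not active.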
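The following PowerShell function is an added example for the certificate-replacement procedure above; it is not code from the original page or from Microsoft. It carries out step 1 with the checks a practitioner would want before touching CertificateHash: the certificate must be in the user's Personal store, must have a private key, and must carry the EFS enhanced key usage (OID 1.3.6.1.4.1.311.10.3.4, an assumption of this example rather than something the page states). It then re-keys already encrypted files with "cipher /U" so they follow the new certificate. It does not run step 2's "cipher /K", because the help text above describes /K as creating a new key rather than adopting one that was imported. The function name and the backup of the previous thumbprint are the example's own.

```powershell
# Added example (not from the original page): make EFS use an already imported
# certificate by writing its thumbprint to CertificateHash, then re-key existing files.
# Assumes Windows PowerShell on Windows XP or later and the registry path given on this page.

$EfsKeyPath = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys'
$EfsEku     = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System enhanced key usage OID

function Set-EfsCertificate {
    param([Parameter(Mandatory)][string]$Thumbprint)

    # Normalise the thumbprint: strip spaces/colons as pasted from certmgr, upper-case hex.
    $thumb = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($thumb.Length -ne 40) { throw "Expected a 40-hex-digit SHA-1 thumbprint, got '$Thumbprint'." }

    # The certificate (with its private key) must already be in the user's Personal store,
    # e.g. via Import-PfxCertificate -FilePath .\newefs.pfx -CertStoreLocation Cert:\CurrentUser\My
    $cert = Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.Thumbprint -eq $thumb } | Select-Object -First 1
    if (-not $cert)               { throw "Certificate $thumb is not in Cert:\CurrentUser\My; import the PFX first." }
    if (-not $cert.HasPrivateKey) { throw "Certificate $thumb has no private key; EFS could never decrypt with it." }

    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasEfsEku = $false
    if ($ekuExt) { foreach ($oid in $ekuExt.EnhancedKeyUsages) { if ($oid.Value -eq $EfsEku) { $hasEfsEku = $true } } }
    if (-not $hasEfsEku) { throw "Certificate $thumb lacks the EFS enhanced key usage ($EfsEku)." }

    # Remember the previous thumbprint so the change can be reverted.
    $oldHex = $null
    $old = (Get-ItemProperty -Path $EfsKeyPath -ErrorAction SilentlyContinue).CertificateHash
    if ($old) { $oldHex = ($old | ForEach-Object { $_.ToString('X2') }) -join '' }

    # CertificateHash is REG_BINARY: the raw 20 bytes of the SHA-1 thumbprint, not its hex text.
    $bytes = [byte[]](0..19 | ForEach-Object { [Convert]::ToByte($thumb.Substring($_ * 2, 2), 16) })
    if (-not (Test-Path -Path $EfsKeyPath)) { New-Item -Path $EfsKeyPath -Force | Out-Null }
    Set-ItemProperty -Path $EfsKeyPath -Name CertificateHash -Value $bytes -Type Binary

    # Files encrypted earlier still have their file encryption key wrapped for the old
    # certificate. "cipher /U" rewrites every encrypted file on local drives for the current
    # key; the old key must still be in the store while this runs.
    & cipher.exe /U | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "cipher /U exited with code $LASTEXITCODE; some files may still depend on the old certificate."
    }

    [pscustomobject]@{ PreviousThumbprint = $oldHex; CurrentThumbprint = $thumb }
}

# Usage (thumbprint value is a placeholder):
# Set-EfsCertificate -Thumbprint '0123456789ABCDEF0123456789ABCDEF01234567'
```

Keep the PreviousThumbprint the function returns: if "cipher /U" reports failures, writing that value back to CertificateHash restores the earlier state, and the old certificate should only be removed from the store once every encrypted file opens under the new one.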