Best Practices To Encrypting File System
Microsoft's Encrypting File System (EFS) is one of the most popular filesystem-level encryption tools. The utility offers simple, manageable security for workgroups and private computers, and newer versions of EFS provide reliable 256-bit ECC encryption.
Unfortunately, as is the case with any encryption tool, EFS poses some challenges. In some cases, system administrators unintentionally create a single point of failure through poor group encryption policies or by failing to maintain recovery agents for last passwords. If an encrypted drive's private key becomes inaccessible or if a recovery agent does not function as expected, data recovery becomes extremely difficult or impossible. To avoid these threats, system administrators and regular EFS users should closely evaluate their practices.
At Secure Data Recovery Services, we have years of experience with encryption tools like EFS and their various implementations. The practices listed below should allow for better security, better redundancy and better reliability overall on EFS-encrypted systems.
Common Practices for Maintaining Private and Recovery Keys
Any person with access to your private keys can decrypt your EFS data. Therefore, you will need to control access to your private keys in order to maintain security, but you also need to plan for data loss disasters to prevent the private keys from becoming a liability.
Always store private keys in a safe location. Complement your private keys with recovery keys by creating recovery agents. Ideally, system administrators should create several recovery accounts and store the resulting recovery keys on a redundant device.
Microsoft recommends keeping backups of all private keys and recovery certificates after EFS changes recovery agents. By keeping obsolete keys and certificates, you maintain redundancy for older files that were encrypted under the old recovery agent. Never assume that all of your EFS files are up to date with a new recovery agent without checking each file individually.
Your recovery agent accounts should never be used for any purpose other than recovery. Keep at least two recovery agent accounts on two separate machines for each organizational unit to prevent any single point of failure from causing data loss.
For the best possible security on systems with multiple users, authorized users should store their private keys on removable media as a .PFX file. This practice prevents an unauthorized third party from decrypting protected data, even after maintaining physical access to your media.
To maintain system performance on servers, only use EFS on folders that require additional security controls. Do not encrypt full partitions or virtual drives unless absolutely necessary. Encrypt folders rather than individual files to allow your programs to work properly.
Sharing Encrypted EFS Files
EFS allows users to share access to encrypted files. Many system administrators attempt to use this feature to access encrypted data on older hard drives, servers and other media.
To share an encrypted file, right-click on the file's icon and navigate to Properties, Advanced and Details. You can then select "Add" to add new users via their EFS certificates.
Note that you must carry out this process on a computer that can access the encrypted files; you cannot regain access to files after losing private keys. Any users with read/write access can decrypt your EFS files and remove other authorized users.
Data Recovery Techniques for EFS
When you cannot access encrypted data, you should immediately turn off your system. Never run recovery utilities if you cannot clearly identify the source of data loss. If your files are corrupt, your media is physically damaged or your private key does not work correctly, your device may need prompt attention from a certified data recovery provider.
Secure Data Recovery Services is a professional data recovery provider with dedicated, customized service options for EFS-encrypted data. We provide free media diagnostics, fast turnaround times and industry-leading recovery rates for encrypted systems. As one of the only data recovery companies with a Certified Class 10 ISO 4 Cleanroom, we are uniquely qualified to provide safe services for physically damaged hard drives, RAID arrays, solid-state drives and removable media.
We treat all encrypted data using strict security protocols and protected networks. Our engineers can return recovered data in an encrypted, decrypted or partially decrypted format depending on your preferences.
Our certifications include:
- PCI Security Certification
- SAS 70 Certification
- SSAE 18 Type II Certification
- Green Business Certification
- General Services Administration (GSA) Contractor Certification
- Information Systems Security Association (ISSA) Member
We offer free diagnostics for all encrypted devices. For a price quote, turnaround estimates or other information, contact Secure Data Recovery Services today.