Re: An EFS encryption question.
"bagassa" <email@example.com> wrote in message
> Good afternoon Brian,
> You raised a good point. Does this mean that the burglar who stole my
> computer and broke into my account could still read the files, simply
> because Windows will always make a new certificate?
No. They would need access to the removed certificate's private key to open
> There is no registry change that can stop this automatic generation?
No. You need to read the whitepaper on how EFS works.
You could prevent the creation of self-signed EFS, but the client would
still either request a Basic EFS certificate or autoenroll another
> About those smart card readers you mentioned. Where can I get a simple
> one at a reasonable price?
You need three things:
1) Smart card
2) Smart card reader
Google is your friend. Search for Gemalto
> Thanks for your time and input, Brian.
>> Not a good idea.
>> The first time that you forget to import the PKCS#12 before you attempt
>> to access a file, a new EFS certificate will be generated
>> From that point on, all newly encrypted files will use the new default
>> EFS key
>> If you want to have the removal of the EFS certificate from software,
>> then I recommend you move to Vista and use a smart-card based EFS
>>> What I like to do is lock some of my sensitive files using the Windows
>>> EFS encryption so that if someone were to steal my computer and somehow
>>> hack the password into my account, they still would not be able to read
>>> the files.
>>> If I were to:
>>> 1. encrypt the files
>>> 2. then export the "encrypting file system" certificate from the
>>> certificate manager (in the personal folder) to a thumb drive (and a
>>> backup drive).
>>> 3. delete the certificate manager's copy
>>> 4. Every time I want to access the files, I plug the thumb drive in, and
>>> use it to decrypt the files.
>>> Is this a good way to do it? Any red flags here?
>>> Thanks for your time and help
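
The failure mode described in this thread (Windows silently generating a new EFS certificate once the original has been removed) can be checked for with the PowerShell sketch below. It is an added example, not part of the original messages; `$ExpectedThumbprint` is a placeholder for the thumbprint of the certificate you exported, and the script assumes the current user's EFS key selection is recorded in the `CertificateHash` value under the `EFS\CurrentKeys` registry key.

```powershell
# Added example: detect whether EFS has switched to a certificate other than
# the one that was exported and removed.
param(
    # Placeholder: thumbprint of the EFS certificate you exported to PKCS#12.
    [string]$ExpectedThumbprint = '<THUMBPRINT-OF-EXPORTED-CERT>'
)

$efsOid  = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU
$keyPath = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys'

# Thumbprint of the certificate EFS will use for newly encrypted files.
$current = $null
$hash = (Get-ItemProperty -Path $keyPath -Name CertificateHash `
            -ErrorAction SilentlyContinue).CertificateHash
if ($hash) { $current = -join ($hash | ForEach-Object { $_.ToString('X2') }) }

# Every EFS-capable certificate in the user's Personal store.
$certs = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.EnhancedKeyUsageList.ObjectId -contains $efsOid
})

$certs | Sort-Object NotBefore | ForEach-Object {
    [pscustomobject]@{
        Thumbprint    = $_.Thumbprint
        ValidFrom     = $_.NotBefore
        SelfSigned    = ($_.Subject -eq $_.Issuer)
        HasPrivateKey = $_.HasPrivateKey
        CurrentEfsKey = ($_.Thumbprint -eq $current)
    }
} | Format-Table -AutoSize

if (-not $current) {
    Write-Output 'No current EFS key is recorded for this user.'
} elseif ($current -ne $ExpectedThumbprint.ToUpper()) {
    Write-Warning "EFS is now using $current, not the exported certificate. Files encrypted from this point use the new key."
} else {
    Write-Output 'EFS is still using the exported certificate.'
}

$left = @($certs | Where-Object { $_.HasPrivateKey })
if ($left.Count -gt 0) {
    Write-Warning "$($left.Count) EFS certificate(s) with a private key are still in the store."
}
```

Running `cipher /c` against an individual encrypted file shows the thumbprint of the certificate able to decrypt it, which can be compared with the table above.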