Microsoft Windows Vista Community Forums - Vistaheads

An EFS encryption question.

microsoft.public.windows.vista.security






  #1 (permalink)  
Old 10-23-2008
Brian Komar
 

Posts: n/a
Re: An EFS encryption question.
Not a good idea.
The first time that you forget to import the PKCS#12 before you attempt to
access a file, a new EFS certificate will be generated.
From that point on, all newly encrypted files will use the new default EFS
key.
If you want to have the removal of the EFS certificate from software, then I
recommend you move to Vista and use a smart-card based EFS certificate.
Brian

"bagassa" <not@available.com> wrote in message
news:e8Eqa9INJHA.5692@TK2MSFTNGP02.phx.gbl...
> Good afternoon everyone,
>
> What I like to do is lock some of my sensitive files using the Windows EFS
> encryption so that if someone were to steal my computer and somehow hack
> the password into my account, they still would not be able to read the
> files.
>
> If I were to:
>
> 1. encrypt the files
> 2. then export the "encrypting file system" certificate from the
> certificate manager (in the personal folder) to a thumb drive (and a
> backup drive).
> 3. delete the certificate manager's copy
> 4. Every time I want to access the files, I plug the thumb drive in, and
> use it to decrypt the files.
>
> Is this a good way to do it? Any red flags here?
>
> Thanks for your time and help
>
> Peter
>


  #2 (permalink)  
Old 10-23-2008
bagassa
 

Posts: n/a
An EFS encryption question.
Good afternoon everyone,

What I like to do is lock some of my sensitive files using the Windows EFS
encryption so that if someone were to steal my computer and somehow hack the
password into my account, they still would not be able to read the files.

If I were to:

1. encrypt the files
2. then export the "encrypting file system" certificate from the certificate
manager (in the personal folder) to a thumb drive (and a backup drive).
3. delete the certificate manager's copy
4. Every time I want to access the files, I plug the thumb drive in, and use
it to decrypt the files.

Is this a good way to do it? Any red flags here?

Thanks for your time and help

Peter

  #3 (permalink)  
Old 10-23-2008
Brian Komar
 

Posts: n/a
Re: An EFS encryption question.
Inline...
"bagassa" <not@available.com> wrote in message
news:eFmgzvUNJHA.2824@TK2MSFTNGP06.phx.gbl...
> Good afternoon Brian,
>
> You raised a good point. Does this mean that the burglar who stole my
> computer and broke into my account could still read the files, simply
> because Windows will always make a new certificate?

No. They would need access to the removed certificate's private key to open
previous files.

>
> There is no registry change that can stop this automatic generation?

No. You need to read the whitepaper on how EFS works.
You could prevent the creation of self-signed EFS, but the client would
still either request a Basic EFS certificate or autoenroll another
certificate.


>
> About those smart card readers you mentioned. Where can I get a simple
> one at a reasonable price?

You need three things:
1) Smart card
2) Smart card reader
3) Middleware/mini-driver
Google is your friend. Search for Gemalto.



>
> Thanks for your time and input, Brian.
>
> Peter
>
> ========================================
>
>> Not a good idea.
>> The first time that you forget to import the PKCS#12 before you attempt
>> to access a file, a new EFS certificate will be generated.
>> From that point on, all newly encrypted files will use the new default
>> EFS key.
>> If you want to have the removal of the EFS certificate from software,
>> then I recommend you move to Vista and use a smart-card based EFS
>> certificate.
>>
>> Brian
>>

> ========================================
>>>
>>> What I like to do is lock some of my sensitive files using the Windows
>>> EFS encryption so that if someone were to steal my computer and somehow
>>> hack the password into my account, they still would not be able to read
>>> the files.
>>>
>>> If I were to:
>>>
>>> 1. encrypt the files
>>> 2. then export the "encrypting file system" certificate from the
>>> certificate manager (in the personal folder) to a thumb drive (and a
>>> backup drive).
>>> 3. delete the certificate manager's copy
>>> 4. Every time I want to access the files, I plug the thumb drive in, and
>>> use it to decrypt the files.
>>>
>>> Is this a good way to do it? Any red flags here?
>>>
>>> Thanks for your time and help
>>>
>>> Peter

>
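
A check for the failure mode described in this reply, where Windows silently generates a new default EFS certificate; this is an added example, not part of the original thread. The thumbprint and folder are placeholders, and it assumes the per-user `CurrentKeys\CertificateHash` registry value and the `cipher /c` output found on Vista and later.

```powershell
# Added example, not from the thread. $ExpectedThumbprint and $ProtectedFolder
# are placeholders: use the thumbprint of the certificate you exported.
param(
    [string]$ExpectedThumbprint = '<THUMBPRINT-OF-EXPORTED-EFS-CERT>',
    [string]$ProtectedFolder    = 'C:\Sensitive'
)
$expected = ($ExpectedThumbprint -replace '\s', '').ToUpper()
$efsOid   = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU

# 1. Certificates in the Personal store that carry the EFS EKU.
$ekuType  = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
$efsCerts = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.Extensions | Where-Object { $_ -is $ekuType } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        Where-Object { $_.Value -eq $efsOid }
})
foreach ($c in $efsCerts) {
    $note = if ($c.Thumbprint -eq $expected) { 'expected' } else { 'UNEXPECTED' }
    '{0}  NotBefore={1:u}  PrivateKey={2}  {3}' -f $c.Thumbprint, $c.NotBefore, $c.HasPrivateKey, $note
}

# 2. The certificate EFS will use for newly encrypted files.
$keyPath = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys'
$current = $null
if (Test-Path $keyPath) {
    $hash = (Get-ItemProperty -Path $keyPath).CertificateHash
    if ($hash) { $current = ($hash | ForEach-Object { $_.ToString('X2') }) -join '' }
}
if ($current -and $current -ne $expected) {
    Write-Warning "Current EFS key $current is not the exported certificate."
}

# 3. Encrypted files whose key list does not include the expected certificate.
if (Test-Path $ProtectedFolder) {
    Get-ChildItem -Path $ProtectedFolder -Recurse |
        Where-Object { -not $_.PSIsContainer -and
                       ($_.Attributes -band [IO.FileAttributes]::Encrypted) } |
        ForEach-Object {
            # cipher /c prints the thumbprints of certificates that can decrypt the file.
            $info = (cipher /c $_.FullName | Out-String) -replace '\s', ''
            if ($info -notmatch [regex]::Escape($expected)) {
                Write-Warning "Not encrypted to the exported certificate: $($_.FullName)"
            }
        }
}
```

An `UNEXPECTED` certificate with a recent `NotBefore` date, or a warning from step 2 or 3, indicates that files have been encrypted to a key that was never exported to the thumb drive.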


  #4 (permalink)  
Old 10-24-2008
bagassa
 

Posts: n/a
Re: An EFS encryption question.
Good afternoon Brian,

You raised a good point. Does this mean that the burglar who stole my
computer and broke into my account could still read the files, simply
because Windows will always make a new certificate?

There is no registry change that can stop this automatic generation?

About those smart card readers you mentioned. Where can I get a simple one
at a reasonable price?

Thanks for your time and input, Brian.

Peter

========================================

> Not a good idea.
> The first time that you forget to import the PKCS#12 before you attempt to
> access a file, a new EFS certificate will be generated.
> From that point on, all newly encrypted files will use the new default EFS
> key.
> If you want to have the removal of the EFS certificate from software, then
> I recommend you move to Vista and use a smart-card based EFS certificate.
>
> Brian
>

========================================
>>
>> What I like to do is lock some of my sensitive files using the Windows
>> EFS encryption so that if someone were to steal my computer and somehow
>> hack the password into my account, they still would not be able to read
>> the files.
>>
>> If I were to:
>>
>> 1. encrypt the files
>> 2. then export the "encrypting file system" certificate from the
>> certificate manager (in the personal folder) to a thumb drive (and a
>> backup drive).
>> 3. delete the certificate manager's copy
>> 4. Every time I want to access the files, I plug the thumb drive in, and
>> use it to decrypt the files.
>>
>> Is this a good way to do it? Any red flags here?
>>
>> Thanks for your time and help
>>
>> Peter


  #5 (permalink)  
Old 10-26-2008
bagassa
 

Posts: n/a
Re: An EFS encryption question.
Last question Brian,

The only white paper I found on the MS website talks about security in
general, or about the BitLocker feature which I don't have (I have Vista
Business).

Can I get a link to that EFS white paper that you mentioned?

Regards,

Peter

==========================
"Brian Komar" <brian.komar@nospam.identit.ca> wrote in message
news:%23Eyk8%23UNJHA.5232@TK2MSFTNGP05.phx.gbl...
> Inline...
>
>> Good afternoon Brian,
>>
>> You raised a good point. Does this mean that the burglar who stole my
>> computer and broke into my account could still read the files, simply
>> because Windows will always make a new certificate?

> No. They would need access to the removed certificate's private key to
> open previous files.
>
>>
>> There is no registry change that can stop this automatic generation?

> No. You need to read the whitepaper on how EFS works.
> You could prevent the creation of self-signed EFS, but the client would
> still either request a Basic EFS certificate or autoenroll another
> certificate.
>
>
>>
>> About those smart card readers you mentioned. Where can I get a simple
>> one at a reasonable price?

> You need three things:
> 1) Smart card
> 2) Smart card reader
> 3) Middleware/mini-driver
> Google is your friend. Search for Gemalto.
>
> Thanks for your time and input, Brian.
>
> Peter
>


  #6 (permalink)  
Old 10-28-2008
GreenieLeBrun
 

Posts: n/a
Re: An EFS encryption question.


bagassa wrote:
> Last question Brian,
>
> The only white paper I found on the MS website talks about security in
> general, or about the BitLocker feature which I don't have (I have
> Vista Business).
>
> Can I get a link to that EFS white paper that you mentioned?
>
> Regards,
>
> Peter
>
> ==========================
> "Brian Komar" <brian.komar@nospam.identit.ca> wrote in message
> news:%23Eyk8%23UNJHA.5232@TK2MSFTNGP05.phx.gbl...
>> Inline...
>>
>>> Good afternoon Brian,
>>>
>>> You raised a good point. Does this mean that the burglar who stole
>>> my computer and broke into my account could still read the files,
>>> simply because Windows will always make a new certificate?

>> No. They would need access to the removed certificate's private key
>> to open previous files.
>>
>>>
>>> There is no registry change that can stop this automatic generation?

>> No. You need to read the whitepaper on how EFS works.
>> You could prevent the creation of self-signed EFS, but the client
>> would still either request a Basic EFS certificate or autoenroll
>> another certificate.
>>
>>
>>>
>>> About those smart card readers you mentioned. Where can I get a
>>> simple one at a reasonable price?

>> You need three things:
>> 1) Smart card
>> 2) Smart card reader
>> 3) Middleware/mini-driver
>> Google is your friend. Search for Gemalto.
>>
>> Thanks for your time and input, Brian.
>>
>> Peter


These may help:-

The Encrypting File System
http://www.microsoft.com/technet/sec...hyetc/efs.mspx

Best practices for the Encrypting File System
http://support.microsoft.com/kb/223316/en-us

