All versions of Windows 2000 support the Encrypted File System (EFS), an extension to NTFS that allows users to encrypt files on-disk. EFS uses system-level certificates to encrypt the data. However, the algorithms used in these encryption certificates vary with each version of Windows 2000 (including XP and Windows .NET Server 2003).

Because of this, there can be problems decrypting EFS-stored files across versions of Windows. For instance, if you create an EFS file on Windows .NET Server 2003 or Windows XP with Service Pack 1 or later installed, and then try to view it using Windows 2000 (any version) or Windows XP with no service packs installed (the "RTM" version), the file may appear to be garbled or damaged. If you attempt to decrypt such a file completely, it may be irreversibly destroyed.

The reason for this is simple. Windows XP Service Pack 1 and Windows .NET Server 2003 use an algorithm for encryption known as AES (Advanced Encryption Standard). Windows 2000 and Windows XP RTM cannot use the AES algorithm, and therefore cannot access these files. This may become a problem if you are using EFS in a strongly heterogeneous environment -- i.e., many Windows 2000 and XP computers.

One way to get around this is to force Windows XP to use a downwardly-compatible encryption standard, or to use a third-party product that supports the same encryption standards across multiple platforms. The first option is a little easier to implement, since it involves

    Requires Free Membership to View

making a Registry change in XP that can be rolled out to target systems as a .REG file, but it requires that all existing encrypted files on those systems be decrypted first.

To force Windows XP to use an earlier encryption standard:

  1. Decrypt any encrypted files.

  2. Open the Registry and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS.

  3. Add a REG_DWORD value named AlgorithmID.

  4. Set the value of AlgorithmID to one of the following (all values are in hex):

    0x6604: Use the DESX algorithm, which is compatible with all versions of Windows 2000 and Windows XP.
    0x6603: Use the 3DES algorithm, which is compatible with all versions of Windows XP and .NET Server.
    0x6610: Use the AES 256-bit algorithm (the default value, which is only compatible with Windows XP SP1 or higher).

  5. Restart the computer and re-encrypt the files.

Aside from using a new encryption standard, the newer EFS encryption uses a slightly different encryption strategy. The key created by EFS is itself encrypted using the public keys for the user encrypting the files as well as anyone else who is permitted to access the file or behave as a recovery agent for it. This way, an original unencrypted copy of the key is not accessible.


Serdar Yegulalp is the editor of the Windows 2000 Power Users Newsletter. Check out his Windows 2000 blog for his latest advice and musings on the world of Windows network administrators – please share your thoughts as well!


This was first published in November 2003

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.