To back up private keys, disable EFS on users' PCs

The Encrypting File System (EFS) feature was introduced in Windows 2000 and is also available in Windows XP Professional. This data protection and data recovery feature is available without any special configuration because it is enabled by default.

Although this feature is easy to use, administrators have concerns about the use of EFS. These concerns relate to the ability to recover encrypted files and to the protection of the private keys used for encryption, which are associated with each user's account and with the recovery agent's account. Because the private keys needed for decryption are stored in the user's profile, a user whose profile is deleted or corrupted can no longer access their encrypted files.

Without a custom solution, backing up and storing a user's private keys (without backing up the entire profile) is a time-consuming process. Also, using nondefault recovery agents requires installing the Certificate Authority feature, which then also needs to be managed properly. To avoid these additional tasks, it is better to disable EFS on users' machines.

The EFS service works differently on Windows 2000 and Windows XP. To disable EFS on Windows 2000, do the following:

  1. Launch the Group Policy MMC snap-in and select the Group Policy Object (GPO) linked to your domain.
  2. Drill down to Computer Configuration - Windows Settings - Security Settings - Public Key Policies - Encrypted Data Recovery Agents.
  3. Right-click on the Encrypted Data Recovery Agents folder and select Delete Policy to delete the default recovery policy.
  4. Right-click on Encrypted Data Recovery Agents again and select Initialize Empty Policy. This will prevent users from using EFS on any Windows 2000 system that belongs to the domain.

Disabling EFS on Windows XP requires a different procedure. XP offers greater flexibility in configuring the scope of EFS. If your intention is to disable EFS for a single file, you can simply assign the system attribute to the file. For example, to apply the system attribute to the file info1.txt, type the following at the command prompt: attrib +s info1.txt

If instead you want to prevent EFS on the folder level, you can create a desktop.ini file in the folder. This file should contain the following two lines:

This will affect the folder itself and all its files. However, it does not have any impact on its subfolders and their content.

If you prefer, you can disable EFS at the system level. This is done by editing the Registry. Set the following value, of type DWORD, to 1:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS\EfsConfiguration
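The three XP-level controls above (file attribute, folder desktop.ini, system-wide registry value) can be audited and applied from PowerShell. This is an added example, not code from the original tip; the function names are assumed, and the desktop.ini content it writes ([Encryption] followed by Disable=1) is Microsoft's documented folder-level switch, which the tip refers to but does not reproduce.

```powershell
# Added example: audit and apply the XP-level EFS controls from the tip.
# Function names (Test-EfsDisabled, Disable-EfsForFolder, Disable-EfsSystemWide)
# are assumptions; the registry key and value name are the ones given in the tip.

$EfsKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'

function Test-EfsDisabled {
    # Report which of the three levels of EFS blocking apply to a given path.
    param([Parameter(Mandatory)][string]$Path)

    $item = Get-Item -LiteralPath $Path -Force
    $result = [ordered]@{ Path = $item.FullName }

    # File level: the System attribute (attrib +s) blocks EFS for this file.
    $result.FileSystemAttr = [bool]($item.Attributes -band [IO.FileAttributes]::System)

    # Folder level: a desktop.ini carrying Disable=1 under [Encryption].
    $folder = if ($item.PSIsContainer) { $item.FullName } else { $item.DirectoryName }
    $ini = Join-Path $folder 'desktop.ini'
    $result.FolderDesktopIni = (Test-Path -LiteralPath $ini) -and
        ((Get-Content -LiteralPath $ini -Raw) -match '\[Encryption\][\s\S]*?Disable\s*=\s*1')

    # System level: EfsConfiguration = 1 under the EFS key named in the tip.
    $cfg = (Get-ItemProperty -Path $EfsKey -Name EfsConfiguration `
            -ErrorAction SilentlyContinue).EfsConfiguration
    $result.SystemRegistry = ($cfg -eq 1)

    [pscustomobject]$result
}

function Disable-EfsForFolder {
    # Write the documented two-line desktop.ini into the folder (not its subfolders).
    param([Parameter(Mandatory)][string]$Folder)
    $ini = Join-Path $Folder 'desktop.ini'
    Set-Content -LiteralPath $ini -Value @('[Encryption]', 'Disable=1') -Encoding Ascii
    # Hiding the file keeps it out of directory listings; a convenience, not a requirement.
    (Get-Item -LiteralPath $ini -Force).Attributes = 'Hidden'
}

function Disable-EfsSystemWide {
    # Needs an elevated prompt; creates the DWORD value if it is absent.
    if (-not (Test-Path $EfsKey)) { New-Item -Path $EfsKey -Force | Out-Null }
    New-ItemProperty -Path $EfsKey -Name EfsConfiguration -PropertyType DWord -Value 1 -Force | Out-Null
}

# Example run (paths are placeholders):
# Disable-EfsForFolder -Folder 'C:\Data'
# Test-EfsDisabled -Path 'C:\Data\info1.txt' | Format-List
```

Run Test-EfsDisabled before and after a change to confirm which level actually took effect on the machine in question.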

About the author: Rahul Shah currently works at a software firm in India, where he is a systems administrator maintaining Windows servers. He has also worked for various software firms in testing and analytics, and has experience deploying client/server applications in different Windows configurations.

This was first published in August 2006
