Problem solve Get help with specific problems with your technologies, process and projects.

Utility keeps Encrypted File System in line

The efsinfo.exe command line utility can be a valuable time saver if you use the Windows Encrypted File System. Use it to scan partitions for encrypted files to get basic information on them.

If you encrypt files and folders you are certainly adding a valuable layer of security for your system. But, at the same time, you are adding important duties to your already busy job.

The fundamental requirement with any encrypted material is to keep track of permissions and keys. If you don't track them, the material can become unreadable. Your security efforts are for naught.

The Encrypted File System (EFS) built into Windows Server 2003 presents you with an additional potential problem: When you install Windows Active Directory on a computer, Windows automatically erases any cryptographic keys and certificates that were stored on the machine. It's not a problem if you know that's what happens and backed up the security information. If you're blindsided, though, your users are likely to find that anything they had stored with EFS protection on that machine is no longer available to them.

Another potential problem is keeping track of who the "recovery agents" are for a particular encrypted file. The recovery agent is the administrator or administrators who can recover the file if the creator can't or isn't available. Since best practice is to have at least two recovery agents for every file and to have separate accounts only used for recovery, keeping track of who can recover which files can be tricky.

What you really need is a way to scan partitions and volumes for encrypted files and folders and get basic information on them. Windows Server provides that with a utility called efsinfo.exe. It's a command-line utility found in the Windows Support Tool folder (\support\tools) on your product CD.

Efsinfo.exe checks for encryption information about files and folders in the current folder. It has options for displaying recovery agent information, certificate thumbnails and other information. The syntax is straightforward and, like other command-line utilities, it can be used with pipes, filters and other command line functions to produce more focused output.

To find additional information about efsinfo.exe visit this Microsoft site.

About the Author: Rick Cook has been writing about mass storage since the days when the term meant an 80 K floppy disk. The computers he learned on used ferrite cores and magnetic drums. For the last 20 years he has been a freelance writer specializing in storage and other computer issues.

Dig Deeper on Windows Server storage management

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.