Encrypting File System Tools and Settings
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
In this section
Encrypting File System Tools
Encrypting File System Registry Entries
Encrypting File System Group Policy Settings
Related Information
Encrypting File System Tools
The following tools are associated with Encrypting File System.
Cipher.exe: Cipher
Category
Cipher is an operating system command-line tool.
Version compatibility
This tool is compatible with Windows 2000, Windows XP, Windows Server 2003.
Cipher allows a user or administrator to display or alter the encryption of files. In addition to encrypting or decrypting a file or folder, Cipher can be used to update the file encryption keys or the keys of the data recovery agent (DRA) should there be a change in the data recovery policy.
When used with the /w switch, Cipher can also remove data from portions of the volume it can access that have not been allocated to files or directories. Cipher does not lock the drive, so other programs can obtain space on the drive which Cipher cannot erase. Because the /w option writes to a large portion of the volume, it might take a long time to complete and should only be used when necessary.
For more information about Cipher, see “Command-Line References” in the Tools and Settings Collection.
Efsinfo.exe: Encrypting File System Information
Category
Encrypting File System Information is a Windows Server 2003 command-line tool.
Version compatibility
This tool is compatible with Windows 2000, Windows XP, Windows Server 2003.
Encrypting File System Information displays information about files and folders encrypted with Encrypting File System (EFS) on partitions that use the NTFS file system. Options include displaying encryption information about the files and folders in the current folder, recovery agent information, and certificate thumbnail information.
For more information about Efsinfo, see “Command-Line References” in the Tools and Settings Collection.
Xcopy.exe: Xcopy
Category
Xcopy is a command-line tool that ships with Windows Server 2003 and Windows XP Professional.
Version compatibility
This tool is compatible with Windows 2000, Windows XP Professional, Windows Server 2003.
Encrypted files are copied from Web folders in the same way that plaintext files are copied from file shares. The Copy and Xcopy commands do not require any special parameters. The file is transmitted in ciphertext and remains encrypted on the local computer if possible. The encryption status for files copied from Web folders is the same as that for files copied locally.
For more information about Xcopy, see “Command-Line References” in the Tools and Settings Collection.
SecPol.msc: Local Security Settings Snap-in
Category
Local Security Settings is a Microsoft Management Console (MMC) snap-in that ships with Windows Server 2003, Windows 2000 Server, and Windows XP Professional.
Version compatibility
This tool is compatible with Windows 2000, Windows XP Professional, Windows Server 2003.
Local Security Settings is compatible with Windows Server 2003 and Windows 2000 Server, and can be used to configure EFS data recovery agents on computers running Windows Server 2003, Windows XP Professional, and Windows 2000.
To find more information about the Local Security Settings snap-in, see “Security Policy Settings.”
Encrypting File System Registry Entries
The following registry entries are associated with Encrypting File System.
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys
HKEY_CURRENT_USER\Software\Microsoft\Cryptography\CertificateTemplateCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\EFS
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
The following information is provided as a reference for use in troubleshooting or verifying that the required settings are applied. It is recommended that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the registry editor or by Windows before they are applied, and as a result, incorrect values can be stored. This can result in unrecoverable errors in the system. When possible, use Group Policy or other Windows tools, such as Microsoft Management Console (MMC), to accomplish tasks rather than editing the registry directly. If you must edit the registry, use extreme caution.
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys
The following registry entries are created only when EFS is used for the first time.
CertificateHash
Registry path
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys\CertificateHash
Version
Windows Server 2003, Windows 2000, and Windows XP.
This registry entry contains the certificate hash used by the current user to encrypt and decrypt data.
Flag
Registry path
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys\Flag
Version
Windows Server 2003, Windows 2000, and Windows XP.
This registry entry identifies the encryption algorithm used to encrypt and decrypt new EFS files.
Note
For more information about the encryption algorithms that can be used with EFS, see “How Encrypting File System Works” in the Technical Reference.
KeyCacheValidationPeriod
Registry path
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys\KeyCacheValidationPeriod
Version
Windows Server 2003, Windows 2000, and Windows XP.
This registry entry identifies the length of time in seconds a cached EFS certificate is assumed to be valid before revalidation is required.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys
The following registry entries control how EFS is used on the local machine.
UserCacheSize
Registry path
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys\UserCacheSize
Version
Windows Server 2003, Windows 2000, and Windows XP.
This registry entry identifies the number of user EFS certificates to cache.
EFSDomainGPOCreated
Registry path
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys\EFSDomainGPOCreated
Version
Windows Server 2003, Windows 2000, and Windows XP.
This registry entry records whether domain-based EFS Group Policy settings are in effect.
EFSBlob
Registry path
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys\EFSBlob
Version
Windows Server 2003, Windows 2000, and Windows XP.
This registry entry contains data about the file recovery certificates that have been registered for the system.
HKEY_CURRENT_USER\Software\Microsoft\Cryptography\CertificateTemplateCache
The template cache is used to cache copies of the domain’s certificate templates, which are distributed by Active Directory Domain Services. When your domain administrator configures certificate templates for your organization, this registry key will contain subkeys for each template in the domain.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\EFS
The following registry entries are added when domain Group Policy is used to enable or disable EFS.
EFSConfiguration
Registry path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\EFS\EFSConfiguration
Version
Windows Server 2003, Windows 2000, and Windows XP.
This registry setting makes it possible to disable and re-enable EFS on a local computer using Group Policy.
LastGoodEFSConfiguration
Registry path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\EFS\LastGoodEFSConfiguration
Version
Windows Server 2003, Windows 2000, and Windows XP.
This registry setting is added when EFS is disabled through domain Group Policy. This registry setting is deleted if EFS is re-enabled using domain Group Policy.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Registry path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Version
Windows Server 2003, Windows 2000, and Windows XP.
This registry setting can be used to display Encrypt and Decrypt options on the Windows Explorer shortcut menu when a user right-clicks a file or folder.
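The following PowerShell script is an added example, not part of the original reference, that reads the registry entries listed above and reports the local EFS state for troubleshooting or verification. It assumes Windows PowerShell is installed (it is not included with Windows Server 2003) and that the account running it can read HKEY_LOCAL_MACHINE and its own HKEY_CURRENT_USER hive; the value names are those given on this page, and because the page does not define the numeric meaning of Flag or EFSConfiguration, the script displays those values without interpreting them.

```powershell
# Added example: audit the EFS registry entries documented above.
# Assumes Windows PowerShell is available and the hives are readable.
$hklmCurrentKeys = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys'
$hkcuCurrentKeys = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys'
$hklmEfsPolicy   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\EFS'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Format-Bytes([byte[]]$Bytes) {
    # REG_BINARY values (CertificateHash, EFSBlob) are shown as lowercase hex.
    if ($null -eq $Bytes) { return '<not set>' }
    return (($Bytes | ForEach-Object { $_.ToString('x2') }) -join '')
}

# Per-user entries: created only once the current user has used EFS.
$hash   = Get-RegValue $hkcuCurrentKeys 'CertificateHash'
$flag   = Get-RegValue $hkcuCurrentKeys 'Flag'
$period = Get-RegValue $hkcuCurrentKeys 'KeyCacheValidationPeriod'
Write-Output ('Current user has used EFS      : {0}' -f ($null -ne $hash))
Write-Output ('  CertificateHash (hex)        : {0}' -f (Format-Bytes $hash))
Write-Output ('  Flag (algorithm selector)    : {0}' -f $flag)
Write-Output ('  KeyCacheValidationPeriod (s) : {0}' -f $period)

# Machine-wide entries controlling the certificate cache and recovery policy.
Write-Output ('UserCacheSize                  : {0}' -f (Get-RegValue $hklmCurrentKeys 'UserCacheSize'))
Write-Output ('EFSDomainGPOCreated            : {0}' -f (Get-RegValue $hklmCurrentKeys 'EFSDomainGPOCreated'))
$blob = Get-RegValue $hklmCurrentKeys 'EFSBlob'
$blobLen = if ($null -ne $blob) { $blob.Length } else { 0 }
Write-Output ('Recovery certificate blob      : present={0}, {1} bytes' -f ($null -ne $blob), $blobLen)

# Policy entries: written only when domain Group Policy enables or disables EFS.
$cfg      = Get-RegValue $hklmEfsPolicy 'EFSConfiguration'
$lastGood = Get-RegValue $hklmEfsPolicy 'LastGoodEFSConfiguration'
if ($null -eq $cfg) {
    Write-Output 'EFS Group Policy state         : no domain EFS policy recorded'
} elseif ($null -ne $lastGood) {
    # Per the reference, LastGoodEFSConfiguration exists only while EFS is disabled by domain policy.
    Write-Output ('EFS Group Policy state         : DISABLED by domain policy (EFSConfiguration={0})' -f $cfg)
} else {
    Write-Output ('EFS Group Policy state         : enabled by domain policy (EFSConfiguration={0})' -f $cfg)
}
```

Run the script as the user whose EFS state you are checking, since the CurrentKeys entries under HKEY_CURRENT_USER are per-user.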
Encrypting File System Group Policy Settings
The following table lists and describes the Group Policy settings that are associated with Encrypting File System.
Group Policy Settings Associated with Encrypting File System
| Group Policy Setting | Description |
|---|---|
| Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Autoenrollment | Can be used to enroll certificates automatically, renew expired certificates, update pending certificates, and remove certificates that have been revoked. In addition, this setting can be used to block certificate auto-enrollment. |
| Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypting File System | Can be used to disable or enable encryption of files using EFS. The default setting is enabled. In addition, this setting can be used to register one or more data recovery agents for use with EFS or to remove data recovery agents if they are no longer desired. |
| Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Automatic Certificate Request Settings | Can be used to configure automatic certificate request settings for a specific certificate template for a domain by using the Automatic Certificate Request Setup Wizard. The request will be processed automatically at the first occurrence of any of the following: a user logs on, Group Policy is refreshed, or a computer joins the domain and is subject to a Group Policy setting. |
To find more information about these Group Policy settings, see “Group Policy Settings Reference” in the Tools and Settings Collection.
Related Information
The following resources contain additional information that is relevant to this section.
“Certificates Tools and Settings” in Certificates Technical Reference
“Certificate Services Tools and Settings” in Certificate Services Technical Reference