EFS and Encrypted File Sharing

Q: I regularly use the Encrypting File System (EFS) to encrypt files that are stored on my PC and on file shares (these shares are located on our corporate Windows file servers). Does EFS provide a mechanism to share encrypted files with other users? It would be very handy to give certain colleagues access to my encrypted files on the file shares.

A: Yes, the EFS supports encrypted file sharing between different users. EFS file sharing was introduced in Windows XP and Windows Server 2003 – and is thus not available for Windows 2000 EFS. It enables a user that has access to an EFS-encrypted file to share it with other users. EFS file sharing can be set up only for individual user accounts, not for group accounts. From an administration point-of-view, things would certainly have been much simpler if Microsoft had let users share their encrypted files with Windows groups. But because EFS relies on X.509-based certificates that by definition can only be issued to individual users and not groups, this is impossible. Another important limitation is that EFS file sharing can be applied only to individual EFS-encrypted files, and not to EFS-encrypted NTFS folders. Also remember that EFS is only available on the NT File System (NTFS), and not on other Windows file systems such as FAT or FAT32.

You can enable EFS file sharing in an encrypted file’s advanced properties, which you can access from the Advanced button on the General tab of a file’s properties. Before you can share an encrypted file, the file must obviously be encrypted. If a file is encrypted, you will notice that the Details button in the file’s Advanced properties is available. Pressing this button brings up the “Encryption Details for…” dialog box. (By the way, in Windows Vista this dialog box is titled “User Access to”). From this dialog box you can share an encrypted file with other users. The sharing of an EFS encrypted file is not an explicit privilege of the user account that encrypted the file and shared it with another user. For example, Jan may have encrypted the file and decided to share it with Katrien. Katrien on her turn may then have decided to share it with Wim. The only condition is that the user that you want to give access to an encrypted file has a valid EFS certificate that's stored either in the local certificate store on your PC or in Active Directory (if your machine is joined to an AD domain).

Let’s look at how EFS determines whether a user is authorized to change a file’s EFS sharing properties and with whom he/she can share the encrypted file. To change a file’s EFS sharing properties, you need at least write permission to the file. To share a file with another user you need access to that user’s EFS encryption certificate. From the Select User dialog box, you can access the EFS user certificates that are stored in the Other People and Trusted People certificate containers of your personal certificate store. The Trusted People is a new XP and Windows 2003 certificate container. It contains the EFS certificates of all users that have ever encrypted a file from a particular machine. If your machine is a member of a Windows AD domain, you'll notice that the Find User… button is enabled. Pressing this button lets you access the EFS user certificates that are published in AD. Note that the EFS “Select User” dialog box will display only the valid EFS certificates. This means that the certificate must have the “Encrypting File System” purpose enabled in its properties, and also that the certificate must be valid and should not have expired. If you want to share encrypted files with people whose EFS certificate is not available in one of the above repositories, you can always import it manually into AD or your certificate store.

To better understand how EFS file sharing really works, it's worthwhile taking a look at the cryptographic nuts and bolts of EFS file sharing. When a user shares an encrypted file with another user, an extra Data Decryption Field (DDF) is added to the file’s EFS-related NTFS file streams. EFS uses DDFs to securely store the cryptographic keys that are needed to encrypt an EFS-protected file and automatically decrypt it. At no point in the EFS file-sharing process is the file itself decrypted. In the above example of Jan giving Katrien access to one of his encrypted files, when Jan decides to share an encrypted file with Katrien, EFS first decrypts Jan’s DDF with Jan’s private key to retrieve the File Encryption Key (FEK). EFS then encrypts the FEK using Katrien’s public key and adds the resulting new DDF for Katrien to the file’s EFS-related NTFS file streams. For a good explanation of the cryptographic EFS internals, read the Microsoft article “How EFS Works,” at http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dsck_efs_duwf.mspx?mfr=true