Q: Can I store my Encrypting File System (EFS) private key on my smart card?

A:Yes, starting with Windows Server 2008 and Windows Vista, Microsoft supports storage of the EFS private key on a user's smart card. Microsoft providesa Group Policy Object (GPO) setting that will require the use of a smart card for EFS. You can find this setting in the properties of the EncryptingFile System container in the Computer ConfigurationWindows SettingsSecurity SettingsPublic Key Policies folder.

As Figure 1 shows, the Encrypting File System Properties dialog box includes the Create caching-capable user key from smart card configurationoption. This setting lets the administrator select either the cached or non-cached mode of operation for the EFS private key storage on smart cards.

Figure 1: The Encrypting File System Properties dialog box  (Click image for larger view)

Non-cached mode means that all EFS decryption operations that require the user's private key are done on the smart card. Cached mode means that Windowsautomatically derives a special symmetric key from the user's private key and caches it in protected system memory on the computer, not on the smartcard. Cached mode implies that all standard EFS operations that normally involve the user's private key are replaced with symmetric cryptographicoperations that use the special symmetric key.

Cached mode positively impacts EFS performance when using smart cards for private key storage because EFS doesn't need to call on the smart cardprocessor for every EFS encryption or decryption operation. Cached mode also eliminates the need to keep the user's smart card plugged in to the smartcard reader. You can enable the EFS cached mode of operation for the EFS private key storage on smart cards by selecting the Create caching-capable user key from smart card option on the General tab in the EFS properties dialog box, as Figure 1 shows.