
The Encrypting File System (EFS) is a Windows feature that provides file system-level encryption. EFS was introduced with Windows 2000. The idea of this feature is to provide an extra level of security in case an attacker gains physical access to the device.

Even though you might protect your Windows user account with a password, it is easy to access the files without knowing the password. For instance, the attacker can put the hard disk into another computer and read all your files. This security gap can be closed with EFS. If you enable encryption for a file, the content of this file is stored encrypted on the hard disk. The encryption relies on randomly generated keys which are mapped to your Windows user account. The consequence is that you (and all software which runs under your user account, e.g. Dropbox) see the plaintext file, but on the hard disk the file is stored encrypted.

EFS is only available in the professional Windows editions (e.g. Windows XP or 7 Professional), while consumer Windows editions (e.g. XP or 7 Home) do not include this feature. If you have such a consumer Windows edition, this article does not apply to you and the Boxcryptor installer does not offer to disable EFS.


Figure: EFS encrypted file accessed by the correct Windows user account

Figure: EFS encrypted file accessed by the wrong Windows user account

 

Boxcryptor applies encryption on a higher level. Files encrypted with Boxcryptor are also stored encrypted on the hard disk, but unlike EFS files they are encrypted from the point of view of your user account as well: if Boxcryptor is not running, you (and all software which runs under your user account) will see the files encrypted. Using the Encrypting File System and Boxcryptor at the same time can cause confusion. Therefore we recommend disabling EFS.

Cause

Boxcryptor uses the built-in NTFS attribute Encrypted to mark files as encrypted. Windows interprets this attribute as if the files were encrypted with EFS.

Known issues of Boxcryptor which are caused by EFS:

Wrong Message “Back up your file encryption key”

As Windows interprets the NTFS attribute Encrypted as EFS encryption, it offers you the ability to back up your file encryption key the first time you encrypt a file or a folder with Boxcryptor. For files encrypted with Boxcryptor this backup is completely useless: the file encryption key of EFS has no relation to the keys Boxcryptor is using. If you want to back up your Boxcryptor keys, you can download them from Boxcryptor's web interface.

 

Figure: Wrong message "Back up your file encryption key"

 

Known issues of Boxcryptor when EFS is enabled

Windows Explorer does not remove the Encrypted attribute correctly

Boxcryptor follows the convention that files copied or moved from the Boxcryptor Drive to a location on your physical hard disk are decrypted by Boxcryptor during this process.

If you copy or move a file from the Boxcryptor Drive to another location on Windows 7, Windows Explorer applies the Encrypted attribute of the source file to the target file as well. The consequence is that the target file will be encrypted by Windows with EFS, using keys associated with your Windows account. In the worst case this can lead to loss of access if you no longer have access to that Windows account (e.g. after you re-installed Windows without a proper backup of the EFS key). Whenever you encounter a file or folder with the Encrypted attribute (shown in green font color) outside of the Boxcryptor Drive, it is encrypted with EFS and not with Boxcryptor.

Note: This applies only to Windows Explorer. If you copy a file using the command line, for example, the Encrypted attribute will not be set on the target.

 

Figure: Files encrypted with Boxcryptor remain "Encrypted" if copied to the hard disk

 

Consequences of disabling EFS

…If you did not use EFS 

Besides the fact that you cannot use EFS anymore there are no further consequences.

…If you used EFS

You cannot create new files encrypted with EFS. In this case we recommend not disabling EFS, as the issues described above are not relevant for you: you definitely need a backup of your file encryption key anyway, and if copied files remain encrypted you can treat them like your other files encrypted with EFS.

 

How can EFS be enabled again?

If you disabled EFS during the installation of Boxcryptor, but decide later that you want to use EFS, you can set the following registry values to 0 and restart the computer. This will enable EFS again:

  • Windows XP: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS\EfsConfiguration
  • Windows Vista, 7 or 8: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableEncryption
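The following PowerShell script is an added example and not part of Boxcryptor or this article. It reports the state of the two registry values named above and then scans a folder (assumed: your Documents folder, adjustable via -ScanPath) for files carrying the NTFS Encrypted attribute, i.e. files that Windows Explorer may have turned into EFS-encrypted files when copying them out of the Boxcryptor Drive.

```powershell
# Added example (not Boxcryptor's own tooling): audit EFS state and find files that
# carry the NTFS "Encrypted" attribute outside the Boxcryptor Drive, so that they can
# be decrypted or their EFS key backed up before access to the Windows account is lost.
param(
    # Assumption: folder you usually copy files into from the Boxcryptor Drive.
    [string]$ScanPath = "$env:USERPROFILE\Documents"
)

function Get-EfsState {
    # The two values named in this article. 1 = EFS disabled, 0 or absent = EFS enabled.
    $checks = @(
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'; Name = 'EfsConfiguration' },      # Windows XP
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem';      Name = 'NtfsDisableEncryption' }  # Vista / 7 / 8
    )
    foreach ($c in $checks) {
        $value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        [pscustomobject]@{
            Value    = $c.Name
            Present  = ($null -ne $value)
            Disabled = ($value -eq 1)
        }
    }
}

function Find-EfsEncryptedFiles {
    param([string]$Path)
    # The Encrypted file attribute is what Explorer shows in green. Inside the Boxcryptor
    # Drive it is Boxcryptor's marker; outside the drive it means real EFS encryption.
    Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted }
}

Get-EfsState | Format-Table -AutoSize

$hits = @(Find-EfsEncryptedFiles -Path $ScanPath)
if ($hits.Count -gt 0) {
    Write-Warning "Found $($hits.Count) EFS-encrypted item(s) under $ScanPath. Back up this account's EFS key, or decrypt them with: cipher /d <path>"
    $hits | Select-Object FullName, Attributes | Format-Table -AutoSize
} else {
    Write-Host "No EFS-encrypted items found under $ScanPath."
}
```

Run it from an elevated PowerShell prompt if the registry paths or scanned folders are not readable by your normal user; cipher.exe is the built-in Windows tool for decrypting EFS files you still have the key for.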

 

Special Case: Windows XP x64 Edition

On Windows XP x64 Edition Boxcryptor is not allowed to access the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS\EfsConfiguration.

This means that Boxcryptor won't create this value during the installation. If you want to disable the Encrypting File System, please set it manually:

  1. Click on Start and select Run.
  2. Type in regedit and click OK.
  3. Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion and create a new key called EFS.
  4. Select this key and create a new DWORD value with the name EfsConfiguration and the value 0.

This article applies to

  • Windows 2000 Professional, Server, Advanced Server and Datacenter editions
  • Windows XP Professional, also in Tablet PC Edition, Media Center Edition
  • Windows Server 2003 and Windows Server 2003 R2, in both x86 and x64 editions
  • Windows Vista Business, Enterprise and Ultimate editions
  • Windows 7 Professional, Enterprise and Ultimate editions
  • Windows Server 2008 and Windows Server 2008 R2
  • Windows 8 Professional and Enterprise editions
  • Windows Server 2012


