Encrypting File System (EFS): LSU Overview
*Disclaimer: BEFORE YOU START, discuss the use of Encrypting File System (EFS) with your Departmental Technology Support Professional (TSP).
The following article describes the Microsoft Encrypting File System (EFS) as well as what to encrypt, what not to encrypt, and how to configure it for your department.
Setting up your users to use EFS
ITS can automatically provision all of your users in Active Directory with EFS certificates without requiring any client-side work. The certificates are issued by our globally trusted subordinate Certificate Authority located in Frey Computing Services. The steps to fully implement EFS for a user are:
1. Contact the PKI administration team at firstname.lastname@example.org and request that your organization, or a group of its employees, be configured for certificate auto-enrollment.
2. Once the proper permissions have been granted, users ENROLL for their first certificate automatically.
3. After the initial enrollment, certificates are renewed automatically every year.
4. Enable Context Menu Encryption.
5. Encrypt the documents and files.
ITS provides a registry file that enables Context (right-click) Menu integration of EFS, and a script that encrypts the My Documents folder, the Desktop folder, and the Outlook data folder.
Be careful about what you encrypt using EFS. The registry key can be pushed down with group policy, and the script can be deployed as a one-time logon script that seamlessly enables encryption of those folders for the user. It must run as a logon script (in the user's own context) rather than as a machine startup script, because EFS encrypts the files with the certificate of the user running it.
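The following PowerShell script is an added illustration of what the registry file and logon script described above do; it is not one of ITS's helper files. It sets the two Explorer registry values (the context-menu entry and the green display of encrypted files), then encrypts the standard data folders with cipher.exe. The Outlook data folder location is assumed to be the Windows 7 and later default under LOCALAPPDATA; it may differ on your build. Run it in the user's own session so the user's certificate is used.

```powershell
# Added example, not ITS's helper files. Enables EFS context-menu integration
# and encrypts the standard data folders the way a one-time logon script would.
# Assumption: Outlook data folder is the Windows 7+ default ($env:LOCALAPPDATA\Microsoft\Outlook).

# 1. "Encrypt"/"Decrypt" context-menu entries. This is a machine-wide (HKLM) value,
#    so writing it needs admin rights; a logon script running as the user cannot,
#    which is why ITS pushes this value with group policy instead.
$machineAdvanced = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
try {
    New-ItemProperty -Path $machineAdvanced -Name 'EncryptionContextMenu' `
        -PropertyType DWord -Value 1 -Force -ErrorAction Stop | Out-Null
} catch {
    Write-Warning "Could not set EncryptionContextMenu (needs admin rights; push it via group policy instead): $_"
}

# 2. Show encrypted (and compressed) files in colour in Explorer. Per-user value,
#    so the logon script can set it without elevation.
$userAdvanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
New-ItemProperty -Path $userAdvanced -Name 'ShowEncryptCompressedColor' `
    -PropertyType DWord -Value 1 -Force | Out-Null

# 3. Folders to encrypt: My Documents, Desktop, Outlook data folder.
#    GetFolderPath follows folder redirection, so hard-coded paths are avoided.
$folders = @(
    [Environment]::GetFolderPath('MyDocuments'),
    [Environment]::GetFolderPath('Desktop'),
    (Join-Path $env:LOCALAPPDATA 'Microsoft\Outlook')   # assumed default OST/PST location
)

foreach ($folder in $folders) {
    if (-not (Test-Path -LiteralPath $folder)) {
        Write-Warning "Skipping missing folder: $folder"
        continue
    }
    # cipher.exe /e encrypts; /s:<dir> applies to the directory and everything under it.
    # The folder itself gets the encrypted attribute, so files created later are
    # encrypted automatically with the same user's certificate.
    cipher.exe /e /s:"$folder" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "cipher.exe returned exit code $LASTEXITCODE for $folder"
    }
}

# 4. Report what is now encrypted by testing the Encrypted file attribute.
Get-ChildItem -LiteralPath $folders -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted } |
    Select-Object -ExpandProperty FullName
```

Because the cipher.exe step runs in the logged-on user's context, anything it encrypts is tied to that user's current EFS certificate; check that this is the CA-issued certificate (see the note under "What should I Encrypt") before deploying the script broadly.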
Enable EFS on your Computer
As part of the Active Directory domain, you already have access to Encrypting File System. The only step you need to take is to ENABLE right-click encryption.
As part of this document, we have made available a registry key that allows you to do so. This registry key also sets your file view to show encrypted files in green for easy identification. In some cases your computer may already have an "Encrypt" context menu option because of the group policy applied to it in Active Directory.
To test whether you have this option, right-click a file or folder and look for an Encrypt option. The following is a screenshot of this.
What should I Encrypt
EFS is a very powerful and potentially dangerous tool. With this in mind, you should consider carefully what files and folders you want to encrypt.
For most people, best practice is to encrypt the My Documents folder, the Outlook application data folder within the Documents and Settings folder, the Desktop folder, and any other folders used to store day-to-day documents and data.
With the context menu "Encrypt" option enabled, all you need to do is right-click the folder and click Encrypt. You will know a folder is encrypted because it is shown in green. Encrypting a folder also marks it so that files created in it later are encrypted automatically.
NOTE: Make sure that a certificate issued by the LSU CA is being used for encryption, not a locally generated (self-signed) certificate. If no CA-issued certificate is available when a user first encrypts a file, EFS silently creates a self-signed one whose private key exists only in that user's profile on that machine. That key is lost as soon as the machine is rebuilt, and unless a data recovery agent was in place, the files encrypted with it cannot be recovered.
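To check which certificate EFS is actually using, the following PowerShell snippet is an added example (not part of the original article). It lists every EFS-capable certificate in the user's personal store, flags self-signed ones (issuer equals subject), and reads the thumbprint of the certificate EFS is currently using. The registry location of that thumbprint (the CertificateHash value under the user's EFS\CurrentKeys key) is an assumption about the Windows build in use; if the value is absent, fall back to cipher /c on an encrypted file, which prints the thumbprints able to decrypt it.

```powershell
# Added example, not part of the LSU article. Confirms the EFS certificate in use
# was issued by a CA rather than generated locally as a self-signed certificate.
# Assumption: HKCU\...\EFS\CurrentKeys\CertificateHash holds the thumbprint of the
# certificate EFS currently encrypts with (REG_BINARY).

$efsEkuOid = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage: Encrypting File System

# All certificates in the user's personal store that carry the EFS EKU.
$efsCerts = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $efsEkuOid }

foreach ($c in $efsCerts) {
    # A self-signed certificate has Issuer equal to Subject. EFS creates one when
    # no CA-issued certificate is available; its private key lives only in this profile.
    $selfSigned = ($c.Issuer -eq $c.Subject)
    '{0}  self-signed={1}  issuer={2}  expires={3}' -f `
        $c.Thumbprint, $selfSigned, $c.Issuer, $c.NotAfter.ToShortDateString()
}

# Which of these is EFS using right now? (assumed registry location)
$currentKeys = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys'
$hashBytes = (Get-ItemProperty -Path $currentKeys -ErrorAction SilentlyContinue).CertificateHash

if ($hashBytes) {
    # REG_BINARY bytes -> uppercase hex string, the same form as $cert.Thumbprint
    $currentThumb = ($hashBytes | ForEach-Object { $_.ToString('X2') }) -join ''
    $current = $efsCerts | Where-Object { $_.Thumbprint -eq $currentThumb }

    if (-not $current) {
        Write-Warning "EFS points at thumbprint $currentThumb, which is not in the personal store."
    } elseif ($current.Issuer -eq $current.Subject) {
        Write-Warning "Current EFS certificate $currentThumb is SELF-SIGNED. Files encrypted with it will not survive a machine rebuild."
    } else {
        "Current EFS certificate $currentThumb was issued by: $($current.Issuer)"
    }
} else {
    Write-Warning 'No current EFS key recorded yet (nothing has been encrypted in this profile).'
}
```

For a per-file view, run cipher.exe /c against an already encrypted file; it lists the certificate thumbprints (user and any recovery agent) that can decrypt that file, which should match a CA-issued certificate from the listing above.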
What Should I NOT encrypt
Do not encrypt an entire volume unless it is a data-only volume. If you encrypt Program Files or the Windows folder, you may make your computer un-bootable.
It is VERY IMPORTANT that operating system files are not encrypted: EFS can only decrypt a file in the context of the user who encrypted it (or a designated recovery agent), and no such user is logged on while the system is booting and loading those files.
One of the biggest concerns with EFS is losing data or losing access to it. The IT Security and Policy Office will work with you to establish a group policy that sets up proper data recovery steps, that is, an EFS data recovery agent whose certificate can decrypt users' files if their own keys are lost.
Disabling EFS for your Group
If you don't want your users to have the ability to use EFS, you can create a group policy that prevents them from using it at all. The following steps prevent EFS usage:
1. Open the GPO that you want to edit. You can use Active Directory Users and Computers or the GPMC to edit the GPO.
2. In the Group Policy Object Editor, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Public Key Policies, and then click Encrypting File System.
3. Right-click Encrypting File System, and then click Properties.
4. Clear the Allow users to encrypt files using Encrypting File System (EFS) check box, then click OK.
EFS Helper Files
Note: If you have any questions or concerns, please contact the IT Security and Policy Office at email@example.com.
5/17/2013 4:36:55 PM