Home Links
GROK home button GROK Home
GROK Mobile button Mobile Site


Quick Links
Favorite Article Icon Favorite GROK Articles
Need more help icon Need More Help?
Suggestions and Feedback Icon Suggestions and Feedback
Add your content to GROK icon. Add Content To GROK

Article Count: 9200

Encrypting File System (EFS): LSU Overview



Overview Article

General Information

*Disclaimer:  BEFORE YOU START, discuss the use of  Encrypting File System (EFS) with the your Departmental Technology Support Professional (TSP).

The following article describes the Microsoft Encrypting File System (EFS) as well as what to encrypt, what not to encrypt, and how to configure it for your department.
 

Setting up your users to use EFS

ITS can automatically provision all your users in Active Directory with certificates without requiring any client side work. These are published by our globally trusted subordinate Certificate Authority located in the Frey Computing Services. There are two steps to fully implement EFS for the user:

1. Contact the PKI administration team at pki@lsu.edu and request for your organization or a group of employees of your organization to be configured for auto-enrollment.
 
2. Once they have been given proper permissions, you will be able to ENROLLING for the first time.
 
3. After the initial enrollment, the certificates will be renewed automatically every year.

4. Enable Context Menu Encryption.

5. Encrypt the documents and files.

ITS is providing a registry file that will enable Context (right-click) Menu Integration of EFS as well as a script that will encrypt the My Documents folder, the Desktop Folder, and the Outlook Data Folder.
 
Please be careful as to what you encrypt using EFS.   The registry key can be pushed down with group policy and the script as a one-time logon script that will seamlessly enable encryption for that user on those folders.
 

Enable EFS on your Computer

As part of the Active Directory system, you already have access to Encrypting File System. The only steps you need to take are to ENABLE right-click encryption.  
 
As part of this document, we have made available a registry key that will allow you to do so. This registry key will also define your file view to show encrypted files in green for easy identification. In some instances, your computer may already have a context menu “Encrypt” option because of your computer's group policy in Active Directory. 
 
To test whether or not you have this option available, right-click on a file or folder and look for an Encrypt option. The following is a screenshot of this.

screenshot of Documents and Settings window


What should I Encrypt

EFS is a very powerful and potentially dangerous tool. With this in mind, you should consider carefully what files and folders you want to encrypt.
 
For most people, the best practices are to encrypt the My Documents folder, the Outlook Application folder within the Documents and Settings folder, the Desktop Folder, and any other folders used to store day-to-day documents and data. 
 
With the context menu "Encrypt" option enabled, all that is necessary to do this is to right-click on the folder and left-click Encrypt. You will know a folder is encrypted because it will show in green. 

screenshot of Documents and Settings window
 
NOTE:  Please make sure that a certificate issued by LSU CA is being used for encryption and not a local certificate. A local certificate will be lost as soon as a machine is rebuilt and the files encrypted will not be recoverable.
 

What Should I NOT encrypt

Do not encrypt an entire volume unless it’s a data volume only. If you encrypt Program Files or the Windows Folder, you will potentially make your computer un-bootable. 
 
It is VERY IMPORTANT that Operating System files are not encrypted, as the computer cannot decrypt a file or folder unless it is operating in the context of the user that encrypted those files. 
 

Data Recovery

One of the biggest concerns associated with using EFS is losing data or losing access to data. The IT Security and Policy Office will work with you to establish a group policy that will setup proper data recovery steps. 
 

Disabling EFS for your Group

If you don’t want your users to have the ability to use EFS you can create a group policy that will prevent them from using it at all. The following are the steps necessary to prevent EFS usage:
 
1. Open the GPO that you want to edit. You can use Active Directory Users and Computers or the GPMC to edit the GPO.
 
2. In the Group Policy Object Editor, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Public Key Policies, and then click Encrypting File System.
 
3. Right-click Encrypting File System, and then click Properties.
 
4. Select the Allow users to encrypt files using Encrypting File System (EFS) check box, then click OK.
 

Support Documentation

EFS Helper Files
 

Note: If you have any questions or concerns, please contact the IT Security and Policy Office at pki@lsu.edu.



77  
5/17/2013 4:36:55 PM  

We love feedback! Please help us improve this article.


Article Rating:
Email Address:
(Optional, unless you would like to hear back from us)
Comments:
GROK is a resource of Louisiana State University developed and maintained with support of the LSU Student Technology Fee.  We love getting feedback from the general public, but our one on one support efforts are generally dedicated to the LSU community.  Thanks for your understanding!
"" LSU Footer ""

Information Technology Services
200 Frey Computing Center · Baton Rouge, LA 70803
Telephone: 225-578-3700 · Fax: 225-578-3709 · E-mail: helpdesk@lsu.edu

Copyright © 2006. All Rights Reserved. Official Webpage of Louisiana State University.