What is the Encrypting File System?
The Encrypting File System is a technology that does data encryption at the file level. This technology enables transparent encryption of data so that it can protect confidential data from attackers who have gained physical access to the system. It ensures data protection in file-level granularity. It can encrypt files and directories selectively or all of them using encryption keys.
Encrypting File System is available in all versions of Windows (starting from Windows 2000 onwards) developed for business environments.
How does the Encrypting File System work?
In the Encrypting File System, if we encrypt and decrypt files using asymmetric keys, it may take a longer time and degrade the performance of the file system. So, symmetric key encryption is used for that purpose.
The symmetric encryption algorithm used in the Encrypting File System varies with file systems and their versions. Usually, a file symmetric key is used to encrypt and decrypt the files, and the file symmetric key is again encrypted with the public key of the user.
When a user authenticates himself, the Encrypting File System component driver checks the digital certificate to retrieve the private key and then decrypts the symmetric key using that private key. All files and directories later are encrypted and decrypted using the symmetric key.
Folders or directories whose contents are to be encrypted in the file system are marked with a special field. If a folder or directory is marked to be encrypted, then all subfolders or subdirectories under it are marked to be encrypted.
If a file or directory is copied to a volume formatted with a different file system, then the file or directory is first decrypted with the symmetric key and then copied. But, usually, at the time of backup, the files are copied in encrypted form. The backup applications take care of that.
What are the vulnerabilities of the Encrypting File System?
There are mainly two vulnerabilities in the Encrypting File System.
- Usually, the local administrator is the default data recovery agent. He can decrypt the encrypted files of all users. So, an attacker can hack the local administrator’s account and steal the data. However, some Encrypting File Systems prevent this vulnerability by keeping no default data recovery agent. Instead, the password files of all users are again encrypted with another key and that passphrase and key are kept safeguarded from the attacker.
- The attacker can hack a user’s account and reset the local user’s password. This will enable him to gain access to the RSA private key and decrypt all the files. Some Encrypting File Systems prevent this vulnerability by encrypting the user’s private key with the hash of the user’s password as well as a salt. So, the attacker would still need the user’s passphrase to get access to the user’s private key.
0 Comments