In the name of separation of duties, I was wondering if there is a simple (or even not-so-simple) way of dividing the ability to decrypt an EFS encrypted file such that it would require two DRAs to decrypt the file, while still enabling the owner of the file to decrypt it by him/her self. Is that possible?

If there are alternatives to EFS which have this option, that would also be useful information.

1 Answer

Yes this is possible, but I do not believe EFS directly supports it. There is a secret sharing technique called Shamir's Secret Sharing which provides information theoretic secure sharing of a given secret where an arbitrary number of individual parties are required to calculate the original secret. From the Wikipedia article, one of the properties provided seems to describe what you want perfectly:

In organizations where hierarchy is important, we can supply each participant different number of pieces according to their importance inside the organization. For instance, the president can unlock the safe alone, whereas 3 secretaries are required together to unlock it.

In your situation, you would want to use the secret as the file encryption key. You could split the secret so that any two DRAs are required to decrypt a file, but the owner of the file has enough "parts" of the secret that they can derive the final secret required to decrypt it without any other information from the outside. A simple implementation would be the open source ssss or sss utilities.

forest
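The weighted split the answer describes, written out as an added example (not code from the question, the answer, or the ssss/sss tools): a threshold-2 Shamir scheme over a prime field where the owner holds two shares and each DRA holds one, so the owner recovers the file key alone while DRAs must pair up. The key bytes and the DRA count are constructed sample inputs.

```python
import secrets

# Prime field for the scheme; the secret (an AES key as an integer) must be < P.
P = 2**521 - 1  # Mersenne prime, large enough to hold a 256-bit key with room to spare

def make_shares(secret, threshold, n_shares):
    """Split `secret` into `n_shares` points (x, f(x)) on a random polynomial of
    degree threshold-1 whose constant term is the secret."""
    if not 0 <= secret < P:
        raise ValueError("secret must be an integer in [0, P)")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P)
            for x in range(1, n_shares + 1)]

def recover(shares):
    """Lagrange-interpolate f(0) over GF(P). Correct only when at least
    `threshold` shares with distinct x values are supplied; with fewer shares
    the result is an unrelated field element, not a partial leak of the key."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate shares")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, P - 2, P)) % P
    return secret

def distribute(key, n_dras):
    """Weighted split from the answer: threshold 2, the owner holds two shares
    (enough alone), each DRA holds one (so any two DRAs must cooperate)."""
    shares = make_shares(int.from_bytes(key, "big"), threshold=2, n_shares=n_dras + 2)
    holders = {"owner": shares[:2]}
    for k in range(n_dras):
        holders[f"dra{k + 1}"] = [shares[k + 2]]
    return holders

def key_from_shares(shares, key_len=32):
    """Reassemble the file encryption key bytes from a sufficient set of shares."""
    return recover(shares).to_bytes(key_len, "big")

if __name__ == "__main__":
    file_key = secrets.token_bytes(32)          # constructed sample file key
    holders = distribute(file_key, n_dras=3)
    print("owner alone:", key_from_shares(holders["owner"]) == file_key)
    print("dra1 + dra3:", key_from_shares(holders["dra1"] + holders["dra3"]) == file_key)
    print("dra2 alone :", recover(holders["dra2"]) == int.from_bytes(file_key, "big"))
```

The same shares would be consumed by whatever wraps the EFS file key; the scheme only governs who can reassemble that key, not the file encryption itself.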