Who can decrypt EFS files?

3

I'm running Windows 7 Professional at home and decided to encrypt some of my files using the built-in EFS. My understanding is that only the account that encrypted the files can also read them again - any other user (even administrators) cannot read them. (And of course access is completely lost after a reinstall.)

Is that correct? What users exactly can decrypt the files I secured? And out of curiosity, was that different in previous versions of Windows? I wonder since I recently read "administrators can decrypt any files" at some site stated by a Microsoft employee.

mafu

Posted 2010-09-08T09:20:53.743

Reputation: 2 565

I don't know if an administrator can directly access encrypted data, but an administrator can always access the account of a user who can. – AndrejaKo – 2010-09-08T09:47:15.060

Using EFS is a bad idea. Backup is a real pain since you also need to back up the encryption certificate and key. If disaster strikes you may find that nobody can decrypt the backup files, including yourself. As usual for Microsoft: good idea, horrible implementation. Use TrueCrypt instead. – harrymc – 2010-09-08T11:30:00.277

@And I don't think so. An administrator can gain access to everything, but that does not mean he can also decrypt and read it. – mafu – 2010-09-08T12:01:06.023

@har Yes, I actually have those files stored in a secure subversion repository elsewhere as VC and backup, I just want to make sure that the local copy is unreadable for intruders. – mafu – 2010-09-08T12:02:46.973

@Harry: You have to back up the encryption key in all asymmetric crypto implementations. EFS is no different. (Win7 even nags you to back up the key, so no more "users don't know where to find it" excuses.) – user1686 – 2010-09-08T13:22:44.257

Answers

4

In short:

The user and the local administrator (if he is a Data Recovery Agent)

In detail:

At Basic ideas

However, the cryptography keys for EFS are in practice protected by the user account password.

Source: Wikipedia

This password is also stored in the SAM, which is encrypted with a system key...

Which means that not only the user can access it! Here are the details:

At Decrypting files using the local Administrator account

In Windows 2000, the local administrator is the default Data Recovery Agent, capable of decrypting all files encrypted with EFS by any local user. EFS in Windows 2000 cannot function without a recovery agent, so there is always someone who can decrypt encrypted files of the users. Any non-domain-joined Windows 2000 computer will be susceptible to unauthorized EFS decryption by anyone who can take over the local Administrator account, which is trivial given many tools available freely on the Internet.

In Windows XP and later, there is no default local Data Recovery Agent and no requirement to have one. Setting SYSKEY to mode 2 or 3 (syskey typed in during bootup or stored on a floppy disk) will mitigate the risk of unauthorized decryption through the local Administrator account. This is because the local user's password hashes, stored in the SAM file, are encrypted with the Syskey, and the Syskey value is not available to an offline attacker who does not possess the Syskey passphrase/floppy.

Source: Wikipedia

This hasn't changed towards Windows 7; if you want to know about feature changes, see this Wikipedia portion.

Tamara Wijsman

Posted 2010-09-08T09:20:53.743

Reputation: 54 163
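To check on your own machine which accounts and recovery agents can open a given EFS file, and whether the EFS certificate you depend on is backed by a private key in your store, here is an added PowerShell example (not part of the answer above). It wraps the built-in `cipher.exe /c`; the section labels "Users who can decrypt:" and "Recovery Certificates:" and the blank-line section breaks are assumptions about cipher's output layout.

```powershell
# Added example, not from the original answer. Lists who can decrypt an EFS file via
# cipher.exe /c and reports whether any Data Recovery Agent is present.
function Get-EfsDecryptors {
    param([Parameter(Mandatory)][string]$Path)

    $users = @(); $agents = @(); $section = $null
    foreach ($raw in (& cipher.exe /c $Path 2>&1)) {
        $t = "$raw".Trim()
        # Assumed layout: a header line opens a section, entries follow indented,
        # a blank line closes the section.
        if ($t -match '^Users who can decrypt:')        { $section = 'users';  continue }
        if ($t -match '^Recovery Certificates:')        { $section = 'agents'; continue }
        if ($t -eq '')                                  { $section = $null;    continue }
        if ($t -match '^Certificate thumbprint:' -or $t -eq 'None') { continue }
        if ($section -eq 'users')  { $users  += $t }
        if ($section -eq 'agents') { $agents += $t }
    }
    [pscustomobject]@{
        Path             = $Path
        Users            = $users
        RecoveryAgents   = $agents
        # No DRA means only the listed users' private keys can ever open this file;
        # losing those keys (reinstall, profile loss) loses the data.
        HasRecoveryAgent = ($agents.Count -gt 0)
    }
}

# Lists the current user's EFS certificates (EKU OID 1.3.6.1.4.1.311.10.3.4) and
# whether the matching private key is actually present, which is what a backup must capture.
function Get-EfsCertificates {
    $efsOid = '1.3.6.1.4.1.311.10.3.4'
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $eku = $_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $eku -and ($eku.EnhancedKeyUsages | ForEach-Object Value) -contains $efsOid
    } | Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
}

# Usage (constructed path; replace with an encrypted file of your own):
Get-EfsDecryptors -Path 'C:\Users\mafu\Documents\secret.txt' | Format-List
Get-EfsCertificates | Format-Table -AutoSize
```

A certificate showing `HasPrivateKey : False` cannot decrypt anything, so export the one listed under "Users who can decrypt" with its private key (PFX) before relying on the encrypted copy.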