Guest Brian Komar Posted October 23, 2008

Not a good idea. The first time that you forget to import the PKCS#12 before you attempt to access a file, a new EFS certificate will be generated. From that point on, all newly encrypted files will use the new default EFS key.

If you want to have the removal of the EFS certificate from software, then I recommend you move to Vista and use a smart-card based EFS certificate.

Brian
Guest bagassa Posted October 23, 2008

Good afternoon everyone,

What I like to do is lock some of my sensitive files using the Windows EFS encryption so that if someone were to steal my computer and somehow hack the password into my account, they still would not be able to read the files.

If I were to:

1. encrypt the files
2. then export the "encrypting file system" certificate from the certificate manager (in the personal folder) to a thumb drive (and a backup drive).
3. delete the certificate manager's copy
4. Every time I want to access the files, I plug the thumb drive in, and use it to decrypt the files.

Is this a good way to do it? Any red flags here?

Thanks for your time and help

Peter
Guest Brian Komar Posted October 23, 2008

Inline...

"bagassa" <not@available.com> wrote in message news:eFmgzvUNJHA.2824@TK2MSFTNGP06.phx.gbl...

> Good afternoon Brian,
>
> You raised a good point. Does this mean that the burglar who stole my computer and broke into my account could still read the files, simply because Windows will always make a new certificate?

No. They would need access to the removed certificate's private key to open previous files.

> There is no registry change that can stop this automatic generation?

No. You need to read the whitepaper on how EFS works. You could prevent the creation of self-signed EFS, but the client would still either request a Basic EFS certificate or autoenroll another certificate.

> About those smart card readers you mentioned. Where can I get a simple one at a reasonable price?

You need three things:
1) Smart card
2) Smart card reader
3) Middleware/mini-driver

Google is your friend. Search for Gemalto.
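The two failure modes Brian describes above (a new default EFS key being generated silently, and older files remaining tied to the removed certificate's private key) can be checked for on the machine. The following PowerShell script is an added example and is not code from the thread; it assumes a hypothetical folder in $Root and that the "Certificate thumbprint:" lines printed by `cipher /c` can be parsed with a tolerant regex.

```powershell
# Added example (not from the thread). Lists the EFS-capable certificates in the
# user's personal store and reports encrypted files under $Root that none of
# those certificates can decrypt, i.e. files still bound to an exported and
# deleted EFS certificate. A store count above one after such an export is a
# sign that Windows has already generated a new default EFS key.
# Assumptions: $Root is a hypothetical path; the thumbprint line format of
# `cipher /c` is parsed loosely (any 40-hex-digit value after "thumbprint").
param([string]$Root = "$env:USERPROFILE\Documents")

$EfsEku = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU OID

# EFS-capable certificates currently present in CurrentUser\My.
$storeEfs = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $EfsEku }
$storeThumbs = @($storeEfs | ForEach-Object { $_.Thumbprint.ToUpper() })

Write-Host "EFS certificates in CurrentUser\My: $($storeThumbs.Count)"
$storeEfs | ForEach-Object { Write-Host "  $($_.Thumbprint) valid from $($_.NotBefore)" }

# Every file under $Root carrying the NTFS Encrypted attribute.
$encrypted = Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted }

$orphans = foreach ($f in $encrypted) {
    # cipher /c prints the certificates able to decrypt the file; collect the
    # thumbprints (spaces stripped) from its "Certificate thumbprint:" lines.
    $out = cipher /c $f.FullName 2>$null
    $thumbs = $out | Where-Object { $_ -match 'thumbprint' } |
        ForEach-Object { (($_ -split ':')[-1] -replace '\s', '').ToUpper() } |
        Where-Object { $_ -match '^[0-9A-F]{40}$' }
    $decryptable = ($thumbs | Where-Object { $storeThumbs -contains $_ }).Count -gt 0
    if (-not $decryptable) {
        [pscustomobject]@{ File = $f.FullName; Thumbprints = ($thumbs -join ',') }
    }
}

# Files listed here open only after the exported PKCS#12 is imported again.
$orphans | Format-Table -AutoSize
```

Run it before and after re-importing the PFX from the thumb drive: files that move off the orphan list were bound to the exported key, and any second EFS certificate in the store is the silently generated replacement Brian warns about.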
Guest bagassa Posted October 24, 2008

Good afternoon Brian,

You raised a good point. Does this mean that the burglar who stole my computer and broke into my account could still read the files, simply because Windows will always make a new certificate?

There is no registry change that can stop this automatic generation?

About those smart card readers you mentioned. Where can I get a simple one at a reasonable price?

Thanks for your time and input, Brian.

Peter
Guest bagassa Posted October 26, 2008

Last question Brian,

The only white paper I found on the MS website talks about security in general, or about the BitLocker feature which I don't have (I have Vista Business).

Can I get a link to that EFS white paper that you mentioned?

Regards,

Peter
Guest GreenieLeBrun Posted October 28, 2008

bagassa wrote:

> Can I get a link to that EFS white paper that you mentioned?

These may help:

The Encrypting File System
http://www.microsoft.com/technet/security/...phyetc/efs.mspx

Best practices for the Encrypting File System
http://support.microsoft.com/kb/223316/en-us