Search Stanford:

Pages on EFS at Stanford

• EFS Home
• How to Encrypt a File
• How to Back-up Your Keys and Certificate:
     with Windows XP
     with Windows Vista
• How to Remove a Recovery Key From Your Computer
• How to Import Your Keys and Certificate
• Practice Recovery Procedures
• Data Recovery Agent Information
• Responsibility Matrix

Technical Information

• EFS Group Policy for DRA Staff
• Stanford Windows Infrastructure

Related Pages

• Stanford Data Classification Guidelines
• HelpSU for EFS
• Information Security Office: Windows File Encryption

• QUICK LINKS
  • answers.stanford.edu
  • apple.stanford.edu
  • computing.stanford.edu
  • courses.stanford.edu
  • datarates.stanford.edu
  • dell.stanford.edu
  • departmentphone.stanford.edu
  • email.stanford.edu
  • ess.stanford.edu
  • helpsu.stanford.edu
  • ithelp.stanford.edu
  • myitserviceshelp.stanford.edu
  • orderithelp.stanford.edu
  • software.stanford.edu
  • studentphone.stanford.edu
  • techtraining.stanford.edu
  • tools.stanford.edu
  • unixcomputing.stanford.edu
  • vpn.stanford.edu
  • web.stanford.edu
  • windows.stanford.edu
• SERVICES
  • IT Services Only
  • All Campus Providers
    → computing.stanford.edu
• GETTING HELP
  • Self-Help Web Site
  • HelpSU: IT Help Desk
  • Training
• PROJECTS
• ABOUT US
  • What We Do
  • Organization Chart
  • Strategic Plan
  • Jobs
  • Contact info
  • Service & System Metrics
• INTERNAL
• SEARCH

  • Search IT Services:
     

• IT Services
• Windows Desktop File Encryption with EFS

Windows Desktop File Encryption with EFS

Overview

Note: Encryption can result in irretrievable loss of data if the keys/passwords are misplaced or destroyed; consult a qualified system administrator if you feel you need assistance.

The Microsoft Windows Encrypting File System (EFS) is a feature of the Windows XP Professional and Windows Vista operating systems that use the NTFS file system. (NTFS is the standard file system for Windows NT and later.) It lets you encrypt designated files or folders on a local computer so that no other user can access your data. When a file is encrypted, EFS automatically decrypts the file for use and re-encrypts the file when it is saved.

EFS is particularly useful for protecting data on a computer that might be physically stolen, such as a laptop.

If you decide to encrypt your files, IT Services strongly recommends that you request a Stanford Data Recovery Agent (DRA) prior to using EFS.

Is this for me?

If you:

• are using Windows XP or Windows Vista;
• log on to the University Windows Infrastructure Active Directory (AD) forest; and
• want to secure files on your computer in case it is stolen

then you may be a good candidate for using Windows Encrypting File System (EFS). This is recommended especially for Restricted Data stored on your computer.

What It Protects

EFS protects your files if your computer is lost or stolen. If someone tries to break into your system to retrieve files, they will not be able to open the file even if they can see that it exists (as long as they do not have your SUNet ID and password). This is most useful for laptop computers and desktop systems with Restricted Data.

What It Doesn't Protect or Prevent

EFS is limited to protecting the files while they are on your computer. It does not provide encryption to files that are:

• sent via email;
• kept on a separate flash drive/thumb drive/USB drive/floppy disk; or
• moved over the network via shared folders.

When you are about to move an encrypted file, Windows will warn you that you will lose your EFS encryption. Keep in mind that whenever you move a file off of your computer, it is probably no longer protected by EFS.

Getting Started

1. Submit a HelpSU request stating that you’re planning to use EFS to encrypt your files.
   • A Data Recovery Agent (DRA) will be assigned to you. Usually this is your local tech support person. If you ever lose your encryption key, the DRA can recover your files for you if they have access to your computer.
     
     Note: Your DRA needs to complete the instructions on the Data Recovery Information page before you can start encrypting files.
2. Once you have received authorization from your DRA to proceed, choose the files or folders you want to encrypt.
   • We recommend you encrypt all Restricted Data that is stored on your computer.
   • You may create a special folder for encrypted files and encrypt that folder so that anything placed in that folder becomes encrypted.
3. Encrypt your files using the instructions on the How to Encrypt a File page.
4. Copy your EFS key onto removable media using the instructions on How to Back-up Your Keys and Certificate with Windows XP or How to Back-up Your Keys and Certificate with Windows Vista.
5. To be extra safe, you have the option of deleting your key from your computer.
   • This means you will have to have the removable media with your key every time you want to access the file, but it does provide an extra layer of protection.
   • This is most useful for mobile users with laptops where the private key is initially removed before transit, and imported back to the laptop upon arrival.
   • If you lose the removable media, your DRA will be able to recover your files.
   • Use the instructions on the How to Remove a Recovery Key From Your Computer page.

Limitations and Caveats

• The best way to protect Restricted Data is to avoid saving it at all on any desktop system. If you do not have a need to store Restricted Data on your workstation, please delete it.
• The use of encryption technologies always involves the risk of loss of data. For those who depend heavily on EFS for their day to day work, IT Services strongly recommends simulating loss of encryption keys, and practicing file recovery using your DRA. Please submit a HelpSU to schedule time for this practice session.
• Your DRA must have access to the computer on which the files are stored. There are serious limitations to recovering encrypted files from remotely connected machines.
• For those who travel or work remotely often and use EFS, IT Services recommends storing copies of encrypted files on Stanford local file servers to mitigate the probability of needing to access your DRA.
• EFS is an "encryption at rest" technology. Before an EFS file is transferred over a network link, including via email attachment, the file is decrypted. The file can be encrypted again at the destination with the proper settings and share permissions.
• There are some recovery situations where the DRA who recovers your documents will be able to view the file in a decrypted state. If this is an issue, please work with your DRA to set up a practice session where decryption is done without read access to the decrypted file.