
Encryption

One of NTFS's design goals was to allow for proper access control and security, something that was sorely lacking under the FAT file system. In fact, a rather complex security and permissions system is used by NTFS to ensure that only authorized system users can gain access to, or control of, various system objects. This system works well in most cases, but it has a very serious shortcoming: it only works when users "play within the system". As long as Windows NT/2000 is booted normally, the protections offered by the NTFS security mechanisms work well. Unfortunately, it has always been possible for a malicious user to try to access an NTFS partition using a low-level disk utility, bypassing the NTFS security methods entirely. Since NTFS structures were not encrypted, security could be compromised without a lot of trouble--the average person would not have any way of making sense of an NTFS partition when looking at raw bits and bytes, but knowledgeable people certainly could.

To correct this deficiency, Microsoft introduced an encryption capability in NTFS 5.0, as part of Windows 2000. This feature is called the Encrypting File System or EFS. Using EFS, it is possible to encrypt important data before storing it on the NTFS partition. Without the proper decryption key, the data cannot be accessed. This makes it impossible for anyone to easily access data stored on NTFS volumes by booting the PC with a floppy disk and using a disk sector editor, for example. It also offers some peace of mind to those who carry critically sensitive information around on notebook PCs, which are frequently lost--or "liberated", if you know what I mean...

Not surprisingly, the details of how EFS works are fairly complicated--there's no way to make a capable and secure encryption system without it being fairly complex. The system uses a public key and private key algorithm, with 128-bit security domestically (in North America) and 40-bit keys internationally.  The "public key / private key" mechanism is a common one, also used for example in the PGP ("Pretty Good Privacy") encryption system. Trying to explain the encryption system would lead me down a long tangential path I would like to avoid. :^) In a nutshell, it works this way. Each user has a public and a private key; the public key can be known to others, while the private key is, of course, private. When a file is encrypted, this is done using the public key. In order to decrypt the file, the private key must be known. EFS carefully guards these private keys in order to ensure that only the person who encrypted the file can decrypt it. The two-key system means that you can encrypt a file using the public key, but you cannot decrypt the file using it!

Fortunately, the internal details aren't necessary in order to use the feature. Enabling encryption is generally as simple as "turning on" encryption for one or more files or folders, much the way NTFS compression works--using the object's properties settings. Encrypting a folder means that any files added to that folder in the future will be automatically encrypted as well.
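Because marking a folder only covers files added afterwards, it is worth checking which items in a folder tree actually carry the NTFS Encrypted attribute. The PowerShell script below is an added example, not part of the original page; the folder `C:\Sensitive` and the function names `Test-EfsEncrypted` and `Get-EfsGap` are hypothetical.

```powershell
# Added example: report items under a folder tree that are NOT covered by EFS.
param(
    [string]$Root = 'C:\Sensitive'   # hypothetical folder expected to be EFS-protected
)

$EncryptedFlag = [System.IO.FileAttributes]::Encrypted

function Test-EfsEncrypted {
    param([System.IO.FileSystemInfo]$Item)
    # The Encrypted attribute bit is set on EFS-encrypted files, and on
    # folders that are marked so that newly added files get encrypted.
    return [bool]($Item.Attributes -band $EncryptedFlag)
}

function Get-EfsGap {
    param([string]$Path)
    $rootItem = Get-Item -LiteralPath $Path -Force
    if (-not (Test-EfsEncrypted $rootItem)) {
        [pscustomobject]@{ Kind = 'FolderNotMarked'; Path = $rootItem.FullName }
    }
    # -Force includes hidden and system items; unreadable items are skipped.
    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not (Test-EfsEncrypted $_) } |
        ForEach-Object {
            $kind = if ($_.PSIsContainer) { 'SubfolderNotMarked' } else { 'FileNotEncrypted' }
            [pscustomobject]@{ Kind = $kind; Path = $_.FullName }
        }
}

$gaps = @(Get-EfsGap -Path $Root)
if ($gaps.Count -eq 0) {
    Write-Output "All items under $Root carry the Encrypted attribute."
} else {
    # Files created before the folder was marked show up as FileNotEncrypted.
    $gaps | Sort-Object Kind, Path | Format-Table -AutoSize
    # The built-in cipher.exe can mark the folder tree: cipher /e /s:<folder>
    Write-Output "$($gaps.Count) item(s) under $Root are not EFS-encrypted."
}
```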

Tip:  If you are interested in learning more about the details of how EFS works, try reading this article.

Technically, EFS is not considered a "built-in" part of NTFS. EFS runs as a system service under Windows 2000, and interacts very closely with the internal services and drivers that operate the NTFS file system, but they are really not the same thing. When a file needs to be encrypted or decrypted, the file system works with the EFS service to handle the translation operations for the file. Again, these implementation details are hidden from the user--the operation of EFS is essentially "seamless" and for all intents and purposes can be considered part of NTFS, which is why I described it here. :^)


The PC Guide (http://www.PCGuide.com)
Site Version: 2.2.0 - Version Date: April 17, 2001
Copyright 1997-2004 Charles M. Kozierok. All Rights Reserved.
