EFS

Encrypting File System

❊ What is EFS?

The Encrypting File System on Microsoft Windows is a feature introduced in version 3.0 of NTFS that provides filesystem-level encryption. The technology enables files to be transparently encrypted to protect confidential data from attackers with physical access to the computer.

❊ EFS vs Bitlocker

BitLocker helps protect an entire drive against offline attacks, whereas EFS can provide additional user-based file level encryption for security separation between multiple users of the same computer. EFS can also be used in Windows to encrypt files on other drives that aren't encrypted by BitLocker.

In short, BitLocker is full disk encryption, and EFS is individual file encryption.

❊ How It Works with Yubikey

Usually with Bitlocker, you unlock your drive once with your Yubikey / smart card and the drive stays unlocked until you lock it again or restart your computer.

EFS, on the other hand, is much more adamant about ensuring your files are only accessed by the correct people.

With EFS, you can specify the "cache" time between authentication requests. This means that when you attempt to access or open a file, you will immediately be prompted by your Yubikey to authenticate. After that successful authentication, the computer will "remember" you for a period of time and lets you continue using the file uninterrupted. However, after that cache period is over, you will be asked again to authenticate the next time you access the file.

The cache duration can be increased or even decreased to as little as asking you to authenticate every 5 minutes. Or you can make EFS remember you for the entire day once you authenticate successfully the first time.

❊ Configure EFS

You will need to navigate to the following location:

📃 Local Computer Policy
   💻 Computer Configuration
      📁 Windows Settings
         🔒 Security Settings
            📁 Public Key Policies
               📁 Encrypting File System

Once you locate Encrypting File System, right-click and select Properties:

You will see a new dialog with a few tabs and options:

The settings you select depend on your preferences. In our demo, we want a pretty locked down system, so we've selected the following:

  • Require a smart card for EFS

  • Display key backup notifications when user key is created or changed

Then select the Cache tab.

In this section, we're only going to allow it to cache the encryption key for 120 minutes (2 hours).

You can set the cache timeout for as long or short as you want. The lower the time, the more it'll ask for authentication directly from your Yubikey.

Once you've configured the desired settings, click Apply and OK.

❊ Encrypting Files

The process of encrypting a few of your files is rather simple. Start with a test file you don't care about, so that if something goes wrong or EFS is not configured properly, you won't lose anything valuable. Once you have the process down and understand how it works, you can encrypt your valuable data.

To encrypt, right-click on a file and select Properties.

You will then see another dialog box appear:

Enable / check the option at the bottom Encrypt contents to secure data.

A dialog appears:

For this tutorial, we will select Encrypt the file only.

Once you press OK to encrypt the file, physically look at your Yubikey. If the "Y" is blinking, you will need to touch your device in order to complete the encryption process.

Touching your Yubikey will be a requirement each time you wish to access your encrypted file depending on how you've configured your PIV touch policies. You will not see a dialog appear on-screen telling you to touch the key, so you will need to physically pay attention to it and touch it if it blinks.

If you do not see anything in this list, that is fine. Close out all the dialog boxes and return to the file you were encrypting.

Depending on the file, you should now see a yellow lock integrated into the icon:

After you first enabled encryption for your file, that counts as one authentication. Which means your key is cached and you can freely access the file for a certain amount of time.

If you attempt to access the file and remove your Yubikey, a dialog box will appear:

Be sure to pay attention to the icons near your clock. If you attempt to access an encrypted file and it appears that your computer has frozen and is not responding, that is a graphical glitch in Windows. Somewhere near your clock there should be an icon indicating that EFS requires you to insert your Yubikey or type your PIN.

If your Yubikey is not inserted into the USB port, you will see the following:

Once you insert your Yubikey, Windows will find your certificate and ask you to enter your PIN.

❊ EFS Certificate

EFS appears to prefer using the certificate that has been assigned to the user account via the Windows control panel.

Select User Accounts option:

On the next dialog, select Manage your file encryption certificates:

A dialog box will appear:

You may not see any certificates in the box above.

Once you select the correct certificate, another box will appear asking you to enter your PIV PIN.

Once the PIN has been entered, you will see:

Once entered, the final dialog will show a summary of your assigned certificate:

You can now close this window, and your EFS certificate should be associated with your account.

Selecting the option Encrypt contents to secure data will now use the certificate you selected earlier in order to access or edit the file.

Side Note:

You may notice that once you enable encryption on a particular file, every time you access it afterward there is a very slight delay between selecting it and the action taking place. You'll also notice your Yubikey light will turn on. This is because the computer reads your Yubikey each time you access the encrypted file.

❊ Adding Additional Certificates

On top of the primary certificate Windows will use for EFS, you can add secondary certificates which can access the same file.

You will then go through the normal process of being prompted with a list of your compatible certificates and you'll be able to select another certificate which will have access to this file.

Once you've selected a new certificate, enter the PIV PIN, and then apply your changes.

You can now access the selected file with any Yubikey which has one of the two specified keys imported.

When accessing an encrypted file, be sure you physically check the Yubikey. If you have the touch policy enabled, you will see the light on the Yubikey blink and you will be required to actually touch the Yubikey in order to access the file; otherwise the system will just sit there and eventually time out with an access violation error.
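The same encrypt / verify / add-a-second-certificate steps from the sections above, done with the built-in .NET EFS calls and cipher.exe instead of the Properties dialog. This is an added example, not from the original page; the file path and the second certificate thumbprint are placeholders you must replace.

```powershell
# Added example (not from the original page). Encrypts a throwaway test file with EFS,
# confirms the Encrypted attribute was set, then inspects (and optionally extends) the
# list of certificates that can decrypt it. Path and thumbprint values are placeholders.
$testFile = Join-Path $env:USERPROFILE 'Documents\efs-test.txt'
Set-Content -Path $testFile -Value 'constructed test content, nothing valuable'

function Test-EfsEncrypted {
    param([Parameter(Mandatory)][string]$Path)
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    return (($attrs -band [System.IO.FileAttributes]::Encrypted) -ne 0)
}

# Same effect as ticking "Encrypt contents to secure data" > "Encrypt the file only".
# With "Require a smart card for EFS" in policy, this is where the Yubikey PIN / touch
# prompt fires; watch the key's light, Windows shows no on-screen touch prompt.
[System.IO.File]::Encrypt($testFile)

if (-not (Test-EfsEncrypted -Path $testFile)) {
    throw "EFS did not encrypt $testFile; check the policy and that the smart card certificate is assigned"
}

# Lists the users / certificate thumbprints that can decrypt the file and whether a
# recovery agent exists. Useful to confirm which certificate EFS actually picked.
cipher.exe /c $testFile

# Optional: grant a second certificate access (the GUI "Add" button in the Details dialog).
# Set this to the SHA1 thumbprint of the other Yubikey's certificate (from certmgr.msc);
# the zero string is a placeholder and is skipped.
$secondThumbprint = '0000000000000000000000000000000000000000'
if ($secondThumbprint -ne ('0' * 40)) {
    cipher.exe /adduser /certhash:$secondThumbprint $testFile
    cipher.exe /c $testFile   # should now list both certificates
}

# Leave the test file as it was.
[System.IO.File]::Decrypt($testFile)
```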

❊ Notes to Consider

I've set up the EFS system with my Yubikey a few times, and I've noticed the process can seem very buggy.

At times it will seem like once you encrypt a file, it stays unlocked, while other files will ask you to enter your Yubikey PIN or Touch almost every time you interact with them.

Lucky for you, I've spent the time trying to figure out why.

If you enable these settings, and then encrypt a file, all the files you encrypt will take on these settings.

If you come back to the EFS settings later and modify File Encryption using Encrypting File System (EFS) and set it to Not Defined or Don't Allow, the settings you had before disabling EFS will still apply to the already encrypted files.

This means that if you decide to change your EFS settings later, you must decrypt all of your files. Then come back to the above EFS settings, change the settings, and then go back to re-encrypt your files if you've just modified something like the cache time. If you disable EFS, then there's no need to re-encrypt.

The other thing to take into account: if you uncheck / disable the option Create caching-capable user key from smart card, caching will be disabled completely. You will need to enter your Yubikey PIN / touch the Yubikey almost every time you interact with the encrypted file. This means that if you disable that feature, the settings in the Cache tab will do nothing.
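The "decrypt everything, change the policy, re-encrypt" cycle described above, applied to a whole folder tree in one go rather than file by file. This is an added example, not from the original page; the folder under `$Root` is a placeholder and the file list written to `$env:TEMP` is a scratch file of my own choosing.

```powershell
# Added example (not from the original page). Already-encrypted files keep the EFS
# settings that were in force when they were encrypted, so to change e.g. the cache
# time you must decrypt them, apply the new policy, then re-encrypt the same files.
function Get-EfsEncryptedFile {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force |
        Where-Object { ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0 }
}

function Set-EfsState {
    param(
        [Parameter(Mandatory)][string]$Root,
        [Parameter(Mandatory)][ValidateSet('Decrypt', 'Encrypt')][string]$Action,
        [string[]]$FileList    # for Encrypt: the list recorded during the Decrypt pass
    )
    $targets = if ($Action -eq 'Decrypt') { @((Get-EfsEncryptedFile -Root $Root).FullName) } else { @($FileList) }
    $failed = @()
    foreach ($path in $targets) {
        try {
            # Each call can trigger the Yubikey PIN / touch prompt; if the key's light
            # blinks, touch it, or the call will eventually fail with an access error.
            if ($Action -eq 'Decrypt') { [System.IO.File]::Decrypt($path) }
            else                       { [System.IO.File]::Encrypt($path) }
        } catch {
            $failed += $path
            Write-Warning "$Action failed for ${path}: $($_.Exception.Message)"
        }
    }
    [pscustomobject]@{ Processed = $targets; Failed = $failed }
}

# 1. Record and decrypt every EFS-encrypted file under the folder (placeholder path).
$Root = Join-Path $env:USERPROFILE 'Documents\Private'
$listFile = Join-Path $env:TEMP 'efs-reencrypt-list.txt'
$pass1 = Set-EfsState -Root $Root -Action Decrypt
$pass1.Processed | Set-Content -Path $listFile
if ($pass1.Failed.Count -gt 0) { throw 'Some files could not be decrypted; fix those before changing the policy' }

# 2. Change the EFS policy (cache time, smart card requirement) under Local Computer
#    Policy > ... > Encrypting File System, then refresh it:  gpupdate /target:computer /force

# 3. Re-encrypt the same files so they pick up the new settings. Skip this step if you
#    disabled EFS entirely, since the decrypted files should then stay decrypted.
$pass2 = Set-EfsState -Root $Root -Action Encrypt -FileList (Get-Content -Path $listFile)
if ($pass2.Failed.Count -gt 0) { Write-Warning "$($pass2.Failed.Count) file(s) still unencrypted" }
```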
