Windows 2000 Encrypting File System

Windows 2000 comes with the ability to encrypt files and/or folders on the disk using the DESX algorithm and a combination of symmetric and public key technology. This functionality is called EFS (for Encrypting File System) and is only available on disks formatted with the NTFS file system. The university's policy on encryption of data (section IV paragraph "F" of the Yale IT Appropriate Use Policy document) specifies that, in most cases, when data is encrypted a recovery mechanism should be available or the key must be provided when a request is made by a properly designated person. Since the encrypting file system in Windows 2000 is based on a combination of a system-generated key and a user certificate, the only way to decrypt EFS information is via that user's credentials or a built-in mechanism called a "recovery agent", a designated account that has the authority to decrypt other users' data if the owner is not available. This capability is, of course, a very powerful one, and policies on who will carry that authority are not defined yet. For that reason, there is no recovery agent currently defined in the Active Directory. The effect of this is that EFS is disabled on all systems that are part of the AD. Users that attempt to encrypt files with EFS when it is disabled because no key is present will see the following error message:
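As an added example (not part of the original page and not Yale's own tooling), the following PowerShell script performs the checks a defender would run before relying on EFS for a file: that the volume is NTFS, that EFS has not been disabled by policy, that the file actually carries the Encrypted attribute, and whether a recovery agent is listed among the certificates able to decrypt it. It assumes the EfsConfiguration registry value (1 meaning "EFS disabled") and the cipher.exe /c switch, neither of which is mentioned on the page; it is written for a current Windows host rather than Windows 2000, and the parsing of cipher's output is a heuristic.

```powershell
# Added example, not from the original Yale page or its tooling.
# Reports whether EFS can actually be relied on for a given file on a current Windows host:
#   1. the volume must be NTFS (EFS is NTFS-only),
#   2. EFS must not be disabled by policy (assumption: EfsConfiguration = 1 means disabled),
#   3. the file's Encrypted attribute shows whether it is EFS-protected,
#   4. cipher.exe /c (assumed switch, not present in Windows 2000's cipher) lists who can
#      decrypt the file, including any recovery agent.
param([Parameter(Mandatory = $true)][string]$Path)

function Get-EfsVolumeInfo([string]$FilePath) {
    # Drive qualifier of the resolved path, e.g. "C:"
    $drive = Split-Path -Qualifier (Resolve-Path -LiteralPath $FilePath).Path
    $disk  = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$drive'"
    [pscustomobject]@{
        Drive      = $drive
        FileSystem = $disk.FileSystem
        IsNtfs     = ($disk.FileSystem -eq 'NTFS')
    }
}

function Test-EfsDisabledByPolicy {
    # Assumption: the "disable EFS" policy writes EfsConfiguration = 1 under this key.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'
    $val = (Get-ItemProperty -Path $key -Name EfsConfiguration -ErrorAction SilentlyContinue).EfsConfiguration
    return ($val -eq 1)
}

function Test-FileEfsEncrypted([string]$FilePath) {
    # The Encrypted attribute is set by NTFS on EFS-protected files and folders.
    $attrs = (Get-Item -LiteralPath $FilePath).Attributes
    return $attrs.HasFlag([System.IO.FileAttributes]::Encrypted)
}

function Get-EfsDecryptors([string]$FilePath) {
    # cipher /c prints the user certificates and recovery certificates able to decrypt the file.
    $out = & cipher.exe /c $FilePath 2>&1
    [pscustomobject]@{
        Raw = $out
        # Heuristic: cipher reports "No recovery certificate found." when no agent is configured.
        HasRecoveryAgent = -not [bool]($out | Where-Object { $_ -match 'No recovery certificate' })
    }
}

$vol = Get-EfsVolumeInfo $Path
Write-Host "Volume $($vol.Drive): $($vol.FileSystem) (NTFS: $($vol.IsNtfs))"
Write-Host "EFS disabled by policy: $(Test-EfsDisabledByPolicy)"
if ($vol.IsNtfs) {
    $enc = Test-FileEfsEncrypted $Path
    Write-Host "File is EFS-encrypted: $enc"
    if ($enc) {
        $who = Get-EfsDecryptors $Path
        Write-Host "Recovery agent listed: $($who.HasRecoveryAgent)"
        $who.Raw | ForEach-Object { Write-Host "  $_" }
    }
}
```

Run it as `.\Check-Efs.ps1 -Path C:\Users\me\Documents\report.docx` (file name constructed for illustration). The point of the last check is the one the page makes: an encrypted file with no recovery agent listed can only ever be decrypted with the owning user's credentials, so if that profile or certificate is lost, the data is lost with it.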
Until EFS policy is developed, users are encouraged to use Yale's distribution of PGP and/or PGPDisk if they need to encrypt files in a secure manner. It is expected that EFS will be made available in the future once policies are in place to manage it. For more information on EFS and related policies, please contact the Information Security Office.
Author: Ken Hoover, Systems Programmer
Certifying authority: Charles Powell, Director, AM&T
URL: http://babs.its.yale.edu/yalead/efs-information.asp
Last update: Fri Jul 8 14:48:24 2005