2

If I encrypt a USB drive using Windows 2008 EFS, will I be able to view the contents of the drive on another PC (is there a way to provide credentials?)? The Windows 2008 system is using Windows accounts and not domain accounts.

Sajee

3 Answers

4

You must export the EFS private key from the first machine using certmgr.msc and import it to the second machine. Only then will you be able to decrypt files. (Passwords and anything else do not matter.)

But having two EFS private keys on one machine can really confuse both the user and the OS...

A better solution would be to use full-drive encryption (such as TrueCrypt, which is cross-platform) - this will also hide the filenames, unlike EFS.

If you only want to encrypt single files, GnuPG (or the commercial version, PGP) may be useful (though it's more suited for email encryption).

user1686
  • EFS won't hide files because the OS already has that ability. It's called access based enumeration – Jim B Jul 10 '09 at 17:22
  • 1
    But, unlike full-drive encryption, "that ability" is not LiveCD-resistant :) – user1686 Jul 10 '09 at 20:13
  • @Jim B: AFAIK, if someone plugs an EFS-encrypted USB drive into another PC they will be able to see all filenames (at least outside the domain). BitLocker might be an alternative, or TrueCrypt as already suggested – grojo Jan 26 '10 at 11:19
  • unless you turn on access based enumeration, in which case you can only see files you have access to. You don't need any encryption to turn that on and on server 2008 it's just a checkbox. Note that BitLocker was created just for this situation. EFS was not meant to be used on removable drives. – Jim B Jan 26 '10 at 14:16
  • Jim: It's not about removable drives. It's about someone browsing an internal HD using Linux. "Access-based enumeration" isn't even supported under ntfs-3g. – user1686 Jan 27 '10 at 12:17
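The export/import procedure in the answer above (and the cipher.exe /x shortcut mentioned in a comment further down) as an added, scripted example; this is not code from the original thread. It assumes the PKI module cmdlets Export-PfxCertificate / Import-PfxCertificate (Windows 8 / Server 2012 or later; the legacy cipher.exe and certutil.exe equivalents for a 2008 box are in the comments), an assumed PFX output path, and an assumed encrypted file E:\secret.docx on the USB drive (EFS needs the drive to be NTFS). The EKU OID used to pick out the EFS certificate, 1.3.6.1.4.1.311.10.3.4, is the real Microsoft "Encrypting File System" OID.

```powershell
# Added example (not from the original thread). Machine A exports the current
# user's EFS certificate + private key to a password-protected PFX; machine B
# imports it into the same user's personal store, which is where EFS looks.

$efsEku  = '1.3.6.1.4.1.311.10.3.4'                     # EKU: Encrypting File System
$pfxPath = Join-Path $env:USERPROFILE 'efs-key.pfx'      # assumed output path
$pfxPass = Read-Host -AsSecureString 'PFX password'

# --- Machine A: locate the EFS cert that actually has a private key ---------
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
$efsCert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object {
        $_.HasPrivateKey -and
        (($_.Extensions | Where-Object { $_ -is $ekuType } |
            ForEach-Object { $_.EnhancedKeyUsages.Value }) -contains $efsEku)
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $efsCert) { throw 'No EFS certificate with a private key in CurrentUser\My' }

Export-PfxCertificate -Cert $efsCert -FilePath $pfxPath -Password $pfxPass | Out-Null
"Exported EFS key $($efsCert.Thumbprint) to $pfxPath"
# Legacy equivalent on Windows Server 2008 (prompts for the password):
#   cipher.exe /x "$pfxPath"

# --- Machine B: import the PFX (copy efs-key.pfx across first) -------------
Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\CurrentUser\My `
    -Password $pfxPass | Out-Null
# Legacy equivalent:
#   certutil.exe -user -p <password> -importpfx "$pfxPath"

# The PFX is the raw private key; do not leave it lying on disk once imported.
Remove-Item $pfxPath -Force

# --- Check: "Users who can decrypt" must now list the imported thumbprint ----
cipher.exe /c 'E:\secret.docx'
```

The thumbprint that cipher /c prints for the file on machine B should match the one exported from machine A; if it does not, the file was encrypted under a different (older) EFS key and that key is the one to export. Transport the PFX on something other than the encrypted USB drive itself, since the drive is exactly what the key protects.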
0

Not unless they have shared keys. This can be set up but is a massive faff; it might be best to use PGP or similar instead, to be honest.

Chopper3
  • It doesn't need to be that complicated: run cipher.exe /x - save certificate - copy to another machine - double click file. – grojo Jan 26 '10 at 11:25
0

If I remember correctly (in 2003 PKI), when you set up your CA, you have the option to create a "master" certificate that will allow you (for emergency purposes) to unlock any files encrypted with a certificate assigned by that CA.

Kara Marfia
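The "master" certificate the answer above remembers is the EFS Data Recovery Agent (DRA). On a domain a CA-issued DRA is added through Group Policy; on a stand-alone Windows 2008 machine the same thing can be done with cipher.exe and the Local Security Policy. The following is an added example, not code from the original thread; the output directory and the encrypted file path are assumptions.

```powershell
# Added example (not from the original thread). Creates an EFS Data Recovery
# Agent key pair on a stand-alone machine and re-stamps existing encrypted
# files so the DRA can decrypt them. Paths below are assumptions.

$draBase = 'C:\EFS-DRA\recovery-agent'       # cipher appends .cer and .pfx
New-Item -ItemType Directory -Path (Split-Path $draBase) -Force | Out-Null

# /r:<basename> writes recovery-agent.cer (public certificate, safe to publish)
# and recovery-agent.pfx (private key, prompts for a password). The .pfx is the
# skeleton key for every file the DRA is stamped onto: keep it offline.
cipher.exe /r:$draBase

# Register the .cer as a recovery agent (manual step, no cmdlet on 2008):
#   secpol.msc -> Public Key Policies -> Encrypting File System
#             -> right-click -> Add Data Recovery Agent -> browse to the .cer
# Then refresh policy and touch every encrypted file on local drives so the
# new DRA is added to each file's recovery field:
gpupdate.exe /force
cipher.exe /u

# Check: the "Recovery Certificates" section should now list the DRA thumbprint.
cipher.exe /c 'E:\secret.docx'
```

Note that cipher /u only updates files on local drives that are encrypted under the current user's key; a file encrypted before the DRA existed, on a drive that is not plugged in at the time, gets the DRA the next time it is re-encrypted. Recovery with the DRA is then the same PFX import shown for the user key in the first answer, done as the recovery agent rather than the original user.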