#Microsoft #Security #Encryption #ActiveDirectory #Windows
>[!info] Comprehensive Guide for Implementing EFS and Secure File Sharing with Microsoft Security
>This guide covers the implementation of [[Microsoft EFS|Encrypting File System (EFS)]], a powerful feature in Windows that allows you to encrypt files and folders to protect sensitive data. This guide will help you seamlessly set up and manage EFS certificates, encrypt files, and ensure that authorized users can access the data securely. For full encryption implementation details, see [[Full Encryption implementation]].
>[!info] EFS Certificate Distribution
>Each user who needs to encrypt or decrypt files must have an EFS certificate. Here's how to enable auto-enrollment for these certificates using Group Policy:
>[!hint] Group Policy Configuration
>
> - **Open Group Policy Management Console (GPMC)**: on a Domain Controller, open the GPMC.
> - **Edit the Group Policy Object (GPO)**: edit the GPO applied to the Organizational Unit (OU) that contains your users.
> - **Navigate to Public Key Policies for EFS**:
> ```
> User Configuration -> Windows Settings -> Security Settings -> Public Key Policies -> Encrypting File System
> ```
>[!note] Create Data Recovery Agent (Optional)
> - Right-click and choose **Create Data Recovery Agent** to set up recovery agent certificates if needed.
>[!hint] Configure Auto-Enrollment for EFS Certificates
> ```
> User Configuration -> Windows Settings -> Security Settings -> Public Key Policies -> Automatic Certificate Request Settings
> ```
>[!success] Add New Automatic Certificate Request for the EFS Template
> - Right-click **Automatic Certificate Request Settings**.
> - Choose **New** -> **Automatic Certificate Request**.
> - Select the EFS template from the list.
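After the GPO is in place, the thing to verify on a client is that auto-enrollment actually delivered a CA-issued EFS certificate to the user. The following PowerShell is an added example and not part of the original guide; it assumes a domain-joined client, runs in the user's own session, and relies only on the well-known EFS Enhanced Key Usage OID (1.3.6.1.4.1.311.10.3.4) to recognise EFS certificates.

```powershell
# Added example (not from the original guide): confirm that EFS auto-enrollment
# reached the logged-on user. Run on a domain-joined client in the user's context.

$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID for Encrypting File System

function Get-EfsCertificate {
    # Return every certificate in the user's personal store whose EKU includes EFS
    Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $EfsEkuOid })
    }
}

# Refresh user policy and trigger an auto-enrollment pass now instead of
# waiting for the next scheduled cycle.
gpupdate.exe /target:user /force | Out-Null
certutil.exe -user -pulse | Out-Null

$certs = Get-EfsCertificate
if (-not $certs) {
    Write-Warning "No EFS certificate found for $env:USERDOMAIN\$env:USERNAME; check the GPO link and the template's enroll/autoenroll permissions."
} else {
    foreach ($c in $certs) {
        # A self-signed EFS certificate (Issuer equals Subject) means the user
        # encrypted something before policy reached them; the GPO above is meant
        # to deliver a CA-issued one, which is the one a recovery plan can rely on.
        $origin = if ($c.Issuer -eq $c.Subject) { 'self-signed' } else { 'CA-issued' }
        [pscustomobject]@{
            Thumbprint    = $c.Thumbprint
            Subject       = $c.Subject
            Issuer        = $c.Issuer
            Origin        = $origin
            NotAfter      = $c.NotAfter
            HasPrivateKey = $c.HasPrivateKey
        }
    }
}
```

If the only result is a self-signed certificate, auto-enrollment has not taken effect for that user yet; files they encrypted in the meantime are tied to that self-signed key, so keep it backed up until the CA-issued certificate is in use.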
>[!info] Encrypting Files on the File Share
>After distributing the EFS certificates, you can proceed to encrypt files or folders on the file share.
>[!hint] Access the File Share
> - Use a domain-joined machine to access the file share.
>[!success] Encrypt the File or Folder
> - **Right-click** the file or folder, select **Properties**.
> - Click **Advanced**.
> - Check **Encrypt contents to secure data**, then click **OK**.
> - Apply changes to the desired scope (file only, or folder and subfolders).
>[!hint] Add Additional Users to the Encrypted File/Folder
> - Open **Properties** of the encrypted file/folder.
> - Go to the **General** tab, then click **Advanced**.
> - Click on **Details** to open the Encryption Details window.
> - Click **Add**.
> - Select the users from Active Directory whose public EFS certificates should be added.
> - Each authorized user's public key will be added, enabling them to decrypt the file.
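The GUI steps above for encrypting a folder and adding users can also be driven with the built-in cipher.exe, which is what you want when many folders or users are involved. This PowerShell is an added example, not part of the original guide; the share path and the account names are assumed placeholders.

```powershell
# Added example (not from the original guide): encrypt a folder on the share and
# grant additional users access with cipher.exe. Path and user names are assumed.

$Folder = '\\fileserver\secure\projects'        # assumed UNC path on the file share
$Users  = @('CORP\alice', 'CORP\bob')           # assumed users who need access

function Test-EfsEncrypted {
    param([string]$Path)
    # EFS sets the Encrypted attribute on every file and folder it protects
    ([System.IO.File]::GetAttributes($Path) -band [System.IO.FileAttributes]::Encrypted) -ne 0
}

# 1. Encrypt the folder and everything below it (/E encrypts, /S recurses).
#    New files created inside later are encrypted automatically.
& cipher.exe /E "/S:$Folder" | Out-Null

# 2. Add each user's public EFS certificate to every file in the tree, which is
#    the scripted form of Properties -> Advanced -> Details -> Add. cipher looks
#    the certificate up by account, so it must be published to Active Directory.
foreach ($u in $Users) {
    & cipher.exe /ADDUSER "/USER:$u" "/S:$Folder" | Out-Null
}

# 3. Report the encryption state of each file, then show who can decrypt it.
Get-ChildItem -Path $Folder -File -Recurse | ForEach-Object {
    [pscustomobject]@{
        File      = $_.FullName
        Encrypted = Test-EfsEncrypted $_.FullName
    }
} | Format-Table -AutoSize

& cipher.exe /C "/S:$Folder"      # lists "Users who can decrypt" per file
```

Two things to keep in mind when the target is a network share rather than a local disk: with EFS over SMB the encryption happens on the file server, so the server's computer account must be trusted for delegation and the user's EFS certificate must be reachable from there, and `/ADDUSER /USER:` only works if the user's certificate has been published to their AD account (a setting on the certificate template). Step 3 is a quick way to confirm both before handing the share over to users.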
>[!info] Accessing Encrypted Files
>Authorized users can access encrypted files using their personal EFS private keys. Here's how it works:
>
> - When an authorized user attempts to open an encrypted file, their private key—protected by Data Protection API (DPAPI)—is used to decrypt the FEK (File Encryption Key).
> - Consequently, the file is decrypted and accessible to the user.
>[!info] Recovery Agents
>Configuring EFS Recovery Agents is crucial in case users lose their keys, allowing file recovery by designated personnel.
>[!hint] Add Recovery Agents (Optional but Recommended)
>
> - **Navigate to EFS in Group Policy**:
> ```
> Computer Configuration -> Windows Settings -> Security Settings -> Public Key Policies -> Encrypting File System
> ```
> - **Add Data Recovery Agent**: right-click **Encrypting File System**, select **Add Data Recovery Agent**, then follow the wizard to add the needed user or group recovery certificates.
>[!tip] Key Notes
> - **Regular Backups**: Regularly back up your certificates along with the encrypted files.
> - **Update Policies**: make sure the updated Group Policy is applied on all client machines.
> - **Monitoring**: Regularly monitor for compliance and reassess permission settings.
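The Recovery Agents section and the Monitoring note above fit together: the recovery agent only helps if every encrypted file on the share actually carries it. This PowerShell is an added example and not part of the original guide. It generates the Data Recovery Agent (DRA) key pair with cipher.exe, then audits a share for files that are either unencrypted or encrypted without the DRA. The output path, share path and the assumption that `cipher /C` prints the thumbprint of each recovery certificate are the assumptions it makes.

```powershell
# Added example (not from the original guide): create a DRA key pair and audit a
# share for files missing encryption or missing the DRA. Paths are assumed.

$DraBaseName = 'C:\Secure\efs-dra'        # assumed; cipher writes efs-dra.cer and efs-dra.pfx
$Share       = '\\fileserver\secure'      # assumed UNC path to audit

# 1. Generate the DRA certificate and private key (cipher prompts for a password
#    for the .pfx). Import the .cer through the Add Data Recovery Agent wizard;
#    the .pfx is the recovery key and belongs offline, not on the file server.
& cipher.exe "/R:$DraBaseName"

# 2. Read the DRA thumbprint from the .cer so the audit can look for it.
$dra = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("$DraBaseName.cer")
$DraThumbprint = $dra.Thumbprint.ToUpperInvariant()

function Test-EfsEncrypted {
    param([string]$Path)
    # EFS sets the Encrypted attribute on every file and folder it protects
    ([System.IO.File]::GetAttributes($Path) -band [System.IO.FileAttributes]::Encrypted) -ne 0
}

function Test-HasRecoveryAgent {
    param([string]$Path, [string]$Thumbprint)
    # cipher /C lists every certificate that can decrypt the file, including the
    # recovery certificates, with thumbprints printed as space-separated byte
    # pairs; strip whitespace so the comparison does not depend on that layout.
    $out = (& cipher.exe /C "$Path") -join "`n"
    ($out -replace '\s', '').ToUpperInvariant().Contains($Thumbprint)
}

function Get-EfsAuditReport {
    param([string]$Root, [string]$Thumbprint)
    Get-ChildItem -Path $Root -File -Recurse | ForEach-Object {
        $enc = Test-EfsEncrypted $_.FullName
        [pscustomobject]@{
            File      = $_.FullName
            Encrypted = $enc
            HasDra    = if ($enc) { Test-HasRecoveryAgent $_.FullName $Thumbprint } else { $null }
        }
    }
}

# 3. Report only the files that need attention: not encrypted at all, or
#    encrypted before the DRA policy applied and therefore unrecoverable by it.
$report = Get-EfsAuditReport -Root $Share -Thumbprint $DraThumbprint
$report | Where-Object { -not $_.Encrypted -or ($_.Encrypted -and -not $_.HasDra) } |
    Format-Table -AutoSize

# Files encrypted before the DRA was added pick it up the next time they are
# written, or all at once with "cipher /U". /U only walks local drives, so for a
# share it must run on the file server itself, where the Computer Configuration
# policy above applies.
```

Run the audit on a schedule and treat a non-empty report as a finding: an encrypted file with `HasDra = False` is one that a lost user key makes permanently unreadable, which is exactly the situation the recovery agent exists to prevent.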