How Does Win2k's Encrypted File System Really Work?
cyberbrian asks: "At work, I administer Windows NT 4.0 and 2000 servers and I have been researching Win 2000's EFS (Encrypted File System) and I have detected some Very Odd Behavior. I am currently leaning towards using PGP Disk instead of EFS but I really want to know what is going on here. For instance, one of the tests I made is that I backed up an encrypted file and restored it to a FAT partition. The resulting file had zero bytes. For true encryption, shouldn't there be data in the file, but scrambled according to the encryption algorithm and key file? IMHO, Microsoft may not be using encryption at all, but instead perhaps the "encryption" is actually a hidden NTFS deny/allow permission that is tied to a certificate. Has anyone tested this by trying to decrypt an EFS file under Linux?
Also, I would be very interested in any URLs people could point me to where this is explained in detail."
Actually, I wouldn't be surprised if it was only a flag and they didn't really encrypt the data. First, when my 2000 Pro system crashed last winter, I simply reinstalled 2000 Pro onto the same drive. The new administrator account had access to all the files on the hard drive, whether they were "encrypted" or their permissions were explicitly for another group. It seems that the actual files are simply on the disk; the installed instance of the OS is what performs access control, so there is no real alteration of data with permissions or encryption. However, the compressed files were still compressed when I installed the second time.
Thanks,
Travis
forkspoon@hotmail.com