Friday, July 20, 2012

Decrypting EFS


One of the many pains of NTFS's EFS is that if you decide to no longer use it, you can get in a situation where you are waiting hours and hours for your HDD or SSD to decrypt each file and folder, and change its attributes.

Worse, if you abort that operation, or have inaccessible files, you can end up with MIXED filesystems, with some files encrypted and others not. This can cause complications with backup solutions that use direct copies (if the destination can't hold encrypted files, for example).

So, how to fix? Well, you could toggle that Encrypted attribute checkbox in the folder properties, start to encrypt, then abort. Then do the opposite, being sure to include all subdirectories and files.

OR you can use the CIPHER tool, built into Windows. Cipher lets you query and control all sorts of EFS information. Anything EFS-related, it has, including what we want: decrypting an entire directory tree.

For example, say I want to make sure there are no EFS files left on drive D:\. The command might be:

CIPHER.EXE /D /S:d:\ /A

(/D decrypts, /S: takes the directory to recurse into, and /A makes Cipher operate on files as well as directories; without /A only the folders get their Encrypted attribute cleared.)

In my case, on a drive I had 21 'stray' EFS files and folders still encrypted. Fixed now.

Run Cipher /? to get a full list of options.
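As an added example (not part of the original post), here is a small PowerShell script that does the "are there any stray EFS files left?" check the post talks about: it walks a drive, lists every file and folder still carrying the NTFS Encrypted attribute, optionally runs the CIPHER decrypt from above, and then re-checks so you can see what CIPHER could not decrypt (typically files encrypted under a certificate you no longer hold). The root path and the script name are assumptions.

```powershell
# Audit-Efs.ps1 -- added example, not from the original post.
# Lists every item under $Root that still has the Encrypted attribute;
# with -Decrypt it runs CIPHER /D /S: /A and reports what is still encrypted afterwards.
param(
    [string]$Root = 'D:\',   # assumption: the drive or folder to audit
    [switch]$Decrypt
)

function Get-EfsItems([string]$Path) {
    # -Force includes hidden/system entries; unreadable paths are skipped silently
    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0 }
}

$before = @(Get-EfsItems $Root)
"Encrypted items under {0}: {1}" -f $Root, $before.Count
$before | ForEach-Object {
    $kind = if ($_.PSIsContainer) { 'DIR ' } else { 'FILE' }
    "  {0} {1}" -f $kind, $_.FullName
}

if ($Decrypt -and $before.Count -gt 0) {
    # Same operation as the post's command: /D decrypt, /S: recurse, /A files as well as folders.
    # Only files encrypted with a key the current user holds can be decrypted; the rest stay listed.
    & cipher.exe /D "/S:$Root" /A | Out-Null

    $after = @(Get-EfsItems $Root)
    "Still encrypted after CIPHER (missing EFS key or access denied): {0}" -f $after.Count
    $after | ForEach-Object { "  " + $_.FullName }
}
```

Run it once without -Decrypt to get the list, then with -Decrypt; anything in the "still encrypted" list needs the original user's EFS certificate imported before it can be recovered, which is exactly the backup problem the post goes on to describe.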

Why is EFS bad? One, the filename problem: filenames are visible. And since known file types tell an attacker where plaintext is likely to sit (this plaintext data is probably at location X in file type Y), the key becomes quite attackable. Then there is the issue of backing up your certificate, which has been made clearer in Vista and above, but can still be a bit of a pain. TrueCrypt or BitLocker are definitely the thing to use. I prefer TrueCrypt myself, one of the best F/OSS applications ever created. EFS, in my mind, is an illusion of security more likely to cause data loss than protect your privacy.
