Question about Windows Encrypting File System (EFS)  


  1. Posts : 6
    win 10 x64
       #1

    Question about Windows Encrypting File System (EFS)


    Hi
    I've been playing around with EFS but I cannot currently test this one thing that popped to my mind.
    I have a laptop with an SSD (Local disk C:\) and a HD (Local disk D:\).
    Windows installed on SSD, personal files kept on HD.
    Windows is protected with a user account with password.
    I used EFS (not BitLocker, just EFS) on some files on the HD.

    If my laptop gets stolen, and if the thief removes that HD and connects it to another computer that he has access on, if he uses a Linux live USB/CD to boot, what stops him from copying the encrypted files from my HD and then being able to access them?
    I'm assuming that he won't be asked for Windows password since that stays on the SSD and he removed the HD and put it on another computer...

    If anyone hasn't played around with EFS, once you get access to the encrypted files, nothing stops you from copying them to another media and then pasting them to another computer and accessing them.


  2. Posts : 3,796
    Windows 11 Pro, 22H2
       #2

    You are able to copy the EFS encrypted files because you are logged in using the user account that has access to those encrypted files. When you copy the files to another location, Windows decrypts the files on the fly to place them on a non-encrypted device. It's been a few years so forgive my lack of memory on all details, but I think that if you were copying to say a thumb drive that is formatted with NTFS the file would remain encrypted since that destination is capable of storing EFS encrypted files.

    So, if a user connects the HD to another system, they would not be logged on with the correct credentials and as a result the file would remain encrypted and inaccessible to them. I think that they may be able to copy the file, but it stays encrypted and inaccessible.

    Easy way to test this:

    Set File Explorer to show EFS encrypted files in an alternate color.
    Encrypt a test file on your computer.
    Format a thumb drive with NTFS.
    Copy the EFS encrypted file to that thumb drive. It should show in the alternate color indicating it is still encrypted.
    Move that thumb drive to another machine that you have not added your EFS encryption certificate to.
    The file should remain inaccessible (it won't decrypt).
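The test procedure from post #2 as a PowerShell script, added here as an example and not part of any poster's message. The drive letter `E` and the file name `efs-test.txt` are assumptions; run it as the user who owns the EFS certificate.

```powershell
# Added example, not code from the thread.
# Assumptions: E: is the thumb drive; efs-test.txt is a throwaway test file.
param(
    [string]$DestinationDrive = 'E'
)

function Test-EfsEncrypted([string]$Path) {
    # The NTFS "Encrypted" attribute is what File Explorer colors differently.
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    return [bool]($attrs -band [System.IO.FileAttributes]::Encrypted)
}

$source = Join-Path $env:USERPROFILE 'efs-test.txt'
$dest   = "${DestinationDrive}:\efs-test.txt"

# Step 1: create and EFS-encrypt a test file for the current user.
Set-Content -LiteralPath $source -Value 'EFS test content (constructed sample)'
try {
    [System.IO.File]::Encrypt($source)
} catch {
    Write-Error "EFS encryption failed on this system or volume: $_"
    return
}

# Step 2: record which file system the destination uses before copying.
$destFs = (New-Object System.IO.DriveInfo "${DestinationDrive}:\").DriveFormat

# Step 3: copy the encrypted file to the thumb drive.
Copy-Item -LiteralPath $source -Destination $dest -Force

# Step 4: report whether source and copy carry the Encrypted attribute.
[pscustomobject]@{
    SourceEncrypted       = Test-EfsEncrypted $source
    DestinationFileSystem = $destFs
    CopyEncrypted         = Test-EfsEncrypted $dest
}

# Step 5: show EFS details for the copy (users and certificates that can decrypt).
cipher /c $dest
```

If `CopyEncrypted` is `True`, move the drive to a machine without your EFS certificate and try to open the file there to complete the test.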


  3. Posts : 3,796
    Windows 11 Pro, 22H2
       #3

    Here is a good tutorial on the topic:

    Encrypt Files and Folders with EFS in Windows 10


  4. Posts : 6
    win 10 x64
    Thread Starter
       #4

    hsehestedt said:
    You are able to copy the EFS encrypted files because you are logged in using the user account that has access to those encrypted files. When you copy the files to another location, Windows decrypts the files on the fly to place them on a non-encrypted device. It's been a few years so forgive my lack of memory on all details, but I think that if you were copying to say a thumb drive that is formatted with NTFS the file would remain encrypted since that destination is capable of storing EFS encrypted files.

    So, if a user connects the HD to another system, they would not be logged on with the correct credentials and as a result the file would remain encrypted and inaccessible to them. I think that they may be able to copy the file, but it stays encrypted and inaccessible.

    Easy way to test this:

    Set File Explorer to show EFS encrypted files in an alternate color.
    Encrypt a test file on your computer.
    Format a thumb drive with NTFS.
    Copy the EFS encrypted file to that thumb drive. It should show in the alternate color indicating it is still encrypted.
    Move that thumb drive to another machine that you have not added your EFS encryption certificate to.
    The file should remain inaccessible (it won't decrypt).

    Thanks for your reply.
    Copying an encrypted EFS file from my HD to NTFS USB makes the file accessible on another computer.
    That's because as you said, since I'm logged in, the file gets decrypted on the fly and doesn't matter if the USB is NTFS.
    However, copying the files to a USB and then encrypting them, then pasting them to another machine, they stay encrypted.

    I still need to be sure about the scenario I mentioned in my opening post... what bugs me is that Windows is installed on C:\, the SSD and the HD is separate... so I think there's a possibility that when you remove only the HD and connect it to another computer, it won't ask for the Windows credentials because they are on the SSD where the OS is...


  5. Posts : 3,796
    Windows 11 Pro, 22H2
       #5

    Let me try explaining this in another way...

    When you encrypt a file on your computer, no one, not even you, can access the contents of that file unless Windows decrypts the file for you. Clearly, Windows must have some mechanism to determine whether or not it will decrypt that file for you or not. That mechanism is a verification that you are the user linked to the certificate for EFS encryption.

    As that authorized user, everything you do with that file is completely transparent. You can open the file, edit it, copy it, etc. To perform any of those operations, Windows has to decrypt the file for you. So, if you now copy that file to a destination that doesn't support EFS encryption, it will be stored there unencrypted.

    So I also don't think you quite understood my test. The idea is to place a file on the drive that is encrypted. When you look at that file using File Explorer it should show up in green to indicate that it is EFS encrypted. Now, try taking that thumb drive to another computer. You will not be able to open that file unless you import your certificate.

    Think about this way: If it did not work like this, then what's the point of encrypting the file in the first place? It would be no more secure than any non-encrypted file on your drive.

    So, in summary, it does not matter what drive the encrypted files are on, OS or otherwise. If the files are EFS encrypted, you are not getting access to them unless you are logged on with the account that is authorized via the certificate to decrypt those files.

    If you place EFS encrypted files on your OS drive, even if someone connects that drive to another computer, they ARE NOT getting access to those encrypted files.

    See this article, it specifically addresses that point:

    Encrypting File System - Wikipedia


  6. Posts : 1,254
    Windows 10 Pro
       #6

    The Encrypting File System was specifically designed for situations like that given.

    Encryption isn't like locking a door that can somehow be bypassed. Encryption scrambles the file contents and that is what makes the system secure. If the disk containing these files was taken to another computer with a Windows OS it would recognize the file as encrypted but without the encryption certificate of the account that encrypted them they would not be accessible. Even an account with the same name and password is an entirely different account and would have no access.

    If the disk was accessed with a Linux Live CD things are somewhat different, but not much better for the hacker. Linux doesn't understand the EFS so would be able to read the files. But they are still scrambled and useless to him.


  7. Posts : 6
    win 10 x64
    Thread Starter
       #7

    Thanks both.
    I tried accessing the files from a Linux live CD and of course they stayed encrypted. One thing less to worry about :)


  8. Posts : 3,796
    Windows 11 Pro, 22H2
       #8

    That was good thinking - a good test.


  9. Posts : 6
    win 10 x64
    Thread Starter
       #9

    hsehestedt said:
    That was good thinking - a good test.

    Yeah, also copying the file was disabled.


 
