Re: EFS
- From: "Miha Pihler [MVP]" <mihap-news@xxxxxxxxxxx>
- Date: Thu, 27 Oct 2005 08:29:17 +0200
Hi Tim,
You can export the private key from the user's profile (if the key was marked as
exportable when it was installed or imported into the user's profile). If you can
export it -- then you can import it on another computer...
What you can't do is currently use e.g. smart cards for EFS implementations.
From reading your scenario it seems to me you will have a lot of trouble
implementing this. EFS encrypted files are usually used by one person -- or a
small group of people (e.g. a project team). This could be done if you are
using Windows XP, since it allows other people to open the file with their
_own_ private key. The problem with this is that there is no easy way of
managing this if there are a lot of users...
A much better solution to your problem would be the use of Windows Rights
Management Services (RMS)...
Windows Rights Management Services
http://www.microsoft.com/windowsserver2003/technologies/rightsmgmt/default.mspx
Let me know if you have any more questions on this.
--
Mike
Microsoft MVP - Windows Security
"timB" <timB@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:2D7B09F4-F388-4F26-9186-4685F72B6733@xxxxxxxxxxxxxxxx
> Hi,
>
> Thanks for your reply again. So you are not presently able to export the
> private keys into a user profile?
>
> We are trying to find a solution where all users (that are members of our
> domain) will be able to access encrypted data.
>
> For example; if we store data on a USB storage device, we want to allow all
> domain users to be able to access that data. However, if this USB device is
> picked up by a user that is not part of our organisation, we do not want them
> to be able to access this data.
>
> P.S. I have formatted the USB drive into NTFS
>
> Thanks,
>
> Tim
>
>
> "Miha Pihler [MVP]" wrote:
>
>> Hi,
>>
>> Right now there is no such system. There should be one in the next version of
>> the operating system (Vista and Longhorn) where you will be able to have the
>> private key (used for decryption) on a smart card. Note that a solution with
>> smart cards requires additional hardware such as smart card readers and of
>> course smart cards.
>>
>> Can you describe a bit more the nature of your users' work? Why do they need
>> access to EFS encrypted files from more than one PC?
>>
>> Note: EFS only works on NTFS. If your USB device is formatted as FAT or FAT32
>> and you copy documents to it, the documents will first be decrypted and then
>> copied to the USB device where they will be stored unencrypted...
>>
>> --
>> Mike
>> Microsoft MVP - Windows Security
>>
>> "timB" <timB@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:5FFDE806-82D8-4EFD-B6D4-E01061DA8957@xxxxxxxxxxxxxxxx
>> > Hi Mike,
>> >
>> > Thanks for your help. One further question: is there any way that the
>> > following can be implemented / have you seen any Microsoft documentation?
>> >
>> > "If you go to another computer there is no way for the private key to be
>> > there unless you exported it on the first computer and imported it on the
>> > next one."
>> >
>> > Thanks again,
>> >
>> > Tim
>> >
>> > "Miha Pihler [MVP]" wrote:
>> >
>> >> No. What you see is the expected result (as you describe it).
>> >>
>> >> Besides having the document on USB -- you must also bring along the private
>> >> key of the "test" user that is stored in the "test" user profile on the
>> >> first computer -- where the document was first encrypted.
>> >>
>> >> If you go to another computer there is no way for the private key to be
>> >> there unless you exported it on the first computer and imported it on the
>> >> next one.
>> >>
>> >> --
>> >> Mike
>> >> Microsoft MVP - Windows Security
>> >>
>> >>
>> >> "timB" <timB@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> news:9C4EB5C6-AA27-471C-A145-5359E76ED5D8@xxxxxxxxxxxxxxxx
>> >> > I have just implemented an Enterprise Root CA server and I have been
>> >> > looking into EFS. However, if I encrypt (using EFS) a USB device on one
>> >> > machine logged in as a user 'test', I then go to another machine and
>> >> > insert the USB device. I login as 'test' again; I would have thought that
>> >> > I should still be able to access the media, although I can't? Is the
>> >> > configuration of my CA incorrect?
>> >> >
>> >> > Thanks
>> >>
>> >>
>> >>
>>
>>
>>
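The thread's advice boils down to two checks before relying on EFS on a removable drive: the user's EFS private key must have been marked exportable (or it cannot be carried to the second PC), and the drive must be NTFS (or copies land on it decrypted). The PowerShell below is an added example, not code from the thread or from Microsoft; it assumes Windows 8 / Server 2012 or later with the PKI module available, and the function names and the drive letter 'E' are my own choices.

```powershell
# Added example: report EFS certificates and key exportability in the current
# user's profile store, export one to PFX for the second PC, and confirm the
# target drive is NTFS. Assumes Windows 8+/Server 2012+ with the PKI module.
$EfsEku = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID: Encrypting File System

function Get-EfsCertificate {
    # EFS certificates with a private key in Cert:\CurrentUser\My, plus export status.
    Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $EfsEku)
    } | ForEach-Object {
        $exportable = 'unknown'
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($_)
            if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $exportable = $rsa.CspKeyContainerInfo.Exportable     # legacy CAPI key container
            } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
                $policy = $rsa.Key.ExportPolicy                       # CNG key export policy flags
                $exportable = ($policy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0
            }
        } catch { }   # key not openable (e.g. missing key file): leave 'unknown'
        [pscustomobject]@{ Thumbprint = $_.Thumbprint; Subject = $_.Subject
                           NotAfter = $_.NotAfter; Exportable = $exportable }
    }
}

function Export-EfsCertificate {
    # Writes certificate + private key to a password-protected PFX for import on
    # the second PC (use Import-PfxCertificate -Exportable there if it must move again).
    param([string]$Thumbprint, [string]$PfxPath, [securestring]$Password)
    $cert = Get-Item -Path "Cert:\CurrentUser\My\$Thumbprint"
    # Fails when the key was not marked exportable at enrolment or import time.
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password
}

function Test-EfsVolume {
    # EFS needs NTFS; documents copied to FAT/FAT32 are stored decrypted.
    param([string]$DriveLetter)
    $drive = New-Object System.IO.DriveInfo($DriveLetter)
    if ($drive.DriveFormat -ne 'NTFS') {
        Write-Warning "$DriveLetter is $($drive.DriveFormat): files copied here are stored unencrypted."
        return $false
    }
    $encrypted = Get-ChildItem -Path $drive.RootDirectory -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0 }
    Write-Host "$DriveLetter is NTFS; $($encrypted.Count) EFS-encrypted file(s) found."
    return $true
}

Get-EfsCertificate | Format-Table -AutoSize
Test-EfsVolume -DriveLetter 'E'
```

An entry reporting Exportable = False is the case Mike describes: the key cannot leave that profile, so a new EFS certificate with an exportable key has to be issued before the export/import approach can work.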