(See "Understand Private/Public Key Encryption,"
later in this chapter.) Therefore, the owner with her or his private key matching the public
key is the only one who can open the encrypted file, except for the recovery administrator.
When the file is created or re-created and a symmetric key is made, the key is actually
encrypted twice, once for the owner and once for the recovery administrator. Then if the
need arises, the recovery administrator can use his or her private key to decrypt the file.
The encrypted symmetric key is stored as a part of the file. When an application requests
the file, NTFS goes and gets it, sees that the file is encrypted, and calls EFS. EFS
works with the security protocols to authenticate the user, use his or her private key to
decrypt the file, and pass an unencrypted file to the calling application, all in the background,
without any outward sign that it is taking place. The encryption and decryption
routines are so fast that on most computers that can run Windows Server 2008, you seldom
notice the added time.
552 Microsoft Windows Server 2008: A Beginner's Guide
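To make the "encrypted twice" idea concrete, the following Go program is an added illustration, not code from the book or from Windows. It models the layout the text describes: a random symmetric file key encrypts the contents, and that key is then wrapped with the owner's public key and again with the recovery administrator's public key, so either private key (and only those) recovers the file. The algorithm choices (AES-256-GCM, RSA-OAEP), the recipient labels and the sample file contents are constructed for the example; EFS's real algorithms and on-disk format differ.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptedFile models a stored encrypted file: the ciphertext plus one
// wrapped copy of the file key per party allowed to open it (owner and
// recovery administrator in the text's scenario).
type EncryptedFile struct {
	Nonce       []byte
	Ciphertext  []byte
	WrappedKeys map[string][]byte // recipient label -> RSA-OAEP wrapped file key
}

// Encrypt generates a fresh symmetric file key, encrypts data with it, and
// wraps the key once for every recipient public key supplied.
func Encrypt(data []byte, recipients map[string]*rsa.PublicKey) (*EncryptedFile, error) {
	fileKey := make([]byte, 32) // constructed per-file AES-256 key
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ef := &EncryptedFile{
		Nonce:       nonce,
		Ciphertext:  gcm.Seal(nil, nonce, data, nil),
		WrappedKeys: make(map[string][]byte, len(recipients)),
	}
	// The same file key is wrapped separately for each recipient; the label is
	// bound into the OAEP encoding so a wrapped copy cannot be swapped between slots.
	for label, pub := range recipients {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, []byte(label))
		if err != nil {
			return nil, err
		}
		ef.WrappedKeys[label] = wrapped
	}
	return ef, nil
}

// Decrypt unwraps the file key with one party's private key and decrypts the
// contents. A private key that does not match a wrapped copy fails to unwrap.
func Decrypt(ef *EncryptedFile, label string, priv *rsa.PrivateKey) ([]byte, error) {
	wrapped, ok := ef.WrappedKeys[label]
	if !ok {
		return nil, errors.New("no wrapped key stored for " + label)
	}
	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, []byte(label))
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

func main() {
	owner, _ := rsa.GenerateKey(rand.Reader, 2048)
	agent, _ := rsa.GenerateKey(rand.Reader, 2048)
	ef, err := Encrypt([]byte("constructed sample file contents"), map[string]*rsa.PublicKey{
		"owner":          &owner.PublicKey,
		"recovery-agent": &agent.PublicKey,
	})
	if err != nil {
		panic(err)
	}
	fmt.Printf("file key wrapped %d times\n", len(ef.WrappedKeys))
	plain, err := Decrypt(ef, "recovery-agent", agent)
	fmt.Printf("recovery agent decrypts: %q (err=%v)\n", plain, err)
}
```

The recovery path is simply a second wrapped copy of the same key: it adds no weakness to the symmetric encryption itself, but it does mean the recovery administrator's private key must be guarded as carefully as the owner's, since either one opens every file it is wrapped for.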
TIP Because many applications save temporary and secondary files during normal execution, it is
recommended that folders rather than files be the encrypting container. If an application is then told to
store all files in that folder where all files are automatically encrypted upon saving, security is improved.