Encrypting File System - New Features Available By Windows Version

New Features Available By Windows Version

Windows XP

• Encryption of the Client-Side Cache (Offline Files database)
• Protection of DPAPI Master Key backup using domain-wide public key
• Autoenrollment of user certificates (including EFS certificates)
• Multiple-user (shared) access to encrypted files (on a file-by-file basis) and revocation checking on certificates used when sharing encrypted files
• Encrypted files can be shown in an alternate color (green by default)
• No requirement for mandatory Recovery Agent
• Warning when files may be getting silently decrypted when moving to an unsupported file system
• Password reset disk
• EFS over WebDAV and remote encryption for servers delegated in Active Directory

Windows XP SP1

• Support for and default use of AES-256 symmetric encryption algorithm for all EFS-encrypted files

Windows XP SP2 + KB 912761

• Prevent enrollment of self-signed EFS certificates

Windows Server 2003

• Digital Identity Management Service
• Enforcement of RSAKeyLength setting for enforcing a minimum key length when enrolling self-signed EFS certificates

Windows Vista and Windows Server 2008

• Per-user encryption of Client-Side Cache (Offline Files)
• Support for storing (user or DRA) RSA private keys on a PC/SC smart card
• EFS Re-Key Wizard
• EFS Key backup prompts
• Support for deriving DPAPI Master Key from PC/SC smart card
• Support for encryption of pagefile.sys
• Protection of EFS-related secrets using BitLocker (Enterprise or Ultimate edition of Windows Vista)
• Group Policy controls to enforce:
  • Encryption of Documents folder
  • Offline files encryption
  • Indexing of encrypted files
  • Requiring smart card for EFS
  • Creating a caching-capable user key from smart card
  • Displaying a key backup notification when a user key is created or changed
  • Specifying the certificate template used for enrolling EFS certificates automatically

Windows Server 2008

• EFS self-signed certificates enrolled on the Windows Server 2008 server will default to 2048-bit RSA key length
• All EFS templates (user and data recovery agent certificates) default to 2048-bit RSA key length

Windows 7 and Windows Server 2008 R2

• Elliptic-curve cryptographic algorithms (ECC). Windows 7 supports a mixed mode operation of ECC and RSA algorithms for backward compatibility
• EFS self-signed certificates, when using ECC, will use 256-bit key by default.
• EFS can be configured to use 1K/2k/4k/8k/16k-bit keys when using self-signed RSA certificates, or 256/384/512-bit keys when using ECC certificates.