Windows Encryption Software
Curtis Maurand
cmaurand at xyonet.com
Fri Dec 10 15:06:09 UTC 2010
On 12/10/2010 9:33 AM, Michael Holstein wrote:
>> After some research, I find that recovery of EFS (available for Win
>> 2000/2003/XP/Vista/7) encrypted files in the case of disaster can be
>> problematic. It has to do with keys, file ownerships, etc., etc.,
>> etc. Plan for disaster and know how to recover before you encrypt
>> with EFS.
> This is an interesting point .. it depends on what the "disaster" is
> that you plan for.
>
> In many cases, the "disaster" is the seizure or loss of the device, it
> which case it's appropriate NOT to have any method of key recovery. In a
> corporate context, it's debatable if key escrow and multikey methods
> mitigate the risk or compound it.
Good point, but I'm thinking in terms of failure of the machine that
physically houses the files. You and I both know that you're not going
to be able to replace server hardware with identical hardware and even
if you do, the Windows SID will change. Restoring the system state is
going to be a useless exercise. Therefore you will need the keys to
decrypt/re-encrypt the files on a new device after you restore from
backup. If the disk is lost or stolen, then hell no, I don't want the
thief to be able to restore the data.
All of this is moot if you're running in a virtual environment and you
have good snapshots/backups of your VM.
--Curtis
More information about the NANOG
mailing list