All versions of Windows 2000 support the Encrypted File System (EFS), an extension to NTFS that allows users to encrypt files on-disk. EFS uses system-level certificates to encrypt the data. However, the algorithms used in these encryption certificates vary with each version of Windows 2000 (including XP and Windows .NET Server 2003).
Because of this, there can be problems decrypting EFS-stored files across versions of Windows. For instance, if you create an EFS file on Windows .NET Server 2003 or Windows XP with Service Pack 1 or later installed, and then try to view it using Windows 2000 (any version) or Windows XP with no service packs installed (the "RTM" version), the file may appear to be garbled or damaged. If you attempt to decrypt such a file completely, it may be irreversibly destroyed.
The reason for this is simple. Windows XP Service Pack 1 and Windows .NET Server 2003 use an algorithm for encryption known as AES (Advanced Encryption Standard). Windows 2000 and Windows XP RTM cannot use the AES algorithm, and therefore cannot access these files. This may become a problem if you are using EFS in a strongly heterogeneous environment -- i.e., many Windows 2000 and XP computers.
One way to get around this is to force Windows XP to use a downwardly-compatible encryption standard, or to use a third-party product that supports the same encryption standards across multiple platforms. The first option is a little easier to implement, since it involves making a Registry change in XP that can be rolled out to target systems as a .REG file, but it requires that all existing encrypted files on those systems be decrypted first.
To force Windows XP to use an earlier encryption standard:
- Decrypt any encrypted files.
- Open the Registry and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS.
- Add a REG_DWORD value named AlgorithmID.
- Set the value of AlgorithmID to one of the following (all values are in hex):
0x6604: Use the DESX algorithm, which is compatible with all versions of Windows 2000 and Windows XP.
0x6603: Use the 3DES algorithm, which is compatible with all versions of Windows XP and .NET Server.
0x6610: Use the AES 256-bit algorithm (the default value, which is only compatible with Windows XP SP1 or higher).
- Restart the computer and re-encrypt the files.
Aside from using a new encryption standard, the newer EFS encryption uses a slightly different encryption strategy. The key created by EFS is itself encrypted using the public keys for the user encrypting the files as well as anyone else who is permitted to access the file or behave as a recovery agent for it. This way, an original unencrypted copy of the key is not accessible.
Serdar Yegulalp is the editor of the Windows 2000 Power Users Newsletter. Check out his Windows 2000 blog for his latest advice and musings on the world of Windows network administrators – please share your thoughts as well!
This was first published in November 2003