Using a Certificate Authority for the Encrypting File Service

ID: Q223338


The information in this article applies to:
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional


SUMMARY

The Encrypting File System (EFS) is a feature of Windows 2000 that allows users to encrypt data directly on volumes that use the NTFS file system. It operates by using certificates based on the X.509 standard. If no Certificate Authority (CA) is available from which to request certificates, the EFS subsystem automatically generates its own self-signed certificates for users and default recovery agents.

There are several circumstances in which an organization may want to implement Certificate Authorities, as opposed to allowing EFS to generate its own self-signed certificates.


MORE INFORMATION

The following are some reasons why an organization might want to use a Certificate Authority for EFS certificate generation:

  • More flexible EFS recovery management. With a Certificate Authority infrastructure, it is possible for an organization to issue specific recovery certificates for dedicated recovery computers, rather than to domain controllers.


  • Centralized certificate management. Administrators can control the lifetime of issued EFS certificates, and can publish certificate revocation lists to control how long recovery certificates are valid.


  • Scalability. Certificate Authorities can be distributed throughout an organization, providing their own set of templates that define the types of certificates that can be issued at each level.


For additional information about EFS, see the "Encrypting File System for Windows 2000 Server Technical Overview" on the following Microsoft Web site:
http://www.microsoft.com/NTServer/windowsnt5/exec/feature/EncryptFile.asp

Keywords : kbenv ntsecurity
Version : WINDOWS:2000
Platform : WINDOWS
Issue type : kbinfo


Last Reviewed: December 29, 1999
© 2000 Microsoft Corporation. All rights reserved.