Encrypting File System - EFS
Introduced with Windows 2000 and improved with each release since, EFS provides strong encryption that is transparent in use. Encryption is a complex subject, and a full description of its theory and operation is beyond the scope of this article. Encryption is tricky to understand and set up on a network, but easy on a single PC. Depending on your business or personal life, it could be a must-have.
Encryption can be set on a file-by-file basis, or on an entire folder, with inheritance for any new files created in it. It cannot be used in conjunction with compression. Here's how to enable basic encryption: in Explorer, right-click a file or folder and select Properties, General, Advanced, Encrypt contents to secure data. Once encrypted, the file or folder appears in Explorer in green text. On a single PC, only someone logged in as you can decrypt the file, and while you are logged in the file decrypts transparently. On an Active Directory domain, encryption can involve trusted servers, trusted users, recovery agents, certificates, password policies, and multiple encryption algorithms. It's complicated.
In addition to encryption, you should set your file permissions appropriately. Make sure an intruder can't read or delete your encrypted files.
Some problems with EFS:
- The first problem with encryption is that if you lose your key or password, you can say goodbye to all your encrypted files. When done correctly, passwords take too long to crack.
- If you use an obvious or guessable password an intruder can guess it and decrypt your files.
- If your PC is not on a domain and someone gets physical access to it, it's very simple to reset your Windows password and log in.
- If you copy an encrypted file to a non-NTFS partition, the copy is written unencrypted. This can happen when copying to a floppy, to a USB drive, or to a rewriteable CD-RW.
- If a recovery agent's private key is not archived and removed from the recovery agent's profile, an intruder can log in to the recovery agent's account and decrypt any encrypted files.
- EFS won't protect your whole disk if your laptop is stolen. For that, take a look at Bitlocker.
- EFS is not available on Home, Starter, or Basic versions of Windows.
And yes, Sysinternals has a utility that inspects an encrypted file and tells you who else has access to it: EFSDump.
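The two checks above (encrypted files end up in the clear on a non-NTFS volume, and EFS does not stop deletion, so permissions still matter) as an added PowerShell example that is not part of the original article. It assumes a local drive letter path; $Root is an assumed location.

```powershell
# Added example, not from the original article: audit EFS-encrypted files under a folder.
# It warns when the volume is not NTFS (a copy there is stored in the clear) and flags
# broad ACL entries that allow Delete or Write, because EFS prevents reading, not deletion.
# Assumes a local drive-letter path (System.IO.DriveInfo does not accept UNC roots).
function Get-EfsAudit {
    param([Parameter(Mandatory = $true)][string]$Path)

    $rootPath = [System.IO.Path]::GetPathRoot((Resolve-Path -LiteralPath $Path).Path)
    $drive = New-Object System.IO.DriveInfo($rootPath)
    if ($drive.DriveFormat -ne 'NTFS') {
        Write-Warning "$rootPath is $($drive.DriveFormat), not NTFS: EFS is unavailable and encrypted files copied here are stored unencrypted."
    }

    # Principals whose write or delete access on an encrypted file deserves a second look.
    $broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    $risky = [System.Security.AccessControl.FileSystemRights]'Delete, Write, Modify, FullControl'

    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0 } |
        ForEach-Object {
            $file = $_
            $acl  = Get-Acl -LiteralPath $file.FullName
            $weak = @($acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $broad -contains $_.IdentityReference.Value -and
                (($_.FileSystemRights -band $risky) -ne 0)
            })
            [pscustomobject]@{
                File    = $file.FullName
                Owner   = $acl.Owner
                WeakAcl = ($weak | ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }) -join '; '
            }
        }
}

$Root = Join-Path $env:USERPROFILE 'Documents'   # assumed starting folder
Get-EfsAudit -Path $Root | Format-Table -AutoSize
```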
Advanced Format Drives
What about these new Advanced Format disk drives with 4096-byte sectors? How does NTFS deal with them? The new AF disks are faster, bigger, and more reliable, and have 4096-byte sectors instead of the traditional 512-byte sectors. The chances are pretty good there will be one in a future PC you own. Microsoft started planning for these disks when Vista was being developed, so Vista and Windows 7 know what to do with AF disks. Windows XP and previous versions of Windows do not. 512-byte sectors fit evenly into 4096-byte sectors, and these disks provide 512-byte emulation for compatibility with older operating systems. The problem arises when a partition is created that does not align to a 4096-byte boundary. This alignment problem results in much slower performance on your Windows XP system. It can be avoided by using the utilities that come with the new disks: Seagate has SmartAlign and Western Digital has WD Align. Advanced Format is faster, bigger, and better.
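A way to check for the misalignment just described, as an added example that is not part of the original article. It uses the Win32_DiskPartition WMI class, which exists on Windows XP; the sample offsets are constructed.

```powershell
# Added example, not from the original article: report whether each partition starts on a
# 4096-byte boundary, which is what an Advanced Format (512-byte emulation) drive needs to
# avoid the slowdown described above. Written for PowerShell 2.0 so it also runs on XP.
function Test-PartitionAlignment {
    param([uint64]$StartingOffset, [uint32]$PhysicalSectorSize = 4096)
    New-Object PSObject -Property @{
        StartingOffset = $StartingOffset
        Aligned        = (($StartingOffset % $PhysicalSectorSize) -eq 0)
    }
}

# Constructed sample offsets: the Windows XP default starts the first partition at logical
# sector 63 (63 * 512 = 32256 bytes, not a multiple of 4096); Vista and later start at
# 1 MiB (logical sector 2048), which is a multiple of 4096.
Test-PartitionAlignment -StartingOffset (63 * 512)
Test-PartitionAlignment -StartingOffset (2048 * 512)

# The same check against the live partition table of this machine.
Get-WmiObject -Class Win32_DiskPartition | ForEach-Object {
    $r = Test-PartitionAlignment -StartingOffset $_.StartingOffset
    New-Object PSObject -Property @{
        Partition      = $_.DeviceID
        DiskIndex      = $_.DiskIndex
        StartingOffset = $r.StartingOffset
        Aligned4K      = $r.Aligned
    }
} | Format-Table -AutoSize
```

A partition that reports Aligned4K as False on an AF drive is the case the vendor alignment utilities exist to fix.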
Transactional NTFS (TxF)
With Windows Server 2008 came a feature called Transactional NTFS, or TxF. TxF allows file system operations to be performed in groups as transactions, as in databases. This is important when you have a set of updates that must be performed as "all or nothing". Consider the situation where you need to update a set of data files that depend on each other: you can't update one without updating all of them. Updating all of them or none of them is a transaction. A transaction generally has a start, an end, and a commit or rollback. The commit completes the transaction, and the rollback undoes every operation in the transaction if they can't all be completed.
Sounds like it would be pretty cool for scripting installs, web changes, document files, and all sorts of stuff, right? Too bad, because it's only available through API calls and through PowerShell's access to the registry. That means if you want TxF functionality, you have to code it yourself. The API includes CreateFileTransacted, DeleteFileTransacted, CommitTransaction, RollbackTransaction and more than a dozen other transaction calls.
Until more utilities and applications are released that are transaction-aware, TxF is useful mostly to developers. And TxF only runs on partitions built with SCSI and Fibre Channel disks.
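The API calls named above, reached from PowerShell through P/Invoke, as an added example that is not part of the original article. A file is written inside a transaction and then either rolled back, after which it does not exist, or committed, after which it does; the target path under $env:TEMP is an assumption.

```powershell
# Added example, not from the original article: CreateTransaction, CreateFileTransacted,
# CommitTransaction and RollbackTransaction called via P/Invoke (ktmw32.dll, kernel32.dll).
# Requires an NTFS volume. The target file path is an assumption.
Add-Type -Namespace Win32 -Name Txf -MemberDefinition @'
[DllImport("ktmw32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr CreateTransaction(IntPtr attrs, IntPtr uow, uint options,
    uint isolationLevel, uint isolationFlags, uint timeout, string description);
[DllImport("ktmw32.dll", SetLastError = true)]
public static extern bool CommitTransaction(IntPtr tx);
[DllImport("ktmw32.dll", SetLastError = true)]
public static extern bool RollbackTransaction(IntPtr tx);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr h);
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern Microsoft.Win32.SafeHandles.SafeFileHandle CreateFileTransacted(
    string path, uint access, uint share, IntPtr sec, uint disposition, uint flags,
    IntPtr template, IntPtr tx, IntPtr miniVersion, IntPtr extended);
'@

function Invoke-TransactedWrite {
    param([string]$Path, [string]$Text, [switch]$Commit)
    $tx = [Win32.Txf]::CreateTransaction([IntPtr]::Zero, [IntPtr]::Zero, 0, 0, 0, 0, 'demo')
    if ($tx.ToInt64() -eq -1) { throw (New-Object ComponentModel.Win32Exception) }  # INVALID_HANDLE_VALUE
    try {
        $GENERIC_WRITE = 0x40000000; $CREATE_ALWAYS = 2; $FILE_ATTRIBUTE_NORMAL = 0x80
        $h = [Win32.Txf]::CreateFileTransacted($Path, $GENERIC_WRITE, 0, [IntPtr]::Zero,
            $CREATE_ALWAYS, $FILE_ATTRIBUTE_NORMAL, [IntPtr]::Zero, $tx, [IntPtr]::Zero, [IntPtr]::Zero)
        if ($h.IsInvalid) { throw (New-Object ComponentModel.Win32Exception) }
        $stream = New-Object System.IO.FileStream($h, [System.IO.FileAccess]::Write)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.Write($Text)
        $writer.Dispose()   # closes the transacted handle; the write is still only visible inside the transaction
        if ($Commit) { [void][Win32.Txf]::CommitTransaction($tx) }
        else         { [void][Win32.Txf]::RollbackTransaction($tx) }
    } finally {
        [void][Win32.Txf]::CloseHandle($tx)
    }
    Test-Path -LiteralPath $Path   # non-transacted callers see the file only once it is committed
}

$target = Join-Path $env:TEMP 'txf-demo.txt'
Remove-Item -LiteralPath $target -ErrorAction SilentlyContinue
"Rolled back, file exists: $(Invoke-TransactedWrite -Path $target -Text 'draft')"
"Committed, file exists: $(Invoke-TransactedWrite -Path $target -Text 'final' -Commit)"
```

Microsoft has since marked TxF as deprecated (from Windows 8 onward it may be removed in a future release), so treat it as a legacy interface rather than something to build new tooling on.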
What Could Have Been - WinFS
Imagine if a file system could have a built-in database. Imagine if every application that needed to store and search data didn't have to write its own database, but could use a standard API. Your MP3 collection could always be clean and up to date. Your movie and video collection would be easy to back up and view. Finding photos you took years ago would be easy as pie. What if emails were stored directly in the file system instead of in PST files and could be accessed by other applications?
WinFS was the answer to adding real database functions to the file system. It was intended to provide a flexible and efficient API based on real database technologies. It was both a new file system and an extension of NTFS, and it was intended for the Longhorn release of Vista. WinFS was to be implemented through .NET objects and accessed with T-SQL. A specific file, such as an MP3, would be able to appear in, and be updated from, multiple places via a database view. WinFS would be able to synchronize changes to data across multiple systems using database replication. Updating file metadata for a particular file type would be done robustly using database functions.
WinFS promised fast, clean, orthogonal data access to users who were drowning in data.
But it was not to be. WinFS was released as Beta 1 in September 2005. Beta 2 was canceled in June of 2006. No explanation was publicly given, but a likely factor was the delay in getting Vista released. Vista was years behind schedule: originally targeted for release in late 2003, it didn't ship until January of 2007. WinFS was likely sacrificed to get a ship date for Vista.