EFS is primarily intended to protect the file system on a computer that is not physically secure. For example, a server kept behind locked doors that has no removable storage devices is not a likely candidate for EFS, as someone would have to break into your server room, remove the drive(s), and get out without being caught if they wanted to steal the information on the drives (assuming you’ve protected the data adequately from network-borne attacks). Systems that are physically insecure, however, are a candidate for EFS.
For example, any notebook that contains company-sensitive data should use encryption to protect its contents. Consider the thefts in recent years of notebook computers (many of which contained sensitive information) from government employees in public airports and even government offices, and you can appreciate the need to protect your own portable data.
Protecting notebooks is just one use for EFS. Desktop systems that are publicly accessible, such as those in public offices, courtrooms, government offices, and other locations where the public has access to systems and where the systems contain sensitive or private information, should be protected by EFS to prevent data theft and the potential embarrassment, legal trouble, or even loss of business that could ensue. In the server realm, removable storage devices such as Storage Area Network (SAN) devices that contain sensitive data should be protected through encryption. It only takes one unscrupulous or disgruntled employee to hand a drive over to your competition to destroy your company.
Encrypting individual files is certainly a start, but it doesn’t really provide the level of security you might need. Applications typically create temporary files containing at least portions of a document, and if those files are not protected by encryption, they pose a security risk. So, rather than relying on file-by-file encryption (whether with a third-party tool or by encrypting individual files with EFS), you need a solution that automatically encrypts and decrypts every file in an entire folder or volume. EFS does just that: mark a folder as encrypted, and files created in it later, including an application’s temporary files, are encrypted as well.
So how do these two technologies work together? EFS comes into play after Windows boots up, while BitLocker works before Windows and seamlessly operates beneath the operating system. EFS works at the file system level and encrypts at the file level based on user permissions and PKI-protected session keys; BitLocker is a low-level mechanism that encrypts an entire volume and is oblivious to the concept of users and PKI. This means that EFS offers high-level manageability, while BitLocker operates at a low level without the manageability features, but it can protect those spots EFS can’t. Files encrypted by EFS can’t be cracked, although the filename and directory structure are not protected. The Windows partition encrypted by BitLocker is completely scrambled, so you can’t even tell what the filename and directory structure is.
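The two passages above (folder-level EFS so that temporary files are covered, and BitLocker as the volume layer underneath) can be checked from one script. The following PowerShell is an added example written for this page, not code from the original text: it audits a sensitive folder for files stored in the clear, optionally marks the folder encrypted with the built-in `cipher.exe` so that files created there later are encrypted automatically, and then reports the BitLocker state of the volume that holds the folder. It assumes a Windows host with EFS available, the BitLocker PowerShell module installed, and an elevated session; the folder path is a placeholder.

```powershell
# Added example, not part of the original article. Assumes Windows with EFS,
# the BitLocker module (Get-BitLockerVolume), and an elevated session.
# $SensitiveFolder is a placeholder path; replace it with a real folder.
param(
    [string]$SensitiveFolder = 'C:\Users\Alice\Documents\Contracts',
    [switch]$Enforce
)

# True when the NTFS "Encrypted" attribute is set on the file or folder.
function Test-EfsEncrypted {
    param([string]$Path)
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    return [bool]($attrs -band [System.IO.FileAttributes]::Encrypted)
}

# 1. Audit: list every file under the folder (hidden temp files included,
#    hence -Force) that is not EFS-encrypted.
$clear = @(Get-ChildItem -LiteralPath $SensitiveFolder -Recurse -File -Force |
    Where-Object { -not (Test-EfsEncrypted $_.FullName) })

if ($clear.Count -gt 0) {
    Write-Warning ("{0} file(s) under {1} are stored in the clear:" -f $clear.Count, $SensitiveFolder)
    $clear | ForEach-Object { Write-Warning ("  " + $_.FullName) }
} else {
    Write-Host "All files under $SensitiveFolder are EFS-encrypted."
}

# 2. Enforce (optional): mark the folder tree encrypted. /e encrypts, /s:dir
#    recurses into subfolders, /a applies to existing files as well as folders.
#    Once the folder carries the attribute, new files an application drops
#    there (temporary files among them) inherit it automatically.
if ($Enforce) {
    if (-not (Test-EfsEncrypted $SensitiveFolder)) {
        & cipher.exe /e "/s:$SensitiveFolder" /a | Out-Null
    }
    if (Test-EfsEncrypted $SensitiveFolder) {
        Write-Host "Folder $SensitiveFolder is now marked for EFS encryption."
    } else {
        Write-Warning "Could not enable EFS on $SensitiveFolder (not NTFS, or EFS disabled by policy?)."
    }
}

# 3. Report the volume-level (pre-boot) layer: is the drive under this folder
#    protected by BitLocker? EFS hides file contents but not names or the
#    directory tree; BitLocker covers the whole volume including those.
$mountPoint = Split-Path -Qualifier $SensitiveFolder      # e.g. "C:"
$vol = Get-BitLockerVolume -MountPoint $mountPoint -ErrorAction SilentlyContinue
if ($null -eq $vol) {
    Write-Warning "BitLocker status for $mountPoint is unavailable (module missing or not elevated)."
} else {
    Write-Host ("BitLocker on {0}: protection {1}, status {2}, {3}% encrypted, method {4}" -f
        $mountPoint, $vol.ProtectionStatus, $vol.VolumeStatus,
        $vol.EncryptionPercentage, $vol.EncryptionMethod)
    if ($vol.ProtectionStatus -ne 'On') {
        Write-Warning "Volume $mountPoint is not BitLocker-protected; filenames and directory structure are readable offline."
    }
}
```

Run the audit as the user who owns the documents, because EFS encrypts with the certificate of the account that sets the attribute; running it under a service account would leave the files unreadable to the intended user. Use `-Enforce` only after the audit output looks right, and treat a `ProtectionStatus` of `Off` as a finding in its own right, since EFS alone leaves the directory structure and filenames visible to anyone who removes the drive.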