Vista includes two encryption technologies: Encrypting File System (EFS) and BitLocker Drive Encryption. Some prior planning is required to implement either technology effectively.

EFS is designed so that it is not necessary to have a Certificate Authority (CA) on the network to use file encryption. If there is no CA, the EFS component issues a self-signed certificate to each user the first time that user requests to encrypt a file. There are, however, advantages to using a CA to create EFS certificates in a high-security or enterprise environment. It allows the network administrator to manage the certificates centrally, and using certificate services, you can revoke certificates and specify the length of time certificates are valid. It is also possible to set up computers as dedicated recovery computers and issue specific recovery certificates to them, instead of issuing the recovery certificate to the domain controller.

In a domain environment, a recovery policy is normally defined at the domain controller, and, by default, the domain administrator is the designated recovery agent. A recovery agent is issued a special recovery agent certificate that allows it to decrypt files that were encrypted by other users. There must be at least one recovery key configured on the system; otherwise, no one will be able to encrypt files, and any attempt to do so produces an error message.

When considering an EFS implementation as a part of your overall security infrastructure, also consider implementing roaming profiles. EFS works with a certificate and its associated public/private key pair. The certificate of the currently logged-in user is used to encrypt the file, and access to that certificate (and its private key) is required for successful decryption.

When running in an environment without roaming profiles, a user who encrypts files from different client computers will be unable to access those files from the other systems. For example, if the user encrypts a file named file1 on the server from the system Vista1, and encrypts a file named file2 from Vista2, the user will be unable to access file2 from Vista1 and vice versa. This could quickly become a significant problem for an organization.

When roaming profiles are used, users don’t experience such problems. Because the certificate is stored with the central profile, the same certificate will always be used for encryption regardless of which machine the user accesses.
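The following PowerShell script is an added check, not part of the original text, that makes the two situations above visible on a given machine: it lists the EFS certificates in the logged-on user's profile (flagging self-signed ones, which indicate no CA was used), and then asks `cipher /c` which certificates a file was encrypted to and whether any of them has a private key in this profile, which is exactly what fails when a user without a roaming profile moves between Vista1 and Vista2. It assumes the text layout that `cipher /c` prints ("Certificate thumbprint: XXXX XXXX ..." and "No recovery certificate found"); the file path is a parameter you supply.

```powershell
# Added example (not from the original text): inventory EFS certificates for the
# logged-on user and check whether a given encrypted file can be opened with one of them.
# Assumption: the 'cipher /c' output wording parsed below; adjust the regexes if it differs.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path   # an EFS-encrypted file to inspect
)

$efsOid = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID: Encrypting File System

# 1. EFS-capable certificates in the current user's personal store.
$efsCerts = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $eku = $_.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $efsOid })
}

foreach ($c in $efsCerts) {
    # Subject equal to Issuer means EFS generated a self-signed certificate, i.e. no CA was involved.
    $origin = if ($c.Subject -eq $c.Issuer) { 'self-signed (no CA)' } else { "issued by $($c.Issuer)" }
    $key    = if ($c.HasPrivateKey) { 'private key present' } else { 'PRIVATE KEY MISSING' }
    "{0}  {1}  {2}  {3}" -f $c.Thumbprint, $c.Subject, $origin, $key
}

# 2. Which certificates the file was encrypted to (users and recovery agents).
$info = cipher /c $Path 2>&1 | Out-String
$fileThumbs = [regex]::Matches($info, 'thumbprint:\s*([0-9A-Fa-f ]+)') |
    ForEach-Object { ($_.Groups[1].Value -replace '\s', '').ToUpper() }

# A thumbprint on the file is only useful if this profile holds the matching private key.
$usable = $fileThumbs | Where-Object {
    $t = $_
    $efsCerts | Where-Object { $_.Thumbprint -eq $t -and $_.HasPrivateKey }
}

if ($usable) {
    "OK: this profile holds a private key for $Path"
} else {
    "WARNING: none of the certificates on $Path has a private key in this profile."
    "If the file was encrypted from another computer without roaming profiles, this is the expected failure."
}
if ($info -match 'No recovery certificate found') {
    "WARNING: no recovery agent certificate on $Path; the file cannot be recovered if the user's key is lost."
}
```

Run it on each client as the affected user; a file that reports OK on Vista1 and WARNING on Vista2 is the roaming-profile problem described above, and the recovery-agent warning shows whether the domain recovery policy actually reached that file.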