In Part II of this series, you learned how to encrypt files in Vista and verify that users are unable to open the encrypted files. An important point to keep in mind is that although a user is unable to open the file, that user can still delete it. You might be confused as to how this is possible.
Here is the answer: The user has full share and NTFS permissions to the file. These permissions include reading, modifying, and deleting the file. If the user does not try to open the file, the EFS subsystem isn’t required. If the user tries to open the file, the EFS subsystem intervenes and denies access. But users can simply delete the file, which they have rights to do as defined by the NTFS permissions. Remember, file encryption is used to protect the contents of a file from prying eyes. It is not designed to protect the file itself. That’s why a properly designed share and NTFS structure is still critical even when using EFS.
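To see where this gap exists on a volume, the following added audit script (not part of the original article) lists EFS-encrypted files together with the identities whose NTFS ACEs still allow deletion, either on the file itself or through the parent folder. It assumes PowerShell 3.0 or later; the `$Root` path and the function name are placeholders chosen for illustration, and the script reads ACEs as written without expanding group membership or share permissions.

```powershell
# Added example: report who can delete EFS-encrypted files under $Root.
param([string]$Root = 'C:\Shares\Finance')   # placeholder path, not from the article

$Delete      = [System.Security.AccessControl.FileSystemRights]::Delete
$DeleteChild = [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles

# Identities holding an Allow ACE that includes $Right on $Path,
# minus any identity that also has a Deny ACE for the same right.
function Get-PrincipalsWithRight {
    param(
        [string]$Path,
        [System.Security.AccessControl.FileSystemRights]$Right
    )
    $aces = @((Get-Acl -LiteralPath $Path).Access)
    $matching = @($aces | Where-Object {
        ([int]$_.FileSystemRights -band [int]$Right) -ne 0
    })
    $denied = @($matching |
        Where-Object { $_.AccessControlType -eq 'Deny' } |
        ForEach-Object { $_.IdentityReference.Value })
    $matching |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { $_.IdentityReference.Value } |
        Where-Object { $denied -notcontains $_ } |
        Sort-Object -Unique
}

$encrypted = [int][System.IO.FileAttributes]::Encrypted

Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { ([int]$_.Attributes -band $encrypted) -ne 0 } |
    ForEach-Object {
        [pscustomobject]@{
            File            = $_.FullName
            # Delete right granted directly on the encrypted file
            DeleteOnFile    = (Get-PrincipalsWithRight $_.FullName $Delete) -join '; '
            # Right on the folder that permits deleting its children
            DeleteViaParent = (Get-PrincipalsWithRight $_.DirectoryName $DeleteChild) -join '; '
        }
    }
```

Any identity listed for a file can remove it without ever touching the EFS subsystem, so entries that should not have that ability point to NTFS permissions that need tightening.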
In Vista, multiple users can be granted rights to read and modify encrypted files. Right-click the encrypted file that you want to share and click Properties. From the General tab, click the Advanced button. From the Advanced Attributes dialog box, click the Details button. Click the Add button. Select the user to whom you want to grant access to the encrypted file. Click OK. Once the appropriate user has been granted permission, they will be able to open the file.
When an encrypted file is moved or copied from its source location to a new location, it is first decrypted. But this isn’t a hole in the security scheme. To copy or move an encrypted file, you must have the ability to open the encrypted file. In fact, even if a user has NTFS rights but doesn’t have rights to decrypt the file, he or she will be greeted with an error message.