If you can’t share files that have multiple Encrypting File System (EFS) certificates in Windows 10, this post may help you. The Encrypting File System (EFS) lets users encrypt files and folders, as well as entire data volumes formatted with NTFS. NTFS lets you set permissions on files and folders on an NTFS-formatted volume that control access to them; EFS lets you additionally encrypt those files and folders to further improve their security.
EFS uses industry-standard algorithms and public key cryptography to provide strong encryption, so encrypted files stay confidential to anyone who does not hold the key. Even though NTFS authentication and file permissions are intended to protect confidential data, you can use EFS to add an additional layer of security.
EFS encrypts data as it is written to disk, and when a user opens a file, EFS decrypts it as the data is read from disk. The process is transparent to users, who need to take no action to initiate EFS encryption and decryption.
Unable to share files that have multiple EFS certificates
Let’s say you want users to share files encrypted using multiple EFS (Encrypting File System) certificates. Users A1 and A2 have valid EFS certificates. The file F1 exists on a computer on which EFS is enabled, and users A1 and A2 have read and write permissions on the file.
User A1 follows these steps to encrypt the F1 file:
- Locate the F1 file on the disk.
- Right click on the F1 file.
- Click on Properties.
- Click on Advanced.
- Select Encrypt contents to secure data.
- Click on OK.
- Click on Apply.
User A1 creates the file share for file F1 by adding the appropriate EFS certificate for user A2 to file F1.
The A1 and A2 users follow these steps to access the F1 file:
- Locate the F1 file on the disk.
- Right-click the F1 file.
- Click on Properties.
- Click on Advanced.
- Click on Details.
- Click on Add.
- Select the user you want to add.
- Click on OK.
User A1 or user A2 then modifies the file F1.
In this scenario, the EFS metadata is not preserved and only the current user can decrypt the file. However, you would expect the EFS metadata to be preserved and the user you added in step 7 to still be listed.
According to Microsoft, this behavior is by design: currently, you cannot share files that way.
The underlying cause of this behavior is that, if an application opens and saves a file using the ReplaceFile() API, and the file was encrypted with EFS while multiple certificates were present, the resulting file contains only the certificate of the user who saved it.
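As an added example (not code from the original post), the following PowerShell check records which users can decrypt a file before and after a modification and reports any certificate that was dropped. It relies on the built-in cipher.exe /c listing and assumes its section headers read as shown in the comments; the file path in the usage line is a constructed placeholder.

```powershell
# Added example, not from the original post. Assumes cipher.exe /c lists the
# accounts under a "Users who can decrypt:" header, each followed by a
# "Certificate thumbprint:" line, and that the next section header is
# "Recovery Certificates:" or "Key Information:". Adjust the regexes if
# your build's output differs.

function Get-EfsDecryptors {
    param([Parameter(Mandatory)][string]$Path)
    $users = @()
    $inSection = $false
    foreach ($line in (& cipher.exe /c $Path 2>&1)) {
        $text = "$line".Trim()
        if ($text -match '^Users who can decrypt:') { $inSection = $true; continue }
        # Any other section header ends the list of users.
        if ($inSection -and $text -match '^(Recovery Certificates|Key Information):') { break }
        if ($inSection -and $text -and $text -notmatch '^Certificate thumbprint:') {
            # Keep only the account name, dropping the bracketed display-name part.
            $users += ($text -split '\s+\[')[0]
        }
    }
    return $users
}

function Test-EfsSharingPreserved {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][scriptblock]$Modify   # the edit to test, e.g. an append
    )
    $before = Get-EfsDecryptors -Path $Path
    & $Modify
    $after  = Get-EfsDecryptors -Path $Path
    $lost   = @($before | Where-Object { $_ -notin $after })
    [pscustomobject]@{
        Path      = $Path
        Before    = $before
        After     = $after
        Lost      = $lost
        Preserved = ($lost.Count -eq 0)
    }
}

# Usage (constructed path): an in-place append keeps the added user, whereas an
# application that rewrites the file through ReplaceFile(), as described above,
# is expected to show that user under Lost.
# Test-EfsSharingPreserved -Path 'C:\Shared\F1.txt' -Modify { Add-Content 'C:\Shared\F1.txt' 'edit' }
```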
I hope the information in this post clarified things for you!