3. How to Grant an Additional User Access to an EFS-encrypted File
By default, only the user who encrypted a file is able to access it. However, Windows 7 (as well as Windows Vista, Windows XP, and Windows Server 2003, but not Microsoft Windows 2000) allows you to grant more than one user access to an EFS-encrypted file. This is possible because EFS doesn’t encrypt files using the user’s personal EFS key; instead, EFS encrypts files with a File Encryption Key (FEK) and then encrypts the FEK with the user’s personal EFS key. Therefore, decryption requires two separate keys. However, the FEK key can be encrypted multiple times for different users, and each user can access his or her own encrypted copy of the FEK key to decrypt files.
To allow encrypted files to be shared between users on a computer, perform these steps:
- In Windows Explorer, right-click the file, and then click Properties.
- On the General tab, click Advanced.
- In the Advanced Attributes dialog box, click Details. The User Access dialog box appears, showing the users who have access to the file and the users who can act as recovery agents.
- Click Add. The Encrypting File System dialog box appears and displays a list of users who have logged on to the local computer and who have an EFS certificate. A domain administrator can generate EFS certificates, or Windows 7 will generate one automatically the first time a user encrypts a file.
- To add a domain user who is not on the list but who has a valid encryption certificate, click the Find User button. If EFS informs you that no appropriate certificates correspond to the selected user, the user has not been granted an EFS certificate. The user can generate one by encrypting a file, or a domain administrator can distribute an EFS certificate to the user.
IMPORTING A CERTIFICATE MANUALLY
If a user has a certificate but you can’t find it, you can manually import it. First, have the user export the certificate as described in the previous section. Then, import the certificate as described in the next section.
- Select the user that you want to add, and then click OK.
- Repeat steps 3–5 to add more users, and then click OK three times.
You cannot share encrypted folders with multiple users, only individual files. In fact, you cannot even share multiple encrypted files in a single action—you must share each individual file. However, you can use the Cipher.exe command-line tool to automate the process of sharing files.
Granting a user EFS access to a file does not override NTFS permissions. Therefore, if a user still lacks the NTFS permissions required to access the file, Windows will still prevent that user from accessing it.
Any users who have access to an EFS-encrypted file can, in turn, grant other users access to the file.
EFS DOESN’T AFFECT SHARING ACROSS A NETWORK
EFS has no effect on sharing files and folders across a network. Therefore, you need to follow these steps only when you want to share a folder with another local user on the same computer.
4. How to Import Personal Certificates
You can share encrypted files with other users if you have the certificate for the other user. To allow another user to use a file that you have encrypted, you need to import the user’s certificate onto your computer and add the user’s name to the list of users who are permitted access to the file, as described in the previous section.
To import a user certificate, perform these steps:
- Click Start, type mmc, and then press Enter to open a blank MMC.
- Click File, and then click Add/Remove Snap-in.
- Select Certificates and click Add. Select My User Account and click Finish. Click OK to close the Add Or Remove Snap-ins dialog box.
- Select Certificates, and then select Trusted People.
- Right-click Trusted People. On the All Tasks menu, click Import to open the Certificate Import Wizard.
- Click Next and then browse to the location of the certificate you want to import.
- Select the certificate and then click Next.
- Type the password for the certificate and then click Next.
- Click Next to place the certificate in the Trusted People store.
- Click Finish to complete the import.
- Click OK to acknowledge the successful import, and then exit the MMC.
Now you can grant that user access to EFS-encrypted files.
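The two procedures above (importing the other user's certificate, then granting that user access to encrypted files) can be scripted with the built-in certutil.exe and cipher.exe tools, which is the automation that section 3 mentions. The following PowerShell script is an added example and is not part of the book; the certificate path C:\certs\alice.cer and the folder C:\Secure are placeholders, and the script assumes the other user's EFS certificate was exported with the public key only (a .cer file). Because EFS sharing is per file, the script adds the user to each encrypted file individually rather than to the folder, and finishes by listing who can decrypt each file so the result can be reviewed.

```powershell
# Added example, not from the book: the GUI steps done from PowerShell with
# certutil.exe (certificate import) and cipher.exe (EFS sharing).
# Assumptions (placeholder values, not taken from the text):
#   - the other user's EFS certificate, public key only, is at C:\certs\alice.cer
#   - the encrypted files to share live under C:\Secure
$certFile = 'C:\certs\alice.cer'
$folder   = 'C:\Secure'

# Step 1: import the certificate into the current user's Trusted People store,
# the same store the Certificate Import Wizard steps place it in.
certutil.exe -user -addstore TrustedPeople $certFile
if ($LASTEXITCODE -ne 0) { throw "Certificate import failed for $certFile" }

# Step 2: EFS sharing works per file, not per folder, so walk the tree and
# select only files that carry the Encrypted attribute.
$encrypted = Get-ChildItem -Path $folder -Recurse -File |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted }

# cipher /adduser adds a second encrypted copy of the FEK for the user whose
# certificate is given with /certfile. NTFS permissions on each file still apply
# and are not changed by this step.
foreach ($f in $encrypted) {
    cipher.exe /adduser "/certfile:$certFile" $f.FullName
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Could not grant access on $($f.FullName)"
    }
}

# Step 3: verify. cipher /c prints, for each file, the users who can decrypt it
# and the recovery agents. Review this list: any user shown here can in turn
# grant further users access to the file.
foreach ($f in $encrypted) {
    cipher.exe /c $f.FullName
}
```

Run the script as the user who encrypted the files (or as another user already listed by cipher /c), since only a user who can decrypt a file can add others to it. If the exported certificate does not match a certificate in the Trusted People store, cipher.exe reports that the certificate is not trusted; re-run the import step in that case.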