Tuning EFS

Learn how to tune the ciphers and parameters that EFS uses.

Jan De Clercq

May 1, 2005

2 Min Read
ITPro Today logo

Q: What ciphers does Microsoft’s Encrypting File System (EFS) use? Also, how can I tune these ciphers and their parameters?

A: The software technology behind EFS is a good example of a hybrid cryptographic solution that combines the power of both asymmetric and symmetric ciphers. EFS uses a symmetric cipher (Advanced Encryption Standard—AES; Triple DES—3DES; or DESX) to perform the bulk encryption and an asymmetric cipher (RSA) to provide secure storage of the bulk encryption key. AES uses a 256-bit symmetric encryption key, 3DES uses a 128-bit key, and DESX uses a 56-bit key. The 256-bit AES cipher is the best and most secure option for EFS symmetric encryption, followed by 128-bit 3DES, then 56-bit DESX.

Windows 2000 Server and Windows XP, by default, use a 56-bit DESX EFS cipher. However, if you've installed the Win2K High Encryption Pack, EFS defaults to 128-bit 3DES. The default encryption algorithm used in Windows Server 2003 and later or Windows XP Service Pack 1 (SP1) and later is 256-bit AES. You can configure both Windows 2003 and XP to use the 3DES algorithm for EFS encryption and decryption operations.

There are two ways to configure EFS to support 3DES instead of DESX. You can use a new Group Policy Object (GPO) setting called “System Cryptography: Use FIPS compliant algorithms for encryption.” This setting affects the encryption-decryption operations not only of EFS but also of other Windows security solutions such as IPsec. The GPO setting is located in the Computer configuration, Windows Settings, Security Settings, Local Policies, Security Options GPO container. You can also modify the registry to make the use of 3DES available only to EFS. To do so, create the AlgorithmID (REG_DWORD) registry value in the HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionEFS registry subkey and set it to 0x6603.

As Table 1 shows, you can use this registry key to force the use of DESX or AES for EFS operations. Even if you've set up Windows 2003, Win2K or XP to use 3DES, DESX or AES support (depending on the platform) isn't lost. The platforms are still able to process files previously encrypted with AES, 3DES, or DESX.Windows 2003 also lets you specify larger default RSA key sizes for keys that are generated for EFS. The default key size used in Windows 2003 and XP is 1024 bits. In Windows 2003, you can change the default size by setting the HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionEFSRSAKeyLength registry subkey. The value (REG_DWORD) in this key must be a power of 2 (i.e., 1024, 16384 …)

Table 1: Registry Values for EFS Symmetric Encryption Algorithm

Supported Algorithm

Registry Value

Comments

DESX (56-bit key)

0x6604

This value can be used on all versions of Windows 2000 and Windows XP.

3DES (128-bit key)

0x6603

This value can be used on Win2K, XP and later OS versions.

AES_256 (256-bit key)

0x6610

This is the default value. It is compatible with only XP Service Pack 1 (SP1) and later.

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.