At http://blogs.msdn.com/b/b8/archive/2012/01/16/building-the-next-generation-file-system-for-windows-refs.aspx the new Windows 8 ReFS file system is described as the "Next generation file system for Windows".
In the same article about the question "What semantics or features of NTFS are no longer supported on ReFS?" it is replied that "The NTFS features we have chosen to not support in ReFS are: named streams, object IDs, short names, compression, file level encryption (EFS), user data transactions, sparse, hard-links, extended attributes, and quotas"
It seems to me obvious to ask myself if, in the Microsoft future operating systems, efs will still be an option.
Bilocker nowadays has much less impact on computer performance than the one it had in the past thanks to the new AES Intel processors instructions and, in windows 8, thanks to the support for Encrypted Hard Drives (that is hard drives where the encryption process is offloaded to the storage controller on the drive) and this will be true even more for the future operating systems and hardware architectures.
So, assuming that in the future it won't be possible to install windows on a partition not protected by bitlocker or to create a data partition not protected by bitlocker, let's discuss if further encrypting a file with efs will add real protection to the file content.
The efs works by deriving a key from the user logon password and using this derived key to decrypt the user's DPAPI Master Key that is used to decrypt the user's RSA private key that is used to decrypt each file's FEK that, finally, is used to decrypt/encrypt each file's data.
Like said before, in the next reasonings I assume we have a pc where all the disk partitions are bitlocker protected.
In this scenario the user encrypts a file with sensitive data with efs and he/she does so in order to avoid other network or local users to access his/her file and this seems certainly a good thing.
In my first example let's assume that the user who encrypted the file with efs has local administrator rights. If another local user has local administrator rights, encrypting a file with efs doesn't add a real protection to the file since the other local administrator could install a key logger or other programs that are able to access the protected memory that contains the DPAPI master key in order to steal the user password or the user DPAPI master key.
In my second example let's assume that the user who encrypted the file is the only one local administrator of the pc. If no other user has local administrator rights there is no need to encrypt a file that contains sensitive data because no other user could bypass the file acls, obviously assuming that the user who has local administrator rights set the file acls correctly without granting access to other users. In this second example the case of a local or remote user successfully attacking the operating system gaining administrator rights is equivalent to my first example so, even if the user encrypted the file with efs, the local or remote user who attacked successfully the operating system could access anyway the encrypted file installing a key logger or other programs that are able to access the protected memory.
In my third example let's assume that the user who encrypted the file with efs has local administrator rights and he/she used EFS with a Smart Card in Uncached Key Mode (EFS used with uncached smart card key storage uses the smart card to contain the user's RSA private key used to decrypt the fek of each encrypted file and the key derived from the rsa private key to decrypt the fek is never cached in ram, that is the fek is decrypted directly with the rsa private key by the smart card processor). In this third example the efs only partially mitigates the risk of a platform attack because the local or remote user who attacked successfully the operating system gaining administrator rights could install a program that can steal the clear fek used to encrypt the file while the user who encrypted the file is using the file for reading or writing operations.(http://answers.microsoft.com/en-us/windows/forum/windows_7-security/efs-with-smart-card-in-uncached-key-mode/ea166543-5ce8-4683-92d3-52582d08f137)
At the end, in my opinion, using efs on a pc where all the disk partitions are bitlocker protected doesn't add a real protection.
I explained why, in my opinion, the fact that Microsoft is going to abandon the encrypting file system, if true, is a logic and acceptable thing.
I would like to have your opinions, hoping that also someone at Microsoft could take his/her time to read my post and comment it.
Thanks a lot
- 已编辑 Evolve_or_Die 2012年3月24日 15:37