Configure 3DES Encryption for EFS

May 29, 2006 at 8:45 PM

EFS (Encrypted File System) is a built-in feature of Windows 2000, XP and 2003 that allows users to encrypt files and folders securely, and the encryption algorithm it uses can be changed if needed.

By default EFS uses the DESX algorithm for encryption in Windows 2000 and Windows XP. In Windows XP SP1 and Windows Server 2003 the default encryption algorithm is the Advanced Encryption Standard (AES) with a 256-bit key. For users requiring greater symmetric key strength with a FIPS 140-1 compliant algorithm, the 3DES algorithm can be enabled in Windows XP and Windows Server 2003. This can be done via GPO or the registry.

When 3DES is enabled using Group Policy, both IPSec and EFS will use the 3DES algorithm. If you change it in the registry, the change applies only to EFS. Find the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS

Create a new REG_DWORD named AlgorithmID and set its hex value to 0x6603. After the computer is rebooted, EFS will use 3DES instead of DESX or AES. The recommended and most secure algorithm in this case is AES. Stay away from 3DES or DESX. [:P]
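The registry procedure above, as an added PowerShell example that is not part of the original post: it reads the current AlgorithmID under the EFS key, labels it, and can set it to either the 3DES value the post gives (0x6603) or AES-256. The 0x6610 (CALG_AES_256) and 0x6604 (CALG_DESX) values are assumed from the CryptoAPI ALG_ID constants in wincrypt.h; the post itself only names 0x6603.

```powershell
# Added example, not from the original post: audit and set the EFS AlgorithmID value.
# Run from an elevated prompt to change the value; reading it needs no elevation.
$efsKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'

# CryptoAPI ALG_ID constants (assumed from wincrypt.h; the post only gives 0x6603 for 3DES)
$algNames = @{
    0x6603 = 'CALG_3DES    (legacy; the post advises against it)'
    0x6604 = 'CALG_DESX    (legacy; the post advises against it)'
    0x6610 = 'CALG_AES_256 (recommended)'
}

function Get-EfsAlgorithm {
    # Returns a human-readable description of the configured EFS algorithm.
    $item = Get-ItemProperty -Path $efsKey -Name AlgorithmID -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'AlgorithmID not set (OS default applies)' }
    $id = [int]$item.AlgorithmID
    $name = if ($algNames.ContainsKey($id)) { $algNames[$id] } else { 'unknown ALG_ID' }
    return ('0x{0:X4} {1}' -f $id, $name)
}

function Set-EfsAlgorithm {
    # Writes the REG_DWORD the post describes; creates it if it does not exist yet.
    param(
        [Parameter(Mandatory)]
        [ValidateSet('3DES', 'AES256')]
        [string]$Algorithm
    )
    $id = if ($Algorithm -eq '3DES') { 0x6603 } else { 0x6610 }
    Set-ItemProperty -Path $efsKey -Name AlgorithmID -Value $id -Type DWord
    Write-Output ('AlgorithmID set to 0x{0:X4}; reboot for EFS to pick it up' -f $id)
}

Write-Output ('Current EFS algorithm: ' + (Get-EfsAlgorithm))
# Set-EfsAlgorithm -Algorithm AES256   # uncomment to apply (elevated prompt required)
```

The setting only affects files encrypted after the reboot; files already encrypted keep the algorithm they were encrypted with until they are re-encrypted.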

Posted in: Certificates | EFS
