A subset of my users need a way to share an encrypted folder on the file server. Security is the most important, followed closely by ease of use. It appears that TrueCrypt is easier to set up. Does EFS have any advantages over TC to justify the extra setup?
Windows Server 2003 and XP, Active Directory, 100 user LAN.
Edit: I originally missed the limitation of single-user R/W access for Truecrypt. Looks like EFS is better once I get past the setup.
-
The section on Sharing over a Network from the TrueCrypt user's guide makes it look like you have a couple of solutions-- mounting the shared file hosting the volume locally on computers or mounting the file hosting the volume on the server computer. The big difference between the two is that the volume's contents will be accessible read-write to all client computers when it's mounted on the server computer and shared (albeit access to the data will cross the wire "in the clear") versus the volume being mounted read-only on all computers when mounted locally on each machine.
If your users need seamless read/write access to the encrypted files either a TrueCrypt server-side mount or EFS is probably a better choice. The data is still going to cross the wire in the clear with EFS, as with TrueCrypt and the server-side mount.
Some people get really down on EFS but I think it fills a niche and solves a problem. It's well designed for what it is, but the problem that it seeks to solve is fundamentally awkward to solve.
Configuring EFS in an AD envrionment really isn't too difficult to setup. The most difficult part is wrapping your mind around the recovery agent functionality and exporting the recovery key to a safe offline location. You will need a PKI, but Microsoft's Certificate Services can automate most of the process for issuing certificates to users (have a look here for information about autoenrollment in Windows XP: http://technet.microsoft.com/en-us/library/bb456981.aspx)
Have some a look at the docs from Microsoft: http://technet.microsoft.com/en-us/library/cc962122.aspx (and another at http://technet.microsoft.com/en-us/library/bb457116.aspx)
Multi-user access to EFS files is a bit of a "wart" on the part of Microsoft, but it's not too hard to deal with. There's a very good answer here re: multi-user access to EFS-encrypted files.
Nathan Hartley : I thought I read that data to and from an EFS share WAS encrypted. [time passes] Ah! It is encrypted on-the-wire when ran in WebDav mode... Remote EFS Operations on File Shares and Web Folders http://technet.microsoft.com/en-us/library/bb457116.aspx#EHAAJim B : on a side note if you want all traffic encrypted you simply need to enable domain isolation.Evan Anderson : @JimB: You're absolutely right in the sense that you should use an over-the-wire encryption mechanism, such as IPsec, if you want over-the-wire encryption of any data, EFS-stored or otherwise. The "domain isolation" term was always one that rubbed me the wrong way-- sounded like a marketing-ism.Jim B : @Evan- It's a pretty accurate term. If you are not a domain menber you can't see any traffic in that domain. There are a couple of downloadable labs on the technet site to play with it.From Evan Anderson -
EFS will allow you to use your existing AD and kerberos credentials to access the encrypted data.
Truecrypt doesn't support multi-user access, and has no way of storing access credentials in a directory. Additionally, Truecrypt hasn't been FIPS 140-2 validated, so if you are encrypting to protect yourself against breaches of personally identifying information it isn't the right tool.
Also consider commercial products like McAfee File & Folder encryption.
From duffbeer703 -
I'd recommend going with TrueCrypt for this scenario. Its probably going to be easier than EFS in this case.
From KPWINC
0 comments:
Post a Comment