EFS Assistant Feedback

Coordinator
Apr 12, 2007 at 9:05 PM
Because the Codeplex Issue Tracker is currently unavailable, we will instead be accepting bugs, feature requests, etc. on this discussion thread.
Apr 20, 2007 at 2:24 PM
Could the 'folders not to encrypt' feature be enhanced to decrypt new file locations added to the key after installation? One of the things you can run into is trying to encrypt a folder, finding an issue and then needing to decrypt it.
Coordinator
Apr 20, 2007 at 3:29 PM

fredduncan wrote:
Could the 'folders not to encrypt' feature be enhanced to decrypt new file locations added to the key after installation? One of the things you can run into is trying to encrypt a folder, finding an issue and then needing to decrypt it.


This is a great feature request that we've discussed. One of the reasons we did not add this feature is that we wanted to let the user encrypt more than the tool wanted to encrypt, if he/she knows that it won't cause problems. This feature could turn off encryption that the user turned on, which could be a problem...

That said, I think this is a feature that should be kept in mind and possibly implemented in a future version. I will convert your feedback to a work item.
Coordinator
Apr 20, 2007 at 3:31 PM
This discussion has been copied to Work Item 250. You may wish to continue further discussion there.
Apr 21, 2007 at 2:33 AM
We developed a custom EFS wrapper like this and have been using it over the past 2 years. Some of the things we have learned and had to add enhancements for are:
1) We added an option to encrypt at file level instead of folder level, so that files within a folder would not be encrypted unless they met the extension list. This was needed for files used by running services, since the service could not decrypt the files.
2) The wrapper ran continually once started at login so that "real time" file level encryption would occur. This provided the protection for new files being created during user login. Many users put the computer in sleep mode instead of powering down or logging off, so the encryption protection was maintained for files.
3) We had to add a "snooze" function for the file encryption monitoring. When installing software, especially with an MSI install, the installation files could become encrypted before the installation process got ready to use them. If the file got encrypted, the MSI installer was unable to decrypt the file and continue.
4) For compliance reporting, a database connection function was added to send stats to a database at intervals, from which reports could then be created to validate data protection.
Each of these would be extremely useful if it could be built into this tool as well.
Apr 21, 2007 at 3:15 AM
Edited Apr 21, 2007 at 3:16 AM
While I am at it, I could not verify at this time, but it was also critical to us that the file's Last Modified date did not change when a current file was first encrypted. Users often depend on being able to search for files by this date to get the most recent version of files by the same name. When the date was changed to the same date for all files during the initial encryption scan, they lost that ability. We added the function to restore the date back to the original file date after encryption to solve this.

Decrypting files was the same issue. It would be great if the cipher command could have a switch added to also maintain the date during decryption. I had to write a wrapper for the cipher to grab the date, decrypt the file, then write the original date back to solve this.
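
The grab-the-date, change the EFS state, write-the-date-back wrapper described in the post above, sketched in PowerShell as an added example (it is not bbrown's wrapper and not EFS Assistant code). It uses the .NET `File.Encrypt`/`File.Decrypt` calls rather than shelling out to cipher; the function name `Set-EfsStateKeepTimes` and the `C:\Data` path in the usage comment are assumptions.

```powershell
# Added example: change a file's EFS state without disturbing its timestamps.
# Set-EfsStateKeepTimes is a hypothetical name, not part of EFS Assistant or cipher.
function Set-EfsStateKeepTimes {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [Alias('FullName')]
        [string]$Path,

        [Parameter(Mandatory = $true)]
        [ValidateSet('Encrypt', 'Decrypt')]
        [string]$Action
    )
    process {
        $file = Get-Item -LiteralPath $Path -Force -ErrorAction Stop
        if ($file.PSIsContainer) { throw "Not a file: $Path" }

        # Skip files that are already in the requested state.
        $isEncrypted = [bool]($file.Attributes -band [System.IO.FileAttributes]::Encrypted)
        if (($Action -eq 'Encrypt') -eq $isEncrypted) { return }

        # Capture both timestamps before the file is rewritten.
        $created  = $file.CreationTimeUtc
        $modified = $file.LastWriteTimeUtc

        if (-not $PSCmdlet.ShouldProcess($file.FullName, $Action)) { return }
        try {
            if ($Action -eq 'Encrypt') { [System.IO.File]::Encrypt($file.FullName) }
            else                       { [System.IO.File]::Decrypt($file.FullName) }
        }
        finally {
            # Write the original dates back even if the operation failed,
            # so date-based searches keep working.
            [System.IO.File]::SetCreationTimeUtc($file.FullName, $created)
            [System.IO.File]::SetLastWriteTimeUtc($file.FullName, $modified)
        }

        # Report the resulting state so a caller can log or verify it.
        $after = Get-Item -LiteralPath $file.FullName -Force
        [pscustomobject]@{
            Path         = $after.FullName
            Encrypted    = [bool]($after.Attributes -band [System.IO.FileAttributes]::Encrypted)
            LastWriteUtc = $after.LastWriteTimeUtc
        }
    }
}

# Usage (constructed path): decrypt a tree while keeping every file's dates.
# Get-ChildItem -LiteralPath 'C:\Data' -Recurse -File | Set-EfsStateKeepTimes -Action Decrypt
```

Run with `-WhatIf` first to list the files that would change state without touching them.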
Coordinator
Apr 21, 2007 at 3:34 PM
Edited Apr 21, 2007 at 3:34 PM

bbrown wrote:
While I am at it, I could not verify at this time, but it was also critical to us that the file's Last Modified date did not change when a current file was first encrypted. Users often depend on being able to search for files by this date to get the most recent version of files by the same name. When the date was changed to the same date for all files during the initial encryption scan, they lost that ability. We added the function to restore the date back to the original file date after encryption to solve this.

Decrypting files was the same issue. It would be great if the cipher command could have a switch added to also maintain the date during decryption. I had to write a wrapper for the cipher to grab the date, decrypt the file, then write the original date back to solve this.


Thanks for your input. Our tool does preserve last modified dates. You are right about the cipher utility, it should have this capability. We will mention this to the EFS program manager.
Coordinator
Apr 21, 2007 at 3:53 PM

bbrown wrote:
We developed a custom EFS wrapper like this and have been using it over the past 2 years. Some of the things we have learned and had to add enhancements for are:
1) We added an option to encrypt at file level instead of folder level, so that files within a folder would not be encrypted unless they met the extension list. This was needed for files used by running services, since the service could not decrypt the files.
2) The wrapper ran continually once started at login so that "real time" file level encryption would occur. This provided the protection for new files being created during user login. Many users put the computer in sleep mode instead of powering down or logging off, so the encryption protection was maintained for files.
3) We had to add a "snooze" function for the file encryption monitoring. When installing software, especially with an MSI install, the installation files could become encrypted before the installation process got ready to use them. If the file got encrypted, the MSI installer was unable to decrypt the file and continue.
4) For compliance reporting, a database connection function was added to send stats to a database at intervals, from which reports could then be created to validate data protection.
Each of these would be extremely useful if it could be built into this tool as well.



These are all great ideas! Our goal is to release a V1 of the EFS Assistant while helping to foster a community that can continue developing the tool after our release. We are looking for people to help out in this effort. Would you be willing?

Bill
Jul 24, 2009 at 10:43 PM

I think maybe a scenario was forgotten in the EFSAssistant Functional Specification:

The next day, Quentin docks his laptop and starts it up. He logs into the network. After he has been logged in for a few minutes, he notices a small balloon in the corner of his screen. The balloon says that his computer is encrypting his files to protect the sensitive data they contain. He's a bit nervous about this, as his laptop is quite slow and it's difficult to use his normal applications with any degree of productivity. Quentin is savvy enough to check what's going on with Task Manager and notices that EFSAssistant is hogging the CPU and making his laptop's fan sound like a vacuum cleaner. He uses Task Manager to kill EFSAssistant. However, EFSAssistant has by now fragmented his hard drive with all of the newly encrypted files. His applications are still slow and Quentin becomes very frustrated. The next day, the process is repeated due to the Local Policies put in place by Meg Collins. Quentin screams bloody murder and throws his office chair through his window, followed by his laptop.