Arbeitsordner - Problem mit Verschlüsselung

 Encryption under the cover

The encryption technology that Work Folders leverages on Windows to protect the data is called “ Selective Wipe ” [1] . At a high level, the encryption uses a key which is associated an Enterprise ID (EID), which is the company’s top-level domain (for example contoso.com). The selective-wipe encryption mechanism is very similar to EFS, but a major difference is that it is non-PKI based. The encryption key is stored in the Windows Vault (a.k.a. Credentials Manager), which is not stored in Active Directory as part of the users’ profile, and windows does not offer a backup mechanism for it (the built-in credentials manager backup mechanism doesn’t backup that key as part of the backup process). One potential mitigation comes from the fact that when a device is domain-joined (note that this is different than “Workplace joined”), the EID encryption will use both the EID key on the user device and the domain’s Data Recovery Agent (DRA) key. This will allow an enterprise administrator to decrypt the files in case of the key revocation or loss on the domain joined devices.

How can a file be encrypted and decrypted with both the user’s key and the DRA?

The answer to this is in the basic design of the Windows Encrypting File System (EFS). EFS doesn’t encrypt the file using the user’s key but using a unique and random key generated specifically for each and every file EFS has to encrypt. The file’s key is then encrypted using the user’s key and attached to the file. If the device is domain-joined, the file’s key is then encrypted once again, this time using the DRA, and also attached to the file.

When it’s time to decrypt the file, if it’s the user who is decrypting, then EFS decrypts the file key that was encrypted with the user’s key, and if it’s the DRA, then the file key that was encrypted with the DRA is decrypted.