EFS files still accessible when key deleted

[Carl Holland]

After having encrypted a folder I exported the private key
to a floppy and deleted it from the system. The
folder/files are still accessible? Why?

 

[Jeff Patterson [MSFT]]

Carl,

Run through the steps listed in the following article to export your private
key and delete it from the local system:

241201 HOW TO: Back Up the Recovery Agent Encrypting File System Private Key
in
http://support.microsoft.com/?id=241201

Link to EFS White Paper:
http://www.microsoft.com/windows2000/techinfo/howitworks/security/encrypt.asp

Jeff Patterson
Microsoft Support

 

[Drew Cooper [MSFT]]

EFS caches the key handle after a successful use. If you've
encrypted/decrypted/opened/etc. something, there will be a handle held open.
The file (the private key in the file system) is marked for deletion by the
export wizard, but is not actually gone until all handles are closed.

The easiest way to flush the EFS cache on Windows 2000 is to reboot. (The
less pleasant way is to flood the cache with other entries until yours is
bumped. Cache size IIRC is 100.) After the cache is flushed, you should
not be able to access those encrypted files.