 

Archive for November, 2009

Windows 7 Professional EFS (Encrypted File System) Update

18 Nov

Yet Another update. The information below is irrelevant as further tests show that some files are able to be decrypted after encryption and some files are still left damaged. I give up – turning EFS off.

 

I’ve been doing a little more research into EFS on Windows 7 and I have found something curious. Windows 7 has incorporated a new system for its encryption algorithms called ECC (elliptic curve cryptography). Using the policy manager I have disabled ECC on the system, and so far I have been able to encrypt and decrypt files without any problems, like it should work in the first place. I have only tried it on a temporary basis so far, so more tests will need to be performed to ensure that EFS works correctly from now on. ECC is a new system that allows EFS to work to “Suite B” standards; however, on a home computer that is of no help to me for just basic encryption/decryption of files. None of the information, however, has stated that encryption with ECC turned on should mess up your files, but I guess Windows 7 has not been evaluated enough for complaints to come forward.

More information on EFS can be found here: http://en.wikipedia.org/wiki/Encrypting_File_System

More information on ECC (elliptic curve cryptography) can be found here: http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography

There is more information on EFS updates from Windows here:

Changes in EFS

Updated: March 27, 2009

Encrypting File System (EFS) is a core file encryption technology used to store encrypted files on NTFS file system volumes. Encrypted files cannot be used unless the user has access to the keys required to decrypt the information. EFS supports industry-standard encryption algorithms including Advanced Encryption Standard (AES), Secure Hash Algorithm (SHA), elliptic curve cryptography (ECC), smart card–based encryption, and other features. As encryption standards continue to progress and old algorithms become less secure, new encryption algorithms must be incorporated to help users protect their data.

EFS support of ECC

In Windows 7, the architecture of EFS has changed to incorporate ECC. This enables EFS to be compliant with Suite B encryption requirements as defined by the National Security Agency to meet the needs of United States government agencies for protecting classified information. Suite B compliance requires the use of AES, SHA, and ECC cryptographic algorithms for data protection. Suite B does not allow RSA cryptography.

EFS in Windows 7 supports a "mixed-mode" operation of ECC and RSA algorithms. This provides backward compatibility with EFS files that were created by using algorithms supported in previous versions of Windows. This might be useful in organizations that use RSA and also want to use the ECC algorithm to prepare for Suite B compliance.

Use of self-signed certificates

The default setting for EFS public key policies allows EFS to generate self-signed certificates when a certification authority (CA) is not available. Some organizations do not allow self-signed certificates to be used because of concerns about information security risks. If you disable this setting, users must be granted a certificate from a trusted CA before they can use EFS.

If you allow the use of self-signed certificates, you can specify the encryption key length used when encrypting files and folders. By default, EFS uses the 2,048-bit key size for self-signed RSA certificates and the 256-bit key for ECC certificates. The following RSA and ECC keys are available:

  • 1,024-bit RSA
  • 2,048-bit RSA
  • 4,096-bit RSA
  • 8,192-bit RSA
  • 16,384-bit RSA
  • 256-bit ECC
  • 384-bit ECC
  • 531-bit ECC

Group Policy changes for EFS

The steps to enable EFS have not changed as a result of supporting ECC; however, additional administrative options related to ECC have been added. Specifically, Group Policy settings can be used by administrators to deny the creation of EFS files by using algorithms that are not Suite B–compliant. The policy setting for EFS is located in the Local Group Policy Editor under Local Computer Policy\Windows Settings\Security Settings\Public Key Policies\Encrypting File System.

After the EFS policy settings are enabled and configured, you use Group Policy settings to specify how ECC is supported. Under Public Key Policies, open the Encrypting File System properties. Then, on the General tab under Elliptic Curve Cryptography, select the appropriate option: either Allow to enable the use of both ECC algorithms and RSA algorithms, Require to permit only ECC encryption algorithms be used, or Don’t allow to use only RSA encryption.
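A way to check whether EFS round-trips files intact on a given machine and policy setting, before trusting it with real data. This is an added example, not part of the original post or of the Microsoft text; the folder name, manifest name and function names are hypothetical, and it uses the .NET `File.Encrypt` wrapper around EFS.

```powershell
# Added example: EFS canary check. Run with -Mode Prepare once, then run
# with -Mode Verify after logging off or rebooting.
param(
    [ValidateSet('Prepare', 'Verify')][string]$Mode = 'Prepare',
    [string]$TestDir = (Join-Path $env:USERPROFILE 'efs-canary')  # hypothetical path
)
$Manifest = "$TestDir.manifest.csv"   # kept outside the encrypted folder

function Get-Sha256([string]$Path) {
    # Hash the plaintext as the current user sees it (EFS decrypts on read).
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs = [System.IO.File]::OpenRead($Path)
    try { return ([BitConverter]::ToString($sha.ComputeHash($fs)) -replace '-', '') }
    finally { $fs.Dispose() }
}

function Test-Canary($Row) {
    # Compare the current hash with the one recorded before encryption.
    $enc = [bool]((Get-Item -LiteralPath $Row.Path).Attributes -band [IO.FileAttributes]::Encrypted)
    try { $now = Get-Sha256 $Row.Path } catch { $now = "UNREADABLE: $($_.Exception.Message)" }
    New-Object PSObject -Property @{
        Path = $Row.Path; Encrypted = $enc; Intact = ($now -eq $Row.Sha256)
    }
}

if ($Mode -eq 'Prepare') {
    New-Item -ItemType Directory -Path $TestDir -Force | Out-Null
    $rows = foreach ($i in 1..3) {
        $p = Join-Path $TestDir "canary$i.txt"
        # Constructed test content; never use real data for this check.
        Set-Content -LiteralPath $p -Value ("constructed test data $i " * 500)
        New-Object PSObject -Property @{ Path = $p; Sha256 = (Get-Sha256 $p) }
    }
    $rows | Export-Csv -Path $Manifest -NoTypeInformation
    $rows | ForEach-Object { [System.IO.File]::Encrypt($_.Path) }
}

# In both modes: re-read every canary and report whether it is still intact.
Import-Csv -Path $Manifest | ForEach-Object { Test-Canary $_ } | Format-Table -AutoSize
```

Any row with `Intact` false after a reboot reproduces the failure described in these posts without risking real files; repeat the run for each ECC policy option (Allow, Require, Don’t allow) to compare them.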

 

 

Windows 7 Professional EFS (Encrypted File System)

14 Nov

Yep, it’s yet another blog about Windows 7, but this time I’m moaning about Windows 7 EFS, which comes standard with Windows 7 Professional. In Windows XP the EFS (Encrypted File System) was a great system for encrypting your data so it couldn’t be looked at by unauthorised people. In Windows Vista they never added it for home users in Windows Vista Home Starter, Basic or Premium, but it was available in the Business version upwards. The Windows 7 Professional version of EFS, however, is perhaps the worst thing I have ever seen in my life. The system encrypts files perfectly and it un-encrypts files perfectly – however, nothing that was encrypted can then be read. It’s absurd. Once you encrypt files, the system only allows you to view the files within that user session; once you reboot the system, the files are useless, scrambled and unusable. I have tried different keys, I have tried different locations and user rights, and nothing seems to work. The files, however, can still be un-encrypted – but that makes no difference whatsoever as the files are completely dead. When I first installed Windows 7 Professional I intentionally encrypted my Personal folder that contained backups of passwords, and they were all useless after I had rebooted; thankfully I had them backed up still and they were restored. Since that time I have tried many different configurations of something that should be a very simple system to use, and nothing seems to make a difference. Microsoft have really messed up on the EFS system of Windows 7 Professional, and I do wonder if as yet any other users have encountered similar problems. I have created new encryption keys and I have tried different user rights, and nothing seems to make a difference. I have to give Windows 7 Professional EFS a lovely score of 0/10.

 

 

Microsoft Wireless Mobile Mouse 6000

12 Nov

I’ve had the Mobile Mouse 6000 now for just under 3 months, and although it’s a really good mouse, it doesn’t do what it says on the tin. The mouse is supposed to have a lifespan of 10 months, and so far I have changed the battery about 5 times already – we’re not talking cheap batteries but the high-powered ones. Also, there is no blue light that sits on the top of the mouse constantly like in all its pictures – the light is either green for full battery, red for low battery or just off. There are some upsides to the mouse: it is mobile, and the wireless receiver that sits in the side of the laptop is very tiny and you’d never know it’s there. If it wasn’t for the battery life lie, it would be a great mouse to use. Sadly, because of the battery life, I have to give the mouse 4/10.

 