How do I let the SYSTEM account use EFS encryption?
I want to encrypt some files used by a Windows service running as Local System (i.e. using the NT AUTHORITY\SYSTEM account). Since BitLocker doesn't seem to work with software RAID, EFS seems to be the way to go. However, cipher /adduser doesn't like being used on SYSTEM:
cipher /adduser /user:SYSTEM filename.ext
Error finding user certificate in Active Directory Domain Services: The specified domain either does not exist or could not be contacted.
I'm using Windows 8.1.
I also have some already-encrypted files that I need to give SYSTEM access to. What can I do?
This works on every incarnation of Windows since 7 (and probably earlier), and the server versions too.
The SYSTEM account can indeed use EFS, but it doesn't have an EFS certificate by default. The only person who can enroll a certificate for SYSTEM is SYSTEM, so you'll need to get PsExec. From an admin command prompt with psexec.exe accessible, run psexec /s /i cmd.exe to produce a command prompt running as SYSTEM.
Before we start
Note that allowing SYSTEM access to an encrypted file means that anybody with physical access to the machine can decrypt that file. Usually, EFS certificates are protected by a user password, but SYSTEM's password has to be stored on the disk because nobody enters its password. Therefore, these procedures are only advisable if you're worried about the security of off-site backups, where the machine key is not accessible.
If you want only SYSTEM to have access to the files
Use the SYSTEM prompt to encrypt the files. This can be accomplished with the cipher utility that comes with Windows. cipher /e followed by the filename encrypts that file, making it only accessible to SYSTEM. To encrypt a directory, the command is cipher /e /s:, with the target directory name smashed right up against that colon.
If you want to give SYSTEM access to already-encrypted files
The first time a file is encrypted (for any account), an EFS certificate/key is issued. To create a scratch file, do echo. > scratch.txt in the SYSTEM prompt. Encrypt that file with cipher /e scratch.txt. You can torch that extra file if you want; the certificate is all ready. EFS certificates can be managed in the Certificates MMC snap-in; you'll need to open the snap-in for the computer (not the user), or just run certlm.msc. You'll find the certificates of interest under Trusted People.
Now, when you want to give SYSTEM access to an encrypted file/directory, open a command prompt as an owner of the file. Run cipher /adduser /certhash: with the target user's EFS thumbprint smushed against the colon without spaces. (Double-click an entry in the Certificates MMC window and switch to the Details tab to see the thumbprint.) The target filename is an additional parameter, and /s:<dir> still works if you're applying this to a folder.
Example commands
Encrypting a file: cipher /e filename.ext
Encrypting a folder: cipher /e /s:Important
Adding a user to a file: cipher /adduser /certhash:6cc1ce89aac7b6f794733e1b6b54a564a9bed9de filename.ext
Further reading: "How IT Works: Encrypting File System", cipher.exe reference at TechNet
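The /certhash workflow from the answer above, scripted in PowerShell as an added example (this is not code from the original question or answer). It assumes you run it from an elevated prompt as an owner of the target file, that SYSTEM's EFS certificate already sits in the computer's Trusted People store as the answer describes, that the EKU OID 1.3.6.1.4.1.311.10.3.4 ("Encrypting File System") marks EFS certificates, and that cipher /c prints each authorised certificate's thumbprint; the function names, the folder path and the subject filter are invented for illustration.

```powershell
# Added example, not part of the original answer. Assumptions: elevated prompt run as an
# owner of the file; SYSTEM's EFS certificate is in Cert:\LocalMachine\TrustedPeople;
# OID 1.3.6.1.4.1.311.10.3.4 is the "Encrypting File System" EKU.

$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'

function Get-EfsCertificate {
    # List EFS-capable certificates in the computer's Trusted People store.
    # -SubjectLike is an optional wildcard filter; inspect the output before picking one.
    param([string]$SubjectLike = '*')
    Get-ChildItem -Path 'Cert:\LocalMachine\TrustedPeople' |
        Where-Object {
            $_.Subject -like $SubjectLike -and
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $EfsEkuOid })
        }
}

function Grant-EfsAccessByThumbprint {
    # Run cipher /adduser /certhash:<thumbprint> against a file, or against a folder with /s:.
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$Path
    )
    # cipher wants the thumbprint with no spaces, directly after the colon.
    $hash = $Thumbprint -replace '\s', ''
    if (Test-Path -Path $Path -PathType Container) {
        $output = & cipher.exe /adduser "/certhash:$hash" "/s:$Path"
    } else {
        $output = & cipher.exe /adduser "/certhash:$hash" $Path
    }
    if ($LASTEXITCODE -ne 0) {
        throw "cipher /adduser failed (exit $LASTEXITCODE): $($output -join [Environment]::NewLine)"
    }
    $output
}

function Test-EfsAccess {
    # Verify the grant with cipher /c, which reports who can decrypt a file together with
    # each certificate thumbprint. Returns $true when the given thumbprint is listed.
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$Path
    )
    $hash = ($Thumbprint -replace '\s', '').ToUpperInvariant()
    $report = (& cipher.exe /c $Path) -join "`n"
    # cipher prints thumbprints as 40 hex digits, possibly grouped by four; normalise before comparing.
    $printed = [regex]::Matches($report, '(?:[0-9A-Fa-f]{4}\s?){10}') |
        ForEach-Object { ($_.Value -replace '\s', '').ToUpperInvariant() }
    return [bool]($printed -contains $hash)
}

# Usage (path and filter are placeholders): pick SYSTEM's EFS certificate, grant it
# access to the service's data folder, then confirm on one of the files.
# Get-EfsCertificate | Format-List Subject, Thumbprint, NotAfter
# $cert = Get-EfsCertificate -SubjectLike '*SYSTEM*' | Select-Object -First 1
# Grant-EfsAccessByThumbprint -Thumbprint $cert.Thumbprint -Path 'C:\ServiceData'
# Test-EfsAccess -Thumbprint $cert.Thumbprint -Path 'C:\ServiceData\config.ini'
```

Listing the store first matters: Trusted People may hold more than one EFS certificate, and cipher /adduser will happily grant access to whichever thumbprint you pass, so confirm the subject and expiry before granting and use Test-EfsAccess (cipher /c) afterwards rather than trusting the exit code alone.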