Sharing Your Encrypted Files with Other Users

Sharing Your Encrypted Files with Other Users
A new feature in Windows XP allows you to share access to your encrypted files with one or more trusted users. The users you specify might share the computer with you or have access to the encrypted files over the network.

The only prerequisite for sharing access to an encrypted file is that each user with whom you want to share the file must have an encryption certificate on your computer. The easiest way for a user who shares your computer to create a certificate is for that user to log on and encrypt a file. Network users should export their own certificate (see Exporting a Personal Encryption Certificate); you can then import the certificate to your computer.

TIP
--------------------------------------------------------------------------------

Checking for encryption certificates

To find out whether another user already has an encryption certificate on your computer, use the Certificates snap-in for Microsoft Management Console. (For details, see Using the Certificates Snap-In.) Self-signed certificates, whether created on your computer or imported to your computer, appear in the Trusted People\Certificates folder. Certificates issued by a certification authority (CA) appear in the Other People\Certificates folder. (Note that EFS will not use certificates issued by an untrusted CA.) If Encrypting File System appears in the Intended Purposes column—you might need to enlarge the window or scroll to the right to see the column—you can share your encrypted files with this person.

To enable another user to use one of your encrypted files, follow these steps:

Right-click an encrypted file and choose Properties. On the General tab, click Advanced.
In the Advanced Attributes dialog box, click Details.
NOTE
--------------------------------------------------------------------------------

The Details button is unavailable when you initially encrypt a file. To use this button, you must encrypt the file and then return to the Advanced Attributes dialog box. Note also that the Details button is available only when you display properties for a single file; if you select a folder or multiple files, the button is unavailable.
In the Encryption Details dialog box, click Add. The Select User dialog box appears, as shown in Figure 18-3.

Figure 18-3. You can provide access to any account that has an Encrypting File System certificate on your computer.
Select the name of the user to whom you want to give access, and then click OK.
The users specified in the Encryption Details dialog box now have access to the encrypted file. Of course, they'll also need sufficient NTFS permissions to use the file and, if the file is in a shared network folder, permissions to access the network share.

CAUTION
--------------------------------------------------------------------------------

Grant EFS access only to users you trust. Users who are granted access permissions also can share files with other users of their choosing. The only way you can prevent such sharing is to remove the user's Write permission for the file—but that might prevent the type of access you need.