NTFS and PGP Interact to Expose EFS Encrypted Data
9 May. 2002
One NTFS feature of Windows 2000/XP is its support for an "encrypted" attribute. PGP 7.0.3 Freeware, a product of Network Associates, supports wiping files as they are deleted. If you enable file wiping and then set the "encrypted" attribute on a folder, copies of the folder's contents are left unencrypted on the file system.
The information has been provided by Ry Jones.
As Explorer works its way through the file system encrypting the contents, it first renames each source file to a name of the form "EFSn.TMP", where n is an increasing series of integers starting at 0. It then encrypts the file into a target file with the same name as the original. The permissions on the temporary file are set to a very restrictive level, and the temporary file is then deleted. However, if you have set PGP to wipe deleted files, it appears that PGP intercepts the deletion of the file. PGP, running as the user, has insufficient privilege to delete the file and leaves the temporary file in place.
Anyone who recovers the hard drive can take ownership of these temporary files and read them. In addition, in the default setting, hidden files are not shown in explorer, so a user may not be aware that the temporary files exist at all. Any administrator may take ownership of the temporary files and read the data.
1) Create a directory "efs-pgp-interaction-bug". Copy a text file into the directory.
2) Right click on the PGP icon. Set the "Automatically wipe on delete" flag. Click OK.
3) Right click on the "efs-pgp-interaction-bug" directory in explorer. Click properties, advanced, and check the "Encrypt contents to secure data" flag. Click OK, OK.
4) Double click on efs-pgp-interaction-bug. If you have set the "show hidden files and folders" flag (tools, folder options, view, show hidden files and folders, OK), you will see the EFSn.TMP files. Attempting to open the temporary files will result in an error (depending on the application). Vim reports "[Permission Denied]".
5) Hit the backspace key. Right click on the efs-pgp-interaction-bug directory. Select sharing and security; select security, advanced. Check the "replace permission entries on all child objects..." check box and click OK. Click "Yes", "OK".
6) Re-open efs-pgp-interaction-bug and right click on the temporary file (EFS0.TMP). Select Open With, Notepad. View your file.
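The following check is an added example and not part of the original advisory: it scans for leftover "EFSn.TMP" files that do not carry the encrypted attribute, the plaintext residue described above. It reads the Win32 attribute bits through os.stat().st_file_attributes (Windows only); the sample listing is constructed, and the folder layout is assumed.

```python
import os
import re
from typing import Iterable, List, Tuple

# Win32 FILE_ATTRIBUTE_* bits as exposed by os.stat().st_file_attributes on Windows.
FILE_ATTRIBUTE_HIDDEN = 0x0002
FILE_ATTRIBUTE_ENCRYPTED = 0x4000

# Temporary names Explorer uses while encrypting: EFS0.TMP, EFS1.TMP, ...
EFS_TMP_NAME = re.compile(r"^EFS\d+\.TMP$", re.IGNORECASE)


def find_efs_residue(entries: Iterable[Tuple[str, int]]) -> List[str]:
    """Return the names of EFSn.TMP entries that lack the encrypted bit.

    `entries` is a sequence of (file name, attribute bitmask) pairs. An
    EFSn.TMP file without FILE_ATTRIBUTE_ENCRYPTED is the plaintext copy of
    the original that the advisory describes; anything else is ignored.
    """
    return [
        name
        for name, attrs in entries
        if EFS_TMP_NAME.match(name) and not attrs & FILE_ATTRIBUTE_ENCRYPTED
    ]


def scan_encrypted_folders(root: str) -> List[str]:
    """Walk `root` and report plaintext EFSn.TMP files inside folders that
    carry the encrypted attribute. On non-Windows hosts st_file_attributes
    is absent, so every mask reads as 0 and no folder qualifies."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        dir_attrs = getattr(os.stat(dirpath), "st_file_attributes", 0)
        if not dir_attrs & FILE_ATTRIBUTE_ENCRYPTED:
            continue
        entries = []
        for fn in filenames:
            try:
                st = os.stat(os.path.join(dirpath, fn), follow_symlinks=False)
                entries.append((fn, getattr(st, "st_file_attributes", 0)))
            except OSError:
                # The restrictive ACL on the temp file may block stat(); a
                # matching name we cannot even inspect is still worth reporting.
                entries.append((fn, 0))
        findings.extend(os.path.join(dirpath, n) for n in find_efs_residue(entries))
    return findings


# Constructed sample listing of a folder after the PGP/EFS interaction.
SAMPLE_LISTING = [
    ("notes.txt", FILE_ATTRIBUTE_ENCRYPTED),                        # re-encrypted original
    ("EFS0.TMP", FILE_ATTRIBUTE_HIDDEN),                            # plaintext residue
    ("EFS1.TMP", FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_ENCRYPTED), # encrypted, not residue
    ("efs2.tmp", 0),                                                # residue, case-insensitive
    ("readme.tmp", 0),                                              # unrelated temp file
]
```

Running scan_encrypted_folders over a user's profile on the affected configuration lists the plaintext copies an administrator could take ownership of and read.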
Do not enable PGP's Wipe Deleted Files option if you are using Encrypted NTFS.