Tuesday, August 14, 2012

NTFS encrypted files recovery process

Encrypted files on an NTFS file system are stored in a special format that allows transparent decryption of the file data for those users who have access to the file. To support this transparent encryption, an encrypted file on disk consists of two parts:
  • the file data itself, in encrypted form;
  • the encryption metadata required to decrypt the file.
The file data is stored in the usual way, except that its content is encrypted with a symmetric file encryption key (FEK) using a strong cipher (AES-256 by default on Windows XP SP1 and later). The encryption metadata is stored as a so-called "utility stream" (a $LOGGED_UTILITY_STREAM attribute) with the special name "$EFS". It contains user identification data (security identifiers and certificate details) and one copy of the FEK per authorised user, each copy encrypted with that user's public key; where data recovery agents are configured, they get their own copies in the same stream. Only an authenticated user from this list, holding the matching private key, can decrypt an instance of the file encryption key and thus access the data.

When a file is lost (deleted or left on a damaged file system), both the encrypted data and the encryption metadata are lost with it. The software recovers both pieces and restores the association between them. On success it can use the Windows EFS backup/restore API to recreate the encrypted file by supplying the encrypted data and the encryption metadata together. It never decrypts the file data, so the recovery operator still has no access to the sensitive user information.

The restored file can only be opened by a user from the original file's access list (such as the file owner), because only that user holds the private key needed to decrypt the file encryption key.

If the file cannot be restored in encrypted form, because the operating system does not support EFS (e.g. a non-Windows OS, or Windows NT 4, which predates EFS) or the target file system does not support encryption, the file is restored in the Microsoft-specified EFS backup format instead. This format holds both the encrypted data and the encryption metadata, and it is exactly what the Windows EFS backup/restore API produces and consumes. You may use the free EFS Restoration Tool from the UFS Explorer installation package to restore encrypted files from such backups into encrypted files on NTFS.
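The API the restore path and the backup format above rely on is the EFS raw backup interface in advapi32.dll (OpenEncryptedFileRaw, ReadEncryptedFileRaw, WriteEncryptedFileRaw, CloseEncryptedFileRaw). The PowerShell script below is an added example, not code from UFS Explorer or its EFS Restoration Tool. It shows the full round trip: a raw export that captures the encrypted data together with the $EFS metadata without decrypting anything, an import that recreates the encrypted file on an NTFS volume, and the two checks an operator wants afterwards. The file paths, the EfsRaw class and its Export/Import method names are placeholders chosen for this example, and it assumes the tool's backup files are the unmodified raw stream this API defines.

```powershell
# Added example (not UFS Explorer code): raw EFS export/import via advapi32.
# Paths below are placeholders; run on Windows, on NTFS volumes with EFS enabled.
$src = @'
using System;
using System.IO;
using System.ComponentModel;
using System.Runtime.InteropServices;

public static class EfsRaw
{
    const uint ERROR_SUCCESS = 0;
    const uint CREATE_FOR_IMPORT = 1;   // OpenEncryptedFileRaw flag: create the target for import

    // Callback signatures from winbase.h: FE_EXPORT_FUNC and FE_IMPORT_FUNC
    delegate uint ExportFunc(IntPtr pbData, IntPtr pvCallbackContext, uint ulLength);
    delegate uint ImportFunc(IntPtr pbData, IntPtr pvCallbackContext, ref uint ulLength);

    [DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
    static extern uint OpenEncryptedFileRaw(string lpFileName, uint ulFlags, out IntPtr pvContext);
    [DllImport("advapi32.dll")]
    static extern uint ReadEncryptedFileRaw(ExportFunc pfExportCallback, IntPtr pvCallbackContext, IntPtr pvContext);
    [DllImport("advapi32.dll")]
    static extern uint WriteEncryptedFileRaw(ImportFunc pfImportCallback, IntPtr pvCallbackContext, IntPtr pvContext);
    [DllImport("advapi32.dll")]
    static extern void CloseEncryptedFileRaw(IntPtr pvContext);

    // Export: the system streams the still-encrypted data plus the $EFS metadata
    // into our callback. Nothing is decrypted, so no private key is needed;
    // read access to the file is enough.
    public static long Export(string encryptedFile, string backupFile)
    {
        IntPtr ctx;
        uint rc = OpenEncryptedFileRaw(encryptedFile, 0, out ctx);
        if (rc != ERROR_SUCCESS) throw new Win32Exception((int)rc);
        long written = 0;
        try
        {
            using (FileStream fs = new FileStream(backupFile, FileMode.Create, FileAccess.Write))
            {
                ExportFunc cb = delegate (IntPtr pbData, IntPtr pvCtx, uint len)
                {
                    byte[] buf = new byte[len];
                    Marshal.Copy(pbData, buf, 0, (int)len);
                    fs.Write(buf, 0, buf.Length);
                    written += len;
                    return ERROR_SUCCESS;
                };
                rc = ReadEncryptedFileRaw(cb, IntPtr.Zero, ctx);
                GC.KeepAlive(cb);          // keep the delegate alive for the native call
            }
        }
        finally { CloseEncryptedFileRaw(ctx); }
        if (rc != ERROR_SUCCESS) throw new Win32Exception((int)rc);
        return written;
    }

    // Import: feed the backup stream back. The system recreates the file with its
    // original $EFS metadata, so only the original key holders can open it.
    public static void Import(string backupFile, string targetFile)
    {
        IntPtr ctx;
        uint rc = OpenEncryptedFileRaw(targetFile, CREATE_FOR_IMPORT, out ctx);
        if (rc != ERROR_SUCCESS) throw new Win32Exception((int)rc);
        try
        {
            using (FileStream fs = new FileStream(backupFile, FileMode.Open, FileAccess.Read))
            {
                ImportFunc cb = delegate (IntPtr pbData, IntPtr pvCtx, ref uint len)
                {
                    byte[] buf = new byte[len];            // len is the buffer size on entry
                    int n = fs.Read(buf, 0, buf.Length);
                    Marshal.Copy(buf, 0, pbData, n);
                    len = (uint)n;                         // 0 tells the system the stream has ended
                    return ERROR_SUCCESS;
                };
                rc = WriteEncryptedFileRaw(cb, IntPtr.Zero, ctx);
                GC.KeepAlive(cb);
            }
        }
        finally { CloseEncryptedFileRaw(ctx); }
        if (rc != ERROR_SUCCESS) throw new Win32Exception((int)rc);
    }
}
'@
Add-Type -TypeDefinition $src

$recovered = 'D:\recovered\report.docx'          # placeholder: encrypted file the recovery tool wrote back
$backup    = 'D:\staging\report.docx.efsraw'     # placeholder: raw backup, still encrypted
$restored  = 'E:\restored\report.docx'           # placeholder: target on an NTFS volume

$bytes = [EfsRaw]::Export($recovered, $backup)
"exported $bytes raw bytes (encrypted data + `$EFS metadata)"

[EfsRaw]::Import($backup, $restored)

# Checks after a restore:
# 1. the Encrypted attribute is set on the result
(Get-Item $restored).Attributes -band [IO.FileAttributes]::Encrypted
# 2. which certificates (users and recovery agents) can decrypt it
cipher.exe /c $restored
```

The account running the script needs only file-system access to the source and target paths; it does not need any EFS certificate, which is the property the recovery process above depends on. If the second check lists no certificate the user still holds (and no recovery agent), the file is recoverable but not readable, so checking `cipher /c` before handing the file back saves a support call.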
