A: Yes, starting with Windows Server 2008 and Windows Vista, Microsoft supports storage of the EFS private key on a user's smart card. Microsoft provides a Group Policy Object (GPO) setting that will require the use of a smart card for EFS. You can find this setting in the properties of the Encrypting File System container in the Computer Configuration\Windows Settings\Security Settings\Public Key Policies folder.

As Figure 1 shows, the Encrypting File System Properties dialog box includes the Create caching-capable user key from smart card configuration option. This setting lets the administrator select either the cached or non-cached mode of operation for the EFS private key storage on smart cards.

EFS_Properties_smFig1
Figure 1: The Encrypting File System Properties dialog box  (Click image for larger view)

Non-cached mode means that all EFS decryption operations that require the user's private key are done on the smart card. Cached mode means that Windows automatically derives a special symmetric key from the user's private key and caches it in protected system memory on the computer, not on the smart card. Cached mode implies that all standard EFS operations that normally involve the user's private key are replaced with symmetric cryptographic operations that use the special symmetric key.

Cached mode positively impacts EFS performance when using smart cards for private key storage because EFS doesn't need to call on the smart card processor for every EFS encryption or decryption operation. Cached mode also eliminates the need to keep the user's smart card plugged in to the smart card reader. You can enable the EFS cached mode of operation for the EFS private key storage on smart cards by selecting the Create caching-capable user key from smart card option on the General tab in the EFS properties dialog box, as Figure 1 shows.