Windows EFS - can decryption keys be kept on HSM or similar?
Hi,

Windows EFS - can decryption keys be kept on an HSM for "online" use? I have file servers (2003 and 2008) that are accessed by application servers (processes) and regular users. I want to use EFS for file and folder encryption, but want to store keys on an HSM and/or other physical device so that the keys aren't on the server. I want to use the HSM or similar both for users and the processes. (I prefer that the regular users don't use smartcards.)

I'd appreciate any help. Thank you.

sk
April 3rd, 2012 6:37pm

You must have either lots of money for your deployment or a very small # of client computers.

Each client would have to be set up as a client of the HSM ($$ / client).
Today's network attached HSM will support up to 100 clients, so for each 100 clients, you need one HSM + 100 client access licenses.
You cannot use DHCP since the client must have a static IP address.
I am not even sure if an HSM protected certificate is supported.

If you want that level, the only supported method (running on Vista or later) is smart cards. So if you want that level of key protection, this is your solution.

Brian
April 3rd, 2012 11:30pm

