CA deleted - Can't decrypt files

OK, I've messed up!

I've deleted my domain CA (test environment!) without realising that I did
in fact have some EFS encrypted files using certificates issued from it. I've
kicked myself a number of times now....

efsinfo.exe describes the files as encrypted using one of two certificates.
One of which I have in my certificate store, the other I'm assuming is lost.
Even with the certificate I have, I no longer have the CA that issued it. It
also describes the RA for the files, however, I'm unable to identify the
thumbprint for the RA certificate and so am unable to confirm if I have that
certificate. Again, though, I won't have the issuing CA.

Explorer GUI and cipher.exe are unable to decrypt the files - Access Denied,
unsurprisingly :-(

I know the future is, in this case, not very bright at all but I wondered if
you gurus might have any options before I delete the files.

.....and before you say it :-) I know that Certificate Services uninstall
warns about EFS encrypted files - I just completely forgot that I'd encrypted
them.

Cheers for your advice, guys.

Dave.
 
In the microsoft.public.win2000.security news group, in reply to David Adams:

You're going to have to look elsewhere for the solution to your inability to access your
encrypted files as uninstalling Certificate Services will have zero impact on your
ability to access those files.

--
Paul Adare - MVP Virtual Machines
http://www.identit.ca
"It all began with Adam. He was the first man to tell
a joke--or a lie. How lucky Adam was. He knew when he
said a good thing, nobody had said it before. Adam was
not alone in the Garden of Eden, however, and does not
deserve all the credit; much is due to Eve, the first
woman, and Satan, the first consultant." - Mark Twain
 
When you found the certificate for EFS make sure that the general page of
the certificate properties says that you have a private key that corresponds
with this certificate and if that is the case make sure you can export that
certificate and private key to a password protected .pfx file. If you cannot
export it there is some sort of problem with the certificate/private key
such as corruption which would explain why you cannot decrypt the files
assuming it indeed has the matching thumbprint. It would be worth trying to
track down the RA. For a domain usually the RA is the built in administrator
account on the first domain controller created for the domain so that is
where I would look first. It may also be worth trying the free version of
the EFS recovery program from Elcomsoft on your computer where the EFS files
are located to see if it can find and allow you to access the correct EFS
private key for your EFS files. If it can then it may be worth purchasing
the full version to recover your files if they are worth $100 to you. ---
Steve

http://www.elcomsoft.com/aefsdr.html
http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316 --- EFS
best practices.
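
The check described in the reply above (thumbprint match, private key present, export to a password-protected .pfx), as an added PowerShell example that is not part of the original thread. It assumes a Windows version with PowerShell and the PKI module's `Export-PfxCertificate`; `Get-EfsKeyStatus` is a hypothetical helper name and the thumbprints are constructed placeholders.

```powershell
# Added example: thumbprints are constructed placeholders; replace them with the
# values efsinfo.exe prints for the file (user certificate and recovery agent).
$reported = @(
    '00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF 00 11 22 33',
    'FFEEDDCCBBAA99887766554433221100FFEEDDCC'
)
# EKU OIDs that mark a certificate as usable for EFS or EFS file recovery.
$efsOids = @{
    '1.3.6.1.4.1.311.10.3.4'   = 'Encrypting File System'
    '1.3.6.1.4.1.311.10.3.4.1' = 'File Recovery'
}

function Get-EfsKeyStatus {   # hypothetical helper name
    param([string[]]$Thumbprint, [string]$StorePath = 'Cert:\CurrentUser\My')
    foreach ($raw in $Thumbprint) {
        # Normalise "AA BB .." or "aabb.." to the store's upper-case hex form.
        $tp = ($raw -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
        $cert = Get-ChildItem -Path $StorePath | Where-Object { $_.Thumbprint -eq $tp }
        $usages = @()
        if ($cert) {
            $usages = $cert.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                ForEach-Object { $_.EnhancedKeyUsages } |
                Where-Object { $efsOids.ContainsKey($_.Value) } |
                ForEach-Object { $efsOids[$_.Value] }
        }
        [pscustomobject]@{
            Thumbprint    = $tp
            InStore       = [bool]$cert
            HasPrivateKey = [bool]($cert -and $cert.HasPrivateKey)
            EfsUsage      = $usages -join ', '
            Subject       = if ($cert) { $cert.Subject } else { $null }
        }
    }
}

$status = Get-EfsKeyStatus -Thumbprint $reported
$status | Format-Table -AutoSize

# Export each certificate that has a private key to a password-protected .pfx.
# EndEntityCertOnly skips chain building, since the issuing CA no longer exists.
$pw = Read-Host -AsSecureString -Prompt 'PFX password'
foreach ($s in $status | Where-Object { $_.HasPrivateKey }) {
    $path = Join-Path $env:USERPROFILE "efs-$($s.Thumbprint).pfx"
    try {
        Export-PfxCertificate -Cert "Cert:\CurrentUser\My\$($s.Thumbprint)" -FilePath $path -Password $pw -ChainOption EndEntityCertOnly -ErrorAction Stop | Out-Null
        "exported $path"
    } catch { "export failed for $($s.Thumbprint): $($_.Exception.Message)" }
}
```

Run it as the user who encrypted the files, then again as the account suspected of being the recovery agent; a row with `InStore` true and `HasPrivateKey` false means only the public certificate is present.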
 
.... additionally, one of the best discussions of recovery of EFS-encrypted
files is at www.beginningtoseethelight.org

Typically, unless the computer was joined to a Windows AD domain, recovery
requires that you have the ability to access, undelete or otherwise recover
the files from the user profile in c:\documents and settings\ used to encrypt
the file.

I agree that I am not familiar with any situation where a CA would be
involved in EFS file encryption.
 