EFS, Encrypting File System document missing

M. Jennings said:
This page is missing:
TITLE: How to restore an EFS private key for encrypted data recovery
http://support.microsoft.com/kb/242296
Note that that link is dead.

Is there another page which contains this information:
"How to restore an EFS private key for encrypted data recovery"

The link is referenced on this page:
http://support.microsoft.com/?id=241201#2

You have to import the certificate. Here are some other links. I'm paranoid
about disguising links so they are long and may word wrap.

Kerry

http://www.microsoft.com/resources/...windows/xp/all/reskit/en-us/prnb_efs_uizt.asp

http://www.microsoft.com/resources/...ll/proddocs/en-us/sag_seconceptsimpefsbp.mspx

http://www.microsoft.com/windowsxp/...ome/using/productdoc/en/sag_CMprocsImport.asp
 
Kerry,

Have you ever copied encrypted files to a USB drive, for example, and been
able to read them on another computer after importing the certificate?

Also, doesn't the certificate contain only the certificate, and not the
private key? Yet they talk about importing and exporting certificates.

I tried exporting and importing a key, and I could not read the files on a
second stand-alone computer.

_____________________
 
M. Jennings said:
Kerry,

Have you ever copied encrypted files to a USB drive, for example, and been
able to read them on another computer after importing the certificate?

Also, doesn't the certificate contain only the certificate, and not the
private key? Yet they talk about importing and exporting certificates.

I tried exporting and importing a key, and I could not read the files on a
second stand-alone computer.

It's been a couple of years, but yes I have done it. It was in a domain
environment but that shouldn't make a difference. I moved some encrypted
files to a home computer running Windows 2000. I successfully imported the
certificate from a floppy and was able to view and edit them, then transport
them back to the network site where they were also usable.

Kerry
 
M. Jennings said:
Kerry,

Have you ever copied encrypted files to a USB drive, for example, and been
able to read them on another computer after importing the certificate?

Also, doesn't the certificate contain only the certificate, and not the
private key? Yet they talk about importing and exporting certificates.

I tried exporting and importing a key, and I could not read the files on a
second stand-alone computer.

I just tried it again and it worked. When exporting the key make sure you
tick the box "Yes, export private key". After that I just used all the
defaults for the rest of the dialog. When importing I just used the
defaults.

Kerry
 
Kerry,

Excellent. However, I haven't been able to make it work. I must be doing
something wrong, obviously.

I was worried about backing up the wrong certificate, so I deleted my personal
certificates from:

Local Computer Policy/ Windows Settings/ Security Settings/ Public Key
Policies/ Encrypting File System/

and

Certificates - Current User/ Personal/ Certificates/

and

Certificates - Current User/ Trusted People/ Certificates/

However, I am still able to decrypt a pre-encrypted file.

So, which Certificate is active, and where is it? Second, how can a
certificate be enough, when the certificate does not include the private key?

You were logged in as Administrator? Where did you export the Certificate and
private key? Where did you import it?

I'm not on a domain. These are laptop computers I am using for test.

Thanks for the attention.

Michael

_________________________
 
M. Jennings said:
Kerry,

Excellent. However, I haven't been able to make it work. I must be doing
something wrong, obviously.

I was worried about backing up the wrong certificate, so I deleted my
personal certificates from:

Local Computer Policy/ Windows Settings/ Security Settings/ Public Key
Policies/ Encrypting File System/

and

Certificates - Current User/ Personal/ Certificates/

and

Certificates - Current User/ Trusted People/ Certificates/

However, I am still able to decrypt a pre-encrypted file.

So, which Certificate is active, and where is it? Second, how can a
certificate be enough, when the certificate does not include the private
key?

Run mmc.exe. Add in the Certificates snap in. When prompted pick "Manage
certificates for my user account". Expand the Personal tree. Look in the
Certificates folder. There was only one cert there it had my user name.
Right click on it and check the properties to make sure it is the efs cert.
Under "All Tasks" pick export and follow the prompts making sure to save the
private key with it.
You were logged in as Administrator? Where did you export the Certificate
and private key? Where did you import it?

No I wasn't logged in as administrator. I encrypted a file, then logged in
as a different user to confirm I couldn't access the file. I logged back in
as myself and moved the file to a shared folder on a server. At this point
other users could see the file but couldn't access it. I logged in as myself
and exported the certificate to the same shared folder. I went to another
computer, logged in as a different user again and tried to access the file.
Access was denied. I imported the certificate with the Certificates mmc snap
in. I was then able to access the encrypted file no problem.
I'm not on a domain. These are laptop computers I am using for test.

Should work the same. Hope this helps.

Kerry
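Kerry's mmc export procedure, scripted as an added example that is not from this thread. It assumes a current Windows with the PKI PowerShell module and .NET Framework 4.7.2 or later (not the XP-era tools discussed above); the destination path and password are placeholders. It also answers the certificate-versus-private-key question raised earlier: only a PFX (PKCS #12) export carries the private key, and the script verifies that before the file is trusted as a backup.

```powershell
# Added example (not from the thread): locate the EFS certificate(s) in the
# current user's Personal store, export one WITH its private key as a PFX,
# and verify the exported file really carries the key before relying on it.
$EfsEku  = '1.3.6.1.4.1.311.10.3.4'      # Encrypting File System EKU OID
$PfxPath = 'D:\efs-backup\efs-key.pfx'     # placeholder destination, replace
$PfxPass = Read-Host -AsSecureString -Prompt 'PFX password'

# 1. Which certificate is the "active" EFS one? Only a cert that carries the
#    EFS EKU *and* whose private key is present in this profile can decrypt.
$efsCerts = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.EnhancedKeyUsageList.ObjectId -contains $EfsEku
}
$efsCerts | Format-Table Subject, Thumbprint, HasPrivateKey, NotAfter -AutoSize

$exportable = $efsCerts | Where-Object HasPrivateKey
if (-not $exportable) {
    throw 'No EFS certificate with a private key in CurrentUser\My; nothing to back up.'
}

# 2. Export the first usable one as PFX. A .cer export holds only the public
#    certificate; the PFX is what bundles the private key that decrypts files.
$cert = $exportable | Select-Object -First 1
New-Item -ItemType Directory -Path (Split-Path $PfxPath) -Force | Out-Null
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $PfxPass | Out-Null

# 3. Verify the backup: reload the PFX without persisting its key and confirm
#    the private key travelled with the certificate and the thumbprint matches.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
    $PfxPath, $PfxPass, $flags)
if (-not $check.HasPrivateKey) {
    throw "$PfxPath does not contain the private key; do not trust it as a backup."
}
if ($check.Thumbprint -ne $cert.Thumbprint) {
    throw 'Exported certificate thumbprint does not match the store certificate.'
}
"EFS key backed up: thumbprint $($check.Thumbprint) -> $PfxPath"

# On the second computer, import into the same per-user store:
#   Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\CurrentUser\My -Password $PfxPass
# then run: cipher.exe /c <encrypted file>
# which lists the certificate thumbprints able to decrypt that file, so you can
# confirm the imported thumbprint is the one the file was encrypted to.
```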
 
Kerry,

Thanks very much for the help.

According to the very poor Microsoft documentation, the operation under a
domain is considerably different.

Yet your explanation is logical. I will give it another try.

However, I deleted my certificates. Why can I still decrypt the test files?

I'm reluctant to use a system that I don't completely understand, especially
one as important as this. There are many, many unhappy stories on the news
groups of users not being able to retrieve their files.


________________________________
 
Kerry,

You said, "I logged in as myself and exported the certificate to the same
shared folder."

I don't know what that means. Could you explain? I don't know how to export a
certificate to a folder.

Michael

__________________
 
M. Jennings said:
Kerry,

You said, "I logged in as myself and exported the certificate to the same
shared folder."

I don't know what that means. Could you explain? I don't know how to
export a certificate to a folder.

You have to pick somewhere to save the exported certificate to. I chose the
same folder where I had saved the encrypted file. It doesn't have to be
there. It could be a floppy disk, a folder on your hard drive, it doesn't
really matter. It just has to be somewhere you can import it when at the
other computer. Once it is exported to a file you can copy that file at
will.

Kerry
 
M. Jennings said:
Kerry,

Thanks very much for the help.

According to the very poor Microsoft documentation, the operation under a
domain is considerably different.

Yet your explanation is logical. I will give it another try.

However, I deleted my certificates. Why can I still decrypt the test
files?

I'm reluctant to use a system that I don't completely understand,
especially one as important as this. There are many, many unhappy stories
on the news groups of users not being able to retrieve their files.

Once you learn how to export and import the certificates it's no problem.
The people who have problems are the ones who don't take the time to learn
how efs works. They don't save a copy of the certificate. When their
computer has a problem such that they have to reinstall Windows the
certificate is gone and they have lost access to any encrypted files.
Always! always! export the certificate and keep a couple of copies in safe
places. Save it on floppy, save it on CDROM, just make sure to save it. If
you are not comfortable with efs you could also investigate PGP
http://www.pgp.com

Kerry
 
Kerry,

I decided I just don't have enough information to use EFS. In the newsgroups
there are many stories of people losing their information. Microsoft makes it
easy to encrypt, and difficult to know how to make your files safe. The
explanation of how it works is just not there.

I ran EFSInfo on my test directory. Even though I deleted my personal
certificate, the files are automatically decrypted. This shows that I don't
understand how it works.

Also, I'm worried about not being on a domain. I tried what you suggested
before, with stand alone computers, and was not able to make it work.

I cannot copy the test encrypted folder without decrypting the contents. It is
suggested to use NTBackup for this, but NTBackup does not work on the two
computers I tried. (I have only four computers here.) That's another of those
knotty problems that could take many hours to debug.

I don't understand why they say "Recovery Certificate", when supposedly the
Recovery Certificate does not include the private key. With no private key, it
is impossible to decrypt files.

Michael

____________________
 
M. Jennings said:
I decided I just don't have enough information to use EFS. In the
newsgroups there are many stories of people losing their information.
Microsoft makes it easy to encrypt, and difficult to know how to make your
files safe. The explanation of how it works is just not there.

I ran EFSInfo on my test directory. Even though I deleted my personal
certificate, the files are automatically decrypted. This shows that I
don't understand how it works.

Also, I'm worried about not being on a domain. I tried what you suggested
before, with stand alone computers, and was not able to make it work.

I cannot copy the test encrypted folder without decrypting the contents.
It is suggested to use NTBackup for this, but NTBackup does not work on
the two computers I tried. (I have only four computers here.) That's
another of those knotty problems that could take many hours to debug.

I don't understand why they say "Recovery Certificate", when supposedly
the Recovery Certificate does not include the private key. With no private
key, it is impossible to decrypt files.

EFS is not Microsoft's finest moment. The encryption/decryption works as
advertised. As you have found out making sure you can always decrypt it can
be a problem. I quit using it myself a couple of years ago. None of my data
is that sensitive. I do have to support people who use it though so I made
sure I knew the ins and outs. So far I've not lost any data. Came close once
when I thought I had a copy of the certificate. Turned out I didn't and the
computer it was on was wiped clean and sold. Luckily I had good backups but
it took most of a day to recover the certificate from the backup tape.

Good luck, take a look at PGP it may do what you want.

Kerry
 
Thanks for all the information. It has been very helpful.

Next time you have a knotty problem, send me a message, and I will see if I
can help.

Michael

______________
 