EFS multiple certificates associated with single user

anita

Hello,
I have a number of files in my account which I cannot decrypt and some that
I can.

I looked at the certificate thumbnails for these files and of course they
were different.

The snap-in shows four certificates (say A,B,C and D) under "Personal" all
with the same user name, Issued By, Issued To and Purpose (for EFS)

When I right-click on the non-decryptable file and follow through to "Users
who can transparently access this file", it shows one of the certificates
(let's say A), but that is not my current certificate, which is shown through
EFSinfo, say B.
When I clicked on Add, it shows only B and C, i.e., 2 out of 4, from the list of
certificates available according to the snap-in.

All this is very mystifying.

Why are there multiple certificates with the same "Intended purpose" of
"Encrypted File System"? How can I make the system decrypt the old files?

The only thing I have done is change passwords. I was able to use the aefsdr
tool to recover files, but I don't understand why this does not happen
automatically.

Can someone please shed light on this behaviour? Perhaps I don't really
understand how this works...

thanks
Anita
 
As long as you have an EFS certificate and private key in your Personal
certificates store, EFS can still decrypt files that were encrypted with
it--even if it's not your current EFS key. If you still have the private key
for certificate "A," you should still be able to decrypt files that were
encrypted with "A."

Your EFS keys are encrypted with a hash that is based on your password.
After you change passwords, that hash must be decrypted and then re-encrypted
with your new password. In order to do that, your machine must be able to
reach a domain controller on your network. See this link for more details:
http://support.microsoft.com/default.aspx?scid=kb;en-us;322346

Hope that helps.

Thanks.
Pat
 
Thanks for your reply Pat,
I don't have a domain controller. It's just a regular workstation which I
use to access the net.

I understand that as long as I have the certificate and key that I
encrypted the files with I can decrypt the files. I assumed that this
happened automatically. But apparently not.
I was able to recover SOME of the files through the mentioned software
"aefsdr". I had to specify my old passwords to do that.

Could you please tell me what steps I need to do with just the OS (no
special software) to recover my files?

I do have all the previous passwords.
Thanks much
 
Do you make password changes by "resetting" the password? If a user's
password is reset (rather than changed with Ctrl+Alt+Del), the EFS
certificate/key will not be automatically decrypted with the old password.
If EFS can't get the previous current key, it will generate a new
certificate/key the next time you encrypt. That may account for the multiple
certificates in your Personal store.

Here are a few things to try for those unrecovered files:
1. Open the properties of a file you haven't been able to recover and click
to the Encryption Details page. Make a note of the "User Name" certificate
and its thumbprint (e.g., 1475 ED32 98B3...).
2. Open your Certificates snap-in, right-click Personal, select View >
Options, and check "Archived certificates" to be sure all of your old EFS
certificates will display.
3. Click the Personal > Certificates node to display all your certificates
in the right pane.
4. Open each certificate and scroll down in the Details page to find the
certificate that has the matching thumbprint--let's say CertA.
5. Right-click CertA and select All Tasks > Export to launch the wizard.
6. Click to the "Export Private Key" page and find the "Yes, export the
private key" radio button. If you can select the option, you have the
private key and should be able to decrypt the file unless the key is
corrupted. If that option is grayed out, you (and EFS) do not have access to
the private key for that certificate. It could be that the key is still
encrypted with one of your former passwords. AEFSDR should be able to help
if you remember that password. There's no software in the OS that can do
that.

Hope that helps. Good luck.

Thanks.
Pat
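Steps 1 to 6 above can be checked in one pass from PowerShell. The script below is an added example, not something from this thread or from Microsoft: it reads the thumbprints that `cipher /c` prints for a file, looks each one up in the current user's Personal store, and reports whether the matching certificate carries the EFS purpose and whether its private key can actually be opened (the equivalent of the "Yes, export the private key" option being available). The `Certificate thumbprint:` line format and the EFS EKU OID `1.3.6.1.4.1.311.10.3.4` are assumptions stated in the comments.

```powershell
# Added example (not from the thread): compare the thumbprints an EFS file
# was encrypted with against the certificates and keys in Cert:\CurrentUser\My.
# Assumption: cipher.exe /c prints one "Certificate thumbprint: 1475 ED32 ..."
# line per authorised user; the regex below is written for that format.
$EfsEku = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU OID (assumed)

function Get-EfsFileThumbprints {
    param([Parameter(Mandatory)][string]$Path)
    $out = & cipher.exe /c $Path 2>&1
    foreach ($line in $out) {
        if ("$line" -match 'thumbprint:\s*([0-9A-Fa-f ]+)\s*$') {
            # Normalise "1475 ED32 98B3 ..." to the store's "1475ED3298B3..." form
            ($Matches[1] -replace '\s', '').ToUpperInvariant()
        }
    }
}

function Test-EfsKeyAvailability {
    param([Parameter(Mandatory)][string]$Path)
    $store = @(Get-ChildItem Cert:\CurrentUser\My)
    foreach ($tp in Get-EfsFileThumbprints -Path $Path) {
        $cert = $store | Where-Object { $_.Thumbprint -eq $tp }
        if (-not $cert) {
            $note = 'certificate not in Personal store (check archived certificates)'
            [pscustomobject]@{ Thumbprint = $tp; InStore = $false; KeyUsable = $false; Note = $note }
            continue
        }
        $isEfs = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -contains $EfsEku
        # HasPrivateKey only says a key container is linked; opening the key is
        # what fails when the container is still protected by a former password.
        $keyUsable = $false
        if ($cert.HasPrivateKey) {
            try { $keyUsable = ($null -ne $cert.PrivateKey) } catch { $keyUsable = $false }
        }
        if (-not $isEfs) { $note = 'certificate lacks the EFS purpose' }
        elseif ($keyUsable) { $note = 'private key opens; EFS should decrypt this file' }
        else { $note = 'private key not usable (likely protected by an old password)' }
        [pscustomobject]@{ Thumbprint = $tp; InStore = $true; KeyUsable = $keyUsable; Note = $note }
    }
}

# Usage: Test-EfsKeyAvailability -Path 'C:\Users\anita\secret.txt' | Format-Table -AutoSize
```

A row whose Note says the private key is not usable corresponds to the grayed-out export option in step 6; a row with InStore false means the certificate was removed or archived rather than merely locked.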
 
Pat,
The problem with the hotfix does appear to be similar to mine, in that I
did make password changes through an expired password. But if it were the
same problem as the hotfix one, I should have been able to recover my
files once I changed back to my old password. I could not.
However, I COULD recover files through aefsdr after supplying the same
passwords. Now I know which passwords apply to each of the files.

I am going to talk about specifics here if I may. Currently there are
three certificates in the personal store, CertA, CertB and CertC. CertC
is the current certificate. Problem files are encrypted with
CertA/CertB. (Actually there is another CertD, but I'll get to that
when I've understood this problem!)

I tried to do what you suggested, in the Certificates add-in: Personal >
Certificates > All Tasks > Export private key. "Yes, export the private key" is
available only for the current user certificate. CertA and CertB have
the option greyed out.
If the private key is not really available/corrupted, how come
'aefsdr' finds the private keys for CertA and CertB by scanning the drive
and then proceeds to decrypt the file with these keys?

On each of the files with either CertA/CertB, I tried the following:
adding to "Users who can trans...". The available list of unadded
certificates showed CertC, the current certificate. I clicked on it and
added it; it did not complain. It just did nothing and closed the window. It does
not even give me an error message.

So is there some code somewhere which compares certificate thumbnails
while listing potential addable certificates, but compares just user
names just before adding?

Thanks
 
The Certificates snap-in does not have access to the private keys for
CertA/CertB because those keys are encrypted with previous passwords. The
snap-in can only access (or export) keys encrypted with your current
password. AEFSDR is an application that has the functionality to decrypt
keys that are encrypted with previous passwords. That's why AEFSDR can
access those keys.

I couldn't reproduce your add-user scenario. The current certificate did
not get added to the file in my case. Perhaps you can find the answer here:
http://www.microsoft.com/resources/...Windows/XP/all/reskit/en-us/prde_ffs_phvy.asp
Scroll down to the "Authorizing Multi-User Access." There's also much
information about EFS in general in the Resource Kit that might be helpful to
you. (Be sure to run "cipher /x" to back up your current certificate/key.
That's the best protection for any future issues.)

Thanks.
Pat
 