EFS On Drive Works With >1 Computer?

If I encrypt my files with EFS on a slave drive and then remove the drive
from the computer to use in another computer (ex. if the original computer
breaks down), will I still be able to read them from the other computer or do
I need the master drive? -Mihir
 
You need the keys which will probably be on the master drive.
If you format, lose or otherwise lose access to the primary, your data is as
good as gone and you should not expect to regain access EVER.
See the links near the bottom of this page for proper procedures to help you
protect your data:
http://www3.telus.net/dandemar/encrypt.htm
 
So if I export the certificate from Internet Explorer and save it on my slave
drive, I should be able to see the files on an XP Pro computer after
importing the certificate, right? -Mihir
 
Mihir Kotwal said:
So if I export the certificate from Internet Explorer and save it on my slave
drive, I should be able to see the files on an XP Pro computer after
importing the certificate, right? -Mihir

Probably if you are in an AD environment. If you are not then a lot of
trial and error is usually involved in getting it working. If you are not in
a domain I suggest you search for an alternate encryption method.

Kerry
 
So it isn't as easy as importing the certificate on the second computer and
then being able to use the files as if it was on the first computer? -Mihir
 
Mihir Kotwal said:
So it isn't as easy as importing the certificate on the second computer and
then being able to use the files as if it was on the first computer? -Mihir

If you are using AD, yes. If not, then no. It can be made to work out of a
domain but it is complicated, time consuming, and fraught with the
possibility of data loss. If you use it make sure you test encrypting and
decrypting several times on several computers so you know how it works
inside out. Make sure you have copies of the certificates with keys stored
in a safe place, like on several floppies and/or CDROMs stored away
somewhere. It is best to have an image of the system used to encrypt the
files stored somewhere as well.

Kerry
 
I have Windows Server 2003 as a domain controller and it has the slave drive
I am talking about. I also have a Win XP Pro computer. I want to be able to
read the files on the slave drive of the Server on the XP computer in case
the server breaks down (meaning the domain would also not work) and I need
the files urgently. What is the barrier that makes the process so time
consuming? -Mihir
 
Mihir Kotwal said:
I have Windows Server 2003 as a domain controller and it has the slave drive
I am talking about. I also have a Win XP Pro computer. I want to be able to
read the files on the slave drive of the Server on the XP computer in case
the server breaks down (meaning the domain would also not work) and I need
the files urgently. What is the barrier that makes the process so time
consuming? -Mihir

There are several steps that must be done in exactly the right order. That
is why I recommend you test it on several computers first. Make sure one of
the computers you test it on is not and never has been joined to the domain.
The testing and learning how it works is the time consuming part. EFS works
exactly as advertised. It is impossible to decrypt if something goes wrong.
Theoretically if you had access to a super computer and the MS algorithms
you may be able to break it. You are better off with using physical security
(i.e. locking up the data in a safe place) if at all possible. In any case
make sure you have the server backed up. You may not be able to decrypt the
files until AD is up and running again.

Kerry
 
I just went to Help and Support Center to see if it says anything. On
ms-its:C:\WINDOWS\Help\encrypt.chm::/encrypt_to_recover_agent.htm, it says
"An alternate procedure would involve physically transporting the recovery
agent's private key and certificate, importing the private key and
certificate, decrypting the file or folder, and then deleting the imported
private key and certificate. This procedure exposes the private key more than
the procedure above but does not require any backup or restore operations or
file transportation."

In ms-its:C:\WINDOWS\Help\encrypt.chm::/encrypt_to_recover_encrypted.htm, it
says "You can recover an encrypted file or folder yourself if you have kept a
backup copy of your file encryption certificate and private key in a .pfx
file format on a floppy disk. Use the import command from Certificates in
Microsoft Management Console (MMC) to import the .pfx file from the floppy
disk into the Personal store."

I am very sorry that I didn't go to Help and Support Center before sending a
message to this newsgroup. -Mihir
 
Mihir Kotwal said:
I just went to Help and Support Center to see if it says anything. On
ms-its:C:\WINDOWS\Help\encrypt.chm::/encrypt_to_recover_agent.htm, it says
"An alternate procedure would involve physically transporting the recovery
agent's private key and certificate, importing the private key and
certificate, decrypting the file or folder, and then deleting the imported
private key and certificate. This procedure exposes the private key more than
the procedure above but does not require any backup or restore operations or
file transportation."

In ms-its:C:\WINDOWS\Help\encrypt.chm::/encrypt_to_recover_encrypted.htm, it
says "You can recover an encrypted file or folder yourself if you have kept a
backup copy of your file encryption certificate and private key in a .pfx
file format on a floppy disk. Use the import command from Certificates in
Microsoft Management Console (MMC) to import the .pfx file from the floppy
disk into the Personal store."

I am very sorry that I didn't go to Help and Support Center before sending a
message to this newsgroup. -Mihir

As I have already said numerous times, try it to see if it works for you.
Encrypt a test file. Try to decrypt it on a computer that is not and has
never been in the domain. Until you test this and can do it several times
with different files in different situations do not rely on doing it in a
panic situation. Google to see all the problems people have with EFS. It
works great. It can be made to do what you want to do. If something goes
wrong you will lose your data. There are many things that can go wrong.

Kerry
 
Here are a few tips to make it work:

1. The second computer must be using the same (or higher) encryption
algorithm as the first. (WS2003 and WXPsp2 both use AES.)
2. When exporting, select to export the private key. (The export should
create a .pfx file.)
3. When importing the .pfx file, *do not* select to enable strong private
key protection. (Take the default settings during the import and you'll be
okay.)
4. You'll need at least READ permission on the files. You may have to take
ownership when on the second computer.

Thanks.
Pat
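
A rehearsal of the export/import steps in the tips above, combined with the test-first advice given earlier in the thread, as an added example that is not part of the original posts. It assumes Windows 8 / Server 2012 or later, where the PKI module provides `Export-PfxCertificate` and `Import-PfxCertificate` (on the XP and Server 2003 systems discussed here, the Certificates MMC snap-in does the same job); the drive letters, folder and file names are hypothetical.

```powershell
# Added example: EFS key export/import drill. Run with -Phase Export on the
# machine that encrypts, then with -Phase Import on the recovery machine.
param(
    [ValidateSet('Export', 'Import')]
    [string]$Phase = 'Export',
    [string]$PfxDir   = 'F:\efs-keys',             # hypothetical removable media
    [string]$TestFile = 'E:\efs-drill\drill.txt'   # hypothetical file on the data drive
)
$ErrorActionPreference = 'Stop'
$efsOid   = '1.3.6.1.4.1.311.10.3.4'               # Encrypting File System EKU
$marker   = 'EFS drill marker'
$password = Read-Host 'PFX password' -AsSecureString

if ($Phase -eq 'Export') {
    # Encrypt a throwaway file so the drill never touches real data.
    New-Item -ItemType Directory -Force -Path (Split-Path $TestFile) | Out-Null
    New-Item -ItemType Directory -Force -Path $PfxDir | Out-Null
    Set-Content -Path $TestFile -Value $marker
    (Get-Item $TestFile).Encrypt()

    # Tip 2: only a certificate exported together with its private key can decrypt.
    $certs = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $efsOid)
    })
    if ($certs.Count -eq 0) { throw 'No EFS certificate with a private key found.' }
    foreach ($c in $certs) {
        $pfx = Join-Path $PfxDir "$($c.Thumbprint).pfx"
        Export-PfxCertificate -Cert $c -FilePath $pfx -Password $password | Out-Null
        Write-Output "Exported $($c.Thumbprint) to $pfx"
    }
}
else {
    # Tip 3: import with default settings; no extra key-protection options are passed.
    Get-ChildItem -Path $PfxDir -Filter *.pfx | ForEach-Object {
        Import-PfxCertificate -FilePath $_.FullName -Password $password `
            -CertStoreLocation Cert:\CurrentUser\My | Out-Null
    }
    # Tip 4: an access-denied error here means the key or NTFS read permission is missing.
    $text = Get-Content -Path $TestFile -TotalCount 1
    if ($text -ne $marker) { throw "Unexpected content in $TestFile" }
    Write-Output "Decrypted $TestFile with the imported key."
}
```

After a recovery on a machine that is not normally yours, delete the imported certificate and private key again, as the Help text quoted earlier in the thread describes.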
