Encryption

  • Thread starter: Richard
Brian Komar said:
EFS will use the one referenced in the registry by its thumbprint.
I am on the road this week and cannot look it up, but a registry entry
contains the thumbprint of the active certificate.
Typically, it is the one that was there first when you started encrypting.

Thanks for the input Brian. I'll see if I can pull out the reg path later.
That explains why my expectation, that it would do the reasonable
thing and try the one which matches, does not happen.

Roger
 
Perhaps your most direct route to move forward would then be to
- make sure anything encrypted with the other cert was copied into
a clear, unencrypted form
- export and save the other cert and key pair
- remove the other cert from the account's cert store
- see if things work, and if not yet
remove the copied-in cert/key and then re-add it (do not attempt
to encrypt anything in the meantime, and you will get yet another
EFS cert/key pair generated)
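As an added illustration of the two posts above (it is not code from anyone in this thread), the PowerShell below reads the thumbprint that EFS treats as the active certificate, lists the EFS-capable certificates in the user's personal store, and marks which one matches; it also backs up a chosen certificate and key to a PFX file, which is the "export and save" step in Roger's list. The registry location `HKCU\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys`, value `CertificateHash`, is my assumption for the entry Brian refers to, and the export path and password are placeholders.

```powershell
# Added example, not from the thread. Run as the user whose files are encrypted.

# Assumption: this is the registry entry Brian mentions; CertificateHash is the
# REG_BINARY SHA-1 thumbprint of the certificate EFS currently uses.
$currentKeysPath = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys'

# Enhanced Key Usage OID that marks a certificate as usable for EFS.
$efsEkuOid = '1.3.6.1.4.1.311.10.3.4'

function Get-ActiveEfsThumbprint {
    # Returns the thumbprint EFS will use, or $null if the value is absent.
    $item = Get-ItemProperty -Path $currentKeysPath -Name CertificateHash -ErrorAction SilentlyContinue
    if (-not $item) { return $null }
    # Render the byte array in the same upper-case hex form the Cert: drive shows.
    return (($item.CertificateHash | ForEach-Object { $_.ToString('X2') }) -join '')
}

function Get-EfsCertificates {
    # All certificates in the user's personal store that carry the EFS EKU.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.EnhancedKeyUsageList.ObjectId -contains $efsEkuOid
    }
}

function Show-EfsCertificateStatus {
    # One row per EFS certificate; Active is $true only for the one the
    # registry points at, which is the one EFS actually uses for new files.
    $active = Get-ActiveEfsThumbprint
    Get-EfsCertificates | ForEach-Object {
        [pscustomobject]@{
            Thumbprint    = $_.Thumbprint
            Subject       = $_.Subject
            HasPrivateKey = $_.HasPrivateKey
            NotAfter      = $_.NotAfter
            Active        = ($_.Thumbprint -eq $active)
        }
    } | Format-Table -AutoSize
}

function Backup-EfsCertificate {
    # Export certificate + private key to a PFX before removing it from the
    # store, so files encrypted with it can still be recovered later.
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$PfxPath,       # placeholder path
        [Parameter(Mandatory)][securestring]$Password
    )
    $cert = Get-Item "Cert:\CurrentUser\My\$Thumbprint"
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $Thumbprint has no private key; nothing to back up."
    }
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password | Out-Null
}

Show-EfsCertificateStatus
# Example backup call (placeholder values):
# Backup-EfsCertificate -Thumbprint 'PLACEHOLDER_THUMBPRINT' -PfxPath 'C:\backup\efs-old.pfx' `
#     -Password (Read-Host -AsSecureString 'PFX password')
```

Check that the certificate marked `Active` has a private key before encrypting anything new; if the active thumbprint points at a certificate that is no longer in the store, EFS generates a fresh pair, which is exactly the surprise Roger warns about at the end of his list.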
 
Hi Roger

Finally, I am able to open the file. It seems that we have to set the NTFS
permissions to everyone.

Many thanks again for your patience and help.

Richard
 
Richard said:
Hi Roger

Finally, I am able to open the file. It seems that we have to set the NTFS
permissions to everyone.

Many thanks again for your patience and help.

Well, it is good that you have had success.
However (didn't you just know that was coming?) . . .
it is not necessary to grant to Everyone, but rather something
that is included in that massively permissive grant must have
been missing. In my experience, a modify grant to the account
that is encrypting/decrypting covers the needs.
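To make Roger's point concrete, here is an added PowerShell example (not from the thread) that lists the NTFS ACL on an encrypted file, adds a Modify grant for one specific account, and then removes the blanket Everyone entry. The file path and account name are placeholders.

```powershell
# Added example, not from the thread. Placeholders: adjust $path and $account.
$path    = 'D:\Share\report.docx'    # placeholder: the encrypted file
$account = 'FILESERVER\richard'      # placeholder: the account that must decrypt it

function Show-NtfsAccess {
    # Lists every access entry on the file, including whether it is inherited
    # from the parent folder (inherited entries cannot be removed per file).
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -Path $Path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
}

function Grant-ModifyAccess {
    # Adds an explicit Allow:Modify entry for one account rather than Everyone.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Account
    )
    $acl  = Get-Acl -Path $Path
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Account, 'Modify', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Revoke-EveryoneAccess {
    # Removes explicit (non-inherited) entries for Everyone once the
    # narrower grant is in place.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    $everyone = New-Object System.Security.Principal.NTAccount('Everyone')
    $acl.PurgeAccessRules($everyone)
    Set-Acl -Path $Path -AclObject $acl
}

Write-Host "Before:"; Show-NtfsAccess -Path $path | Format-Table -AutoSize
Grant-ModifyAccess -Path $path -Account $account
Revoke-EveryoneAccess -Path $path
Write-Host "After:";  Show-NtfsAccess -Path $path | Format-Table -AutoSize
```

Two things to keep in mind when reading the output. An Everyone entry that shows `IsInherited = True` comes from the folder and has to be changed there, not on the file. And NTFS permission is only half of EFS access: the account also needs a certificate and private key that the file was encrypted to, which `cipher /c <file>` reports under the users who can decrypt the file.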
 
Hi Roger

I have thought about it also, how do I go about checking the permissions?
How would I grant permissions to a user that is not in the domain but is a
remote machine?

I would think that if I set up a user in the remote machine with the same
name and password, they would not have the same Id, right?

Richard
 
Richard said:
Hi Roger

I have thought about it also, how do I go about checking the permissions?
How would I grant permissions to a user that is not in the domain but is a
remote machine?

I would think that if I set up a user in the remote machine with the same
name and password, they would not have the same Id, right?

Right. Depending on how the machines are configured, having
matching usernames and passwords can work, but basically
without a domain the way you give someone access is by giving
them an account on the accessed machine.
 