kiko
Overview:
I am trying to do a simple EFS test in Windows XP Pro SP2. I start
off with a clean certificate store for the personal folder. The
following are my steps in order:
1. I create a folder on my desktop
2. Set the attributes to "Encrypt contents..."
3. I create a plain text document in notepad outside the encrypted
folder and add a couple of words and save.
4. I drag the text document into the encrypted folder; the filename
turns green, and the attributes show up as 'AE'. I also check its
attributes and sure enough it is encrypted.
5. I then check my certificate store under the personal folder and
behold there is a certificate with an associated private key. I know
this because when I double click it says so. The thumbprint in the
text file and folder also match perfectly to the certificate with the
private key.
6. Now I want to export the certificate and private key with it.
Still in the certificate manager, I right click my only certificate and
select export.
7. All of the following are checked off: "Yes, export the private key",
format used .PFX, "include all certificates in the certification path
if possible", "Enable strong protection", "Delete the private key if
export is successful". I set my password, it is only 6 characters
long (I am just doing a test), and finally set my file name. No
problems were encountered after the export of the certificate with the
private key.
8. I then go to test what I have done so far by logging out and
logging in (why? because the private key remains cached), and try to
access the encrypted file. I get an "Access Denied" message. This is
perfect, exactly what I expected.
9. Now I import the certificate with the private key. I right
click in blank space in my personal folder of the certificate manager,
select "import", find my file, type my password, check off the
following: "Enable strong key protection..." and "Mark this key as
exportable...", then I place this certificate in the "Personal"
folder.
10. Then I try to access the file and still receive the access
denied. I try logging out and logging back in and the same, I reboot
the machine and still the same.
Things to note:
- In different variations of this simple test I have deleted my
certificate from my certificate store under the personal folder after
a successful export with the private key attached, but alas still
receive the same error after importing the certificate containing the
private key.
Machine & Environment Information:
1. Windows XP Pro SP2
2. logged on as an administrator, I have tried this as a different
account with administrative access and still have the "access denied"
problems when performing the same test.
3. machine is not part of any Active Domain
4. no recovery agent policy in place (this is fine as I just want to
do a simple test)
A brief summary of my understanding of EFS:
Upon first use of EFS a certificate and private key are created. A
public key encrypts the "File Encryption Key" which in turn encrypts
the file (data) itself. To decrypt the file (data) a private key must
decrypt the "File Encryption Key" which in turn decrypts the
file (data) itself. I know the "File Encryption Key" is a "symmetric
key" and the public & private key pair are "asymmetric" keys.
Questions:
1. If my "personal" certificate store has multiple certificates with
associated private keys, which is tried first? Are any looked at in the
store or is only the current user's private key tried? I know when
the current user is logged on, with EFS having already been used
once, he/she has an associated private and public key. I assume in the
decryption process the current private key for the current user is
tried first but are the others, in the certificate, even looked at?
2. Any ideas on why the same user who encrypted the file cannot
decrypt it even after the importation of the certificate with the
private key? (the simple test)
Other info:
I don't care about "Recovery Agents" at this moment.
Here is my result trying to use the cipher command to decrypt:
-------------------------------------------------------------------------------------------------
C:\Documents and Settings\Administrator\Desktop>cipher /d /a enc\test.txt
Decrypting files in C:\Documents and Settings\Administrator\Desktop\enc\
test.txt [ERR]
test.txt: Access is denied.
0 file(s) [or directorie(s)] within 1 directorie(s) were decrypted.
C:\Documents and Settings\Administrator\Desktop>
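Added example, not part of the original post and not Windows code: a simplified Python model of the hybrid scheme described under "understanding of EFS", in which the wrapped File Encryption Key is stored under the certificate thumbprint (the value compared in step 5) and decryption only uses a private key from the store whose thumbprint matches. The function names, the toy RSA built from fixed Mersenne primes and the SHA-256 keystream are assumptions chosen so the model runs with the standard library only; it does not diagnose the failure reported above.

```python
import hashlib
import os

E = 65537  # public exponent shared by the toy key pairs

def make_keypair(p, q):
    """Textbook RSA from two primes (toy model: no padding, not secure)."""
    n = p * q
    return {"n": n, "d": pow(E, -1, (p - 1) * (q - 1))}

def thumbprint(key):
    """Stand-in for a certificate thumbprint: SHA-1 over the public part."""
    return hashlib.sha1(f"{key['n']}:{E}".encode()).hexdigest()

def keystream_xor(fek, data):
    """Symmetric step: XOR data with a SHA-256 keystream derived from the FEK."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(fek + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def efs_encrypt(plaintext, recipients):
    """Encrypt with a random FEK, then wrap the FEK once per recipient."""
    fek = os.urandom(16)
    ddf = {thumbprint(k): pow(int.from_bytes(fek, "big"), E, k["n"])
           for k in recipients}
    return {"ddf": ddf, "data": keystream_xor(fek, plaintext)}

def efs_decrypt(blob, store):
    """Use only a private key whose thumbprint is recorded with the file."""
    for key in store:
        wrapped = blob["ddf"].get(thumbprint(key))
        if wrapped is not None:
            fek = pow(wrapped, key["d"], key["n"]).to_bytes(16, "big")
            return keystream_xor(fek, blob["data"])
    raise PermissionError("Access is denied.")

def demo():
    """Constructed scenario: empty store, unrelated key only, key re-imported."""
    user = make_keypair(2**61 - 1, 2**89 - 1)
    other = make_keypair(2**107 - 1, 2**127 - 1)
    blob = efs_encrypt(b"a couple of words", [user])
    results = []
    for store in ([], [other], [other, user]):
        try:
            results.append(efs_decrypt(blob, store))
        except PermissionError as exc:
            results.append(str(exc))
    return results

if __name__ == "__main__":
    print(demo())
```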