RA doesn't work after encrypting in XP

Guest

I am setting up a standard procedure for encrypting the data folders on some
of our laptops. Here is the plan that I have followed.

Login as the local admin on the laptop.
Run the Cipher command to create the RA CER and PFX files.
Use certmgr.msc to import the RA certificate.
Use Secpol.msc to Add the RA.

My procedure also has references to backing up the User and RA key as well
as deleting the RA private key using certmgr.msc.

But, after I do all of this, I log back in as the domain user and encrypt
some files and folders. This works fine and I am able to decrypt them as well
as the domain user.

However, if I try and do anything to the encrypted data such as look at it,
execute it, or decrypt it with the RA, I get an access denied message. I
have checked the Advanced Properties of various files and it shows the domain
user as the one who can "transparently access the file" and it shows the
local admin as the recovery agent.

What am I missing?

Thanx...Jon
Miha Pihler [MVP]

Hi Jon,

Why don't you set RA on domain or OU level? Why are you implementing local
RAs?
Roger Abell [MVP]

You said your steps included removing the private key from
the system, hence the DRA cannot decrypt.
Guest

I have only a handful of laptops out of my entire network that I want to
implement this on. It just seemed simpler to do it this way.
Jon
Guest

Thanx...I'll give it a look.
Jon

Pat Hoffer said:
You need the RA private key in order to access the files. Import the RA's
.pfx file to get that. It's usually better to designate one computer as your
central recovery workstation, if that's possible in your organization, so
that the recovery key isn't compromised. This link has more information
about Data Recovery and best practices:
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx#EHAA

Thanks.
Pat
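The check that Pat's answer implies, as an added PowerShell example that is not part of the thread: enumerate the File Recovery certificates in the Personal stores and report whether each one still has its private key, which is what distinguishes a working recovery agent from one that only shows up in a file's Advanced Properties. It assumes PowerShell 2.0 or later with the Cert: drive available.

```powershell
# Added example (not from the thread): report EFS recovery agent certificates
# on this machine and whether the private key behind each is still present.
# An RA certificate whose private key was deleted still appears as the
# recovery agent on encrypted files but cannot decrypt them (Access Denied).
# Assumes PowerShell 2.0+ with the Cert: provider.

$FileRecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'   # "File Recovery" EKU set by cipher /r

function Get-EfsRecoveryAgentStatus {
    # Look in the Personal store of the current user and of the machine.
    $stores = 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'
    foreach ($store in $stores) {
        foreach ($cert in (Get-ChildItem -Path $store)) {
            # Extended Key Usage extension (OID 2.5.29.37)
            $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
            if (-not $eku) { continue }
            $isRa = $eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $FileRecoveryEku }
            if (-not $isRa) { continue }
            New-Object PSObject -Property @{
                Store         = $store
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                HasPrivateKey = $cert.HasPrivateKey
                NotAfter      = $cert.NotAfter
            }
        }
    }
}

$agents = @(Get-EfsRecoveryAgentStatus)
if ($agents.Count -eq 0) {
    Write-Warning 'No File Recovery certificate found in the Personal stores.'
}
foreach ($ra in $agents) {
    if ($ra.HasPrivateKey) {
        "OK      {0} ({1}) in {2}: private key present, expires {3}" -f $ra.Subject, $ra.Thumbprint, $ra.Store, $ra.NotAfter
    } else {
        # This is the state described in the thread: certificate kept, key deleted.
        "MISSING {0} ({1}) in {2}: no private key, recovery will fail with Access Denied" -f $ra.Subject, $ra.Thumbprint, $ra.Store
        "        Re-import the RA .pfx (certmgr.msc) on the recovery workstation before attempting recovery"
    }
}
```

Run it in the account that will perform recovery; a certificate reported as MISSING will be listed as the recovery agent in Advanced Properties yet cannot decrypt until the .pfx is imported again.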
Guest

Doh!!! You are so right. I totally zoned out that I had done that step. I
added the key back in and it works perfectly.
Thanx...Jon
Miha Pihler [MVP]

It would be easier to manage even with a handful of laptops. You could put all
your laptops in one OU and configure the RA on that OU.

Did you disable EFS for other users in your domain?
Guest

No, we have not disabled EFS.
I'll have to take a look at doing this for the entire domain.
Jon
Miha Pihler [MVP]

Hi,

You should probably disable EFS on the domain until you set an RA for the entire
domain. If you don't, users will be able to use EFS for encryption, but you
won't have any RAs (except the default one, if you still have access to those
private keys).

To disable EFS on domain follow this article:

HOW TO: Disable EFS for All Computers in a Windows 2000-Based Domain
http://support.microsoft.com/default.aspx?scid=kb;en-us;222022&sd=tech

Step-by-Step Guide to Using the Encrypting File System
http://www.microsoft.com/technet/pr...directory/activedirectory/stepbystep/efs.mspx