recovery agent cannot decrypt EFS file

Thomas McLeod

Dear All,

I'm the domain RA and I restored a file encrypted by another user to my
machine. All machines are Win2k SP4. Using efsinfo, I checked that my RA
cert is on the file and also installed in my personal store with the private
key available. I checked the thumbprints and they match.

But I still can't decrypt the file. What's up?

Thomas

Steven L Umbach

Sounds like you should be good to go. One thing to check is that you have
full control permissions on that file and you might try using the cipher
command. In a Windows 2000 domain or Windows 2000 local user, if the user
account still exists try resetting the user's password then logging on as the
user on the computer where the file was encrypted and see if you can decrypt
the file. The user's profile and certificate/private key would need to be on
the computer in order for such to work. -- Steve
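The checks the thread walks through (recovery certificate recorded on the file, the same thumbprint in the personal store with its private key, Full Control on the file) can be scripted. This is an added example, not code from the thread; it assumes a current Windows build where "cipher /c" reports what efsinfo did on Windows 2000, that it runs logged on as the recovery agent account, and that cipher labels its output with "Users who can decrypt", "Recovery Certificates" and "Certificate thumbprint:" (treat that wording as an assumption).

```powershell
# Added example (not from the thread): automate the DRA pre-checks discussed above.
# Assumes "cipher /c" is available and that its output uses the section labels
# matched below; adjust the patterns if your build words them differently.
param([Parameter(Mandatory = $true)][string]$Path)

function Get-EfsThumbprints {
    param([string]$File)
    $result  = @{ Users = @(); Recovery = @() }
    $section = ''
    foreach ($line in (& cipher.exe /c $File 2>&1)) {
        $text = "$line"
        if ($text -match 'Users who can decrypt') { $section = 'Users';    continue }
        if ($text -match 'Recovery Certificates') { $section = 'Recovery'; continue }
        if ($section -and $text -match 'Certificate thumbprint:\s*(.+)$') {
            # cipher prints the hash in spaced groups; the Cert: drive does not
            $result[$section] += ($Matches[1] -replace '\s', '').ToUpperInvariant()
        }
    }
    return $result
}

$efs = Get-EfsThumbprints -File $Path
if ($efs.Recovery.Count -eq 0) {
    Write-Warning "No recovery certificate recorded on '$Path' (not encrypted, or encrypted before the DRA policy reached this machine)"
}

# A recovery cert that sits in CurrentUser\My but was imported from a .cer has no
# private key and cannot decrypt, even though its thumbprint matches the file.
$mine = Get-ChildItem Cert:\CurrentUser\My
foreach ($tp in $efs.Recovery) {
    $cert = $mine | Where-Object { $_.Thumbprint -eq $tp }
    if (-not $cert)               { Write-Warning "Recovery cert $tp is not in CurrentUser\My"; continue }
    if (-not $cert.HasPrivateKey) { Write-Warning "Recovery cert $tp has no private key (imported from .cer?)"; continue }
    Write-Output "OK: recovery cert $tp present with private key ($($cert.Subject))"
}

# EFS decryption fails with 'Access is denied' without Full Control even when the
# recovery key is fine, so compare the ACL against the current token's SIDs.
$id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
$fc   = [System.Security.AccessControl.FileSystemRights]::FullControl
$hasFull = (Get-Acl -Path $Path).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $fc) -eq $fc) -and
    ($sids -contains $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value)
}
if ($hasFull) { Write-Output "OK: current identity has Full Control on '$Path'" }
else          { Write-Warning "Current identity lacks Full Control on '$Path'; fix the ACL before retrying cipher /d" }
```

Run it as `.\Check-EfsRecovery.ps1 -Path 'to Thomas.txt'` from the restored folder; every warning it prints corresponds to one of the prerequisites the replies above ask about.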

Thomas McLeod

Yes, I have full control ACL on the file.

I'm doing this in the lab. The file does not have important data. I can
still logon as the original user and decrypt the file. I'm attempting to see
if I can indeed decrypt a file as an RA, but so far it hasn't worked.

This is the output from cipher.

C:\Documents and Settings\Thomas\Desktop>cipher /D /A "to Thomas.txt"

Decrypting files in C:\Documents and Settings\Thomas\Desktop\

to Thomas.txt [ERR]
to Thomas.txt: Access is denied.

0 file(s) [or directorie(s)] within 1 directorie(s) were decrypted.

All help appreciated.

Thomas

Roger Abell

Was the restore to your RA decryption (test) machine done
using NTbackup (bundled with OS) or some other backup
program?

--
Roger Abell
Microsoft MVP (Windows Security)


Steven L Umbach

Can you decrypt any files as the RA or is the problem specific for this user
or file? Another thing to try to make sure your RA private key is intact is
to export your RA certificate/private key to a password protected .pfx file
[.cer file will not contain private key] and then logon to the user's
computer and import your RA certificate/private key via the .pfx file to see
if that works again making sure you have full control permission to the
file. --- Steve

Thomas McLeod

Roger,

It was NTBackup.

By the way, the decryption machine is a domain controller. Does that matter?

Thomas

Thomas McLeod

Steve,

I've never been able to decrypt any files as RA. I am able to export the key
pair to a .pfx but I haven't tried importing the RA key pair to the user's
machine to test RA recovery. I guess what I should do in that case is import
the keys into my admin profile on that machine, right? It seems importing
them into the account of the user who encrypted the file wouldn't test RA
recovery.

Thanks,

Thomas

Steven L Umbach

I would try logging onto a domain computer that has EFS files on it where
you are supposed to be RA and importing your RA .pfx file into that user
account to see if that works. If it does then it would seem there may be a
problem with your backup and restore operation. If it still does not then I
am not sure what the problem is but what I would do is to define an
additional RA, encrypt some files after the domain computers recognize the
new CA which will need GP to replicate and refresh, and then try again with
the new RA. Logging on as the user and importing the RA would not
demonstrate that the RA was working unless you are 100 percent sure that the
user's EFS certificate/private key does not exist on the computer. ---
Steve

Thomas McLeod

Steve,

I logged on to a domain computer (not the one where the file was encrypted)
as the user that encrypted the file and imported the RA key pair and was able
to decrypt the file. The question now is: why can't I decrypt the file from
my admin account on the same machine? My admin account has the same RA key
pair installed, in fact that is the profile from where I exported the keys.

Thomas

Steven L Umbach

I don't really know what is going on offhand with your admin account on that
particular computer. I do know that the RA certificate/key does not seem to
care what user account it is imported into to be able to decrypt files as a
RA as I have experienced similar results. What I would try is to restore the
files to another computer, logon as your administrator account on that
computer [best done on a computer where a fresh profile will be generated at
logon], import your RA .pfx file and see if that works or not again being
sure that your account has proper ntfs permissions to that EFS file.
Unfortunately it can be difficult to track down such EFS problems as from my
experience there are usually no events recorded in the security/system logs
that would be of help and you end up with that "access denied" message
though you should still check those logs to see if anything pertinent
shows. --- Steve