EFS, Encrypting File System document missing

Archived from groups: microsoft.public.windowsxp.security_admin

This page is missing:
TITLE: How to restore an EFS private key for encrypted data recovery
http://support.microsoft.com/kb/242296
Note that that link is dead.

Is there another page which contains this information:
"How to restore an EFS private key for encrypted data recovery"

The link is referenced on this page:
http://support.microsoft.com/?id=241201#2
  1. Archived from groups: microsoft.public.windowsxp.security_admin

    "M. Jennings" <mjennings@-NOTthis-or-dashes-myrealbox.com> wrote in message
    news:OxdVDH%23KFHA.2804@TK2MSFTNGP10.phx.gbl...
    > This page is missing:
    > TITLE: How to restore an EFS private key for encrypted data recovery
    > http://support.microsoft.com/kb/242296
    > Note that that link is dead.
    >
    > Is there another page which contains this information:
    > "How to restore an EFS private key for encrypted data recovery"
    >
    > The link is referenced on this page:
    > http://support.microsoft.com/?id=241201#2
    >

    You have to import the certificate. Here are some other links. I'm paranoid
    about disguising links so they are long and may word wrap.

    Kerry

    http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/windows/xp/all/reskit/en-us/prnb_efs_uizt.asp

    http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_seconceptsimpefsbp.mspx

    http://www.microsoft.com/windowsxp/home/using/productdoc/en/default.asp?url=/windowsxp/home/using/productdoc/en/sag_CMprocsImport.asp
  2. Archived from groups: microsoft.public.windowsxp.security_admin

    Kerry,

    Have you ever copied encrypted files to a USB drive, for example, and been
    able to read them on another computer after importing the certificate?

    Also, doesn't the certificate contain only the certificate, and not the
    private key? Yet they talk about importing and exporting certificates.

    I tried exporting and importing a key, and I could not read the files on a
    second stand-alone computer.

    _____________________

    Kerry Brown wrote:
    > "M. Jennings" <mjennings@-NOTthis-or-dashes-myrealbox.com> wrote in message
    > news:OxdVDH%23KFHA.2804@TK2MSFTNGP10.phx.gbl...
    >
    >>This page is missing:
    >>TITLE: How to restore an EFS private key for encrypted data recovery
    >>http://support.microsoft.com/kb/242296
    >>Note that that link is dead.
    >>
    >>Is there another page which contains this information:
    >>"How to restore an EFS private key for encrypted data recovery"
    >>
    >>The link is referenced on this page:
    >>http://support.microsoft.com/?id=241201#2
    >>
    >
    >
    > You have to import the certificate. Here are some other links. I'm paranoid
    > about disguising links so they are long and may word wrap.
    >
    > Kerry
    >
    > http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/windows/xp/all/reskit/en-us/prnb_efs_uizt.asp
    >
    > http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_seconceptsimpefsbp.mspx
    >
    > http://www.microsoft.com/windowsxp/home/using/productdoc/en/default.asp?url=/windowsxp/home/using/productdoc/en/sag_CMprocsImport.asp
    >
    >
  3. Archived from groups: microsoft.public.windowsxp.security_admin

    "M. Jennings" <mjennings@-NOTthis-or-dashes-myrealbox.com> wrote in message
    news:%23GjF91%23KFHA.4092@tk2msftngp13.phx.gbl...
    > Kerry,
    >
    > Have you ever copied encrypted files to a USB drive, for example, and been
    > able to read them on another computer after importing the certificate?
    >
    > Also, doesn't the certificate contain only the certificate, and not the
    > private key? Yet they talk about importing and exporting certificates.
    >
    > I tried exporting and importing a key, and I could not read the files on a
    > second stand-alone computer.
    >

    It's been a couple of years, but yes I have done it. It was in a domain
    environment but that shouldn't make a difference. I moved some encrypted
    files to a home computer running Windows 2000. I successfully imported the
    certificate from a floppy and was able to view and edit them, then transport
    them back to the network site where they were also usable.

    Kerry
  4. Archived from groups: microsoft.public.windowsxp.security_admin

    "M. Jennings" <mjennings@-NOTthis-or-dashes-myrealbox.com> wrote in message
    news:%23GjF91%23KFHA.4092@tk2msftngp13.phx.gbl...
    > Kerry,
    >
    > Have you ever copied encrypted files to a USB drive, for example, and been
    > able to read them on another computer after importing the certificate?
    >
    > Also, doesn't the certificate contain only the certificate, and not the
    > private key? Yet they talk about importing and exporting certificates.
    >
    > I tried exporting and importing a key, and I could not read the files on a
    > second stand-alone computer.
    >

    I just tried it again and it worked. When exporting the key make sure you
    tick the box "Yes, export private key". After that I just used all the
    defaults for the rest of the dialog. When importing I just used the
    defaults.

    Kerry
  5. Archived from groups: microsoft.public.windowsxp.security_admin

    Kerry,

    Excellent. However, I haven't been able to make it work. I must be doing
    something wrong, obviously.

    I was worried about backing up the wrong certificate, so I deleted my personal
    certificates from:

    Local Computer Policy/ Windows Settings/ Security Settings/ Public Key
    Policies/ Encrypting File System/

    and

    Certificates - Current User/ Personal/ Certificates/

    and

    Certificates - Current User/ Trusted People/ Certificates/

    However, I am still able to decrypt a pre-encrypted file.

    So, which Certificate is active, and where is it? Second, how can a
    certificate be enough, when the certificate does not include the private key?

    You were logged in as Administrator? Where did you export the Certificate and
    private key? Where did you import it?

    I'm not on a domain. These are laptop computers I am using for test.

    Thanks for the attention.

    Michael

    _________________________

    Kerry Brown wrote:
    > "M. Jennings" <mjennings@-NOTthis-or-dashes-myrealbox.com> wrote in message
    > news:%23GjF91%23KFHA.4092@tk2msftngp13.phx.gbl...
    >
    >>Kerry,
    >>
    >>Have you ever copied encrypted files to a USB drive, for example, and been
    >>able to read them on another computer after importing the certificate?
    >>
    >>Also, doesn't the certificate contain only the certificate, and not the
    >>private key? Yet they talk about importing and exporting certificates.
    >>
    >>I tried exporting and importing a key, and I could not read the files on a
    >>second stand-alone computer.
    >>
    >
    >
    > I just tried it again and it worked. When exporting the key make sure you
    > tick the box "Yes, export private key". After that I just used all the
    > defaults for the rest of the dialog. When importing I just used the
    > defaults.
    >
    > Kerry
    >
    >
  6. Archived from groups: microsoft.public.windowsxp.security_admin

    "M. Jennings" <mjennings@-NOTthis-or-dashes-myrealbox.com> wrote in message
    news:uYWTtl$KFHA.3356@TK2MSFTNGP12.phx.gbl...
    > Kerry,
    >
    > Excellent. However, I haven't been able to make it work. I must be doing
    > something wrong, obviously.
    >
    > I was worried about backing up the wrong certificate, so I deleted my
    > personal certificates from:
    >
    > Local Computer Policy/ Windows Settings/ Security Settings/ Public Key
    > Policies/ Encrypting File System/
    >
    > and
    >
    > Certificates - Current User/ Personal/ Certificates/
    >
    > and
    >
    > Certificates - Current User/ Trusted People/ Certificates/
    >
    > However, I am still able to decrypt a pre-encrypted file.
    >
    > So, which Certificate is active, and where is it? Second, how can a
    > certificate be enough, when the certificate does not include the private
    > key?
    >

    Run mmc.exe. Add in the Certificates snap in. When prompted pick "Manage
    certificates for my user account". Expand the Personal tree. Look in the
    Certificates folder. There was only one cert there; it had my user name.
    Right click on it and check the properties to make sure it is the efs cert.
    Under "All Tasks" pick export and follow the prompts making sure to save the
    private key with it.

    > You were logged in as Administrator? Where did you export the Certificate
    > and private key? Where did you import it?
    >

    No I wasn't logged in as administrator. I encrypted a file, then logged in
    as a different user to confirm I couldn't access the file. I logged back in
    as myself and moved the file to a shared folder on a server. At this point
    other users could see the file but couldn't access it. I logged in as myself
    and exported the certificate to the same shared folder. I went to another
    computer, logged in as a different user again and tried to access the file.
    Access was denied. I imported the certificate with the Certificates mmc snap
    in. I was then able to access the encrypted file no problem.

    > I'm not on a domain. These are laptop computers I am using for test.
    >

    Should work the same. Hope this helps.

    Kerry
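
The check and export described in the post above, done from a script instead of the Certificates snap-in. This is an added example, not part of the original thread; it assumes Windows PowerShell 2.0 or later is installed, and the function names and the output path are illustrative. It also re-opens the exported file to confirm that it carries the private key and not the certificate alone.

```powershell
# Added example (not from the thread). Run as the user who encrypted the files.
# Function names and the backup path are illustrative.
$EfsOids = @{
    '1.3.6.1.4.1.311.10.3.4'   = 'Encrypting File System'
    '1.3.6.1.4.1.311.10.3.4.1' = 'File Recovery'
}

function Get-EfsCertificate {
    # Personal store of the logged-on user: the Certificates folder the post
    # opens in the snap-in.
    foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
        $purposes = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                foreach ($oid in $ext.EnhancedKeyUsages) {
                    if ($EfsOids.ContainsKey($oid.Value)) { $purposes += $EfsOids[$oid.Value] }
                }
            }
        }
        if ($purposes.Count -gt 0) {
            New-Object PSObject -Property @{
                Thumbprint    = $cert.Thumbprint
                Subject       = $cert.Subject
                NotAfter      = $cert.NotAfter
                Purpose       = $purposes -join ', '
                HasPrivateKey = $cert.HasPrivateKey   # False: nothing to decrypt with
                Certificate   = $cert
            }
        }
    }
}

function Export-EfsBackup {
    param(
        [Parameter(Mandatory = $true)] $Certificate,
        [Parameter(Mandatory = $true)] [string] $Path,   # use a full path
        [Parameter(Mandatory = $true)] [System.Security.SecureString] $Password
    )
    if (-not $Certificate.HasPrivateKey) {
        throw "No private key for $($Certificate.Thumbprint) in this profile; the backup would hold the certificate only."
    }
    $pfx = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx
    # Throws a CryptographicException if the key is marked non-exportable.
    $bytes = $Certificate.Export($pfx, $Password)
    [System.IO.File]::WriteAllBytes($Path, $bytes)

    # Re-open the file and confirm it really contains the same key pair.
    $check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path, $Password)
    try {
        if (-not $check.HasPrivateKey -or $check.Thumbprint -ne $Certificate.Thumbprint) {
            throw "Backup at $Path does not contain the private key for $($Certificate.Thumbprint)."
        }
    } finally { $check.Reset() }
    return $Path
}

# List candidates, then export the one whose thumbprint you have confirmed.
$efs = @(Get-EfsCertificate)
$efs | Format-Table Thumbprint, Purpose, HasPrivateKey, NotAfter -AutoSize
# $pw = Read-Host 'PFX password' -AsSecureString
# Export-EfsBackup -Certificate $efs[0].Certificate -Path 'E:\efs-backup.pfx' -Password $pw
```

Keep the resulting .pfx and its password on media stored away from the computer.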
  7. Archived from groups: microsoft.public.windowsxp.security_admin

    Kerry,

    Thanks very much for the help.

    According to the very poor Microsoft documentation, the operation under a
    domain is considerably different.

    Yet your explanation is logical. I will give it another try.

    However, I deleted my certificates. Why can I still decrypt the test files?

    I'm reluctant to use a system that I don't completely understand, especially
    one as important as this. There are many, many unhappy stories on the news
    groups of users not being able to retrieve their files.


    ________________________________


    Kerry Brown wrote:
    > "M. Jennings" <mjennings@-NOTthis-or-dashes-myrealbox.com> wrote in message
    > news:uYWTtl$KFHA.3356@TK2MSFTNGP12.phx.gbl...
    >
    >>Kerry,
    >>
    >>Excellent. However, I haven't been able to make it work. I must be doing
    >>something wrong, obviously.
    >>
    >>I was worried about backing up the wrong certificate, so I deleted my
    >>personal certificates from:
    >>
    >>Local Computer Policy/ Windows Settings/ Security Settings/ Public Key
    >>Policies/ Encrypting File System/
    >>
    >>and
    >>
    >>Certificates - Current User/ Personal/ Certificates/
    >>
    >>and
    >>
    >>Certificates - Current User/ Trusted People/ Certificates/
    >>
    >>However, I am still able to decrypt a pre-encrypted file.
    >>
    >>So, which Certificate is active, and where is it? Second, how can a
    >>certificate be enough, when the certificate does not include the private
    >>key?
    >>
    >
    >
    > Run mmc.exe. Add in the Certificates snap in. When prompted pick "Manage
    > certificates for my user account". Expand the Personal tree. Look in the
    > Certificates folder. There was only one cert there; it had my user name.
    > Right click on it and check the properties to make sure it is the efs cert.
    > Under "All Tasks" pick export and follow the prompts making sure to save the
    > private key with it.
    >
    >
    >>You were logged in as Administrator? Where did you export the Certificate
    >>and private key? Where did you import it?
    >>
    >
    >
    > No I wasn't logged in as administrator. I encrypted a file, then logged in
    > as a different user to confirm I couldn't access the file. I logged back in
    > as myself and moved the file to a shared folder on a server. At this point
    > other users could see the file but couldn't access it. I logged in as myself
    > and exported the certificate to the same shared folder. I went to another
    > computer, logged in as a different user again and tried to access the file.
    > Access was denied. I imported the certificate with the Certificates mmc snap
    > in. I was then able to access the encrypted file no problem.
    >
    >
    >>I'm not on a domain. These are laptop computers I am using for test.
    >>
    >
    >
    > Should work the same. Hope this helps.
    >
    > Kerry
    >
    >
  8. Archived from groups: microsoft.public.windowsxp.security_admin

    "M. Jennings" <mjennings@-NOTthis-or-dashes-myrealbox.com> wrote in message
    news:%23UHZHYALFHA.1284@TK2MSFTNGP14.phx.gbl...
    > Kerry,
    >
    > Thanks very much for the help.
    >
    > According to the very poor Microsoft documentation, the operation under a
    > domain is considerably different.
    >
    > Yet your explanation is logical. I will give it another try.
    >
    > However, I deleted my certificates. Why can I still decrypt the test
    > files?
    >
    > I'm reluctant to use a system that I don't completely understand,
    > especially one as important as this. There are many, many unhappy stories
    > on the news groups of users not being able to retrieve their files.
    >
    >

    Once you learn how to export and import the certificates it's no problem.
    The people who have problems are the ones who don't take the time to learn
    how efs works. They don't save a copy of the certificate. When their
    computer has a problem such that they have to reinstall Windows the
    certificate is gone and they have lost access to any encrypted files.
    Always! always! export the certificate and keep a couple of copies in safe
    places. Save it on floppy, save it on CDROM, just make sure to save it. If
    you are not comfortable with efs you could also investigate PGP
    http://www.pgp.com

    Kerry
  9. Archived from groups: microsoft.public.windowsxp.security_admin

    Kerry,

    You said, "I logged in as myself and exported the certificate to the same
    shared folder."

    I don't know what that means. Could you explain? I don't know how to export a
    certificate to a folder.

    Michael

    __________________


    Kerry Brown wrote:
    > "M. Jennings" <mjennings@-NOTthis-or-dashes-myrealbox.com> wrote in message
    > news:uYWTtl$KFHA.3356@TK2MSFTNGP12.phx.gbl...
    >
    >>Kerry,
    >>
    >>Excellent. However, I haven't been able to make it work. I must be doing
    >>something wrong, obviously.
    >>
    >>I was worried about backing up the wrong certificate, so I deleted my
    >>personal certificates from:
    >>
    >>Local Computer Policy/ Windows Settings/ Security Settings/ Public Key
    >>Policies/ Encrypting File System/
    >>
    >>and
    >>
    >>Certificates - Current User/ Personal/ Certificates/
    >>
    >>and
    >>
    >>Certificates - Current User/ Trusted People/ Certificates/
    >>
    >>However, I am still able to decrypt a pre-encrypted file.
    >>
    >>So, which Certificate is active, and where is it? Second, how can a
    >>certificate be enough, when the certificate does not include the private
    >>key?
    >>
    >
    >
    > Run mmc.exe. Add in the Certificates snap in. When prompted pick "Manage
    > certificates for my user account". Expand the Personal tree. Look in the
    > Certificates folder. There was only one cert there; it had my user name.
    > Right click on it and check the properties to make sure it is the efs cert.
    > Under "All Tasks" pick export and follow the prompts making sure to save the
    > private key with it.
    >
    >
    >>You were logged in as Administrator? Where did you export the Certificate
    >>and private key? Where did you import it?
    >>
    >
    >
    > No I wasn't logged in as administrator. I encrypted a file, then logged in
    > as a different user to confirm I couldn't access the file. I logged back in
    > as myself and moved the file to a shared folder on a server. At this point
    > other users could see the file but couldn't access it. I logged in as myself
    > and exported the certificate to the same shared folder. I went to another
    > computer, logged in as a different user again and tried to access the file.
    > Access was denied. I imported the certificate with the Certificates mmc snap
    > in. I was then able to access the encrypted file no problem.
    >
    >
    >>I'm not on a domain. These are laptop computers I am using for test.
    >>
    >
    >
    > Should work the same. Hope this helps.
    >
    > Kerry
    >
    >
  10. Archived from groups: microsoft.public.windowsxp.security_admin

    "M. Jennings" <mjennings@-NOTthis-or-dashes-myrealbox.com> wrote in message
    news:e83DblALFHA.656@TK2MSFTNGP14.phx.gbl...
    > Kerry,
    >
    > You said, "I logged in as myself and exported the certificate to the same
    > shared folder."
    >
    > I don't know what that means. Could you explain? I don't know how to
    > export a certificate to a folder.
    >

    You have to pick somewhere to save the exported certificate to. I chose the
    same folder where I had saved the encrypted file. It doesn't have to be
    there. It could be a floppy disk, a folder on your hard drive, it doesn't
    really matter. It just has to be somewhere you can import it when at the
    other computer. Once it is exported to a file you can copy that file at
    will.

    Kerry
  11. Archived from groups: microsoft.public.windowsxp.security_admin

    Kerry,

    I decided I just don't have enough information to use EFS. In the newsgroups
    there are many stories of people losing their information. Microsoft makes it
    easy to encrypt, and difficult to know how to make your files safe. The
    explanation of how it works is just not there.

    I ran EFSInfo on my test directory. Even though I deleted my personal
    certificate, the files are automatically decrypted. This shows that I don't
    understand how it works.

    Also, I'm worried about not being on a domain. I tried what you suggested
    before, with stand alone computers, and was not able to make it work.

    I cannot copy the test encrypted folder without decrypting the contents. It is
    suggested to use NTBackup for this, but NTBackup does not work on the two
    computers I tried. (I have only four computers here.) That's another of those
    knotty problems that could take many hours to debug.

    I don't understand why they say "Recovery Certificate", when supposedly the
    Recovery Certificate does not include the private key. With no private key, it
    is impossible to decrypt files.

    Michael

    ____________________


    Kerry Brown wrote:
    > "M. Jennings" <mjennings@-NOTthis-or-dashes-myrealbox.com> wrote in message
    > news:e83DblALFHA.656@TK2MSFTNGP14.phx.gbl...
    >
    >>Kerry,
    >>
    >>You said, "I logged in as myself and exported the certificate to the same
    >>shared folder."
    >>
    >>I don't know what that means. Could you explain? I don't know how to
    >>export a certificate to a folder.
    >>
    >
    >
    > You have to pick somewhere to save the exported certificate to. I chose the
    > same folder where I had saved the encrypted file. It doesn't have to be
    > there. It could be a floppy disk, a folder on your hard drive, it doesn't
    > really matter. It just has to be somewhere you can import it when at the
    > other computer. Once it is exported to a file you can copy that file at
    > will.
    >
    > Kerry
    >
    >
  12. Archived from groups: microsoft.public.windowsxp.security_admin

    "M. Jennings" <mjennings@-NOTthis-or-dashes-myrealbox.com> wrote in message
    news:uDATUkELFHA.1916@TK2MSFTNGP12.phx.gbl...
    > I decided I just don't have enough information to use EFS. In the
    > newsgroups there are many stories of people losing their information.
    > Microsoft makes it easy to encrypt, and difficult to know how to make your
    > files safe. The explanation of how it works is just not there.
    >
    > I ran EFSInfo on my test directory. Even though I deleted my personal
    > certificate, the files are automatically decrypted. This shows that I
    > don't understand how it works.
    >
    > Also, I'm worried about not being on a domain. I tried what you suggested
    > before, with stand alone computers, and was not able to make it work.
    >
    > I cannot copy the test encrypted folder without decrypting the contents.
    > It is suggested to use NTBackup for this, but NTBackup does not work on
    > the two computers I tried. (I have only four computers here.) That's
    > another of those knotty problems that could take many hours to debug.
    >
    > I don't understand why they say "Recovery Certificate", when supposedly
    > the Recovery Certificate does not include the private key. With no private
    > key, it is impossible to decrypt files.
    >

    EFS is not Microsoft's finest moment. The encryption/decryption works as
    advertised. As you have found out making sure you can always decrypt it can
    be a problem. I quit using it myself a couple of years ago. None of my data
    is that sensitive. I do have to support people who use it though so I made
    sure I knew the ins and outs. So far I've not lost any data. Came close once
    when I thought I had a copy of the certificate. Turned out I didn't and the
    computer it was on was wiped clean and sold. Luckily I had good backups but
    it took most of a day to recover the certificate from the backup tape.

    Good luck, take a look at PGP it may do what you want.

    Kerry
  13. Archived from groups: microsoft.public.windowsxp.security_admin

    Thanks for all the information. It has been very helpful.

    Next time you have a knotty problem, send me a message, and I will see if I
    can help.

    Michael

    ______________


    Kerry Brown wrote:
    > "M. Jennings" <mjennings@-NOTthis-or-dashes-myrealbox.com> wrote in message
    > news:uDATUkELFHA.1916@TK2MSFTNGP12.phx.gbl...
    >
    >>I decided I just don't have enough information to use EFS. In the
    >>newsgroups there are many stories of people losing their information.
    >>Microsoft makes it easy to encrypt, and difficult to know how to make your
    >>files safe. The explanation of how it works is just not there.
    >>
    >>I ran EFSInfo on my test directory. Even though I deleted my personal
    >>certificate, the files are automatically decrypted. This shows that I
    >>don't understand how it works.
    >>
    >>Also, I'm worried about not being on a domain. I tried what you suggested
    >>before, with stand alone computers, and was not able to make it work.
    >>
    >>I cannot copy the test encrypted folder without decrypting the contents.
    >>It is suggested to use NTBackup for this, but NTBackup does not work on
    >>the two computers I tried. (I have only four computers here.) That's
    >>another of those knotty problems that could take many hours to debug.
    >>
    >>I don't understand why they say "Recovery Certificate", when supposedly
    >>the Recovery Certificate does not include the private key. With no private
    >>key, it is impossible to decrypt files.
    >>
    >
    >
    > EFS is not Microsoft's finest moment. The encryption/decryption works as
    > advertised. As you have found out making sure you can always decrypt it can
    > be a problem. I quit using it myself a couple of years ago. None of my data
    > is that sensitive. I do have to support people who use it though so I made
    > sure I knew the ins and outs. So far I've not lost any data. Came close once
    > when I thought I had a copy of the certificate. Turned out I didn't and the
    > computer it was on was wiped clean and sold. Luckily I had good backups but
    > it took most of a day to recover the certificate from the backup tape.
    >
    > Good luck, take a look at PGP it may do what you want.
    >
    > Kerry
    >
    >