Sign in with
Sign up | Sign in
Your question

EFS, Encrypting File System document missing

Tags:
  • File System
  • Document
  • Windows XP
Last response: in Windows XP
Share
Anonymous
March 18, 2005 5:41:47 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

This page is missing:
TITLE: How to restore an EFS private key for encrypted data recovery
http://support.microsoft.com/kb/242296
Note that that link is dead.

Is there another page which contains this information:
"How to restore an EFS private key for encrypted data recovery"

The link is referenced on this page:
http://support.microsoft.com/?id=241201#2

More about : efs encrypting file system document missing

Anonymous
March 18, 2005 5:41:48 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

"M. Jennings" <mjennings@-NOTthis-or-dashes-myrealbox.com> wrote in message
news:o xdVDH%23KFHA.2804@TK2MSFTNGP10.phx.gbl...
> This page is missing:
> TITLE: How to restore an EFS private key for encrypted data recovery
> http://support.microsoft.com/kb/242296
> Note that that link is dead.
>
> Is there another page which contains this information:
> "How to restore an EFS private key for encrypted data recovery"
>
> The link is referenced on this page:
> http://support.microsoft.com/?id=241201#2
>

You have to import the certificate. Here are some other links. I'm paranoid
about disguising links so they are long and may word wrap.

Kerry

http://www.microsoft.com/resources/documentation/Window...

http://www.microsoft.com/resources/documentation/window...

http://www.microsoft.com/windowsxp/home/using/productdo...
Anonymous
March 18, 2005 7:05:42 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Kerry,

Have you ever copied encrypted files to a USB drive, for example, and been
able to read them on another computer after importing the certificate?

Also, doesn't the certificate contain only the certificate, and not the
private key? Yet they talk about importing and exporting certificates.

I tried exporting and importing a key, and I could not read the files on a
second stand-alone computer.

_____________________

Kerry Brown wrote:
> "M. Jennings" <mjennings@-NOTthis-or-dashes-myrealbox.com> wrote in message
> news:o xdVDH%23KFHA.2804@TK2MSFTNGP10.phx.gbl...
>
>>This page is missing:
>>TITLE: How to restore an EFS private key for encrypted data recovery
>>http://support.microsoft.com/kb/242296
>>Note that that link is dead.
>>
>>Is there another page which contains this information:
>>"How to restore an EFS private key for encrypted data recovery"
>>
>>The link is referenced on this page:
>>http://support.microsoft.com/?id=241201#2
>>
>
>
> You have to import the certificate. Here are some other links. I'm paranoid
> about disguising links so they are long and may word wrap.
>
> Kerry
>
> http://www.microsoft.com/resources/documentation/Window...
>
> http://www.microsoft.com/resources/documentation/window...
>
> http://www.microsoft.com/windowsxp/home/using/productdo...
>
>
Related resources
Anonymous
March 18, 2005 7:05:43 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

"M. Jennings" <mjennings@-NOTthis-or-dashes-myrealbox.com> wrote in message
news:%23GjF91%23KFHA.4092@tk2msftngp13.phx.gbl...
> Kerry,
>
> Have you ever copied encrypted files to a USB drive, for example, and been
> able to read them on another computer after importing the certificate?
>
> Also, doesn't the certificate contain only the certificate, and not the
> private key? Yet they talk about importing and exporting certificates.
>
> I tried exporting and importing a key, and I could not read the files on a
> second stand-alone computer.
>

It's been a couple of years, but yes I have done it. It was in a domain
environment but that shouldn't make a difference. I moved some encrypted
files to a home computer running Windows 2000. I successfully imported the
certificate from a floppy and was able to view and edit them, then transport
them back to the network site where they were also usable.

Kerry
Anonymous
March 18, 2005 7:05:43 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

"M. Jennings" <mjennings@-NOTthis-or-dashes-myrealbox.com> wrote in message
news:%23GjF91%23KFHA.4092@tk2msftngp13.phx.gbl...
> Kerry,
>
> Have you ever copied encrypted files to a USB drive, for example, and been
> able to read them on another computer after importing the certificate?
>
> Also, doesn't the certificate contain only the certificate, and not the
> private key? Yet they talk about importing and exporting certificates.
>
> I tried exporting and importing a key, and I could not read the files on a
> second stand-alone computer.
>

I just tried it again and it worked. When exporting the key make sure you
tick the box "Yes, export private key". After that I just used all the
defaults for the rest of the dialog. When importing I just used the
defaults.

Kerry
Anonymous
March 18, 2005 8:31:09 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Kerry,

Excellent. However, I haven't been able to make it work. I must be doing
something wrong, obviously.

I was worried about backing up the wrong certificate, so I deleted my personal
certificates from:

Local Computer Policy/ Windows Settings/ Security Settings/ Public Key
Policies/ Encrypting File System/

and

Certificates - Current User/ Personal/ Certificates/

and

Certificates - Current User/ Trusted People/ Certificates/

However, I am still able to decrypt a pre-encrypted file.

So, which Certificate is active, and where is it? Second, how can a
certificate be enough, when the certificate does not include the private key?

You were logged in as Administrator? Where did you export the Certificate and
private key? Where did you import it.

I'm not on a domain. These are laptop computers I am using for test.

Thanks for the attention.

Michael

_________________________

Kerry Brown wrote:
> "M. Jennings" <mjennings@-NOTthis-or-dashes-myrealbox.com> wrote in message
> news:%23GjF91%23KFHA.4092@tk2msftngp13.phx.gbl...
>
>>Kerry,
>>
>>Have you ever copied encrypted files to a USB drive, for example, and been
>>able to read them on another computer after importing the certificate?
>>
>>Also, doesn't the certificate contain only the certificate, and not the
>>private key? Yet they talk about importing and exporting certificates.
>>
>>I tried exporting and importing a key, and I could not read the files on a
>>second stand-alone computer.
>>
>
>
> I just tried it again and it worked. When exporting the key make sure you
> tick the box "Yes, export private key". After that I just used all the
> defaults for the rest of the dialog. When importing I just used the
> defaults.
>
> Kerry
>
>
Anonymous
March 18, 2005 8:31:10 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

"M. Jennings" <mjennings@-NOTthis-or-dashes-myrealbox.com> wrote in message
news:uYWTtl$KFHA.3356@TK2MSFTNGP12.phx.gbl...
> Kerry,
>
> Excellent. However, I haven't been able to make it work. I must be doing
> something wrong, obviously.
>
> I was worried about backing up the wrong certificate, so I deleted my
> personal certificates from:
>
> Local Computer Policy/ Windows Settings/ Security Settings/ Public Key
> Policies/ Encrypting File System/
>
> and
>
> Certificates - Current User/ Personal/ Certificates/
>
> and
>
> Certificates - Current User/ Trusted People/ Certificates/
>
> However, I am still able to decrypt a pre-encrypted file.
>
> So, which Certificate is active, and where is it? Second, how can a
> certificate be enough, when the certificate does not include the private
> key?
>

Run mmc.exe. Add in the Certificates snap in. When prompted pick "Manage
certifcates for my user account". Expand the Personal tree. Look in the
Certificates folder. There was only one cert there it had my user name.
Right click on it and check the properties to make sure it is the efs cert.
Under "All Tasks" pick export and follow the prompts making sure to save the
private key with it.

> You were logged in as Administrator? Where did you export the Certificate
> and private key? Where did you import it.
>

No I wasn't logged in as administrator. I encrypted a file, then logged in
as a different user to confirm I couldn't access the file. I logged back in
as myself and moved the file to a shared folder on a server. At this point
other users could see the file but couldn't access it. I logged in as myself
and exported the certificate to the same shared folder. I went to another
computer, logged in as a different user again and tried to access the file.
Access was denied. I imported the certificate with the Certificates mmc snap
in. I was then able to access the encrypted file no problem.

> I'm not on a domain. These are laptop computers I am using for test.
>

Should work the same. Hope this helps.

Kerry
Anonymous
March 18, 2005 10:01:22 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Kerry,

Thanks very much for the help.

According to the very poor Microsoft documentation, the operation under a
domain is considerably different.

Yet your explanation is logical. I will give it another try.

However, I deleted my certificates. Why can I still decrypt the test files?

I'm reluctant to use a system that I don't completely understand, especially
one as important as this. There are many, many unhappy stories on the news
groups of users not being able to retrieve their files.


________________________________


Kerry Brown wrote:
> "M. Jennings" <mjennings@-NOTthis-or-dashes-myrealbox.com> wrote in message
> news:uYWTtl$KFHA.3356@TK2MSFTNGP12.phx.gbl...
>
>>Kerry,
>>
>>Excellent. However, I haven't been able to make it work. I must be doing
>>something wrong, obviously.
>>
>>I was worried about backing up the wrong certificate, so I deleted my
>>personal certificates from:
>>
>>Local Computer Policy/ Windows Settings/ Security Settings/ Public Key
>>Policies/ Encrypting File System/
>>
>>and
>>
>>Certificates - Current User/ Personal/ Certificates/
>>
>>and
>>
>>Certificates - Current User/ Trusted People/ Certificates/
>>
>>However, I am still able to decrypt a pre-encrypted file.
>>
>>So, which Certificate is active, and where is it? Second, how can a
>>certificate be enough, when the certificate does not include the private
>>key?
>>
>
>
> Run mmc.exe. Add in the Certificates snap in. When prompted pick "Manage
> certifcates for my user account". Expand the Personal tree. Look in the
> Certificates folder. There was only one cert there it had my user name.
> Right click on it and check the properties to make sure it is the efs cert.
> Under "All Tasks" pick export and follow the prompts making sure to save the
> private key with it.
>
>
>>You were logged in as Administrator? Where did you export the Certificate
>>and private key? Where did you import it.
>>
>
>
> No I wasn't logged in as administrator. I encrypted a file, then logged in
> as a different user to confirm I couldn't access the file. I logged back in
> as myself and moved the file to a shared folder on a server. At this point
> other users could see the file but couldn't access it. I logged in as myself
> and exported the certificate to the same shared folder. I went to another
> computer, logged in as a different user again and tried to access the file.
> Access was denied. I imported the certificate with the Certificates mmc snap
> in. I was then able to access the encrypted file no problem.
>
>
>>I'm not on a domain. These are laptop computers I am using for test.
>>
>
>
> Should work the same. Hope this helps.
>
> Kerry
>
>
Anonymous
March 18, 2005 10:01:23 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

"M. Jennings" <mjennings@-NOTthis-or-dashes-myrealbox.com> wrote in message
news:%23UHZHYALFHA.1284@TK2MSFTNGP14.phx.gbl...
> Kerry,
>
> Thanks very much for the help.
>
> According to the very poor Microsoft documentation, the operation under a
> domain is considerably different.
>
> Yet your explanation is logical. I will give it another try.
>
> However, I deleted my certificates. Why can I still decrypt the test
> files?
>
> I'm reluctant to use a system that I don't completely understand,
> especially one as important as this. There are many, many unhappy stories
> on the news groups of users not being able to retrieve their files.
>
>

Once you learn how to export and import the certificates it's no problem.
The people who have problems are the ones who don't take the time to learn
how efs works. They don't save a copy of the certificate. When their
computer has a problem such that they have to reinstall Windows the
certificate is gone and they have lost access to any encrypted files.
Always! always! export the certificate and keep a couple of copies in safe
places. Save it on floppy, save in on CDROM, just make sure to save it. If
you are not comfortable with efs you could also investigate PGP
http://www.pgp.com

Kerry
Anonymous
March 18, 2005 10:25:11 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Kerry,

You said, "I logged in as myself and exported the certificate to the same
shared folder."

I don't know what that means. Could you explain? I don't know how to export a
certificate to a folder.

Michael

__________________


Kerry Brown wrote:
> "M. Jennings" <mjennings@-NOTthis-or-dashes-myrealbox.com> wrote in message
> news:uYWTtl$KFHA.3356@TK2MSFTNGP12.phx.gbl...
>
>>Kerry,
>>
>>Excellent. However, I haven't been able to make it work. I must be doing
>>something wrong, obviously.
>>
>>I was worried about backing up the wrong certificate, so I deleted my
>>personal certificates from:
>>
>>Local Computer Policy/ Windows Settings/ Security Settings/ Public Key
>>Policies/ Encrypting File System/
>>
>>and
>>
>>Certificates - Current User/ Personal/ Certificates/
>>
>>and
>>
>>Certificates - Current User/ Trusted People/ Certificates/
>>
>>However, I am still able to decrypt a pre-encrypted file.
>>
>>So, which Certificate is active, and where is it? Second, how can a
>>certificate be enough, when the certificate does not include the private
>>key?
>>
>
>
> Run mmc.exe. Add in the Certificates snap in. When prompted pick "Manage
> certifcates for my user account". Expand the Personal tree. Look in the
> Certificates folder. There was only one cert there it had my user name.
> Right click on it and check the properties to make sure it is the efs cert.
> Under "All Tasks" pick export and follow the prompts making sure to save the
> private key with it.
>
>
>>You were logged in as Administrator? Where did you export the Certificate
>>and private key? Where did you import it.
>>
>
>
> No I wasn't logged in as administrator. I encrypted a file, then logged in
> as a different user to confirm I couldn't access the file. I logged back in
> as myself and moved the file to a shared folder on a server. At this point
> other users could see the file but couldn't access it. I logged in as myself
> and exported the certificate to the same shared folder. I went to another
> computer, logged in as a different user again and tried to access the file.
> Access was denied. I imported the certificate with the Certificates mmc snap
> in. I was then able to access the encrypted file no problem.
>
>
>>I'm not on a domain. These are laptop computers I am using for test.
>>
>
>
> Should work the same. Hope this helps.
>
> Kerry
>
>
Anonymous
March 18, 2005 10:25:12 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

"M. Jennings" <mjennings@-NOTthis-or-dashes-myrealbox.com> wrote in message
news:e83DblALFHA.656@TK2MSFTNGP14.phx.gbl...
> Kerry,
>
> You said, "I logged in as myself and exported the certificate to the same
> shared folder."
>
> I don't know what that means. Could you explain? I don't know how to
> export a certificate to a folder.
>

You have to pick somewhere to save the exported certificate to. I chose the
same folder where I had saved the encrypted file. It doesn't have to be
there. It could be a floppy disk, a folder on your hard drive, it doesn't
really matter. It just has to be somewhere you can import it when at the
other computer. Once it is exported to a file you can copy that file at
will.

Kerry
Anonymous
March 19, 2005 6:01:19 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Kerry,

I decided I just don't have enough information to use EFS. In the newsgroups
there are many stories of people losing their information. Microsoft makes it
easy to encrypt, and difficult to know how to make your files safe. The
explanation of how it works is just not there.

I ran EFSInfo on my test directory. Even though I deleted my personal
certificate, the files are automatically decrypted. This shows that I don't
understand how it works.

Also, I'm worried about not being on a domain. I tried what you suggested
before, with stand alone computers, and was not able to make it work.

I cannot copy the test encrypted folder without decrypting the contents. It is
suggested to use NTBackup for this, but NTBackup does not work on the two
computers I tried. (I have only four computers here.) That's another of those
knotty problems that could take many hours to debug.

I don't understand why they say "Recovery Certificate", when supposedly the
Recovery Certificate does not include the private key. With no private key, it
is impossible to decrypt files.

Michael

____________________


Kerry Brown wrote:
> "M. Jennings" <mjennings@-NOTthis-or-dashes-myrealbox.com> wrote in message
> news:e83DblALFHA.656@TK2MSFTNGP14.phx.gbl...
>
>>Kerry,
>>
>>You said, "I logged in as myself and exported the certificate to the same
>>shared folder."
>>
>>I don't know what that means. Could you explain? I don't know how to
>>export a certificate to a folder.
>>
>
>
> You have to pick somewhere to save the exported certificate to. I chose the
> same folder where I had saved the encrypted file. It doesn't have to be
> there. It could be a floppy disk, a folder on your hard drive, it doesn't
> really matter. It just has to be somewhere you can import it when at the
> other computer. Once it is exported to a file you can copy that file at
> will.
>
> Kerry
>
>
Anonymous
March 19, 2005 6:01:20 AM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

"M. Jennings" <mjennings@-NOTthis-or-dashes-myrealbox.com> wrote in message
news:uDATUkELFHA.1916@TK2MSFTNGP12.phx.gbl...
> I decided I just don't have enough information to use EFS. In the
> newsgroups there are many stories of people losing their information.
> Microsoft makes it easy to encrypt, and difficult to know how to make your
> files safe. The explanation of how it works is just not there.
>
> I ran EFSInfo on my test directory. Even though I deleted my personal
> certificate, the files are automatically decrypted. This shows that I
> don't understand how it works.
>
> Also, I'm worried about not being on a domain. I tried what you suggested
> before, with stand alone computers, and was not able to make it work.
>
> I cannot copy the test encrypted folder without decrypting the contents.
> It is suggested to use NTBackup for this, but NTBackup does not work on
> the two computers I tried. (I have only four computers here.) That's
> another of those knotty problems that could take many hours to debug.
>
> I don't understand why they say "Recovery Certificate", when supposedly
> the Recovery Certificate does not include the private key. With no private
> key, it is impossible to decrypt files.
>

EFS is not Microsoft's finest moment. The encryption/decryption works as
advertised. As you have found out making sure you can always decrypt it can
be a problem. I quit using it myself a couple of years ago. None of my data
is that sensitive. I do have to support people who use it though so I made
sure I knew the ins and outs. So far I've not lost any data. Came close once
when I thought I had a copy of the certificate. Turned out I didn't and the
computer it was on was wiped clean and sold. Luckily I had good backups but
it took most of a day to recover the certificate from the backup tape.

Good luck, take a look at PGP it may do what you want.

Kerry
Anonymous
March 19, 2005 4:08:45 PM

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Thanks for all the information. It has been very helpful.

Next time you have a knotty problem, send me a message, and I will see if I
can help.

Michael

______________


Kerry Brown wrote:
> "M. Jennings" <mjennings@-NOTthis-or-dashes-myrealbox.com> wrote in message
> news:uDATUkELFHA.1916@TK2MSFTNGP12.phx.gbl...
>
>>I decided I just don't have enough information to use EFS. In the
>>newsgroups there are many stories of people losing their information.
>>Microsoft makes it easy to encrypt, and difficult to know how to make your
>>files safe. The explanation of how it works is just not there.
>>
>>I ran EFSInfo on my test directory. Even though I deleted my personal
>>certificate, the files are automatically decrypted. This shows that I
>>don't understand how it works.
>>
>>Also, I'm worried about not being on a domain. I tried what you suggested
>>before, with stand alone computers, and was not able to make it work.
>>
>>I cannot copy the test encrypted folder without decrypting the contents.
>>It is suggested to use NTBackup for this, but NTBackup does not work on
>>the two computers I tried. (I have only four computers here.) That's
>>another of those knotty problems that could take many hours to debug.
>>
>>I don't understand why they say "Recovery Certificate", when supposedly
>>the Recovery Certificate does not include the private key. With no private
>>key, it is impossible to decrypt files.
>>
>
>
> EFS is not Microsoft's finest moment. The encryption/decryption works as
> advertised. As you have found out making sure you can always decrypt it can
> be a problem. I quit using it myself a couple of years ago. None of my data
> is that sensitive. I do have to support people who use it though so I made
> sure I knew the ins and outs. So far I've not lost any data. Came close once
> when I thought I had a copy of the certificate. Turned out I didn't and the
> computer it was on was wiped clean and sold. Luckily I had good backups but
> it took most of a day to recover the certificate from the backup tape.
>
> Good luck, take a look at PGP it may do what you want.
>
> Kerry
>
>
!