I am trying to decrypt data encrypted by EFS on Win 7 and XP boxes. We have a large domain Server 2003 PKI infrastructure. I have genereated file reocvery and EFS certicates using a DRA\KRA account.
I then log onto a machine with theDRA\KRA account, mount encrypted drive as a slave. I then import certificates into local computer on the DRA\KRA account.
Unfortunately I am not able to decrypt the drive. There is another user who had master certs installed on his machine a year ago. He is able to decrypt any encrypted drive. This is evidence that our infrastructure is correctly configured. I fairly new to this and so I have more than likely generated or applied the certificates incorrectly.
Just to provide some feedback on some exact steps taken so far:
1. On the first Dc in the domain I logged in with DRA/KRA account.
2. Opened up certificate snap in - in mmc
3. Used Certificates - Current User console
4. Right clicked on Personal -> Certificates - > Request new certificate
5. In the wizard chose current EFS Recovery Agent template that has been used successfully in the past.
6. The certificate then appears in Personal -> Certificates window
7. R/click on the certificate -> Export
8. In the export wizard I choose " Yes,export the private key " option.
9. In the next screen - "enable strong protection" is ticked and "Include all certificates in the certification path if possible" is ticked.
10. I then specify password, perform the export and copy cert to my laptop
11. Logged in under my own account I then double - click on the cert and allow it to install to default place.