Re: EFS certificate requirements

Hi,

According to the article "Encrypting File System Tools and Settings" (http://technet2.microsoft.com/WindowsServer/en/Library/04122595-5d30-4b19-945a-b6e4bb33bd6f1033.mspx), Flag identifies the encryption algorithm used to encrypt and decrypt new EFS files.

If this is meant to be 3DES, AES or DESX, then it confuses me a little, because according to http://support.microsoft.com/default.aspx?scid=kb;en-us;329741&sd=tech this is done through the AlgorithmID key.


Martin

Mitch Gallant wrote:
Thanks Martin. What is that Flag named-value for?
- Mitch

"Martin Rublik" <martin.rublik@xxxxxxxxxxx> wrote in message news:O$Tz6v7YGHA.4060@xxxxxxxxxxxxxxxxxxxxxxx
Change the hash in registry
HKCU\Software\Microsoft\WindowsNT\CurrentVersion\EFS\CurrentKeys\CertificateHash
to the hash of the certificate you want to use.

I think (but I'm not sure) that if multiple certificates with the EFS EKU exist and the registry key is not set up, the first one enumerated is used.

As for the requirements, it is not possible to use strong private key protection, and the certificates cannot be stored on smart cards or USB tokens.

Regards

Martin

Mitch Gallant wrote:
Some questions on EFS:

(1) Is it possible to force use of a specific EFS CU certificate?
I know cipher /k creates a new EFS cert/keypair for the current user and uses that one from that point onwards,
but I want to create one with specific characteristics (for testing).

(2) I think that EFS will only recognize/use client certs that have the EKU:
Encrypting File System (1.3.6.1.4.1.311.10.3.4)
Are there any other requirements for the EFS certs (not the recovery one ...)?

- Mitch
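As an added example (not part of the thread): a PowerShell sketch of the procedure Martin describes, listing the current user's certificates that carry the EFS EKU quoted above, reading the pinned CertificateHash under the CurrentKeys registry key, and optionally pinning a chosen thumbprint. It assumes the CurrentKeys path as given in the thread (written with the space in "Windows NT" as the key is named in the registry) and that CertificateHash is stored as REG_BINARY; function names are this example's own.

```powershell
# Added example, not code from the thread. Inventory EFS-capable certificates in
# CurrentUser\My and compare them with the thumbprint pinned in CertificateHash.
$EfsEku      = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU, as quoted in the thread
$CurrentKeys = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys'  # assumed path

function Get-EfsCandidateCertificate {
    # A certificate EFS can use: EFS EKU present and a usable private key.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and
        ($_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages.Value }) -contains $EfsEku
    }
}

function Get-PinnedEfsThumbprint {
    # CertificateHash is assumed to hold the raw SHA-1 thumbprint bytes (REG_BINARY).
    $bytes = (Get-ItemProperty -Path $CurrentKeys -Name CertificateHash -ErrorAction SilentlyContinue).CertificateHash
    if (-not $bytes) { return $null }
    ($bytes | ForEach-Object { $_.ToString('X2') }) -join ''
}

function Set-PinnedEfsThumbprint {
    # Pin a specific certificate; refuses thumbprints that are not EFS-capable.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Thumbprint)
    $cert = Get-EfsCandidateCertificate | Where-Object Thumbprint -eq $Thumbprint
    if (-not $cert) { throw "No EFS-capable certificate with thumbprint $Thumbprint in CurrentUser\My" }
    $bytes = [byte[]](0..($Thumbprint.Length / 2 - 1) |
        ForEach-Object { [Convert]::ToByte($Thumbprint.Substring(2 * $_, 2), 16) })
    if ($PSCmdlet.ShouldProcess($CurrentKeys, "Set CertificateHash to $Thumbprint")) {
        if (-not (Test-Path $CurrentKeys)) { New-Item -Path $CurrentKeys -Force | Out-Null }
        Set-ItemProperty -Path $CurrentKeys -Name CertificateHash -Value $bytes -Type Binary
    }
}

# Report: '*' marks the certificate currently pinned by CertificateHash, if any.
$pinned = Get-PinnedEfsThumbprint
"Pinned CertificateHash: $(if ($pinned) { $pinned } else { '<not set>' })"
Get-EfsCandidateCertificate | ForEach-Object {
    $mark = if ($_.Thumbprint -eq $pinned) { '*' } else { ' ' }
    '{0} {1}  {2}  expires {3:yyyy-MM-dd}' -f $mark, $_.Thumbprint, $_.Subject, $_.NotAfter
}
```

Run `Set-PinnedEfsThumbprint -Thumbprint <hex> -WhatIf` first to see the write without performing it; a pinned hash that matches no listed certificate is the mismatch to look for when EFS silently falls back to another key.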
