Re: EFS | Encryption | import private key
From: Louis (deimen_at_hotmail.com)
Date: 03/12/04
- Next message: Gaetano Sferra: "Re: Urgent help needed on CryptoAPI"
- Previous message: cc: "IIS Home Pages showing 'Service Unavailable' or other"
- In reply to: Louis: "Re: EFS | Encryption | import private key"
- Next in thread: Drew Cooper [MSFT]: "Re: EFS | Encryption | import private key"
- Reply: Drew Cooper [MSFT]: "Re: EFS | Encryption | import private key"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 12 Mar 2004 11:14:20 -0500
Correction,
I said "So if the private key of a user "crash", we want to be able to
recover the user's data. The easiest way we found to do that is to import
the certificate of 1 DRA on all the laptops". It's not 100% true. In fact
we don't want to import the certificate after a crash, but we want the data
to be encrypted with the DRA's certificate and the user certificate (to
allow both decryption). To do so we assume that we have to "import" the
same DRA certificate on all laptops when we "deploy" the EFS encryption.
What do you mean by "recovery policy"? Is it a GUI, or do you mean a
"policy method" that you will use ...? I just want you to be aware that
the laptops are not connected to the network, so we cannot manage them with
policies.
"Louis" <deimen@hotmail.com> wrote in message
news:eAv4HrECEHA.688@tk2msftngp13.phx.gbl...
> Ok I'll explain my problem, but your solution seems to be fine, I'll try it.
>
> My 300 laptops are in my domain but they are not connected to it. They are
> standalone users that just connect to the network with RAS (phone line) to
> take their Lotus Notes (Our method of deployment is with Lotus Notes
> actually). Those users are "noob" I mean they know everything about
> insurance but nothing about computer :), so they will not be able to
> encrypt-decrypt folders ... anyway it's not their job to do that. The
> information contained in the files on those laptops is very confidential.
> That's why we want to encrypt it.
>
> So if the private key of a user "crash", we want to be able to recover the
> user's data. The easiest way we found to do that is to import the
> certificate of 1 DRA on all the laptops (I said private key on my last post
> but I think it's the certificate, I'm new to encryption ...). Since we
> don't want to manage 300 DRA certificates (by creating separate DRA on each
> laptop), we only want to import 1 DRA certificate on all of them. I will
> use the cipher command to automate the files to encrypt.
>
> I think you have a better idea of my problem now. Like I said, I will try
> your solution, I will give you the result if it works.
>
> Thanks a lot
>
> Louis
>
> P.S. Sorry if the "sense" of some sentences is not correct, I did my best
> :)
>
>
> "Drew Cooper [MSFT]" <dcoop@online.microsoft.com> wrote in message
> news:eZ9eiw9BEHA.1452@TK2MSFTNGP09.phx.gbl...
> > Why do you want to import the DRA private key onto all of those laptops?
> >
> > (lame attempt at mind-reading)
> > I think you want to put the same DRA public key (certificate) in the local
> > machine default recovery policy on each of the machines in an automated way.
> >
> > Assuming that's what you want to do, it's possible, but I don't see any
> > documentation. The preferred way is to do it through group policy. I
> > don't know how to script that. A workaround is to add entries directly to
> > the registry (which can be scripted). If you set a DRA for one machine,
> > you'll notice that its entries under HKLM\SOFTWARE\Policies\Microsoft\EFS
> > differ from those on a machine without a DRA. You can use a reg script to
> > add those same entries to a machine's registry and run the script once on
> > all machines.
> > The above solution is not supported, the registry locations/values/etc. may
> > change from one release of Windows to the next, and all the other caveats I
> > should offer someone about to muck with the registry.
> >
> > Good luck!
> > --
> > Drew Cooper [MSFT]
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> >
> >
> > "Louis" <deimen@hotmail.com> wrote in message
> > news:eSeJlB7BEHA.1588@tk2msftngp13.phx.gbl...
> > > Hi,
> > >
> > > I want to know if there is any method to import a private key of a DRA with
> > > a command line.
> > >
> > > I have to activate encryption for 300 laptops that are not in my domain, I
> > > want to do it with some batch (autologon, 3DES encryption, etc)
> > >
> > > I don't want my users to do anything in a MMC console. The only solution I
> > > found to import a private key is with the MMC.
> > >
> > > Any solution ?
> > >
> > > thanks
> > >
> > > Louis Paré
> > >
> > >
> >
> >
>
>
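
The registry comparison Drew Cooper describes in the quoted reply above, written out as an added example that is not part of the original thread and not Microsoft's code. It assumes the differing entries all sit under the key he names; the file names are hypothetical, and his caveat that the approach is unsupported still applies.

```powershell
# Added example. The key path is the one quoted in the thread; file names are hypothetical.
$EfsPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\EFS'
$BaselineFile = Join-Path $env:TEMP 'efs-policy-before.clixml'
$ExportFile   = Join-Path $env:TEMP 'efs-dra.reg'

function Get-RegSnapshot {
    param([string]$Path)
    $snap = @{}
    if (-not (Test-Path $Path)) { return $snap }    # key absent: no policy set yet
    $keys = @(Get-Item -Path $Path) + @(Get-ChildItem -Path $Path -Recurse)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            $value = $key.GetValue($name)
            if ($value -is [byte[]]) {
                # Hash binary values (e.g. certificate blobs) so they compare as text
                $sha = [System.Security.Cryptography.SHA256]::Create()
                $value = 'sha256:' + [BitConverter]::ToString($sha.ComputeHash($value))
            }
            $snap["$($key.Name)\$name"] = "$value"
        }
    }
    return $snap
}

function Compare-RegSnapshot {
    param([hashtable]$Before, [hashtable]$After)
    foreach ($k in ($After.Keys | Sort-Object)) {
        if (-not $Before.ContainsKey($k))   { "ADDED   $k" }
        elseif ($Before[$k] -ne $After[$k]) { "CHANGED $k" }
    }
    foreach ($k in ($Before.Keys | Sort-Object)) {
        if (-not $After.ContainsKey($k))    { "REMOVED $k" }
    }
}

if (-not (Test-Path $BaselineFile)) {
    # First run, before the DRA is configured on the reference machine
    Get-RegSnapshot $EfsPolicyKey | Export-Clixml -Path $BaselineFile
    'Baseline saved. Configure the DRA on this machine, then run the script again.'
} else {
    # Second run: list what changed, then export the key for the laptops
    Compare-RegSnapshot (Import-Clixml -Path $BaselineFile) (Get-RegSnapshot $EfsPolicyKey)
    reg export 'HKLM\SOFTWARE\Policies\Microsoft\EFS' $ExportFile
    "Exported to $ExportFile; on each laptop run (elevated): reg import efs-dra.reg"
}
```

Only the policy entries are copied this way, so the DRA's private key does not need to be placed on the laptops. After the import, encrypting a test file and running `cipher /c` on it shows whether the recovery certificate is listed.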