Re: EFS: Move User+WKS to other forest



Thnx Jesper and Brian for your replies

Unfortunately it is not possible to export our private keys :-(

I guess there is no other way than to decrypt and re-encrypt the files.

Greetz,
Mike

"Brian Komar [MVP]" wrote:

In article <0D5A0361-F7B4-438E-9E7D-60BE1E014480@xxxxxxxxxxxxx>,
MikeSchmeitz@xxxxxxxxxxxxxxxxxxxxxxxxx says...
Hi,

Want to move Workstation to another forest. Workstation contains EFS
encrypted files. What would be the best automated and safest way to keep EFS
encrypted (local) files available to users after migration. Both forests have
their own root CA.

in other words:
User1@domain1 has encrypted files on D: drive
Workstation and user is migrated to domain2 in a different forest
Trusts are available between the domains
Different CAs are used for both forests
User1@domain2 wants to get access to his encrypted files on D: drive

- Would it be possible to add User1@domain2 before migration of WKS to other
domain? (This would mean that decryption can be done by user1@domain1,
user1@domain2 and the efs recovery agent)
- Is the only way to do this, by decrypting all files, migrating, and then
start a re-encryption with new certificate of user1@domain2?

Greetz,

Mike


Two alternatives exist...
1) You could proceed with the decryption, and re-encryption...
2) Another way is to do the following:
- Have the user export their existing EFS certificate to a PFX file
- Move the account to the new forest
- Have the user log on with the new credentials, creating the new user profile
- Issue the user a new EFS certificate and have them encrypt a new file (establishing the
new EFS certificate as the default EFS certificate). This certificate would be issued by the
CA in the new forest
- Import the old EFS certificate exported in the first step

This configuration allows the user to open previously encrypted files (they have the private
key needed to decrypt the FEK). Also, when they save the file, the FEK is re-encrypted with
the user's new EFS private key.

They can also run "cipher /U" at this point to update the user encryption key to their new
encryption key against all files on the local drive.

So to summarize:
1) export the user's current EFS private key (cipher /X)
2) move user and computer account to new forest
3) Log on with new account
4) Import EFS certificate into new account
5) cipher /U

Brian
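The five-step procedure Brian summarizes above, as an added PowerShell wrapper that is not part of the thread. It adds the checks an administrator would want at each stage: confirm an EFS certificate with a private key exists before exporting, confirm the PFX was actually written (if the key was issued non-exportable, as in Mike's case, `cipher /X` fails and only decrypt/re-encrypt remains), and spot-check with `cipher /C` after `cipher /U` that the migrated files now list the new certificate. It assumes a current Windows release (Windows 8 / Server 2012 or later, for `Import-PfxCertificate` and `cipher /C`); the backup path, drive letter and EKU-based filter are assumptions, and the PFX password is entered interactively because `cipher /X` prompts for it.

```powershell
# Added example, not from the thread: wraps the export / migrate / import / cipher /U
# procedure with sanity checks. Run -Phase Export as the user in the OLD forest,
# then (after the account and workstation are moved and the user has encrypted one
# new file with the new-forest certificate) -Phase Import as the user in the NEW forest.
param(
    [Parameter(Mandatory)][ValidateSet('Export', 'Import')] [string]$Phase,
    [string]$BackupPath    = 'D:\efs-backup\user1-efs',   # assumed; cipher /X appends .pfx
    [string]$EncryptedRoot = 'D:\'                         # assumed drive holding the EFS files
)

function Get-EfsCertificate {
    # EFS certificates carry the EKU 1.3.6.1.4.1.311.10.3.4; only those whose
    # private key is present in this profile can decrypt a FEK.
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and
                       ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.10.3.4') }
}

if ($Phase -eq 'Export') {
    # Step 1: back up the current EFS certificate and private key (cipher /X).
    $certs = Get-EfsCertificate
    if (-not $certs) { throw 'No EFS certificate with a private key in the user store.' }
    $certs | Format-Table Thumbprint, NotAfter, Subject -AutoSize

    New-Item -ItemType Directory -Force (Split-Path $BackupPath) | Out-Null
    cipher.exe /X $BackupPath     # prompts for a PFX password interactively
    if (-not (Test-Path "$BackupPath.pfx")) {
        throw 'Export failed: the EFS private key is probably marked non-exportable.'
    }
    # Record a hash so the file can be verified after it is carried to the new profile.
    Get-FileHash "$BackupPath.pfx" -Algorithm SHA256 | Format-List Path, Hash
}
elseif ($Phase -eq 'Import') {
    # Step 4 precondition: the new-forest EFS certificate must already be the default,
    # which Brian establishes by having the user encrypt a new file first.
    if (-not (Get-EfsCertificate)) {
        throw 'Encrypt a new file first so the new-forest EFS certificate becomes the default.'
    }
    if (-not (Test-Path "$BackupPath.pfx")) { throw "PFX not found: $BackupPath.pfx" }

    $pfxPassword = Read-Host -AsSecureString 'PFX password'
    Import-PfxCertificate -FilePath "$BackupPath.pfx" `
                          -CertStoreLocation Cert:\CurrentUser\My `
                          -Password $pfxPassword | Out-Null

    # Step 5: cipher /U walks every encrypted file on all local drives and re-wraps
    # each FEK with the user's current (new-forest) EFS key.
    cipher.exe /U

    # Spot-check: cipher /C lists the certificates that can decrypt a given file,
    # so the new thumbprint should now appear for files encrypted under the old key.
    Get-ChildItem $EncryptedRoot -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted } |
        Select-Object -First 5 |
        ForEach-Object { cipher.exe /C $_.FullName }
}
```

Usage: `.\efs-migrate.ps1 -Phase Export` before the move, `.\efs-migrate.ps1 -Phase Import` after logging on with the new account. The old certificate stays in the new profile's store after import; once `cipher /U` has rewrapped every file and `cipher /C` no longer shows the old thumbprint, the PFX backup should be destroyed, since it holds the private key in a password-protected file.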
