Re: Cannot decrypt about 5% of encrypted files
- From: Brian Komar [MVP] <bkomar@xxxxxxxxxxxxxxxxx>
- Date: Fri, 30 Mar 2007 07:33:32 -0500
In article <1175191070.257937.313590@o5g2000hsb.googlegroups.com>, ttripp@xxxxxxxxxxxxxxxxx says...

It worked exactly as designed (sorry).

On Mar 29, 10:22 am, "ttr...@xxxxxxxxxxxxxxxxx" <ttr...@xxxxxxxxxxxxxxxxx> wrote:
Here's my problem. I very recently (three weeks ago) started moving
my user "My Documents" folders to a server using a GPO. This GPO also
set automatic encryption on the folders. Bunches of problems cropped
up, and I'm trying to move the folders back to the local desktops.
However, about 5% of the files (that's a guesstimate) just won't move
back. The copy says the user doesn't have rights to the suspect
files, even though the NTFS permissions say otherwise. Every one of
the suspect files is encrypted (as are the ones that aren't causing any
problems). But when I try to decrypt them, it says I don't have
permissions to do that.
It doesn't matter how I log into the server; as the domain admin, the
local admin, or with the user account. I get the same error. The
other 95% of the files, which were copied over at the same time, under
the same user accounts, and (one presumes) the same encryption keys,
decrypt just fine.
I am completely at a loss to understand this behavior. Before I
started moving user data, I tested this all with a small group of
users, and I was able (as the domain admin), to encrypt and decrypt
files at will. Does anyone have any step-by-step procedures I could
try to recover these files? I'm not a newbie, but right this moment
I'd prefer some detailed, hand-holding instructions on this.
I've answered my own question. The documents in question were being
copied to a cluster server that had a file share resource. For
reasons we don't understand, most of the documents were being
encrypted by the "B" server, but a handful were being encrypted by the
"A" server. This makes no sense, because it shouldn't matter which
server in the cluster was active; encryption should have been the same
(looking at the file details, they show the same users and
certificates, regardless of which server was active). The only way to
undo all this is to decrypt as many as possible on one server, then
switch to the other server and decrypt the remaining files
individually. Extremely tedious work.
Obviously, I won't try encrypting files on a cluster server again,
until I know why this happened in the first place.
When you encrypt on a server, the server will
impersonate the user, generate a user profile, and then
use EFS encryption keys from that profile to encrypt the
files.
Because you have set up a cluster, you now have the
additional fun of which server controls the specific
file.
Three possible solutions:
1) Use WebDAV rather than CIFS. When you use WebDAV to
connect to the share, the file is encrypted at the
client, and then sent as a blob to the file server,
rather than being encrypted at the server, by the server
impersonating the user as described earlier.
2) Do not encrypt on clusters!!! For that matter, try
not to encrypt on servers.
3) Wait for Longhorn. A Vista client connecting to a
Longhorn server will encrypt locally and send the
encrypted blob (no need for WebDAV).
Brian
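The recovery the original poster describes (decrypt what this node can, then repeat on the other node) can be driven from a script rather than file by file. This is an added example, not code from either poster: it assumes PowerShell 3.0 or later, that it runs as the user whose EFS key encrypted the files on the node currently owning the share, and placeholder values for the root folder and report path.

```powershell
# Added example: first-pass EFS decryption over a share, recording the files
# this node cannot decrypt so they can be handled from the other cluster node.
# $Root and $Report are placeholders, not paths from the thread.
param(
    [string]$Root   = 'D:\Shares\Users',
    [string]$Report = "$env:TEMP\efs-undecryptable-$env:COMPUTERNAME.csv"
)

$failed = @()
$ok = 0

# Only files carrying the Encrypted attribute are touched; plaintext is skipped.
Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted } |
    ForEach-Object {
        $file = $_   # keep the file object; inside catch, $_ is the error record
        try {
            # File.Decrypt uses the calling user's EFS key on THIS server. It throws
            # when the profile here holds no key able to unwrap the file's FEK,
            # which is the "no permission" symptom seen on the other node's files.
            [System.IO.File]::Decrypt($file.FullName)
            $ok++
        }
        catch {
            $failed += [pscustomobject]@{
                Node  = $env:COMPUTERNAME
                Path  = $file.FullName
                Error = $_.Exception.Message
            }
        }
    }

# Summary plus a CSV of leftovers to take to the other node for the second pass.
"{0} file(s) decrypted on {1}; {2} still encrypted, listed in {3}" -f `
    $ok, $env:COMPUTERNAME, $failed.Count, $Report
$failed | Export-Csv -Path $Report -NoTypeInformation
```

Run the same script on the second node against the paths in the CSV; anything still failing on both nodes needs the EFS recovery agent rather than the user's key.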