Re: Recovery Agent fails to recover Encrypted Data

From: Drew Cooper [MSFT] (dcoop_at_online.microsoft.com)
Date: 01/09/04


Date: Thu, 8 Jan 2004 17:30:34 -0800

And the private key was generated on whichever machine the user enrolled for
the certificate.

I replied to this in greater length on another newsgroup.

-- 
Drew Cooper [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
"Brian Komar" <bkomar@komarconsulting.com.nospam> wrote in message
news:MPG.1a6706c4b3ab120198969d@msnews.microsoft.com...
> In article <066001c3d5a1$7a8abef0$a601280a@phx.gbl>,
> anonymous@discussions.microsoft.com says...
> > Hello Sir,
> >
> > I installed a CA on my domain controller. Then I published an
> > EFS Recovery Certificate for a user, then I went to Domain
> > Security Policy, then Public Key Policy, then
> > Encrypted Data Recovery Agents and added that user as a
> > Recovery Agent (that user is also in the Domain Admins group).
> > Then I logged on with an administrator account and encrypted a
> > file. I also encrypted a file with an ordinary user, then I logged
> > on with the Recovery Agent account and tried to decrypt those
> > files but got the error "Access Denied".
> >
> > Where am I going wrong? I think the Recovery Agent should
> > decrypt encrypted files which are encrypted after his
> > addition as Recovery Agent.
> > Please help me.
> >
> > Thanks in Advance
> >
> > Muhammad Sajid.
> > Lahore, Pakistan.
> >
> Hi Muhammad,
>
> To verify who can open the encrypted file, use the EFSINFO.EXE command
> from the Windows 2000 Resource Kit.  The EFSINFO /R /U /C command will
> show you the thumbprints for both the User and Recovery Agent
> certificates that can access the EFS encrypted file.
>
> Ensure that you are performing the recovery attempt from the same
> computer where you enrolled the EFS Recovery Certificate. The Private
> key associated with the certificate only exists in that profile of the
> administrator account. It is *not* the account that is the recovery
> agent, it is the holder of the *private key* that can open the file as
> the recovery agent.
>
> You may have to import the private key onto a different computer to open
> the file.
>
> Please see the EFS whitepaper for more information:
>
> http://www.microsoft.com/WindowsXP/pro/techinfo/administration/recovery/
> default.asp
>
> http://www.msdn.microsoft.com/library/default.asp?url=/library/en-
> us/dnsecure/html/WinNETSrvr-EncryptedFileSystem.asp
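The check Brian describes, carried over to a current Windows version as an added example (this is editor-supplied PowerShell, not code from either poster). It assumes Windows 8 / Server 2012 or later for the PKI module cmdlets, uses cipher /c in place of EFSINFO (which shipped only in the Windows 2000 Resource Kit), treats C:\Data\secret.txt as a placeholder path, and assumes the recovery certificate was enrolled with an exportable private key. The point it makes visible is the one in the thread: being listed as a recovery agent in policy is not enough; the profile doing the recovery must hold the matching private key.

```powershell
# Added example (not from the thread). Shows which EFS File Recovery
# certificates the CURRENT profile can actually use, and how to move the
# recovery private key to another computer via a PFX file.
# Assumes Windows 8 / Server 2012 or later (PKI module) and an exportable key.

# 1.3.6.1.4.1.311.10.3.4.1 is the Enhanced Key Usage OID "File Recovery";
# a certificate must carry it to act as an EFS Data Recovery Agent (DRA).
$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'

function Test-FileRecoveryEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Read the EKU extension directly from the .NET object.
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if (-not $eku) { return $false }
    return [bool]($eku.EnhancedKeyUsages.Value -contains $FileRecoveryOid)
}

function Get-EfsRecoveryCertificate {
    # Enumerate the current user's personal store and keep only DRA certs.
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { Test-FileRecoveryEku -Cert $_ } |
        Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
}

# A DRA entry with HasPrivateKey = False is the "Access Denied" case from the
# thread: the certificate (public half) is present or named in policy, but the
# private key lives only in the profile on the machine where it was enrolled.
Get-EfsRecoveryCertificate | Format-Table -AutoSize

# Cross-check against the file itself: cipher /c lists the users and recovery
# agents (with certificate thumbprints) that can decrypt it. Compare those
# thumbprints with the HasPrivateKey = True rows above.
cipher /c 'C:\Data\secret.txt'   # placeholder path

# On the enrolment machine: export the DRA certificate WITH its private key.
$dra = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and (Test-FileRecoveryEku -Cert $_) } |
    Select-Object -First 1
if ($dra) {
    $pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
    Export-PfxCertificate -Cert $dra -FilePath .\dra-recovery.pfx -Password $pfxPassword
} else {
    Write-Warning 'No File Recovery certificate with a private key in this profile.'
}

# On the computer where recovery must happen, logged on as the recovery agent:
# import the PFX into that profile, then decrypt the file.
# Import-PfxCertificate -FilePath .\dra-recovery.pfx `
#     -CertStoreLocation Cert:\CurrentUser\My -Password $pfxPassword
# cipher /d 'C:\Data\secret.txt'
```

Export-PfxCertificate only succeeds if the key was marked exportable at enrolment; if it was not, the recovery has to be done on the enrolment machine, as the thread says. Keep the exported PFX offline and delete it once the key has been imported where it is needed.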

