Re: How can I share encripted files between two user accounts?
From: Drew Cooper [MSFT] (dcoop_at_online.microsoft.com)
Date: 03/09/04
- Next message: Roger Abell: "Re: syncronise workstation / server logon while not in domain"
- Previous message: Robert Moir: "Re: Volume Shadow Copy Security on Windows 2003"
- In reply to: George Valkov: "Re: How can I share encripted files between two user accounts?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 8 Mar 2004 15:21:04 -0800
There's no way to do a bulk add-user operation without writing your own app.
Strong protection on keys doesn't work with EFS. And you don't need to do
anything with runas.
You could use the certificate and key from "cipher /x", but you're better
off using the recovery keypair.***
On your Server 2003 installation, log on as administrator. Open the
Certificates MMC snapin. Find the EFS recovery cert in the Personal store
and export it (with its private key). That will create a .pfx file. Export
it again, but choose not to export the private key. That will create a .cer
file.
On your XP installation, run the .pfx file - that will start an import
wizard - go with the defaults it offers. Now open the Group Policy MMC
snapin and add the .cer file to the recovery policy. Here's a doc that will
walk you through it:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/encrypt_to_change_policy.mspx
On the XP installation, run "cipher /u". That will update the recovery
agent info on all of the files you've encrypted on XP.
Everything at this point should just work. When you're satisfied that
everything works correctly, you should probably delete the .pfx - any
attacker could import it and gain access to those files otherwise.
WARNING: Make sure you're running at least Service Pack 1 on the XP
installation. Server 2003 uses the AES algorithm by default. XP doesn't
understand AES until SP1 is applied. If you encrypt on Server and decrypt
on XP RTM, you'll lose that data permanently.
*** When we can't use a user's EFS key for some reason, we automatically
generate a new one. It's possible to have several key pairs usable by EFS.
We just pick one of them to encrypt a file - there's no guarantee which one
we pick.
A recovery keypair is always going to be the same.
Using the method I explained above, the files will show different users
having encrypted them depending on which OS you were using. Your users in
both OSes will be able to open/modify/decrypt all of the files, though.
--
Drew Cooper [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.

"George Valkov" <null@somewhere.com> wrote in message
news:eFYYjDVBEHA.2628@TK2MSFTNGP11.phx.gbl...
> Yes, it is a dual booting environment.
> I was actually looking for a way to transfer the access rights from one
> system to another, or one user to another.
> Currently the only thing that works on my system is:
> In the properties dialog of a file click Advanced button, Details and then
> Add another user.
>
> Unfortunately this applies to the current file only and is not available to
> all files in a folder and its subfolders :(
>
> I tried with cipher /x.
> The export command completed successfully.
> I imported the file into another account, but I still cannot read files from
> there.
> Should I make changes to local security Policies?
> Currently in the security options there is a setting:
> System cryptography. Force strong key protection for user keys stored on
> this computer = User must enter a password each time they use a key.
>
> Maybe I'll continue using the Run as... command :)
>
> George Valkov
>
> "George Valkov" <null@somewhere.com> wrote in message
> news:#pPqkygAEHA.220@TK2MSFTNGP09.phx.gbl...
> > I need to access the My documents folder from two operating systems:
> > XP pro
> > Server 2k3
> >
> > The folder is encrypted.
> >
> > How can I setup the two user accounts to use same keys for encrypting and
> > restoring data?
> > I also need to export the keys to a secure place, in case of a failure.
> >
> > Thank You for any support!
> > George Valkov
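The export / import / "cipher /u" sequence Drew describes, scripted as an added example (this is not code from the newsgroup thread or from Microsoft). It assumes Windows PowerShell with .NET, that the account running the Export step holds the EFS recovery agent certificate with an exportable private key in its CurrentUser\My store, and the output folder and file names used below. The Group Policy step (adding the .cer to the recovery policy) is still done in the snap-in as the linked document shows; the script only brackets it with the steps that can be automated and with the XP service pack check from the warning above.

```powershell
# Added example (not from the original post). Modes:
#   Export : on the Server 2003 side, write efs-recovery.pfx (with key) and efs-recovery.cer
#   Import : on the XP side, import the .pfx into CurrentUser\My (wizard defaults: key not exportable)
#   Update : on the XP side, after the .cer is in the recovery policy, run "cipher /u" and show results
param(
    [ValidateSet("Export", "Import", "Update")][string]$Mode = "Export",
    [string]$OutDir = (Join-Path $env:USERPROFILE "efs-recovery"),    # assumed export folder
    [string]$EncryptedRoot = (Join-Path $env:USERPROFILE "Documents")  # assumed encrypted folder
)

# "File Recovery" enhanced key usage: this is what marks a recovery agent certificate,
# as opposed to an ordinary user EFS certificate (1.3.6.1.4.1.311.10.3.4).
$FileRecoveryEku = "1.3.6.1.4.1.311.10.3.4.1"

function Get-EfsRecoveryCertificate {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "CurrentUser")
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        foreach ($cert in $store.Certificates) {
            if (-not $cert.HasPrivateKey) { continue }
            foreach ($ext in $cert.Extensions) {
                if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                    foreach ($oid in $ext.EnhancedKeyUsages) {
                        if ($oid.Value -eq $FileRecoveryEku) { return $cert }
                    }
                }
            }
        }
    } finally { $store.Close() }
    return $null
}

function Export-EfsRecoveryCertificate([string]$dir) {
    $cert = Get-EfsRecoveryCertificate
    if ($cert -eq $null) { throw "No EFS recovery agent certificate with a private key in CurrentUser\My" }
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    $password = Read-Host -AsSecureString "Password to protect the .pfx"
    # .pfx = certificate plus private key; .cer = public certificate only (goes into the recovery policy)
    $pfx = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $password)
    $cer = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes((Join-Path $dir "efs-recovery.pfx"), $pfx)
    [System.IO.File]::WriteAllBytes((Join-Path $dir "efs-recovery.cer"), $cer)
    Write-Host "Exported recovery cert $($cert.Thumbprint) to $dir"
    Write-Host "Delete efs-recovery.pfx once the import on the other OS has been verified."
}

function Import-EfsRecoveryCertificate([string]$pfxPath) {
    # Same effect as running the .pfx and accepting the wizard defaults (key stays non-exportable).
    $password = Read-Host -AsSecureString "Password of the .pfx"
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::UserKeySet
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $password, $flags)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "CurrentUser")
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try { $store.Add($cert) } finally { $store.Close() }
    return $cert.Thumbprint
}

function Test-XpAesSupport {
    # XP RTM cannot decrypt AES-encrypted files written by Server 2003; SP1 or later is required.
    $os = Get-WmiObject Win32_OperatingSystem
    if ($os.Version -like "5.1.*" -and [int]$os.ServicePackMajorVersion -lt 1) { return $false }
    return $true
}

function Update-EfsRecoveryAgents([string]$root) {
    if (-not (Test-XpAesSupport)) { throw "XP without SP1: do not touch Server 2003 encrypted files from here" }
    # "cipher /u /n" only lists the encrypted files; "cipher /u" rewrites their recovery agent info.
    Write-Host "Encrypted files that cipher /u will update:"
    & cipher /u /n
    & cipher /u
    # Show which users and recovery certificates each encrypted file under $root now carries.
    Get-ChildItem -Path $root -Recurse |
        Where-Object { -not $_.PSIsContainer -and ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) } |
        ForEach-Object { & cipher /c $_.FullName }
}

switch ($Mode) {
    "Export" { Export-EfsRecoveryCertificate $OutDir }
    "Import" { Import-EfsRecoveryCertificate (Join-Path $OutDir "efs-recovery.pfx") }
    "Update" { Update-EfsRecoveryAgents $EncryptedRoot }
}
```

Run it with -Mode Export as the administrator on the Server 2003 side, copy the two files over, run -Mode Import on XP, add efs-recovery.cer to the recovery policy in the Group Policy snap-in, and finish with -Mode Update; the "cipher /c" listing at the end is the check that the recovery certificate is actually attached to each file before the .pfx is deleted.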