Re: How can I share encrypted files between two user accounts?

From: Drew Cooper [MSFT] (dcoop_at_online.microsoft.com)
Date: 03/09/04


Date: Mon, 8 Mar 2004 15:21:04 -0800

There's no way to do a bulk add-user operation without writing your own app.

Strong protection on keys doesn't work with EFS. And you don't need to do
anything with runas.

You could use the certificate and key from "cipher /x", but you're better
off using the recovery keypair.***

On your Server 2003 installation, log on as administrator. Open the
Certificates MMC snapin. Find the EFS recovery cert in the Personal store
and export it (with its private key). That will create a .pfx file. Export
it again, but choose not to export the private key. That will create a .cer
file.
On your XP installation, run the .pfx file - that will start an import
wizard - go with the defaults it offers. Now open the Group Policy MMC
snapin and add the .cer file to the recovery policy. Here's a doc that will
walk you through it:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/encrypt_to_change_policy.mspx

On the XP installation, run "cipher /u". That will update the recovery
agent info on all of the files you've encrypted on XP.
Everything at this point should just work. When you're satisfied that
everything works correctly, you should probably delete the .pfx - any
attacker could import it and gain access to those files otherwise.

WARNING: Make sure you're running at least Service Pack 1 on the XP
installation. Server 2003 uses the AES algorithm by default. XP doesn't
understand AES until SP1 is applied. If you encrypt on Server and decrypt
on XP RTM, you'll lose that data permanently.

*** When we can't use a user's EFS key for some reason, we automatically
generate a new one. It's possible to have several key pairs usable by EFS.
We just pick one of them to encrypt a file - there's no guarantee which one
we pick.
A recovery keypair is always going to be the same.
Using the method I explained above, the files will show different users
having encrypted them depending on which OS you were using. Your users in
both OSes will be able to open/modify/decrypt all of the files, though.

-- 
Drew Cooper [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
"George Valkov" <null@somewhere.com> wrote in message
news:eFYYjDVBEHA.2628@TK2MSFTNGP11.phx.gbl...
> Yes, it is a dual booting environment.
> I was actually looking for a way to transfer the access rights from one
> system to another, or one user to another.
> Currently the only thing that works on my system is:
> In the properties dialog of a file click Advanced button, Details and then
> Add another user.
>
> Unfortunately this applies to the current file only and is not available to
> all files in a folder and its subfolders :(
>
> I tried with cipher /x.
> The export command completed successfully.
> I imported the file into another account, but I still cannot read files from
> there.
> Should I make changes to local security Policies?
> Currently in the security options there is a setting:
> System cryptography. Force strong key protection for user keys stored on
> this computer = User must enter a password each time they use a key.
>
> Maybe I'll continue using the Run as... command :)
>
>
> George Valkov
>
>
>
> "George Valkov" <null@somewhere.com> wrote in message
> news:#pPqkygAEHA.220@TK2MSFTNGP09.phx.gbl...
> > I need to access the My documents folder from two operating systems:
> > XP pro
> > Server 2k3
> >
> > The folder is encrypted.
> >
> > How can I setup the two user accounts to use same keys for encrypting and
> > restoring data?
> > I also need to export the keys to a secure place, in case of a failure.
> >
> >
> > Thank You for any support!
> > George Valkov
> >
> >
>
>
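
The command-line end of the procedure in the reply above, as an added example that is not part of the original posts: a batch file for the XP installation, to be run after the .pfx has been imported and the .cer added to the recovery policy. The script name and the .pfx path are placeholders, and the `cipher /u /n` preview and `cipher /w` free-space wipe are additions the thread does not mention.

```bat
@echo off
rem Added example, not from the original thread.
rem Usage: efs-finish.cmd C:\path\to\recovery.pfx   (both names are placeholders)
setlocal

if "%~1"=="" goto usage
set "PFX=%~f1"
set "PFXDRIVE=%~d1"

rem 1. Preview. /N only works with /U: it lists the encrypted files on the
rem    local drives without updating their keys, so the scope is visible first.
cipher /u /n
echo.
echo The files listed above will have their recovery agent info updated.
echo Press Ctrl+C to stop, or any other key to continue.
pause >nul

rem 2. Touch every encrypted file so it picks up the current recovery policy.
cipher /u

rem 3. Delete the exported private key only after the files have been opened
rem    successfully from both installations.
echo.
echo Confirm the files open under both XP and Server 2003 before continuing.
echo Press Ctrl+C to keep "%PFX%", or any other key to delete it.
pause >nul
if exist "%PFX%" del /f "%PFX%"
if exist "%PFX%" goto faildelete

rem 4. Deleting a file leaves its contents in unallocated clusters. /W
rem    overwrites the unused space on that volume; this is slow on large disks.
cipher /w:%PFXDRIVE%\
goto done

:usage
echo Usage: %~nx0 path-to-recovery.pfx
exit /b 1

:faildelete
echo Could not delete "%PFX%". Remove it by hand, then run: cipher /w:%PFXDRIVE%\
exit /b 1

:done
endlocal
```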

