Re: can't recover encrypted files on efs

From: Roger Abell [MVP] (mvpNOSPAM@asu.edu)
Date: 06/22/02


From: "Roger Abell [MVP]" <mvpNOSPAM@asu.edu>
Date: Sat, 22 Jun 2002 00:16:36 -0700


A recovery agent cannot decrypt an EFS file until
the .pfx which contains the decryption key has been
imported. It sounds like you did not import the .pfx
into foo's certificates (logged in as foo).

I have had no need for your step where you import
foo's .cer as a Trusted Root CA, and frankly, the
step does not make sense to me.

--
Roger Abell
MS MVP (Windows Platform), MCSE, MCDBA
Associate Expert - Windows XP ExpertZone
http://www.microsoft.com/windowsxp/expertzone
"Brent" <brent_midwood@hotmail.com> wrote in message
news:1147201c2198b$7ae6f4a0$3aef2ecf@TKMSFTNGXA09...
> I am trying to learn about the recovery agent feature of
> EFS on XP Pro, but I can't seem to make it work.
>
> Here is the scenario.
>
> 1.  User "foo" is a limited user.  Logged in as "foo", I
> use "cipher /r" to create a .cer file.
> 2.  I log in as Admin and import foo's .cer to the Trusted
> Root Certification Authorities folder using the
> Certificate Snapin for the computer.
> 3.  Still logged in as Admin, I then use the "Add a
> Recovery Agent" wizard from the Local Security Policy app
> to import foo's .cer file and supposedly make foo a
> recovery agent.
> 4.  Still logged in as Admin, I then encrypt a file in a
> public directory and make sure that foo has NTFS
> permissions to fully control the encrypted file.
> 5.  I log in as "foo" and try to decrypt the file that was
> encrypted by "admin", but I can't...
>
> What did I do wrong?  I thought I had set up "foo" as a
> recovery agent correctly before having "admin" encrypt the
> file.  So shouldn't "foo" be able to decrypt the file?
>
> Any insight would be appreciated.
>
> Thanks.
> brent_midwood@hotmail.com
>
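The point in the reply above is that the recovery agent's own store must hold the private key from the .pfx, not just the public .cer. The following PowerShell script is an added example, not part of the thread: run in the recovery agent's session (logged in as "foo"), it checks whether the certificate that "cipher /r" published is present in that user's Personal store with its private key, and whether it carries the File Recovery EKU that distinguishes a recovery-agent certificate from an ordinary EFS certificate. The path to foo.cer and the assumption that foo.pfx was already imported are the only inputs.

```powershell
# Added example: confirm an EFS recovery-agent private key is installed for
# the current user. Assumes $CerPath points at the .cer that "cipher /r" wrote.
param(
    [Parameter(Mandatory = $true)]
    [string]$CerPath
)

# EKU that cipher /r puts in a recovery-agent certificate; a plain EFS user
# certificate carries 1.3.6.1.4.1.311.10.3.4 (no trailing .1) instead.
$FileRecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'

# Load the public certificate that was given to the "Add Recovery Agent"
# wizard so it can be matched by thumbprint against the user's store.
$published = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList (Resolve-Path $CerPath).Path

$ekuOids = $published.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }

if ($ekuOids -notcontains $FileRecoveryEku) {
    Write-Warning "$CerPath lacks the File Recovery EKU ($FileRecoveryEku); it will not work as a recovery-agent certificate."
}

# The recovery agent decrypts with the private key, which only lives in the
# Personal (My) store of the account that imported the .pfx.
$installed = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Thumbprint -eq $published.Thumbprint }

if (-not $installed) {
    Write-Output "NOT IMPORTED: thumbprint $($published.Thumbprint) is absent from Cert:\CurrentUser\My for $env:USERNAME. Import the .pfx as this user."
} elseif (-not $installed.HasPrivateKey) {
    Write-Output "PUBLIC KEY ONLY: the certificate is present but has no private key, so this user cannot decrypt. Import the .pfx, not the .cer."
} else {
    Write-Output "OK: recovery certificate $($published.Thumbprint) is installed with its private key for $env:USERNAME."
}
```

Importing the .cer into Trusted Root Certification Authorities, as in step 2 of the question, never places a private key anywhere, which is why this check is done against the user's Personal store.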

