Re: EFS experiment - need help

From: Robert Gu [MS] (robertg@online.microsoft.com)
Date: 09/24/02


From: "Robert Gu [MS]" <robertg@online.microsoft.com>
Date: Mon, 23 Sep 2002 18:22:00 -0700

CIPHADMI.cer has no private key in it. CIPHADMI.pfx has the private key in
it. They are the same cert. You do not need the PFX file to set up the
recovery policy. You should never import the PFX file unless you want to do
the recovery.

You do not import the cer file to create the recovery policy. You need to
edit/create the recovery policy in the group policy mmc (not the cert page mmc). It
will ask for the .cer file created by cipher /r.

In your case, you didn't even set up the recovery policy. Of course you
couldn't recover it. The cert "3a 2b" has nothing to do with your PFX file.
It was created when you encrypted your first file.

Again, if you are the only person using EFS on the standalone machine,
you don't need the recovery policy at all. Simply export your current EFS
cert + keys into a PFX file. Save it in a safe place. You can import it
into any new OS to read your old files. It is your "recovery" key in this
sense. It only makes sense to use a recovery policy if multiple users use EFS
on the machine and you want one person to be able to decrypt all of them.

--
This posting is provided "AS IS" with no warranties, and confers no rights.
Robert Gu [MS Security Developer]
"Earl Lewis" <brassono_spam@mybizz.net> wrote in message
news:pjcvoug2c4l35m0klj09tml4iljhhmpv4u@4ax.com...
> References:
>
> http://www.microsoft.com/WINDOWSXP/pro/techinfo/administration/recovery/default.asp
> henceforth to be known as: 'the .doc'
>
> http://groups.google.com/groups?q=efs+precautions&hl=en&lr=&ie=UTF-8&oe=UTF8&selm=e4ULNIDWCHA.1704%40tkmsftngp10&rnum=1
> htbka: 'per Roger G'
>
> My computer is a stand-alone (only a peer-to-peer network).
> 2 EFS test folders. One is _TestEncrypted, other is _TestUnencrypted.
> Duplicate files each folder, _TestUnencrypted is for restore when I
> make a mistake.
>
> Log on as Administrator
>
> [page 5 the .doc]
> cd \Documents and Settings\Administrator\Start Menu\Programs\Administrative Tools
> (wups, they must have forgotten to put that in the .doc)
> CIPHER /R:CIPHADMI
> a .pfx and a .cer are created.
> Rclick on each file and Install them in Personal (wups, they forgot to
> put that in the .doc)
>
> Open CIPHADMI.CER, thumbprint is cb e9...
>
> [page 18 the .doc] - look at the certificates with mmc.
> follow instructions, see 2 certificates in Personal Certificates. In
> the Purpose column, one says File Recovery, the other Encryption File
> System.
> Rclick, Open File Recovery certificate, thumbprint is cb e9...
> Therefore this is the .CER
> Rclick, Open Encryption File System certificate, thumbprint is 3a 2b..
> this is the .PFX
>
> [per Roger G]
> efsinfo /y - yields a thumbprint of 3a 2b...
>
> encrypt _TestEncrypted folder and files successfully.
>
> [per Roger G]
> cipher /u
> efsinfo /u /r /c k:\_TestEncrypted
> yields a thumbprint of 3a 2b...
>
> [page 41 the .doc]
> Registry certificate hash is 3a 2b...
>
> Log off Administrator
> Log on as Earl
> Earl can't decrypt _TestEncrypt
>
> [page 41 the .doc]
> Registry certificate hash is 96 bb...
>
>
> [page 22 the .doc] - importing keys
> import CIPHADMI.CER to Earl's Personal Certificate - see it with mmc.
> import CIPHADMI.PFX to Earl's Personal Certificate - well not really.
>      The wizard says the import was successful but it doesn't show up
> when looking at it with mmc.
>
> My question: how do I import that Administrator PFX so that Earl can
> use it to encrypt and decrypt? Or, what else am I doing wrong?
>
> Earl
>
> Remove no_spam to reply email
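The thread turns on two things Earl had to work out by hand: which of the two certificates in the Personal store is the File Recovery (DRA) cert produced by cipher /r and which is the per-user Encrypting File System cert that Windows created on first encryption, and whether a given cert actually carries a private key (a cert installed from the .cer alone does not). The following is an added example, not code from the thread or from Microsoft's documentation, that answers both questions from the current user's Personal store and then performs the backup Robert recommends for a single-user machine (EFS cert + private key exported to a password-protected PFX). It assumes a modern PowerShell with the PKI module (Get-ChildItem on the Cert: drive and Export-PfxCertificate), which did not exist on the Windows XP systems the thread discusses; the EKU object identifiers are the standard Microsoft ones for Encrypting File System and File Recovery.

```powershell
# Added example (not from the newsgroup thread): tell the File Recovery (DRA)
# certificate apart from the Encrypting File System certificate by EKU OID,
# report whether each one has a private key, and back up the EFS certificate
# with its private key to a PFX. Assumes PowerShell 5.1+ with the PKI module.

$EfsEku      = '1.3.6.1.4.1.311.10.3.4'    # Encrypting File System
$RecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'  # File Recovery (data recovery agent)

function Get-EfsCertificate {
    # Enumerate CurrentUser\My (the "Personal" store in the certificates mmc)
    # and classify each cert by its enhanced key usage.
    Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
        $cert = $_
        $oids = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        $role = if ($oids -contains $RecoveryEku) { 'File Recovery' }
                elseif ($oids -contains $EfsEku)  { 'Encrypting File System' }
                else                              { $null }
        if ($role) {
            [pscustomobject]@{
                Role          = $role
                Thumbprint    = $cert.Thumbprint      # compare with efsinfo / registry hash
                Subject       = $cert.Subject
                HasPrivateKey = $cert.HasPrivateKey   # $false when only the .cer was installed
                NotAfter      = $cert.NotAfter
            }
        }
    }
}

function Backup-EfsCertificate {
    # Export the user's own EFS certificate(s) plus private key to PFX, the
    # "recovery key" for a single-user standalone machine. One file per cert,
    # named with the thumbprint when there is more than one.
    param(
        [Parameter(Mandatory)][string]$OutFile,
        [Parameter(Mandatory)][securestring]$Password
    )
    $efs = @(Get-EfsCertificate |
             Where-Object { $_.Role -eq 'Encrypting File System' -and $_.HasPrivateKey })
    if ($efs.Count -eq 0) {
        throw 'No Encrypting File System certificate with a private key in CurrentUser\My.'
    }
    foreach ($entry in $efs) {
        $item   = Get-Item -Path ('Cert:\CurrentUser\My\' + $entry.Thumbprint)
        $target = if ($efs.Count -eq 1) { $OutFile }
                  else { [IO.Path]::ChangeExtension($OutFile, $entry.Thumbprint + '.pfx') }
        Export-PfxCertificate -Cert $item -FilePath $target -Password $Password | Out-Null
        $target
    }
}

# Usage:
#   Get-EfsCertificate | Format-Table -AutoSize
#   $pw = Read-Host -AsSecureString -Prompt 'PFX password'
#   Backup-EfsCertificate -OutFile 'D:\safe\efs-backup.pfx' -Password $pw
```

Run as the user whose files are encrypted; a cert listed with Role "File Recovery" and HasPrivateKey False is exactly the state Earl saw after installing only CIPHADMI.CER, which is correct for setting up the recovery policy and is not a recovery key. The exported PFX belongs off the machine, as Robert says, and is only imported when a decryption is actually needed. On Windows XP SP2 and later, `cipher /x` performs the same EFS cert-and-key export from the command line.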
