Re: EFS experiment - need help

From: Earl Lewis (brassono_spam@mybizz.net)
Date: 09/26/02


From: Earl Lewis <brassono_spam@mybizz.net>
Date: Thu, 26 Sep 2002 00:43:22 GMT

On Wed, 25 Sep 2002 10:31:32 -0700, "Robert Gu [MS]"
<robertg@online.microsoft.com> wrote:
>You can test exporting and importing your EFS cert with two user accounts
>and one machine, absolutely.
>
>1. Log on as user A. Encrypt a file. Use EFSINFO /u /c FILENAME to see the
>cert used for the file.
>2. In MMC cert page, find the cert and export it to a PFX file. (PFX will
>have private key in it and CER only has public key in it. Cert+keys means
>PFX).
>3. Now log in as user B. Try to open the file. You will get access denied.
>Then import the PFX file. (Do not choose strong protection. EFS does not
>support strong protection, which means CSP will pop up every time you use
>the private key.) After you have imported the file, user B should be able to open
>the file encrypted by user A.
>
>This proves you can open the EFS file encrypted with that cert in the PFX
>file in any XP+ OS with any account. This also works with Win2K.

That is what I had in mind when I attempted to 'introduce'
CIPHADMI.PFX into Earl. BUT... I did not Export CIPHADMI.PFX. Neither
did I go into the MMC to Import it into Earl. I simply logged on as
Earl, right-clicked on CIPHADMI.PFX and chose Install (as I remember it).
The Import Wizard DID come up and I chose Personal. Earl still
couldn't decrypt Administrator's EFS files at that point. Also, I
couldn't see CIPHADMI.PFX in Earl's Personal Certificate store in MMC.
I think I probably tried cipher /u, but no help.

If there was a choice, as to strong protection, I probably took the
default.

Actually I'm kinda happy with the 2 recovery agents, I think I'll run
that way for a couple of weeks, see if I can mess the EFS files up
again. Then I'll remove Earl as recovery agent and see if I can
successfully Import that certificate and see if Earl can decrypt.
Many thanks for the lessons. I'll probably be back here again with
more questions though.
Earl

Remove no_spam to reply email
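
A check for the import step discussed in this thread, as an added example that is not part of the original posts: it reports whether the certificate named by a given thumbprint sits in the logged-on user's Personal store with its private key and an EFS usage. It assumes a Windows version with PowerShell and its certificate provider; the function name `Test-EfsCertImport` is hypothetical and the thumbprint is whatever EFSINFO /u /c showed for the file.

```powershell
# Added example (not from the thread): diagnose an EFS certificate import.
# Run as the user who imported the PFX (user B in the quoted steps).
function Test-EfsCertImport {
    param(
        # Thumbprint reported for the encrypted file (e.g. by EFSINFO /u /c).
        [Parameter(Mandatory)] [string] $Thumbprint,
        # Store to inspect; defaults to the current user's Personal store.
        [string] $StorePath = 'Cert:\CurrentUser\My'
    )
    $efsOid = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU
    # Strip spaces or colons so a pasted thumbprint matches the provider's format.
    $tp = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $result = [ordered]@{ Thumbprint = $tp; Store = $StorePath; Status = ''; Detail = '' }

    $cert = Get-ChildItem -Path $StorePath |
        Where-Object { $_.Thumbprint -eq $tp } | Select-Object -First 1
    if (-not $cert) {
        $result.Status = 'NotInStore'
        $result.Detail = 'No certificate with this thumbprint; the import did not land in this store.'
        return [pscustomobject]$result
    }
    if (-not $cert.HasPrivateKey) {
        # A CER carries only the public key; decryption needs the key from the PFX.
        $result.Status = 'NoPrivateKey'
        $result.Detail = 'Certificate present without its private key.'
        return [pscustomobject]$result
    }
    # A certificate with no EKU extension is not restricted to particular usages.
    $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    $eku = $cert.Extensions | Where-Object { $_ -is $ekuType } | Select-Object -First 1
    if ($eku) {
        $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        if ($oids -notcontains $efsOid) {
            $result.Status = 'NoEfsUsage'
            $result.Detail = "EKU list lacks $efsOid : $($oids -join ', ')"
            return [pscustomobject]$result
        }
    }
    $result.Status = 'Usable'
    $result.Detail = "Subject $($cert.Subject), private key present."
    return [pscustomobject]$result
}

# Usage (placeholder value; substitute the thumbprint shown for your file):
# Test-EfsCertImport -Thumbprint '<thumbprint from EFSINFO /u /c>'
```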