Re: Difficult Encryption Problem

From: Mike Brannigan [MS] (mikebran@online.microsoft.com)
Date: 10/08/02


From: "Mike Brannigan [MS]" <mikebran@online.microsoft.com>
Date: Tue, 8 Oct 2002 13:01:16 +0100


Comments inline

--
Regards,
Mike
--
Mike Brannigan [MS]
This posting is provided "AS IS" with no warranties, and confers no rights.
Please note I cannot respond to e-mailed questions.
Please use these newsgroups
"slysi" <slysi@totalise.co.uk> wrote in message
news:e3ehoAsbCHA.2384@tkmsftngp08...
> I have a very difficult problem to solve...
> The Scenario: I had my sensitive documents redirected to and encrypted on my
> data partition. A while back my XP system partition crashed irreparably,
> forcing me to re-install XP on my system partition. Unfortunately, being new
> to EFS and encryption I did not back up my original Certificate and Key.
> So the problem is now that I have all my encrypted data but I cannot decrypt
> it.
>
> The Questions:
> 1. Does EFS encrypt your data using the public key, or using the private
> key? (I suspect it's the public). If it used the public key then I need to
> recover my original private key. If it used the private key, then all I need
> to recover is the original Certificate containing my public key.
Without going into too much detail (I have not had the chance to check
what we have made public and what is still confidential):
We encrypt your plain text data with various keys - these keys are then
bundled and then encrypted using your public key.
If you have a recovery agent we also then encrypt the key ring with its
public key. These 3 blobs of data are now your encrypted file (the
encrypted file, and the 2 decryption key rings).
> 2. Is there a way in which I can reproduce the original key pair and
> certificate? In other words, does the key generation algorithm use personal
> details as a seed or is the key generation purely random?
No.
> 3. The only backups I have are the "System State" (boot files and registry
> stuff) backups prior to the rebuild. Can I use this system state to restore
> my old user account, certificate and keys? If this were possible I could use
> the restored keys to decrypt my data.
I believe so - if you have a full system state then the certs and keys
are in there and can be exported and used to decrypt the files.
>
> 4. Finally, why are there no default "Data Recovery Agents" in my XP Pro
> installation and why can I not configure any data recovery agents?
>
For additional security - due to the nature of users occasionally not
setting passwords on the local Administrator account it is too risky to
set this account as the default key recovery agent. It is more secure
to let the user create their own account for this purpose and set it up
as the key recovery agent.
You can set up a recovery agent - it is documented in the online help.
> Any help on this would be extremely appreciated as my important financial
> data is all unreadable.
>
> Thanks
> slysi
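The "3 blobs" Mike describes, modelled in Go as an added example (not Microsoft's code or anything posted in the thread): a fresh random per-file key encrypts the data, and that key is wrapped separately to the owner's public key and, when one is configured, to the recovery agent's. It also illustrates the answers to questions 2 and 4: a key pair generated on the reinstalled system cannot unwrap the file key, and a file written with no recovery agent is recoverable only with the owner's original private key. The algorithms (RSA-OAEP, AES-256-GCM), the field names and the key sizes are illustrative assumptions, not EFS internals.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)
// efsFile holds the three blobs Mike describes: the ciphertext, the per-file key wrapped
// to the owner's public key (DDF) and, when an agent is set up, to the agent's (DRF).
type efsFile struct {
	Nonce, Ciphertext, DDF, DRF []byte // DRF stays nil when no recovery agent exists
}
func wrapFEK(pub *rsa.PublicKey, fek []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fek, nil)
}
func encryptFile(plain []byte, owner, agent *rsa.PublicKey) (*efsFile, error) {
	buf := make([]byte, 44) // 32-byte file key + 12-byte nonce: fresh random, derived from nothing
	if _, err := rand.Read(buf); err != nil { return nil, err }
	fek, nonce := buf[:32], buf[32:]
	block, _ := aes.NewCipher(fek) // AES-256-GCM stands in for whatever cipher EFS uses on the data
	gcm, _ := cipher.NewGCM(block)
	f := &efsFile{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plain, nil)}
	var err error
	if f.DDF, err = wrapFEK(owner, fek); err != nil { return nil, err }
	if agent == nil { return f, nil } // no agent: only the owner's private key can ever recover it
	f.DRF, err = wrapFEK(agent, fek)
	return f, err
}
// decryptFile succeeds only with a private key matching one of the two key blobs; a pair
// generated on the reinstalled system never matches, however similar the user details are.
func decryptFile(f *efsFile, priv *rsa.PrivateKey) ([]byte, error) {
	fek, err := []byte(nil), rsa.ErrDecryption
	for _, blob := range [][]byte{f.DDF, f.DRF} {
		if blob == nil { continue }
		if fek, err = rsa.DecryptOAEP(sha256.New(), nil, priv, blob, nil); err == nil { break }
	}
	if err != nil { return nil, err }
	block, _ := aes.NewCipher(fek)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, f.Nonce, f.Ciphertext, nil)
}
func main() { // the owner's key is gone; the recovery agent's private key still opens the file
	owner, _ := rsa.GenerateKey(rand.Reader, 2048)
	agent, _ := rsa.GenerateKey(rand.Reader, 2048)
	f, _ := encryptFile([]byte("financial data"), &owner.PublicKey, &agent.PublicKey)
	plain, err := decryptFile(f, agent)
	fmt.Println(string(plain), err)
}
```

The practical lesson for a defender is the one Mike gives in the thread: set up a recovery agent and back up the certificate and private key before the first file is encrypted, because nothing about the account can regenerate them afterwards.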