Re: Hey Jupiter! Re: XP Pro - Export Encryption Key

From: Roger Abell [MVP] (mvpNOSPAM@asu.edu)
Date: 03/22/03


From: "Roger Abell [MVP]" <mvpNOSPAM@asu.edu>
Date: Fri, 21 Mar 2003 18:31:04 -0700


within

-- 
Roger Abell
MS MVP (Security, Windows), MCDBA,  MCSE both
Associate Expert - Windows XP ExpertZone
http://www.microsoft.com/windowsxp/expertzone
"Jimshu1" <NoWay@att.net> wrote in message news:OD078L87CHA.2296@TK2MSFTNGP10.phx.gbl...
> Well, I got to practice exporting AND IMPORTING my personal key.  Thought I
> was going to have to use a week old Ghost image!
> 
> I exported fine, but per the ref. document, I chose to "Delete the private
> key if the export is successful" option that the doc said was a best
> practice.  When I started up my system the next time, none of my encrypted
> files were accessible.  About had a stroke!
> 
;-) 
> I then imported the key I just had exported.  I can again access my files.
> 
> A couple of questions:
> 
> 1.  Is choosing "Delete the private key if the export is successful" option
> what I did wrong?
Depends on what you want.  If the key is not held then of course 
no decryption can happen.  This is a best practice to configure the 
recovery agent this way.  For a day to day account doing this makes 
EFS quite useless, or at least totally one-sided.
> 2. Am I OK now and do I still have just the one personal key?
It is best to have it stored very safely, likely in two separate 
physical locations, and to keep no copy on the machine.
> 3. Does my changing the computer name, user name (as long as it's still an
> administration account), or system password change the original encryption
> key I just exported and then re-imported?  I know that the password I used
> for the export has to stay with that key.
You are right about the pfx password being fixed at export time.
Changing the names should not matter.  In fact, the key can be 
imported into an entirely different account, on a different machine.
That is why the exported pfx must be kept safe.
Changing the password of an account must be done correctly in 
order to maintain access to imported keys.  Never reset a password 
administratively.  Always change it as can be done by any account 
in the User Accounts control panel.  Also, maintain a password 
recovery diskette that is up-to-date.
> 4. If no to question 3, is the key I have good forever as long as I do not
> do a re-install of WinXP?
I believe there is a far in the future expiration - beyond the likelihood 
of your finding hardware that can run XP.
> 
> Thanks for your time and sorry for so many questions!
> 
No problem - it all is a bit involved, but then it is industrial strength.
Define a recovery agent, as an account that is not normally used, 
but only import its key to test it or when using it is needed.
 
> "Jimshu1" <NoWay@att.net> wrote in message
> news:OX0c#w77CHA.2196@TK2MSFTNGP12.phx.gbl...
> > Excellent document!  Figured it out in about 10-15 minutes.  Thank you!
> >
> >
> > "Jupiter Jones" <jones_jupiter@hotnomail.com> wrote in message
> > news:#B5g9l17CHA.2156@TK2MSFTNGP12.phx.gbl...
> > > You should read and understand this document before using Encrypting
> > > File System to keep from joining the ranks of those that have
> > > permanently lost all encrypted data.
> > > It will answer your question and much more:
> > >
> >
> > > http://www.microsoft.com/windowsxp/pro/techinfo/administration/recovery/default.asp
> >
> >
> 
> 
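
A way to check the state this thread describes (certificate still present, private key removed after export), added here as an example and not part of the original posts. It assumes a current Windows system with PowerShell 3 or later rather than the XP tools of the time; the function name `Get-EfsCertificateStatus` is hypothetical.

```powershell
# Added example: list the EFS-related certificates in the current user's
# personal store and report whether the private key is still on this machine.
$EfsOid = '1.3.6.1.4.1.311.10.3.4'      # Encrypting File System EKU
$DraOid = '1.3.6.1.4.1.311.10.3.4.1'    # File Recovery (recovery agent) EKU

function Get-EfsCertificateStatus {
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_

        # Pull the Enhanced Key Usage extension, if the certificate has one.
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        if (-not $eku) { return }    # not an EFS certificate, skip it

        $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        if (($oids -notcontains $EfsOid) -and ($oids -notcontains $DraOid)) { return }

        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            Role          = if ($oids -contains $DraOid) { 'RecoveryAgent' } else { 'User' }
            HasPrivateKey = $cert.HasPrivateKey   # False after "delete the private key" on export
            NotAfter      = $cert.NotAfter        # certificate expiration date
            Expired       = $cert.NotAfter -lt (Get-Date)
        }
    }
}

$status = @(Get-EfsCertificateStatus)
$status | Format-Table -AutoSize

# A user certificate without its private key cannot decrypt files until the
# exported PFX is imported again; a recovery agent in that state is expected.
foreach ($c in $status) {
    if (($c.Role -eq 'User') -and (-not $c.HasPrivateKey)) {
        Write-Warning "EFS user certificate $($c.Thumbprint) has no private key on this machine."
    }
    if (($c.Role -eq 'RecoveryAgent') -and $c.HasPrivateKey) {
        Write-Warning "Recovery agent key $($c.Thumbprint) is stored on this machine."
    }
}
```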

