importing DRA certificate into local policy

From: Jon (jon_at_hotmail.com)
Date: 01/27/04
Date: Wed, 28 Jan 2004 09:44:44 +1100

I am trying to create a DRA for my standalone workgroup PC (XP Pro on my
home PC). I have created the DRA in the administrator account using the
cipher /r: command. The next step (following along the "Data Protection and
Recovery in Windows XP" article from the MS KB) is apparently to import the
certificate into the local policy. I think this is where I am getting lost.
Could someone please explain the steps to do this?

By way of background, I have encrypted a test folder and exported my
personal certificate. When I attempt to access these files (via a second
install of XP on a different hard drive, but same box) I cannot, but I can
if I import the personal certificate. This is as I would expect. As I
understand it, this will only work while the original user profile is
present, and will not work if, for example, I have to do a data restore into
a new machine. Is this correct?

Do I have to have the DRA all set up before encrypting files from the user
account? I'm guessing that this somehow links with the user certificate when
the file is encrypted, although am a bit confused as the instructions say to
delete the DRA certificates as soon as you have exported them?

Any help would be much appreciated, as the knowledge base articles on the
Microsoft site, and the online help seem incomplete and totally confusing!
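The end-to-end procedure the post is working through, as an added example written for this page (it is not from the original post, the KB article, or Microsoft documentation). It assumes a working folder C:\DRA, a key file name "dra", a user-encrypted test folder C:\EFStest and a removable drive letter E:; all of those are placeholders. The one step XP's cipher.exe cannot do from the command line, adding the certificate to local policy, is spelled out as the Local Security Settings path it is done through.

```batch
@echo off
REM Added example, not code from the original post or the MS KB article.
REM Assumed names: C:\DRA (working folder), dra (key file base name),
REM C:\EFStest (folder already encrypted from the user account), E: (removable media).
REM Steps 1-3 run from an Administrator cmd.exe on the standalone XP Pro box.

REM --- 1. Generate the recovery agent key pair -------------------------------
REM cipher /r: writes two files: dra.cer (certificate only, no secret) and
REM dra.pfx (certificate + private key, protected by the password it prompts for).
REM Nothing is placed in any certificate store at this point.
mkdir C:\DRA
cd /d C:\DRA
cipher /r:dra
if not exist C:\DRA\dra.cer echo ERROR: dra.cer was not created & exit /b 1

REM --- 2. Designate dra.cer as the Data Recovery Agent in local policy --------
REM On XP this is a GUI step; there is no cipher or secedit switch for it.
REM   secpol.msc -> Public Key Policies -> Encrypting File System
REM   -> right-click -> Add Data Recovery Agent -> Browse Folders -> C:\DRA\dra.cer
REM After the wizard finishes, the certificate should be listed under
REM Encrypting File System with Intended Purposes = File Recovery.
start secpol.msc
echo Add C:\DRA\dra.cer as a Data Recovery Agent in secpol.msc, then
pause

REM --- 3. Get the private key off the machine ---------------------------------
REM dra.pfx is the only thing that can decrypt files as the DRA, so it must
REM not stay on the workstation it protects. Move it to removable media, then
REM overwrite the free space it occupied (cipher /w wipes deallocated space on
REM the volume that holds the given directory, not a named file).
move C:\DRA\dra.pfx E:\dra.pfx
cipher /w:C:\DRA
REM dra.cer can stay: it holds only the public key.

REM --- 4. Stamp existing encrypted files with the new DRA ----------------------
REM A file encrypted before the DRA was defined carries no recovery field for
REM it. Log on as the account that encrypted the files (re-wrapping the FEK
REM needs that account's private key) and run:
REM   cipher /u /n      list encrypted files on local drives, change nothing
REM   cipher /u         rewrite each file's key fields for the current user
REM                     certificate and the current recovery agent(s)
REM Files encrypted after this point get the DRA field at encryption time.
REM   cipher C:\EFStest\*   shows E (encrypted) / U (unencrypted) per file

REM --- 5. Recovery on another install or machine -----------------------------
REM Log on as the recovery account, import E:\dra.pfx (double-click it or use
REM certmgr.msc -> Personal -> Import) into that account's Personal store, then
REM   cipher /d /s:<restored folder>
REM The user's own profile is not needed; the file's DRA field is used instead.
```

The test in the post (importing the personal certificate into a second XP install) exercises only the user's own key field; step 4 is what makes the DRA path work for files that were already encrypted when the agent was added.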