Re: EFS Certificates and Keys when Changing Password
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 03/23/04
- Next message: Randy: "Clear Screen Saver?"
- Previous message: Roger Abell: "Re: EFS Certificates and Keys when Changing Password"
- In reply to: Rowner: "Re: EFS Certificates and Keys when Changing Password"
- Next in thread: Rowner: "Re: EFS Certificates and Keys when Changing Password"
- Reply: Rowner: "Re: EFS Certificates and Keys when Changing Password"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 23 Mar 2004 00:13:50 -0700
What that meant is that changing the password of the account only changes the info needed to get the account's key out of the storage that is secured with DPAPI.

For your specific question, let us assume that when you have said "change" the password you do not mean administratively reset the password, but rather changing it by providing the old and new. For this type of change, DPAPI uses the old to make it so that the new can be used to get at the stored key in the future. The key is not changed.

If the password is however reset, then access fails, and it is possible in this case that the system will upon an encryption attempt generate a new cert/key pair for the account. The user of the account should notice that they have lost access to earlier EFS encrypted data, but that they are now encrypting and decrypting files (they just cannot access the older ones).

If one always changes the password, even from an admin account when the reset option is available, and if the user of the account keeps an up-to-date password recovery disk, there should not be an issue. If Windows XP does need to be reinstalled, once it is at the same service level as the prior system, the cert/key from the pfx can be imported and the EFS encrypted files should be accessible. One word of caution, however, concerns the effects of how the files have been moved around, as some third-party tools will not handle EFS files correctly. NTbackup.exe is a recommended way to manage the movement of EFS encrypted files, such as when you are getting ready for the new install.
--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA

"Rowner" <anonymous@discussions.microsoft.com> wrote in message
news:8A0D9652-D309-4D92-9703-1FCAAD62DF63@microsoft.com...
>
> >This only changes
> >how/whether you can get your certificate/key out of the form of storage used to keep it secured.
>
> Excuse my ignorance, but I'm not sure what the above statement means.
>
> Here's what I want to know for sure. Let's say I encrypted a bunch of data files. Then I exported the certificate/key pfx file to a floppy disk. Then I changed my password. Then I encrypted more data files. Then my Windows XP installation became unusable. Could I then reinstall a fresh copy of Windows XP, import the original certificate/key pfx file from the floppy, and be able to decrypt ALL the data files, or just the ones created before the password change, or none of the data files? If the answer is "some" or "none" of the data files, then should I do another save of the certificate/key pfx file to a floppy disk after I make the password change? And, if so, would this new copy of the pfx file decrypt only the post-password-change data files (in which case I would keep both the old and new pfx files on a floppy) or would it decrypt all of the data files (in which case I'd keep only the newer pfx file on a floppy)?
>
> Thanks again.
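The distinction Roger draws above (a user-supplied old/new password change re-wraps the DPAPI-protected key, an administrative reset does not, and the next encryption quietly mints a new cert/key) can be walked through in code. The following toy model is an added illustration for this archive page and is not code from either poster or from Microsoft; the wrapping construction (SHAKE-256 keystream plus HMAC-SHA256 tag), the PBKDF2 parameters, and the `ToyProfile` layout are assumptions chosen so the example runs offline with the Python standard library, not the real DPAPI or EFS on-disk formats. `change_scenario()` replays Rowner's exact sequence (encrypt, export the pfx, change the password, encrypt more, reinstall, import) and `reset_scenario()` replays it with a reset instead, so the two outcomes can be compared side by side.

```python
"""Toy model: a user-initiated password change re-wraps the DPAPI master key so the
EFS key survives; an administrative reset does not, and the next encryption silently
generates a new key. Construction, KDF parameters and layout are assumptions."""
import hashlib
import hmac
import secrets

KEY_LEN = 32

def _kdf(password, salt):
    # password -> wrapping key (PBKDF2-HMAC-SHA256; iteration count is an assumption)
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000, KEY_LEN)

def wrap(key, plaintext):
    # stdlib-only encrypt-then-MAC: SHAKE-256 keystream, HMAC-SHA256 tag over nonce + ciphertext
    nonce = secrets.token_bytes(16)
    stream = hashlib.shake_256(b"enc" + key + nonce).digest(len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unwrap(key, blob):
    # verify the tag first so a wrong key raises instead of returning garbage
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key: cannot unwrap")
    stream = hashlib.shake_256(b"enc" + key + nonce).digest(len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))

class ToyProfile:
    """One account: the EFS private key is wrapped by a DPAPI-style master key, which is
    wrapped by a key derived from the logon password. Only wrapped blobs are stored."""
    def __init__(self, password):
        self.salt = secrets.token_bytes(16)
        self.logon_verifier = hashlib.sha256(password.encode()).digest()
        self._install_new_efs_key(password)

    def _install_new_efs_key(self, password):
        efs_key, master = secrets.token_bytes(KEY_LEN), secrets.token_bytes(KEY_LEN)
        self.protected_master = wrap(_kdf(password, self.salt), master)
        self.protected_efs_key = wrap(master, efs_key)
        self.key_id = hashlib.sha256(efs_key).hexdigest()[:16]  # stands in for the cert thumbprint

    def efs_key(self, password):
        master = unwrap(_kdf(password, self.salt), self.protected_master)
        return unwrap(master, self.protected_efs_key)

    def change_password(self, old, new):
        # user-initiated change: the old password unlocks the master key, which is re-wrapped under new
        master = unwrap(_kdf(old, self.salt), self.protected_master)
        self.salt = secrets.token_bytes(16)
        self.protected_master = wrap(_kdf(new, self.salt), master)
        self.logon_verifier = hashlib.sha256(new.encode()).digest()

    def admin_reset(self, new):
        # administrative reset: the old password is never supplied, so only the logon
        # verifier changes and the master key stays wrapped under the old password
        self.logon_verifier = hashlib.sha256(new.encode()).digest()

    def encrypt_file(self, password, data):
        # a random FEK protects the data and is wrapped to the account's EFS key; if that
        # key is unreachable (as after a reset) a fresh cert/key is generated silently
        try:
            efs_key = self.efs_key(password)
        except ValueError:
            self._install_new_efs_key(password)
            efs_key = self.efs_key(password)
        fek = secrets.token_bytes(KEY_LEN)
        return {"key_id": self.key_id, "wrapped_fek": wrap(efs_key, fek), "body": wrap(fek, data)}

    def export_pfx(self, password):
        # the floppy copy; a real .pfx would itself be password-protected
        return {"key_id": self.key_id, "private_key": self.efs_key(password)}

def decrypt_file(pfx, efs_file):
    # fresh-install scenario: the exported key is all that is available
    if pfx["key_id"] != efs_file["key_id"]:
        raise ValueError("file is encrypted to a different EFS key")
    fek = unwrap(pfx["private_key"], efs_file["wrapped_fek"])
    return unwrap(fek, efs_file["body"])

def opens(pfx, efs_file):
    try:
        return decrypt_file(pfx, efs_file) is not None
    except ValueError:
        return False

def change_scenario():
    # Rowner's sequence: encrypt, export, change password (old + new), encrypt more, reinstall, import
    p = ToyProfile("old-pass")
    before = p.encrypt_file("old-pass", b"written before the change")
    pfx = p.export_pfx("old-pass")
    p.change_password("old-pass", "new-pass")
    after = p.encrypt_file("new-pass", b"written after the change")
    return {"before": decrypt_file(pfx, before), "after": decrypt_file(pfx, after),
            "key_unchanged": pfx["key_id"] == after["key_id"]}

def reset_scenario():
    # same sequence, but an administrator resets the password instead
    p = ToyProfile("old-pass")
    before = p.encrypt_file("old-pass", b"written before the reset")
    old_pfx = p.export_pfx("old-pass")
    p.admin_reset("reset-pass")
    after = p.encrypt_file("reset-pass", b"written after the reset")  # silently re-keyed
    new_pfx = p.export_pfx("reset-pass")
    return {"old_pfx_opens_before": opens(old_pfx, before), "old_pfx_opens_after": opens(old_pfx, after),
            "new_pfx_opens_before": opens(new_pfx, before), "new_pfx_opens_after": opens(new_pfx, after),
            "key_unchanged": old_pfx["key_id"] == new_pfx["key_id"]}

if __name__ == "__main__":
    print(change_scenario())
    print(reset_scenario())
```

In the change case one exported pfx opens both the older and the newer files because the key identifier never changes; in the reset case the old pfx opens only the pre-reset files and the post-reset pfx opens only the newer ones, which is why both copies would have to be kept. The model also shows the detection point a practitioner has: the cert thumbprint (here `key_id`) on newly encrypted files differs from the one in the backup, which is the only outward sign that silent re-keying happened.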