Re: Self-Signed EFS and AD

From: Shreeniwas Kelkar [MSFT] (skelkar_at_online.microsoft.com)
Date: 01/19/05


Date: Wed, 19 Jan 2005 14:08:08 -0800

EFS needs your private key available locally to work. Hence migrating certs
alone is not enough. The private keys are protected by DPAPI on the local
machine. Certs are public information and hence published to AD. Private keys
usually are not.

If you want to use the same cert+key for EFS across multiple machines, you
need to make sure that the private key along with the certificate is
available on each machine. Some ways to achieve this:
1) Turn on roaming profiles and your cert and key will automatically roam to
all machines. This however has performance implications.
2) If the number of machines involved is small, you can export your EFS
cert+key from the previous machine to a PFX and import it on the new machine
before attempting EFS.
3) If the machines are part of a domain and there is a file server with
Trusted For Delegation privileges available in the domain, you can do remote
EFS by storing your documents on this server. The keys in this case are
maintained on the server so you can easily access your documents from
various clients.

-- 
Shreeniwas Kelkar [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
"MJ" <MJ@discussions.microsoft.com> wrote in message 
news:CBF57444-CD80-4565-B34A-66A40F3912F0@microsoft.com...
> Is there any way to enforce the usage of Active Directory published EFS
> Certificate instead of creating a new one every time I change a PC  ?
>
> Here is why:
>
> The first time I use EFS on a PC, it locally generates an EFS Certificate
> (i.e. self-signed). I can publish this Certificate in Active Directory so
> that other users can enable me to read their encrypted documents - All is
> fine.
>
> However, if I change the PC (or work from some other location), the first
> time I try to encrypt a file another/new/different local (self-signed) EFS
> Certificate will be created for me.
> Now, I thought that PCs (i.e. Windows XP) are smart enough to check the
> Active Directory whether there is already a published Certificate and use
> the same one instead of creating a new one (local, self-signed).
> Or perhaps I should have asked: since there can be only one private key
> for each public key (i.e. certificate), is it possible to store (and use as
> needed) the private key in Active Directory along with the corresponding
> Certificate ?
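Option 2 above (export cert+key to a PFX on the old machine, import it on the new one before any file is encrypted there) as a worked example. This is added here and is not code from the thread or from Microsoft; it assumes Windows 8 / Server 2012 or later for the PKI module cmdlets Export-PfxCertificate and Import-PfxCertificate (on Windows XP SP2 the equivalent is the `cipher /x` command noted in the comments), and the paths and PFX password are placeholders. The EFS EKU OID and the CurrentKeys registry value are real, but the assumption that CertificateHash is stored as a binary SHA-1 thumbprint is flagged in the code.

```powershell
# Added example, not from the original post. Inventory the user's EFS
# certificate(s), export cert+private key to a PFX on the old machine, and
# import the PFX on the new machine before EFS is used there (so Windows
# finds a usable EFS cert in the store instead of generating a fresh one).
# Assumes Windows 8 / Server 2012+ for the PKI module cmdlets; on XP SP2
# use the 'cipher /x' form shown in the comments instead.

$EfsEku = '1.3.6.1.4.1.311.10.3.4'   # EKU OID: Encrypting File System

function Get-EfsCertificate {
    # Certificates in the user's personal store that carry the EFS EKU.
    Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        $_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $EfsEku }
    }
}

function Get-CurrentEfsThumbprint {
    # EFS records the thumbprint of the key it currently encrypts with here.
    # Assumption: CertificateHash is REG_BINARY holding the SHA-1 thumbprint.
    $key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys'
    $hash = (Get-ItemProperty -Path $key -Name CertificateHash -ErrorAction SilentlyContinue).CertificateHash
    if ($hash) { ($hash | ForEach-Object { $_.ToString('X2') }) -join '' }
}

function Export-EfsKey {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][SecureString]$Password
    )
    $cert = Get-Item -Path "Cert:\CurrentUser\My\$Thumbprint"
    # The cert alone is useless for EFS: refuse to export unless the
    # DPAPI-protected private key is actually present on this machine.
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $Thumbprint has no private key on this machine; nothing to migrate."
    }
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password `
        -ChainOption EndEntityCertOnly | Out-Null
    # Windows XP SP2 equivalent (prompts for the password interactively):
    #   cipher /x "$PfxPath"
    Get-Item -Path $PfxPath
}

function Import-EfsKey {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][SecureString]$Password
    )
    # Import cert+key into the personal store. -Exportable keeps the key
    # exportable so it can be migrated again from this machine later.
    $imported = Import-PfxCertificate -FilePath $PfxPath `
        -CertStoreLocation Cert:\CurrentUser\My -Password $Password -Exportable
    if (-not $imported.HasPrivateKey) {
        throw "Import of $PfxPath produced a certificate without a private key."
    }
    # If files on this machine were already encrypted under an older local
    # key, re-key them to the key EFS now considers current.
    cipher /u | Out-Null
    $imported
}

# --- On the old machine ---
$pw = Read-Host -AsSecureString -Prompt 'PFX password'
Get-EfsCertificate | Format-Table Thumbprint, Subject, NotAfter, HasPrivateKey
$current = Get-CurrentEfsThumbprint
if (-not $current) { $current = (Get-EfsCertificate | Where-Object HasPrivateKey | Select-Object -First 1).Thumbprint }
Export-EfsKey -Thumbprint $current -PfxPath 'C:\transfer\efs.pfx' -Password $pw

# --- On the new machine, before any file is encrypted there ---
# Import-EfsKey -PfxPath 'C:\transfer\efs.pfx' -Password $pw
```

The PFX carries the private key, so it is the same secret DPAPI was protecting: use a strong password, move it over a trusted channel, delete the transfer copy on both machines once the import is verified (`cipher /w:C:\transfer` overwrites the freed space), and confirm on the new machine with `Get-EfsCertificate` that the imported thumbprint shows `HasPrivateKey` as true before encrypting anything.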

