Re: Tests show that I don't understand how it works.

From: Kerry Brown (kerry_at_kdbNOSPAMsystems.c*o*m)
Date: 03/19/05


Date: Fri, 18 Mar 2005 23:07:16 -0800


"M. Jennings" <mjennings@-NOTthis-or-dashes-myrealbox.com> wrote in message
news:uDATUkELFHA.1916@TK2MSFTNGP12.phx.gbl...
> I decided I just don't have enough information to use EFS. In the
> newsgroups there are many stories of people losing their information.
> Microsoft makes it easy to encrypt, and difficult to know how to make your
> files safe. The explanation of how it works is just not there.
>
> I ran EFSInfo on my test directory. Even though I deleted my personal
> certificate, the files are automatically decrypted. This shows that I
> don't understand how it works.
>
> Also, I'm worried about not being on a domain. I tried what you suggested
> before, with stand alone computers, and was not able to make it work.
>
> I cannot copy the test encrypted folder without decrypting the contents.
> It is suggested to use NTBackup for this, but NTBackup does not work on
> the two computers I tried. (I have only four computers here.) That's
> another of those knotty problems that could take many hours to debug.
>
> I don't understand why they say "Recovery Certificate", when supposedly
> the Recovery Certificate does not include the private key. With no private
> key, it is impossible to decrypt files.
>

EFS is not Microsoft's finest moment. The encryption/decryption works as
advertised. As you have found out, making sure you can always decrypt it can
be a problem. I quit using it myself a couple of years ago. None of my data
is that sensitive. I do have to support people who use it, though, so I made
sure I knew the ins and outs. So far I've not lost any data. Came close once
when I thought I had a copy of the certificate. Turned out I didn't, and the
computer it was on was wiped clean and sold. Luckily I had good backups, but
it took most of a day to recover the certificate from the backup tape.

Good luck. Take a look at PGP; it may do what you want.

Kerry


