Re: DRA is Decrypting Files when it shouldn't be!!!



Hmm. Have you tried first exporting/deleting the user's private key
before creating the RA to see what happens, or rebooting the computer before
you created the RA with cipher /R with the user's private key still on the
computer? XP is supposed to flush the EFS cache at logoff. Did you remove any
old RA from the RA user certificate store via the mmc snap-in for certificates
and then log off as the RA? You can use efsinfo to see what RAs are included
in a user's EFS file and examine the certificate thumbprint to see exactly
what RA certificate is being used if there is more than one available. You
might also want to post in the Microsoft.public.security.crypto
newsgroup. --- Steve


"DJ" <DJ@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:583E06D2-2DEA-4BCE-AE5A-6B2590CD52A6@xxxxxxxxxxxxxxxx
> I set up a brand new XP install. Set up a new local user named Joe and
> logged in as Joe. Created a new directory and encrypted 200 files in this
> directory.
>
> Logged off and logged in as Administrator. Created a DRA (ex: Cipher
> /r:Filename, imported certificate and private key into the local
> certificate store, Ran gpedit.msc and added DRA.). After this, I tried to
> unencrypt the directory while logged in as Administrator and it let me!!!
> Why is this? It shouldn't allow me to decrypt 200 files that were
> encrypted before a DRA was created.
>
> I don't get this crap. Many articles state that you have to create the DRA
> before encrypting the files so that the DRA can decrypt them. If you
> don't, then you need to run cipher /u to update the encrypted files so
> that the newly created DRA will work with older encrypted files.
>
> In my case, I created the DRA after the files were already encrypted and
> "never" ran a cipher /u. Does anybody know what could cause this?
>
> Thanks, DJ

