Re: DRA is Decrypting Files when it shouldn't be!!!



So what exactly did you do? Create a user, encrypt some files, remove the
user's EFS certificate private key, create an RA, and not be able to decrypt
files as the RA? Or did you use your current configuration where the RA could
decrypt the user's files, remove the user's EFS certificate private key, and
the RA can no longer decrypt files? Did you look to see if the RA had more
than one RA certificate? --- Steve


"DJ" <DJ@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C7D62C3E-C1AA-46A1-93E1-D66DE97010B5@xxxxxxxxxxxxxxxx
> Steve, I did what you said (below) and "exported" & "deleted" the user's
> private key and now it's acting correctly. Why is this?
>
> I don't understand, please explain.
>
> Thanks, DJ
>
> "Steven L Umbach" wrote:
>
>> Hmm. Have you tried first exporting/deleting the user's private key
>> before creating the RA to see what happens, or rebooting the computer
>> before you created the RA with cipher /R with the user's private key
>> still on the computer? XP is supposed to flush the EFS cache at logoff.
>> Did you remove any old RA from the RA user's certificate store via the
>> MMC snap-in for certificates and then log off as the RA? You can use
>> efsinfo to see what RAs are included in a user's EFS file and examine
>> the certificate thumbprint to see exactly what RA certificate is being
>> used if there is more than one available. You might also want to post
>> in the microsoft.public.security.crypto newsgroup. --- Steve
>>
>>
>> "DJ" <DJ@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:583E06D2-2DEA-4BCE-AE5A-6B2590CD52A6@xxxxxxxxxxxxxxxx
>> > I set up a brand new XP install. Set up a new local user named Joe and
>> > logged in as Joe. Created a new directory and encrypted 200 files in
>> > this directory.
>> >
>> > Logged off and logged in as Administrator. Created a DRA (ex: Cipher
>> > /r:Filename, imported the certificate and private key into the local
>> > certificate store, ran gpedit.msc and added the DRA). After this, I
>> > tried to unencrypt the directory while logged in as Administrator and
>> > it let me!!! Why is this? It shouldn't allow me to decrypt 200 files
>> > that were encrypted before a DRA was created.
>> >
>> > I don't get this crap. Many articles state that you have to create the
>> > DRA before encrypting the files so that the DRA can decrypt them. If
>> > you don't, then you need to run cipher /u to update the encrypted files
>> > so that the newly created DRA will work with older encrypted files.
>> >
>> > In my case, I created the DRA after the files were already encrypted
>> > and "never" ran a cipher /u. Does anybody know what could cause this?
>> >
>> > Thanks, DJ
>>
>>
>>
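Added example, not part of the thread above: Steve's suggestion is to check which RA certificate thumbprints are actually embedded in each encrypted file rather than trusting what policy says. On XP that was efsinfo.exe; on Vista and later the same metadata is printed by cipher.exe /C. The script below walks a directory, runs cipher /C on every EFS-encrypted file, pulls the thumbprints out of the "Recovery Certificates:" block, and reports which files do not carry the current DRA certificate, i.e. the files that were encrypted before the DRA existed and would still need cipher /U. It assumes PowerShell 3 or later, that the RA's File Recovery certificate (EKU OID 1.3.6.1.4.1.311.10.3.4.1) is in the RA user's personal store, and that the cipher /C output layout is as described in the comments; the parameter names are my own.

```powershell
# Added example (not the thread's own code): find EFS files that lack the
# current DRA certificate. Assumes a Windows version whose cipher.exe supports
# /C (Vista+; the thread's XP machine used efsinfo.exe for the same data) and
# PowerShell 3+ (for -Attributes and member enumeration).
param(
    [Parameter(Mandatory)] [string] $Path,
    [string] $DraThumbprint    # optional; discovered from Cert:\CurrentUser\My if omitted
)

# Locate the File Recovery certificate in the RA's personal store. More than one
# such certificate is exactly the ambiguity Steve asks about, so refuse to guess.
if (-not $DraThumbprint) {
    $ra = @(Get-ChildItem Cert:\CurrentUser\My |
            Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.10.3.4.1' })
    if ($ra.Count -ne 1) {
        throw "Found $($ra.Count) File Recovery certificate(s) in Cert:\CurrentUser\My; pass -DraThumbprint explicitly."
    }
    $DraThumbprint = $ra[0].Thumbprint
}
# cipher prints thumbprints in space-separated groups; normalise both sides.
$DraThumbprint = ($DraThumbprint -replace '\s', '').ToUpperInvariant()

# Only files with the Encrypted attribute carry EFS metadata worth inspecting.
$files = Get-ChildItem -Path $Path -Recurse -File -Attributes Encrypted

foreach ($f in $files) {
    # Assumed layout of cipher /C output per file:
    #   Users who can decrypt:
    #     <user>
    #     Certificate thumbprint: XXXX XXXX ...
    #   Recovery Certificates:
    #     <agent>
    #     Certificate thumbprint: XXXX XXXX ...
    #   Key Information:
    # We collect thumbprints only while inside the "Recovery Certificates:" block.
    $out = & cipher.exe /C $f.FullName 2>&1
    $inRecovery = $false
    $recoveryThumbs = @()
    foreach ($line in $out) {
        if ($line -match '^\s*Recovery Certificates:') { $inRecovery = $true; continue }
        if ($line -match '^\s*(Key Information:|Users who can decrypt:)') { $inRecovery = $false; continue }
        if ($inRecovery -and $line -match 'Certificate thumbprint:\s*([0-9A-Fa-f ]+)') {
            $recoveryThumbs += ($Matches[1] -replace '\s', '').ToUpperInvariant()
        }
    }
    [pscustomobject]@{
        File          = $f.FullName
        HasCurrentDRA = ($recoveryThumbs -contains $DraThumbprint)
        RecoveryDRAs  = ($recoveryThumbs -join ',')
    }
}
```

Run it as the RA (so the File Recovery certificate is found) against the directory in question, e.g. `.\Check-EfsDra.ps1 -Path C:\JoeFiles | Where-Object { -not $_.HasCurrentDRA }`. Any file listed there was not re-keyed for the current DRA, which is the state the thread says cipher /U is meant to fix; note that cipher /U only updates files the account running it can already decrypt, so it has to be run as the file owner (Joe), not as the RA. A file that reports a thumbprint you do not recognise points at the stale-RA situation Steve describes, and the thumbprint can be matched against the entries in the Certificates MMC snap-in.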

