Re: DRA is Decrypting Files when it shouldn't be!!!



Let's go over this again...

OS setup:

Installed a fresh copy of XP. Forget about extra RAs. There is only one RA
with this setup. I dedicated the Administrator's account as the RA.

Problem:

EFS is allowing the RA to decrypt 200 files that were encrypted BEFORE an RA
was actually created on the XP OS. My question is Why?

I was told by "many people" that you have to setup the RA BEFORE enabling
encryption to get the RA to decrypt encrypted files.

Steps I took:

I created a user, encrypted 200 files. Logged off and logged on as
Administrator and created a RA. Rebooted and logged in as Administrator and
decrypted the 200 files.

In this case here, I created the RA after the files were already encrypted,
so why am I ABLE to decrypt the 200 files?

Anyway, to resolve the problem, you asked me to do an experiment and told me
to "export" & "delete" the user's private key before creating the RA. I did
this, and now the RA cannot delete the 200 files (which is the way it is supposed
to work).

My question is, why did you suggest to "export" & "delete" the user's
private key, then create the RA? And also why does this work and what did I
do wrong?

Thanks, Dave

---------------------------------------------------

> So what did you exactly do? Create a user, encrypt some files, remove the
> user's EFS certificate private key, create an RA, and not be able to decrypt
> files as RA, or did you use your current configuration where the RA could
> decrypt the user's files, remove the user's EFS certificate private key, and the RA can
> no longer decrypt files?? Did you look to see if the RA had more than one RA
> certificate?? --- Steve
>
>
> "DJ" <DJ@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:C7D62C3E-C1AA-46A1-93E1-D66DE97010B5@xxxxxxxxxxxxxxxx
> > Steve, I did what you said (below) and "exported" & "deleted" the user's
> > private key and now it's acting correctly. Why is this?
> >
> > I don't understand, please explain.
> >
> > Thanks, DJ
> >
> > "Steven L Umbach" wrote:
> >
> >> Hmm. Have you tried first exporting/deleting the user's private key
> >> before creating the RA to see what happens, or rebooting the computer before
> >> you created the RA with cipher /R with the user's private key still on the
> >> computer? XP is supposed to flush the EFS cache at logoff. Did you remove any
> >> old RA from the RA user certificate store via the mmc snapin for certificates
> >> and then logoff as the RA? You can use efsinfo to see what RAs are included
> >> in a user's EFS file and examine the certificate thumbprint to see exactly
> >> what RA certificate is being used if there are more than one available. You
> >> might also want to post in the microsoft.public.security.crypto
> >> newsgroup. --- Steve
> >>
> >>
> >> "DJ" <DJ@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> news:583E06D2-2DEA-4BCE-AE5A-6B2590CD52A6@xxxxxxxxxxxxxxxx
> >> > I setup a brand new XP install. Setup a new local user named Joe and logged
> >> > in as Joe. Created a new directory and encrypted 200 files in this
> >> > directory.
> >> >
> >> > Logged off and logged in as Administrator. Created a DRA (ex: Cipher
> >> > /r:Filename, imported certificate and private key into the local
> >> > certificate store, ran gpedit.msc and added DRA). After this, I tried to
> >> > unencrypt the directory while logged in as Administrator and it let me!!!
> >> > Why is this? It shouldn't allow me to decrypt 200 files that were
> >> > encrypted before a DRA was created.
> >> >
> >> > I don't get this crap. Many articles state that you have to create the
> >> > DRA before encrypting the files so that the DRA can decrypt them. If you
> >> > don't, then you need to run cipher /u to update the encrypted files so
> >> > that the newly created DRA will work with older encrypted files.
> >> >
> >> > In my case, I created the DRA after the files were already encrypted and
> >> > "never" ran a cipher /u. Does anybody know what could cause this?
> >> >
> >> > Thanks, DJ
> >>
> >>
> >>
>
>
>
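The check Steve suggests above (use efsinfo to list the recovery agents embedded in each encrypted file and compare their thumbprints against the recovery certificate the RA actually holds) can be scripted. The following PowerShell is an added example and not code from anyone in this thread. It assumes efsinfo.exe (from the Windows Resource Kit) and cipher.exe are on the PATH, and it assumes that efsinfo prints each certificate thumbprint on a line containing the word "thumbprint"; the hex is normalised before comparison so spacing and case in that output do not matter. Adding the DRA to local policy through gpedit.msc is a manual step this script does not perform.

```powershell
<#
  Added example, not code from this thread. Audits which recovery-agent (DRA)
  certificates each encrypted file under -Path carries and compares them with
  the File Recovery certificates in the current user's personal store.
  Assumptions: efsinfo.exe and cipher.exe are on PATH; efsinfo prints each
  thumbprint on a line containing "thumbprint" (assumed text format).
#>
param(
    [Parameter(Mandatory = $true)][string]$Path,   # directory holding the encrypted files
    [switch]$Update                                 # also run "cipher /u" to refresh DRA keys
)

$FileRecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'       # "File Recovery" EKU OID used by EFS DRA certs

# Return the EKU OIDs of a certificate (empty if it has no EKU extension)
function Get-EkuOids([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    $ext = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($ext) { $ext.EnhancedKeyUsages | ForEach-Object { $_.Value } }
}

# Keep only hex digits, upper-cased, so "1a 2b" and "1A2B" compare equal
function Normalize-Hex([string]$s) { ($s -replace '[^0-9A-Fa-f]', '').ToUpperInvariant() }

# 1. Recovery certificates in the RA's store: more than one here is exactly the
#    situation where the file may carry a different DRA than the one you expect.
$draCerts = @(Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { (Get-EkuOids $_) -contains $FileRecoveryEku })
if ($draCerts.Count -eq 0) { Write-Warning 'No File Recovery certificate in CurrentUser\My' }
foreach ($c in $draCerts) {
    '{0}  thumbprint={1}  hasPrivateKey={2}  expires={3}' -f $c.Subject, $c.Thumbprint,
        $c.HasPrivateKey, $c.NotAfter
}
$storeThumbs = @($draCerts | ForEach-Object { Normalize-Hex $_.Thumbprint })

# 2. For each encrypted file, ask efsinfo which recovery agents are in its
#    data recovery field and check whether any of them is a cert we hold.
$report = @(foreach ($f in Get-ChildItem -Path $Path -Recurse | Where-Object { -not $_.PSIsContainer }) {
    if (($f.Attributes -band [IO.FileAttributes]::Encrypted) -eq 0) { continue }

    $lines = & efsinfo /r /c $f.FullName 2>&1 | Out-String -Stream
    $fileThumbs = @($lines | Where-Object { $_ -match 'thumbprint' } |
                    ForEach-Object { Normalize-Hex $_ })

    # A store thumbprint "matches" if it appears inside any thumbprint line of the file
    $matched = @($storeThumbs | Where-Object {
        $t = $_; @($fileThumbs | Where-Object { $_ -like "*$t*" }).Count -gt 0 })

    New-Object PSObject -Property @{
        File           = $f.FullName
        DraThumbprints = ($fileThumbs -join ',')
        HasCurrentDra  = ($matched.Count -gt 0)
    }
})

$report | Format-Table File, HasCurrentDra, DraThumbprints -AutoSize
$stale = @($report | Where-Object { -not $_.HasCurrentDra })
'{0} encrypted file(s), {1} without a DRA certificate from this store' -f $report.Count, $stale.Count

# 3. Optionally refresh: "cipher /u" rewrites the recovery field of every encrypted
#    file the current user can open, using the DRA now configured in policy.
#    Files this user cannot open are left untouched, so re-run the audit afterwards.
if ($Update -and $stale.Count -gt 0) { & cipher /u }
```

Run it as the recovery agent after importing the DRA certificate and private key, e.g. `.\Audit-EfsDra.ps1 -Path C:\Data`. If a file reports HasCurrentDra as false and the RA can nevertheless decrypt it, the RA's store holds a key that matches a different thumbprint on that file (an older DRA certificate, or the encrypting user's own EFS certificate), which is what the thumbprint column is there to expose.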