Re: DRA is Decrypting Files when it shouldn't be!!!



I just reproduced what you did and was not able to access the files as the
RA though I rebooted the computer after encrypting the files and before
logging on as the built in administrator account to create the RA. ---
Steve


"DJ" <DJ@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C715850F-53CC-43A8-8EED-87F77BF49319@xxxxxxxxxxxxxxxx
> Let's go over this again...
>
> OS setup:
>
> Installed a fresh copy of XP. Forget about extra RA's. There is only one
> RA with this setup. I dedicated the Administrator's account as the RA.
>
> Problem:
>
> EFS is allowing the RA to decrypt 200 files that were encrypted BEFORE an
> RA was actually created on the XP OS. My question is Why?
>
> I was told by "many people" that you have to setup the RA BEFORE enabling
> encryption to get the RA to decrypt encrypted files.
>
> Steps I took:
>
> I created a user, encrypted 200 files. Logged off and logged on as
> Administrator and created a RA. Rebooted and logged in as Administrator
> and decrypted the 200 files.
>
> In this case here, I created the RA after the files were already
> encrypted, so why am I ABLE to decrypt the 200 files?
>
> Anyway, to resolve the problem, you asked me to do an experiment and told
> me to "export" & "delete" the user's private key, before creating the RA.
> I did this, and now the RA cannot delete the 200 files (which is the way
> it is supposed to work)
>
> My question is, why did you suggest to "export" & "delete" the user's
> private key, then create the RA? And also why does this work and what did
> I do wrong?
>
> Thanks, Dave
>
> ---------------------------------------------------
>
>> So what did you exactly do? Create a user, encrypt some files, remove
>> the user's EFS certificate private key, create an RA, and not be able to
>> decrypt files as RA or did you use your current configuration where the
>> RA could decrypt user's files, remove user's EFS certificate private key,
>> and RA can no longer decrypt files?? Did you look to see if RA had more
>> than one RA certificate?? --- Steve
>>
>>
>> "DJ" <DJ@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:C7D62C3E-C1AA-46A1-93E1-D66DE97010B5@xxxxxxxxxxxxxxxx
>> > Steve, I did what you said (below) and "exported" & "deleted" the
>> > user's private key and now it's acting correctly. Why is this?
>> >
>> > I don't understand, please explain.
>> >
>> > Thanks, DJ
>> >
>> > "Steven L Umbach" wrote:
>> >
>> >> Hmm. Have you tried that first exporting/deleting the user's private
>> >> key before creating the RA to see what happens or rebooting the
>> >> computer before you created the RA with cipher /R with the user's
>> >> private key still on the computer? XP is supposed to flush EFS cache at
>> >> logoff. Did you remove any old RA from the RA user certificate store
>> >> via mmc snapin for certificates and then logoff as the RA? You can use
>> >> efsinfo to see what RAs are included in a user's EFS file and examine
>> >> the certificate thumbprint to see exactly what RA certificate is being
>> >> used if there are more than one available. You might also want to post
>> >> in the Microsoft.public.security.crypto newsgroup. --- Steve
>> >>
>> >>
>> >> "DJ" <DJ@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> news:583E06D2-2DEA-4BCE-AE5A-6B2590CD52A6@xxxxxxxxxxxxxxxx
>> >> > I setup a brand new XP install. Setup a new local user named Joe and
>> >> > logged in as Joe. Created a new directory and encrypted 200 files in
>> >> > this directory.
>> >> >
>> >> > Logged off and logged in as Administrator. Created a DRA (ex: Cipher
>> >> > /r:Filename, imported certificate and private key into the local
>> >> > certificate store, Ran gpedit.msc and added DRA.). After this, I
>> >> > tried to unencrypt the directory while logged in as Administrator and
>> >> > it let me!!! Why is this? It shouldn't allow me to decrypt 200 files
>> >> > that were encrypted before a DRA was created.
>> >> >
>> >> > I don't get this crap. Many articles state that you have to create
>> >> > the DRA before encrypting the files so that the DRA can decrypt them.
>> >> > If you don't then, you need to run cipher /u to update the encrypted
>> >> > files so that the newly created DRA will work with older encrypted
>> >> > files.
>> >> >
>> >> > In my case, I created the DRA after the files were already encrypted
>> >> > and "never" ran a cipher /u. Does anybody know what could cause this?
>> >> >
>> >> > Thanks, DJ
>> >>
>> >>
>> >>
>>
>>
>>
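A check for the experiment discussed in this thread, added here and not part of anyone's post: it lists which files under a folder carry the EFS Encrypted attribute and whether the account running it can actually open them. Run it as the user who encrypted the files, then as the designated recovery agent, before and after "cipher /u", so the RA's access to pre-existing encrypted files is measured instead of assumed. The folder path is an assumption.

```powershell
# Added example, not from the thread. Reports, per file, whether it is EFS
# encrypted and whether the current account can open it. Written against
# PowerShell 2.0-era cmdlets so it also runs on older Windows versions.
param(
    [string]$Path = "C:\EFSTest"   # assumed location of the 200 test files
)

$results = Get-ChildItem -Path $Path -Recurse |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        $attrs = [System.IO.File]::GetAttributes($_.FullName)
        $isEncrypted = ($attrs -band [System.IO.FileAttributes]::Encrypted) -ne 0
        $readable = $false
        $reason = ""
        if ($isEncrypted) {
            try {
                # Opening the file makes EFS unwrap the FEK with a key this
                # account holds: its own DDF entry or a DRF (recovery) entry.
                # Without such an entry the open fails with access denied.
                $fs = [System.IO.File]::OpenRead($_.FullName)
                $null = $fs.ReadByte()
                $fs.Close()
                $readable = $true
            } catch {
                $reason = $_.Exception.GetType().Name
            }
        }
        New-Object PSObject -Property @{
            File      = $_.FullName
            Encrypted = $isEncrypted
            Readable  = $readable
            Error     = $reason
        }
    }

$results | Format-Table File, Encrypted, Readable, Error -AutoSize

$enc = @($results | Where-Object { $_.Encrypted })
$ok  = @($enc | Where-Object { $_.Readable })
"{0} encrypted file(s); {1} readable by {2}\{3}" -f $enc.Count, $ok.Count, $env:USERDOMAIN, $env:USERNAME
# Access denied on every encrypted file when run as the RA means no DRF entry
# references a recovery certificate this account holds; that is the expected
# state until the owner opens the files or runs "cipher /u" after the DRA
# policy is in place. Readable files as the RA can then be cross-checked with
# efsinfo to see which recovery certificate thumbprint each file carries.
```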

