XP Pro Encryption

#1
I just enabled EFS encryption on a few folders on my computer and have now made the .pfx backup file. Now that I have a "local certificate", will my private key ever change? I'm wondering if I need to bother backing up the certificates if I change my logon password or anything. I would assume not.

thanks...

#2
Best Practices for the Encrypting File System
http://support.microsoft.com/defaul...kb;en-us;223316

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User

Be Smart! Protect your PC!
http://www.microsoft.com/security/protect/

-------------------------------------------------------------------------------------------

"Steve P" <pearcejk@nospamearthlink.net> wrote in message:
news:e2tdCKT3DHA.3216@TK2MSFTNGP11.phx.gbl...

| I just enabled EFS encryption on a few folders on my computer and have now
| made the .pfx backup file. Now that I have a "local certificate", will my
| private key ever change? I'm wondering if I need to bother backing up the
| certificates if I change my logon password or anything. I would assume not.
|
| thanks...

#3
Steve;

Unless you fully understand EFS, quit using it until you fully understand the documents referenced on this link:
http://www3.telus.net/dandemar/Encrypt.htm
Otherwise you greatly increase the chances of permanently losing data.
Experiment with EFS using non-important data until you are proficient.

--
Jupiter Jones [MVP]
An easier way to read newsgroup messages:
http://www.microsoft.com/windowsxp/...roups/setup.asp
http://www3.telus.net/dandemar/

"Steve P" <pearcejk@nospamearthlink.net> wrote in message
news:e2tdCKT3DHA.3216@TK2MSFTNGP11.phx.gbl...
> I just enabled EFS encryption on a few folders on my computer and have now
> made the .pfx backup file. Now that I have a "local certificate", will my
> private key ever change? I'm wondering if I need to bother backing up the
> certificates if I change my logon password or anything. I would assume not.
>
> thanks...

#4
Steve,

You have made a pfx. Great. Keep it safe, off of your machine, on media that will not degrade, and do not forget the password.

If you delete the current EFS cert from your personal certificates, then when you first use EFS after that a new EFS cert/key will be generated. So, you could end up with some files encrypted by different certs needing different keys to decrypt.

Before you use EFS in earnest, I would suggest that you first:

1. decrypt anything important, or at least have another copy that is in the clear.
2. define a DRA, export its pfx, and perhaps have its key removed from the system when you are done with experimenting and define the final DRA for real use.
   Use an account as the DRA that you do not normally ever use in order to reduce chances that it may get its profile corrupted.
3. experiment !!
   With no files in jeopardy of complete loss, try encrypting some files, removing your key, trying to access the files and failing, importing your key, retrying and succeeding.
   Import the pfx into a second file and try accessing the files.
   Do the above with the DRA.
4. Check out the effect of administratively resetting the password of the encrypting (or DRA) account. If the password is changed using the interface that requires entry of the old password, there is no interruption in access. If the administrative reset password interface is used however, access is intentionally disrupted.
   Make and use password disks feature available in User Accounts control panel applet. (After an administrative reset, use the same method to reset it back to what it was to regain EFS access.)

After you have a sense of the ways to handle EFS pfx files, etc. then EFS is a very convenient and safe thing to use. This is especially so if you read over the docs that have been referenced.

Remember, access to your EFS protected files is only as good as your protection over unauthorized people being able to use the encrypting account, or the DRA if the key is loaded in it.

Roger

"Steve P" <pearcejk@nospamearthlink.net> wrote in message
news:e2tdCKT3DHA.3216@TK2MSFTNGP11.phx.gbl...
> I just enabled EFS encryption on a few folders on my computer and have now
> made the .pfx backup file. Now that I have a "local certificate", will my
> private key ever change? I'm wondering if I need to bother backing up the
> certificates if I change my logon password or anything. I would assume not.
>
> thanks...
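
The advice in post #4 to prove that the .pfx is usable, and its warning that files can end up under different certificates, can be partly checked without touching any encrypted data. The script below is an added example and is not part of any post in this thread; it assumes a Windows version with PowerShell 3.0 or later (not stock XP), and the backup file name `efs-backup.pfx` is a hypothetical placeholder.

```powershell
# Added example; the file name below is a hypothetical placeholder.
param([string]$PfxPath = '.\efs-backup.pfx')

$EfsOid = '1.3.6.1.4.1.311.10.3.4'     # EKU: Encrypting File System
$DraOid = '1.3.6.1.4.1.311.10.3.4.1'   # EKU: File Recovery (DRA)

function Get-EkuOid {
    # Return the Enhanced Key Usage OIDs carried by a certificate.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $oid.Value }
        }
    }
}

# 1. The backup must open with the password you remember.
$password = Read-Host -AsSecureString "Password for $PfxPath"
try {
    $backup = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList (Resolve-Path $PfxPath -ErrorAction Stop).Path, $password
} catch {
    Write-Error "Cannot open ${PfxPath}: wrong password, missing or damaged file."
    return
}

# 2. Classify the certificate by its EKU.
$ekus = @(Get-EkuOid $backup)
$role = 'not an EFS certificate'
if ($ekus -contains $EfsOid) { $role = 'EFS user' }
if ($ekus -contains $DraOid) { $role = 'recovery agent (DRA)' }

# 3. Compare with the EFS certificates now in the Personal store.
$inStore = @(Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { @(Get-EkuOid $_) -contains $EfsOid })
$match = @($inStore | Where-Object { $_.Thumbprint -eq $backup.Thumbprint })

[pscustomobject]@{
    Thumbprint      = $backup.Thumbprint
    Role            = $role
    HasPrivateKey   = $backup.HasPrivateKey
    NotAfter        = $backup.NotAfter
    MatchesStore    = ($match.Count -gt 0)
    EfsCertsInStore = $inStore.Count
}

if (-not $backup.HasPrivateKey) { Write-Warning 'No private key in this file; it cannot decrypt anything.' }
if ($role -eq 'EFS user' -and $match.Count -eq 0) { Write-Warning 'Backup matches no EFS certificate in the store; newer files may need a different key.' }
if ($inStore.Count -gt 1) { Write-Warning 'Several EFS certificates in the store; back up each one.' }
```

Run it from the account that encrypted the files. Opening the file this way does not add the certificate to the Personal store.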

#5

"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
news:%23Uty69T3DHA.2680@tk2msftngp13.phx.gbl...
> Steve,
>
> You have made a pfx. Great. Keep it safe, off of your machine,
> on media that will not degrade, and do not forget the password.
>
> If you delete the current EFS cert from your personal certificates,
> then when you first use EFS after that a new EFS cert/key will be
> generated. So, you could end up with some files encrypted by
> different certs needing different keys to decrypt.
>
> Before you use EFS in earnest, I would suggest that you first:
> 1. decrypt anything important, or at least have another copy
> that is in the clear.
> 2. define a DRA, export its pfx, and perhaps have its key removed
> from the system when you are done with experimenting and
> define the final DRA for real use
> Use an account as the DRA that you do not normally ever use
> in order to reduce chances that it may get its profile corrupted.
> 3. experiment !!
> With no files in jeopardy of complete loss, try encrypting some
> files, removing your key, trying to access the files and failing,
> importing your key, retrying and succeeding.
> Import the pfx into a second file and try accessing the files.

that is, into a second account (not file) !!

> Do the above with the DRA.
> 4. Check out the effect of administratively resetting the password
> of the encrypting (or DRA) account. If the password is changed
> using the interface that requires entry of the old password, there
> is no interruption in access. If the administrative reset password
> interface is used however, access is intentionally disrupted.
> Make and use password disks feature available in User Accounts
> control panel applet. (After an administrative reset, use the same
> method to reset it back to what it was to regain EFS access.)
>
> After you have a sense of the ways to handle EFS pfx files, etc.
> then EFS is a very convenient and safe thing to use. This is
> especially so if you read over the docs that have been referenced.
>
> Remember, access to your EFS protected files is only as good
> as your protection over unauthorized people being able to use
> the encrypting account, or the DRA if the key is loaded in it.
>
> Roger
>
> "Steve P" <pearcejk@nospamearthlink.net> wrote in message
> news:e2tdCKT3DHA.3216@TK2MSFTNGP11.phx.gbl...
> > I just enabled EFS encryption on a few folders on my computer and have now
> > made the .pfx backup file. Now that I have a "local certificate", will my
> > private key ever change? I'm wondering if I need to bother backing up the
> > certificates if I change my logon password or anything. I would assume not.
> >
> > thanks...

#6
That's great advice!

Note that the "will my private key ever change?" problem is also mitigated by the use of a DRA - even if something happened to corrupt the old key and a new keypair was issued, the DRA could decrypt the files.

--
Drew Cooper [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.

"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
news:urqtWFV3DHA.484@TK2MSFTNGP10.phx.gbl...
>
> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
> news:%23Uty69T3DHA.2680@tk2msftngp13.phx.gbl...
> > Steve,
> >
> > You have made a pfx. Great. Keep it safe, off of your machine,
> > on media that will not degrade, and do not forget the password.
> >
> > If you delete the current EFS cert from your personal certificates,
> > then when you first use EFS after that a new EFS cert/key will be
> > generated. So, you could end up with some files encrypted by
> > different certs needing different keys to decrypt.
> >
> > Before you use EFS in earnest, I would suggest that you first:
> > 1. decrypt anything important, or at least have another copy
> > that is in the clear.
> > 2. define a DRA, export its pfx, and perhaps have its key removed
> > from the system when you are done with experimenting and
> > define the final DRA for real use
> > Use an account as the DRA that you do not normally ever use
> > in order to reduce chances that it may get its profile corrupted.
> > 3. experiment !!
> > With no files in jeopardy of complete loss, try encrypting some
> > files, removing your key, trying to access the files and failing,
> > importing your key, retrying and succeeding.
> > Import the pfx into a second file and try accessing the files.
>
> that is, into a second account (not file) !!
>
> > Do the above with the DRA.
> > 4. Check out the effect of administratively resetting the password
> > of the encrypting (or DRA) account. If the password is changed
> > using the interface that requires entry of the old password, there
> > is no interruption in access. If the administrative reset password
> > interface is used however, access is intentionally disrupted.
> > Make and use password disks feature available in User Accounts
> > control panel applet. (After an administrative reset, use the same
> > method to reset it back to what it was to regain EFS access.)
> >
> > After you have a sense of the ways to handle EFS pfx files, etc.
> > then EFS is a very convenient and safe thing to use. This is
> > especially so if you read over the docs that have been referenced.
> >
> > Remember, access to your EFS protected files is only as good
> > as your protection over unauthorized people being able to use
> > the encrypting account, or the DRA if the key is loaded in it.
> >
> > Roger
> >
> > "Steve P" <pearcejk@nospamearthlink.net> wrote in message
> > news:e2tdCKT3DHA.3216@TK2MSFTNGP11.phx.gbl...
> > > I just enabled EFS encryption on a few folders on my computer and have now
> > > made the .pfx backup file. Now that I have a "local certificate", will my
> > > private key ever change? I'm wondering if I need to bother backing up the
> > > certificates if I change my logon password or anything. I would assume not.
> > >
> > > thanks...