encrypted files (NTFS EFS) on external USB drive

Barry Watzman

I need to put NTFS EFS files on a USB external drive and then be able to
read and use those files (with a password, of course) when that USB
drive is plugged into another computer.

I've created the drive and EFS encrypted files, and they work -- on the
computer on which they were created.

I exported the certificate (.pfx file) from the computer on which the
files were made, and imported it into the "target" computer, thinking
that this would give me access to the files on the target. However, it
did not (or quite possibly I did it wrong).

Can someone tell me how to do this? No data has been lost or anything,
I just want to understand how to create encrypted files on an external
USB drive and then access those files "normally" when that drive is
plugged into another computer.

Thanks
 
Barry Watzman

Yes, I know that, this was on an NTFS partition, as was stated in the
original question. EFS is working just fine; the question is, how to
read the encrypted files when the drive (a USB external drive with an
NTFS partition) is moved to another computer (also running XP Pro).

EFS works only on NTFS.
Som

Original post:

I need to put NTFS EFS files on a USB external drive and then be able to
read and use those files (with a password, of course) when that USB
drive is plugged into another computer.

I've created the drive and EFS encrypted files, and they work -- on the
computer on which they were created.

I exported the certificate (.pfx file) from the computer on which the
files were made, and imported it into the "target" computer, thinking
that this would give me access to the files on the target. However, it
did not (or quite possibly I did it wrong).

Can someone tell me how to do this? No data has been lost or anything,
I just want to understand how to create encrypted files on an external
USB drive and then access those files "normally" when that drive is
plugged into another computer.

Thanks
 
Som

Oh, somehow I thought it was a USB flash drive, not a hard disk on
USB.

Files are encrypted for the current recovery agents - if a new certificate is
added later, you have to re-encrypt the files (either "touch" them with
cipher.exe or de-encrypt again) to include the new recovery agent.

cipher /U
"...Tries to touch all the encrypted files on local drives. This will
update user's file encryption key or recovery agent's key to the current
ones if they are changed. This option does not work with other options
except /N..."


Som
 
Barry Watzman

Ok, this is a "home" system, not part of a domain, I am the only user,
there is no "recovery agent" unless, being the only user, I am also a
default recovery agent. The OS is XP Pro SP2.

Can you tell me what I need to do so that when I take this USB 200
gig NTFS hard drive to another computer (e.g. my laptop, also running XP
Pro), I can access the files?

I thought that I had exported the certificate (as a .pfx file) on the
desktop and imported it on the laptop. But whatever I did (possibly
incorrectly), it still didn't work.
 
Barry Watzman

The second machine is also running XP Pro SP2 (the machines in question
are my desktop and my laptop, both running XP Pro SP2, in my residence,
not on a domain). There is no explicitly designated recovery agent, but
I am the only user on both machines.

It's not clear if I have the necessary "permission" on the laptop or
not, but I have tried taking ownership on the laptop (apparently
successfully) and it still won't let me open the encrypted files. The
message just says that you don't have the necessary rights and that the
file may be encrypted. It's a bit ambiguous as to why I can't open it,
however I believe it's because of encryption.

No, I'm not SURE that I imported the EFS private key and not just the
certificate. I'd appreciate instructions on both the export and the
import of whatever is needed. I did some reading and research and
followed what seemed to be instructions as well as possible, but all of
this was a bit unclear. I did what you said; "yes, export private key"
was active (not grayed out) and was checked, and the operation seemed to
complete successfully. On the laptop, I double clicked on it and it
seemed to import properly.
 
Galen

Barry Watzman had this to say:

My reply is at the bottom of your sent message:
The second machine is also running XP Pro SP2 (the machines in
question are my desktop and my laptop, both running XP Pro SP2, in my
residence, not on a domain). There is no explicitly designated
recovery agent, but I am the only user on both machines.

It's not clear if I have the necessary "permission" on the laptop or
not, but I have tried taking ownership on the laptop (apparently
successfully) and it still won't let me open the encrypted files. The
message just says that you don't have the necessary rights and that
the file may be encrypted. It's a bit ambiguous as to why I can't
open it, however I believe it's because of encryption.

No, I'm not SURE that I imported the EFS private key and not just the
certificate. I'd appreciate instructions on both the export and the
import of whatever is needed. I did some reading and research and
followed what seemed to be instructions as well as possible, but all
of this was a bit unclear. I did what you said; "yes, export private
key" was active (not grayed out) and was checked, and the operation
seemed to complete successfully. On the laptop, I double clicked on
it and it seemed to import properly.

I don't want to hijack this thread but I see this problem so often that I'd
flagged it so that I can hopefully get a definitive answer. In this
particular case you can double check your steps. Here's a handy dandy Google
link that *should* give you about all you're interested in and help you
troubleshoot this as I too haven't ever tried this:

http://www.google.com/search?num=10...=export+efs+key+windows+xp+site:microsoft.com

I've found the most accurate answers for this troubling EFS stuff to be on
the Microsoft site so I've limited the search to just microsoft.com for you.
The first link looks pretty interesting and might be what you're looking
for. Basically, I'd just use that to double check the steps you've already
taken (it sounds like you're going in the right direction but might be
missing a step.)

To know if you've taken ownership of a file:

http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q308421

Galen
 
Som

Generally:


- encrypt file c:\A on PC1
- encrypt file c:\B on PC2
- cipher.exe /R on PC1
- cipher.exe /R on PC2
- exchange certificate files
- import cert file from PC1 to PC2 (double click)
- import cert file from PC2 to PC1 (double click)
- encrypt file C on USB drive on PC1
- you should be able to decrypt it on PC2

Som
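
A check for the doubt raised earlier in the thread (whether the import brought the EFS private key or only the certificate), added here as an example and not part of any poster's message. It lists the EFS-capable certificates in the current user's Personal store and says whether each has its private key. It assumes PowerShell is installed on the target machine, which the thread does not mention; the function names are made up for this example.

```powershell
# Added example, not from the thread. Run it on the target machine, logged on
# as the account that will open the files; assumes PowerShell is installed.
$efsUsages = @{
    '1.3.6.1.4.1.311.10.3.4'   = 'Encrypting File System'
    '1.3.6.1.4.1.311.10.3.4.1' = 'File Recovery'
}

# Return the EFS-related enhanced key usages named in a certificate, if any.
function Get-EfsUsage($Cert) {
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($efsUsages.ContainsKey($oid.Value)) { $efsUsages[$oid.Value] }
            }
        }
    }
}

# Describe one certificate; it can open EFS files only if its private key is present.
function Get-EfsCertReport($Cert) {
    $usage = @(Get-EfsUsage $Cert)
    if ($usage.Count -eq 0) { return }    # not an EFS certificate, skip it
    if ($Cert.HasPrivateKey) { $state = 'private key present' }
    else { $state = 'CERTIFICATE ONLY, cannot decrypt with it' }
    '{0}  {1}  [{2}]  {3}' -f $Cert.Thumbprint, $Cert.Subject,
        [string]::Join(', ', $usage), $state
}

# The Personal store of the logged-on user is where EFS looks for the key.
$report = @(Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Get-EfsCertReport $_ })

if ($report.Count -eq 0) {
    'No EFS certificate found in the Personal store of this account.'
} else {
    $report
}
```

A line ending in CERTIFICATE ONLY means the certificate arrived without its key, so the export and import have to be repeated with the private key included.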
 
