Sonali said:
Thank you all for your wonderful help. Looks like a genuine problem that XP
has, but my small ranting of Microsoft for my really BIG problem made you all
call one of Microsoft's customers a nitwit, idiot etc.
Anyways, on a more technical and serious note. After doing some serious searching
and working with Sony & Microsoft paid support, here is what we found out:
1) Password change was asked by XP login after 42 days
2) XP never warned of anything about the 'transparent' encryption button
3) I can still export the certificate and I do have the password which is
required while importing the certificate
4) Changing back the password, system restore etc. could not help
5) Official response from Sony and Microsoft -- they can't do anything but
won't tell me what I did wrong or what the problem is.
Looks like the certificates are lost or something -- a guess by all.
Think about it -- "I" could be your non-technical parent, spouse or sibling
who happens to be a doc, teacher or police or firefighter (I am a techie and do
understand stuff, but not at certificates, recovery etc. level). There is no
way non-techies are going to back up certificates when the little button says
"encrypt" data and is highly recommended.
The encrypted folder worked just fine for 1-2 months and the whole thing
just stopped working because XP login asked me to change password. Now, if I
am the owner and changing my password, why shouldn't an elegant design change
the password on anything that was supposed to be working "transparently"? XP is
asking me to change login password because of security reasons but that simple
act can cause major permanent headaches! I was concerned about the lack of coherent
design. I wonder what a poor small business owner would do if his
crucial data is lost for something as simple as this.
BUT looks like luck was on this 'dumb' user's side.
1) I had backed up all my data using Maxtor III -- but it backed up the encrypted
version. I could NOT recover the files.
2) I had backed up ONCE with a plain copy of "My Documents" to an external hard
drive which was backed up automatically by Maxtor III
3) Maxtor III could then recover my data from #2 above
Lessons learnt from this almost catastrophic event
1) Don't use encryption. If you do, read everything about encryption as if
you are going to design encryption/decryption systems.
2) Back up using plain copy as only decrypted data gets copied! But why do you
want to encrypt in the first place?
3) If you use automatic incremental backup, tough luck!
4) Don't modify ANY password at login prompt. It won't warn you. But ain't
that a security hole to keep the same password?
5) Any feature that says "transparently" or "Advanced" -- just don't bother
using unless you've read everything about it and have done some basic unit
testing.
6) Don't ask too many questions on Microsoft hosted site ;-)
First of all, things like minimum/maximum password age, password
complexity, and password history are all user-configurable through the
Security Configuration Manager. As the OP discovered, MS sets the
default max password age at 42 days.
Second, the OP is correct -- Windows EFS is much too powerful -- and has
far too dire consequences if used carelessly -- to be used by the casual
user. WinXP hides all sorts of things from the user (such as system
files), prevents you from deleting critical system files, but too easily
lets you irrecoverably encrypt data without forcing proper precautions.
And, MS has recognized that the situation that has befallen the OP is
a bug to be fixed. See KB890591 below. So, yes, the OP was justified
in criticizing MS.
Here are a few links that may -- or may not, at this point -- help the
OP (probably not, because the solution to this Microsoft-recognized
problem is to change the password back to what it was at the time the
files were encrypted; how many of the sarcastic responders to this post
remember their last n passwords?).
These KB articles should be read before anyone decides that using WinXP
file encryption is something that they want to do.
"Best practices for the Encrypting File System"
http://support.microsoft.com/kb/223316/en-us
"You cannot access EFS files after you change the user password to a new
password on a Windows XP Service Pack 2-based computer"
http://support.microsoft.com/kb/890951/en-us
"EFS, Credentials, and Private Keys from Certificates Are Unavailable
After a Password Is Reset"
http://support.microsoft.com/kb/290260/en-us
"User cannot gain access to certificate functionality after password
change or when using a roaming profile"
http://support.microsoft.com/kb/331333/en-us