XP Pro Encryption [Private Key Export]

Mikal Rabanus

I have successfully encrypted a file with XP Pro. What I'd
like to do however, is to export the certificate / private
key to a floppy so NO users (including the user who
encrypted the file) can access it. When I need access to
the file, I'd then import the certificate / private key. Is
this possible? If so, how do I accomplish this?
 
Roger Abell

In the Certificates mmc console while logged in as
the account that encrypts, you would export the EFS
cert/key and select to have the key removed from the
system as part of the export.
You leave the cert installed so that things may still
be encrypted. Also, if it is also removed then a new
pair will be generated on the next encryption attempt.
Test what you are trying to do _before_ you entrust
anything important to being encrypted this way.
 
Drew Cooper [MSFT]

You won't be able to encrypt with that cert if the private key isn't
present. We check for that.

It may appear that it works the way you describe because we cache a handle
to the private key. Once the profile is unloaded and reloaded (log off and
log on will do that) the handle will become invalid and we won't be able to
pick up the private key again.

An additional (minor) threat is that even when the key is deleted it still
remains on the HD. Even though the file's MFT entry is gone, the data can
be found by anyone who can read the volume directly. This isn't a likely
attack and it would only help someone who knew the user's password, too. To
mitigate against that attack one may run some disk-scrubbing software
("cipher /w") after the profile is unloaded.
 
