Access denied to encrypted files after reinstalling XP Pro

[Guest]

Hi,

I need help. I could not access to my D drive (encrypted data) after
reinstalling XP Pro (in C drive). I did not touched D drive at all. I went
thru some of the posts here and tried the various method suggested i.e.
taking ownership, permission - but to no avail. Kept getting "access denied".
Now I'm sitting here helplessly, staring at all my files trying to figure out
how not to lose them. Can someone help me pls?

Thanks,

Kiko.

 

[Malke]

Hi,

I need help. I could not access to my D drive (encrypted data) after
reinstalling XP Pro (in C drive). I did not touched D drive at all. I went
thru some of the posts here and tried the various method suggested i.e.
taking ownership, permission - but to no avail. Kept getting "access denied".
Now I'm sitting here helplessly, staring at all my files trying to figure out
how not to lose them. Can someone help me pls?

If you really, really encrypted the data using EFS and neglected to back
up your keys, the data is lost. You might contact Elcomsoft to see if
their program can help but I'm not optimistic about it.

http://tinyurl.com/6l6xx - MS information about EFS (Encryption)
http://www.elcomsoft.com/aefsdr.html - Encrypted files retrieval application

http://www3.telus.net/dandemar/encrypt.htm - encryption info
http://www.beginningtoseethelight.org/efsrecovery/ - more encryption info


Malke

 

[Patrick Keenan]

Hi,

I need help. I could not access to my D drive (encrypted data) after
reinstalling XP Pro (in C drive). I did not touched D drive at all. I went
thru some of the posts here and tried the various method suggested i.e.
taking ownership, permission - but to no avail. Kept getting "access
denied".
Now I'm sitting here helplessly, staring at all my files trying to figure
out
how not to lose them. Can someone help me pls?

Thanks,

Kiko.

The encryption scheme in XP is tied to your account credentials, not to the
data or XP permissions. These credentials are more than the username and
password.

The last step of encryption, unfortunately neglected by many, is backing up
the account credentials.

Following a reinstall, or any of the events that damage or alter the account
credentials (such as changing the password from outside the account), the
credentials are simply re-imported, and then you can take ownership of the
files and decrypt them.

If you did not perform this last step, or cannot find the backup floppies,
or they have failed, there is no happy ending here. The data can be
considered permanently inaccessible.

Microsoft did a really good job at making strong encryption easily
accessible, but didn't do quite as good a job at making clear what the
implications of all the steps are.

-pk

 

[Guest]

I was able to decrypt the folder. Is this a good thing? Also if I have the
key how do I use it?

 

[Patrick Keenan]

I was able to decrypt the folder.

I'll note that gaining access through taking ownership is not the same as
decryption. You may have set the files to private, which is *not at all*
the same as encrypting them.

Is this a good thing?

If you needed the data, decrypting it or gaining access is definitely a good
thing. You're done.

Be sure that you do have tested backups of the account credentials if you
are using encryption. You may also wish to make safety copies of backups
without encryption, stored in a very secure location (for example a bank
safety deposit box).

A copy of the exported credentials should also be stored in a secure offsite
location. If they were exported to floppy, you might want to use one of
the floppy imaging programs available and burn that image to CD, to guard
against the degradation of floppies.

Also if I have the
key how do I use it?

The key is the exported account credentials, which you have obviously now
imported if you had actually invoked encryption; this means you know how to
use it.

It sounds like you may have set them to private rather than actually
encrypting them with EFS.

Again, setting the files to private *does not encrypt them*. The contents
of the files are available to anyone with a smattering of knowledge and
access to your PC for half an hour.

If you do really need the encryption, and there are indeed circumstances
where it is highly appropriate, be sure that you fully understand how the
encryption utilities work and how you can be sure that you can recover the
files should the system be damaged in any way.

"Best practices for the Encrypting File System"

http://support.microsoft.com/kb/223316/EN-US/



HTH
-pk

 

[Guest]

The key is the exported account credentials, which you have obviously now

imported if you had actually invoked encryption; this means you know how to
use it.

I was able to decrypt the folder but not the files in it. :-(
How do I use the key?

Which media is a better back up? USB thumb drive or CD?

If those data are really gone, I guess I will have to reinstall again. They
are taking too much space (50GB). What should I take note of if I want to
encrypt my data?

Thanks again for your help. =)

 

[Patrick Keenan]

I was able to decrypt the folder but not the files in it. :-(
How do I use the key?

You have to first have the key - which is the exported credentials (or
"certificates"). You can't get these after a reinstall; they died with the
original account. If you don't have it now, you can't get it back.

To import the certificates, go to start, run, type "certmgr.msc ". Go to
Action, All Tasks, Import.

Then you should be able to access the encrypted files.

Which media is a better back up? USB thumb drive or CD?

USB drives are known to fail suddenly (I have half a dozen failed ones in my
desk drawer). So, while they are very useful, they are for data transport
and not for storage of critical data.

Use CDs and DVDs for longer-term storage. Make more than one copy and don't
keep them all in the same place.

Many people use a set of five DVDs, marked with days of the week, and swap
them daily for daily backups.

Regularly make an extra copy and store them offsite. This is important to
account for recovery from things like fires.

If those data are really gone, I guess I will have to reinstall again.

Reinstalling will not change this in any way.

They
are taking too much space (50GB). What should I take note of if I want to
encrypt my data?

You must be sure that you fully understand and take all the steps so that
the data is both protected and recoverable. And *test* the backups on
another system or account to be sure that you can in fact regain access to
the encrypted data before relying on them, and until you are satisfied that
the data is recoverable, keep an unencrypted copy.

Again, to test, use an account or system that can't decrypt the data.
Import the certificates and verify that you can then decrypt the data.

Be sure to store a tested copy of the certificates at another secure site.

HTH
-pk

 

[Guest]

The last step of encryption, unfortunately neglected by many, is backing up

the account credentials.

Following a reinstall, or any of the events that damage or alter the account
credentials (such as changing the password from outside the account), the
credentials are simply re-imported, and then you can take ownership of the
files and decrypt them.

May I know how exactly do I do that?

 

[John Wunderlich]

May I know how exactly do I do that?

It's documented here, near the bottom:

"Best practices for the Encrypting File System"
<http://support.microsoft.com/kb/223316/en-us>

Importing is just the opposite of exporting.

HTH,
John

 

[Guest]

Thanks a lot, John.