EFS Basics (I don't get it)



I need some help understanding how to use EFS. Maybe I'm just stupid
but I've not been able to grasp how this works and especially to simply
get it to work as I want.

I've read over and over again that I can encrypt files on one PC and use
them on another one, as long as I "import" the "key". BTW, I'm lost
on this public/private/key/certificate stuff. I have read the help
files and numerous other material and the more I read the more confused
I get.

Ultimately I want to encrypt files on my Vista Ultimate laptop and back
them up then have the capability to restore them to another PC (XP Pro
or Vista ULT) and get access to them if necessary. I would like to
protect my data from prying eyes in case the PC is stolen. (BitLocker
isn't an option since my PC has no TPM chip and I'm not willing to
keep up with a thumbdrive just to get into my PC and especially don't
want to depend on myself not losing that thumbdrive.)

I'm a home user. I have no Active Directory Domain nor do I want one.
I'm also not at all interested in reading some in-depth multi-chapter
whitepaper that's tailored to the corporate security chief.

What I need are straight-up answers to simple questions that I can't
find ANYWHERE on any Microsoft document that I've been able to locate.

I want to be able to ensure I can open my encrypted files on another PC
in case my laptop is stolen and I need to restore these encrypted files
from a backup to another computer. Yes I am fully aware that Vista's
file backup doesn't even attempt to backup encrypted files so I'm
testing with some backup programs that do. (Thanks a lot, Microsoft!)

As a test I've tried this:

I create a folder on a thumbdrive and copy a few files to it and then
encrypt the folder and contents. Fine, works well.

I export my certificate/key/whatever to a file. (Is it a key or a
certificate? I see the terms used interchangeably and THAT makes this
whole thing unnecessarily hard to understand.)

I go to another PC and import this thing that I've exported.

I pull the thumbdrive from PC1 and insert it into PC2 and try to read the
encrypted files: "Access denied".

I try to remove the encryption and get "you will need to provide
administrator permission to change these attributes". I am an
administrator, so how do I do this?

I've even created a recovery agent and exported that certificate and
imported it onto PC2.. no luck.

No matter what I try I am unable to open or decrypt any files on PC2
that were encrypted on PC1. This is supposed to be possible from what
I've read yet no one can demonstrate how it works.

What am I doing wrong or what am I missing? Is this even possible?
This really needs to be easier, or rather better documented.

Any help would be much appreciated



Kerry Brown

EFS works but it is not really designed to do what you want. It can be made
to do this but as you have found out it is better suited to a domain
environment. I recommend you look for a 3rd party application to do what you


Thanks Kerry for the response. I was afraid that would be the answer.
I'm not opposed to using a 3rd party solution but I know of none.

What I can't understand is why this doesn't work as it's documented.
Why can't I open or decrypt these files EVEN AFTER importing the key
that was used to encrypt them? I've followed instructions step-by-step
from Microsoft and other sources with the same results. The
documentation states it can be done and I would like to know how. At the
very least the Recovery Agent should be able to do this.. But it can't.

I'm not illiterate with regard to IT Administration, Active Directory,
etc. I manage IT infrastructures for 3 small businesses and have 10
years' experience with supporting corporate IT environments, so as you can
imagine this is particularly frustrating for me to not be able to get this
to work. The documentation says it can be done and yet I've not seen a
single example of how to restore encrypted files to an alternate PC. Is
it even possible?

What's missing from my test? Can you enlighten me a bit more so I can
learn this stuff and why it isn't working, instead of just saying that
it's not suitable for me?

Can you list 2-3 3rd party products that I can research?


Kerry Brown

I have done it with XP to XP. It was very cumbersome to set up and I was
afraid that sooner or later data would be lost. I decided I didn't really
need encryption. With Vista you have the added problem of making sure the
certificate gets into the right store. When importing the certificate you
have to run certmgr.msc using Run as administrator and make sure the
certificate gets into the right physical location.

Make sure you are logged in as the user who will need to decrypt the files.
They will need to be in the local administrators group at this point.
In Start Search type "certmgr.msc"
Right click on it at the top of the list and pick Run as administrator.
From the View menu pick Options
Put a Check beside Physical certificate stores.

I'm guessing which store to put it in. This next part could be wrong.

Expand Personal => Registry => Certificates
Right click on Certificates and pick Import.
Browse to the certificate and import it.

That user should now be able to decrypt the files. If that doesn't work then
I've got the store location wrong.

You should be able to remove the user from the local administrators group
now if you want to. The reason they need to be there when importing is so
certmgr.msc runs in the right context. If they are a standard user and you
pick Run as administrator the cert will get imported into the user profile
that you specify at the UAC prompt. Let me know if this works as I haven't
tested it.



Chemical X

Jake & Kerry Brown:
I have also done it with XP to XP, creating a Data Recovery Agent (with
administrative privileges) on a stand-alone PC, and importing the certificate
+ key. It required so much new learning (MMC use, certificate exportation,
importation, & stores, and DRA creation) that it can hardly be recommended to
most end users. However, I felt challenged by it, for better or worse, and
persisted. I have two suggestions. First, the DRA needs to take ownership
of the file to be decrypted. Second, if during the exportation process the
security of the certificate + key was set too high, the DRA will silently
fail to access the key. This occurs without an error message and despite
previous notification that importation of the certificate + key was
successful. In my case, I set the certificate + key to "Prompt for password"
but the DRA never prompted. That was fixed by deleting that certificate and
importing a new one with the lowest level of security.
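The two posts above each describe one failure mode: Kerry's is the certificate landing in the wrong store (an elevated certmgr.msc imports into the profile of the account you elevate as, not the logged-on user), and Chemical X's is a key exported with strong private key protection that never prompts. The script below is an added example, written for this page and not posted by anyone in the thread. It does the PC1-to-PC2 move with the command-line tools that ship with Vista (cipher.exe and certutil.exe) instead of the MMC, and checks the thumbprint that cipher /c reports for a file against the private keys actually present in the logged-on user's store, so a wrong-store import shows up as a clear warning instead of a bare "Access denied". Drive letters, folder, file name and the .pfx password are placeholders; it assumes certutil -exportPFX / -importPFX and cipher /c are available on both machines (built into Vista; on XP certutil.exe is not installed by default) and that cipher /c lists the owner certificate before any recovery certificates.

```powershell
# Added example, not code from the thread. Move EFS-encrypted files between
# two stand-alone (non-domain) PCs using cipher.exe and certutil.exe.
# Placeholders: the folder, file, and password below are assumptions.
$Secret  = 'E:\Secret'                 # encrypted folder on the thumbdrive
$Sample  = Join-Path $Secret 'doc.txt' # one encrypted file to test against
$PfxPath = 'E:\efs-backup.pfx'         # must hold the PRIVATE key; a .cer alone cannot decrypt
$PfxPass = 'replace-with-a-real-passphrase'

# EFS only exists on NTFS; a FAT-formatted thumbdrive cannot carry encrypted files.
function Test-NtfsVolume {
    param([string]$Path)
    $root  = [System.IO.Path]::GetPathRoot($Path)
    $drive = New-Object System.IO.DriveInfo -ArgumentList $root
    return ($drive.DriveFormat -eq 'NTFS')
}

# Parse 'cipher /c <file>' for every certificate thumbprint that can decrypt it
# (the owner's certificate first, then any recovery agents). cipher prints the
# hash in groups of four hex digits; normalise to one upper-case string so it
# compares equal to X509Certificate2.Thumbprint from the Cert: drive.
function Get-EfsThumbprint {
    param([string]$Path)
    $found = @()
    foreach ($line in (& cipher.exe /c $Path 2>&1)) {
        if ("$line" -match 'thumbprint:\s*([0-9A-Fa-f ]+)\s*$') {
            $found += ($Matches[1] -replace '\s', '').ToUpper()
        }
    }
    return $found
}

# PC1, run as the user who encrypted the files and NOT elevated: export the
# certificate plus private key from CurrentUser\My (-user). certutil writes
# the .pfx without "strong private key protection", so the import on PC2
# will never wait on a prompt that never appears.
function Export-EfsKey {
    param([string]$Thumbprint, [string]$PfxPath, [string]$Password)
    & certutil.exe -user -p $Password -exportPFX My $Thumbprint $PfxPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil could not export $Thumbprint" }
}

# PC2, logged on as the user who will read the files and NOT elevated: -user
# puts the key into that user's own CurrentUser\My, which is the store EFS
# consults. Importing from an elevated console lands it in the admin's profile.
function Import-EfsKey {
    param([string]$PfxPath, [string]$Password)
    & certutil.exe -user -p $Password -importPFX $PfxPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil could not import $PfxPath" }
}

# Does the logged-on user hold a private key matching any thumbprint the file
# was encrypted to? If not, report which thumbprints are needed, then prove
# access by actually reading the file.
function Test-EfsAccess {
    param([string]$Path)
    $needed = @(Get-EfsThumbprint $Path)
    $mine   = @(Get-ChildItem Cert:\CurrentUser\My |
                Where-Object { $_.HasPrivateKey } |
                ForEach-Object { $_.Thumbprint.ToUpper() })
    $match  = @($needed | Where-Object { $mine -contains $_ })
    if ($match.Count -eq 0) {
        Write-Warning ("No private key in CurrentUser\My matches {0}; it needs one of: {1}" -f $Path, ($needed -join ', '))
        Write-Warning 'If you imported through an elevated certmgr.msc, the key is in the elevated account''s store, not yours.'
        return $false
    }
    Get-Content -LiteralPath $Path -TotalCount 1 | Out-Null   # throws if EFS still refuses
    return $true
}

# --- PC1 ---
if (-not (Test-NtfsVolume $Secret)) { throw "EFS needs an NTFS volume: $Secret" }
& cipher.exe /e /s:$Secret | Out-Null                  # encrypt folder + contents
$owner = @(Get-EfsThumbprint $Sample)[0]               # assumption: owner listed first
Export-EfsKey -Thumbprint $owner -PfxPath $PfxPath -Password $PfxPass

# --- PC2 ---
Import-EfsKey -PfxPath $PfxPath -Password $PfxPass
Test-EfsAccess $Sample                                 # $true once the right key is in place
```

Run the PC1 half and the PC2 half in separate, non-elevated sessions belonging to the respective users; the only elevation EFS ever needs here is none. If Test-EfsAccess warns that no matching key is present, the thumbprint it prints is what to look for in certmgr.msc (Personal > Certificates, as the user, not as administrator) before trying to decrypt again.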
