EFS Certificates and Keys when Changing Password

Guest

What happens to my encryption certificate/key when I change my password in XP SP1? (Assume that I am changing it by typing in my old password and entering a new one so as to preserve EFS access to previously encrypted files. Also assume that I am on a workstation that is NOT part of a domain.)

For instance, is a second encryption certificate/key created for future encryption/decryption of files in addition to the original certificate/key that was created to encrypt/decrypt my files before my password change? If this is the case, wouldn't I be best off just unencrypting all my files BEFORE I change my password and exporting a copy of only my new certificate/key for disaster recovery (thereby allowing me to forget about--and even delete--the original certificate/key)?

Or, after changing my password do I still end up with one certificate/key, with the original encryption certificate updated somehow to allow it to deal with old and new encryptions/decryptions? If this is the case, after changing my password must I re-export a copy of the certificate/key in order to be able to recover from a disaster? And, if this is the case, is there any reason to keep a copy of the original certificate/key?

Thanks.
 
Roger Abell

Changing your password (or resetting it without old password)
does not affect the EFS certificate and/or key.
This only changes how/whether you can get your certificate/key
out of the form of storage used to keep it secured.
The certificate/key remains unchanged, and so thus do encrypted
files.
--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
 
Guest

> This only changes how/whether you can get your certificate/key out of the form of storage used to keep it secured.

Excuse my ignorance, but I'm not sure what the above statement means.

Here's what I want to know for sure. Let's say I encrypted a bunch of data files. Then I exported the certificate/key pfx file to a floppy disk. Then I changed my password. Then I encrypted more data files. Then my Windows XP installation became unusable. Could I then reinstall a fresh copy of Windows XP, import the original certificate/key pfx file from the floppy, and be able to decrypt ALL the data files, or just the ones created before the password change, or none of the data files? If the answer is "some" or "none" of the data files, then should I do another save of the certificate/key pfx file to a floppy disk after I make the password change? And, if so, would this new copy of the pfx file decrypt only the post-password-change data files (in which case I would keep both the old and new pfx files on a floppy) or would it decrypt all of the data files (in which case I'd keep only the newer pfx file on a floppy)?

Thanks again.
 
Roger Abell

Thanks for adding the DPapi ref Drew, and, I might add that
I for one am glad that, by design, DPapi "has problems with
password resets"

--
Roger

Drew Cooper said:
Just want to add this in case anyone is interested . . .

DPAPI is the mechanism that protects EFS private keys when they are in a
user's profile (not exported into a .pfx). It's DPAPI that has problems
with password resets. It doesn't have any trouble with password change,
though. Here's a link to the DPAPI whitepaper:
http://msdn.microsoft.com/library/d...-us/dnsecure/html/windataprotection-dpapi.asp
--
Drew Cooper [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.


 
Roger Abell

What that meant is that changing the password of the account only
changes the info needed to get the account's key out of the storage
that is secured with DPapi.

For your specific question, let us assume that when you have said
"change" the password you do not mean administratively reset the
password, but rather changing it by providing the old and new.
For this type of change, DPapi uses the old to make it so that the new
can be used to get at the stored key in the future. The key is not changed.
If the password is however reset, then access fails, and it is possible in
this case that the system will upon an encryption attempt generate a new
cert/key pair for the account. The user of the account should notice that
they have lost access to earlier EFS encrypted data, but that they are now
encrypting and decrypting files (they just cannot access the older ones).

If one always changes the password, even if an admin account when the
reset option is available, and if the user of the account keeps an up to date
password recovery disk there should not be an issue. If Windows XP does
need to be reinstalled, once it is at the same service level as the prior system,
the cert/key from the pfx can be imported and the EFS encrypted files should
be accessible. One word of caution however is effects from how the files
have been moved around, as some third-party tools will not handle EFS files
correctly. NTbackup.exe is a recommended way to manage the movement of
EFS encrypted files, such as when you are getting ready for the new install.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
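Drew's note that DPAPI protects the profile copy of the EFS private key, and Roger's explanation of why a password change keeps that key while a reset loses it, can be checked against a small model. This is an added Python illustration, not DPAPI's or Windows' code: a password-derived wrapping key (PBKDF2 with a toy XOR stream and an HMAC tag) stands in for DPAPI, a random 32-byte secret stands in for the EFS private key, and every password and name in it is constructed.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # PBKDF2 work factor for this model


def _wrap_key(password: str, salt: bytes) -> bytes:
    # Key-wrapping key derived from the account password (stand-in for DPAPI's credential-derived key).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, 32)


def _stream(wrap_key: bytes) -> bytes:
    # 32-byte keystream; acceptable here only because every protect() call uses a fresh salt.
    return hashlib.sha256(wrap_key + b"keystream").digest()


def protect(secret: bytes, password: str) -> dict:
    # Wrap a 32-byte secret under the password; the HMAC tag lets unprotect() detect a wrong password.
    salt = secrets.token_bytes(16)
    wk = _wrap_key(password, salt)
    ct = bytes(a ^ b for a, b in zip(secret, _stream(wk)))
    tag = hmac.new(wk, salt + ct, "sha256").digest()
    return {"salt": salt, "ct": ct, "tag": tag}


def unprotect(blob: dict, password: str):
    # Returns the secret, or None when this password cannot open the blob.
    wk = _wrap_key(password, blob["salt"])
    expected = hmac.new(wk, blob["salt"] + blob["ct"], "sha256").digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(blob["ct"], _stream(wk)))


def change_password(blob: dict, old: str, new: str) -> dict:
    # Password change (old and new supplied): unwrap with old, re-wrap the SAME key under new.
    key = unprotect(blob, old)
    if key is None:
        raise ValueError("old password does not open the key store")
    return protect(key, new)


def scenario() -> dict:
    efs_key = secrets.token_bytes(32)      # stands in for the EFS private key
    profile = protect(efs_key, "old-pw")    # DPAPI-protected copy in the user profile
    pfx = protect(efs_key, "pfx-pw")        # exported .pfx, protected by its own password
    changed = change_password(profile, "old-pw", "new-pw")
    # Administrative reset: nobody supplied "old-pw", so the stored blob cannot be re-wrapped.
    return {
        "same_key_after_change": unprotect(changed, "new-pw") == efs_key,
        "pfx_still_opens_same_key": unprotect(pfx, "pfx-pw") == efs_key,
        "store_unreadable_after_reset": unprotect(profile, "reset-pw") is None,
    }
```

Because the key itself never changes on a password change, the .pfx exported before the change opens the same key that encrypted the files created afterwards, which is the thread's eventual "Yes".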
 
Guest

Thanks for your patience with me, but I'm still not 100 percent clear on this, and I don't want to make changes until I'm 100 percent clear. If possible, a yes or no answer to my question below would hopefully get me clear.

If the following occurs:
I encrypt a bunch of data files. Then I export the certificate/key pfx file to a floppy disk. Then I change my password (by providing the old and new password, not with an admin reset). Then I encrypt more data files. Then my Windows XP installation becomes unusable. Then I reinstall a fresh copy of Windows XP.

Assuming I never created a Password Recovery Disk, then:
Can I decrypt ALL the data files I created (pre-password-change as well as post-password-change) by importing the original certificate/key pfx file from my floppy into the fresh installation of Windows XP?
 
Drew Cooper [MSFT]

Yes.
That's what we recommend and why we recommend it, in fact.

Sorry to blind you with all the gory details earlier.
--
Drew Cooper [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.


 
Drew Cooper [MSFT]

Agreed! I don't want DPAPI to unlock old keys when a password has been
reset either.
--
Drew Cooper [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.


 
Roger Abell

Yes, provided that the reinstalled XP system is brought to the
same service pack level as the old XP system.

--
Roger
 