EFS: What am I doing wrong?

[EFS-wannabe]

OK, here is what I want to do: I want to encrypt some files I have on my
notebook so that if someone steals it from me, he would not be able to
read the files. At the same time I want to backup the encrypted files on
a disc so that if I lose the notebook I would be able to restore the
encrypted files on my main desktop computer. Both the notebook and
desktop have Windows XP Pro installed. The system key is enabled on
both, but currently is stored in the registry. I plan to change this to
the second syskey option and make it load from a floppy at startup,
after I make the EFS work.

Here is what I did to test the things:

1. On the notebook, I created a separate folder named EFS on the C:
drive, formatted with NTFS. On the advanced properties page of the EFS
folder I checked the 'Encrypt contents to secure data' checkbox to
enable EFS.

2. With Notepad, I created a text file test.txt with the text "test"
inside, in the EFS folder. Both the EFS folder and the test.txt files
are now displayed in the green color, indicating they are encrypted. I
can open test.txt and see the "test" string inside, no problem. So far
so good.

3. Then I've exported my encryption certificate to a file on a diskette.
To do that, I right-clicked on the encrypted file test.txt, selected
Properties from the shortcut menu, clicked on Advanced, then on Details,
then on Add..., and I saw the list of certificates (actually, there was
just one certificate listed, with my login name). So I clicked on View
Certificate, and then, on the Details page, clicked on Copy to file...
to open the Certificate Export Wizard. I used the wizard to export the
certificate into a file on a floppy, and I did select the "Yes, export
the private key" and "Enable strong encryption" options. That created a
..pfx file on the floppy, so far so good.

4. Now I used the built-in Microsoft backup program to backup the
encrypted test.txt file into a .bkf file, located on another floppy.

As far as the notebook is concerned, I've done all what was required: I
backed up the encrypted file, as well as my certificate with the private
key.

Now I want to restore the encrypted file on the desktop computer:

5. On the desktop computer, I've created its own EFS folder (to enable
EFS) and created a test file in it, to make XP create the EFS key, etc.
Then I've imported the certificate from the .pfx file from the floppy.
Now when I view the certificates through the Control panel, I see two
certificates, both are marked "for EFS", one of them has the same
thumbprint as the one on the notebook, so I guess it has been imported
correctly.

6. Using the same Microsoft Backup program on the desktop computer, I've
restored the test.txt file from the .bkf file on floppy into its own
folder on the C: drive of the desktop computer (formatted with NTFS, of
course). The restored file is now displayed in green color.

All seems to be working well, except that when I open the test.txt file
restored on the desktop computer, I don't see the original text "test".
Instead, it contains some garbage, something like "t¯èk", the same
length, but wrong characters. When I look into the advanced properties
of the restored test.txt file, it lists my user account on the desktop
as the account in the section "Users who can transparently access this
file". When I click on "Add", I see only one certificate listed, the
original one, not the imported one. My guess is that when I was
restoring the file, the backup program decrypted the file with the
imported certificate, and then re-encrypted it with the local
certificate, that existed on the desktop computer before I imported the
certificate from the floppy.

My question is, what did I do wrong? Why the file got corrupted during
the backup/restore process? What should I have done differently?

Thanks for your advice in advance.

EFS-wannabe

 

[Roger Abell [MVP]]

That you do see garbage for the test file on the desktop
shows that you have done the EFS cert/key parts correctly,
although perhaps a little round-about at points (and you have
not mentioned configuring a common data recovery agent).

Are the two machines both XP Pro at the same service level ?
Have you adjusted the encryption algorithms specified to be
used by either system ?

 

[EFS-wannabe]

That you do see garbage for the test file on the desktop
shows that you have done the EFS cert/key parts correctly,
although perhaps a little round-about at points (and you have
not mentioned configuring a common data recovery agent).

Are the two machines both XP Pro at the same service level ?
Have you adjusted the encryption algorithms specified to be
used by either system ?

Thank you for looking into my problem. There is no recovery agent
configured on any of the computers. I did not make any adjustments to
the encryption algorithms, just used whatever XP has by default. The
desktop computer is running XP Pro SP1, the notebook has XP Pro original
(no SP1 applied yet). Also, I've tried to restore the encrypted file
from the backup back to the notebook (where the file was originally
encrypted), into a new folder, and it restored correctly: I could open
the file and see the original text in it, no corruption. Restoring the
files on the other computer did produce a corrupted file.

Do you think the reason could be the difference in handling the
encrypted files between XP original and XP with SP1? If yes, it would be
a bit scary. Suppose I backup the encrypted files now, and ten years
from now would need them. Would I have to go through installing XP Pro
on a spare computer, and then going through the service packs,
installing each one and testing the decryption after each service pack
installation, until I hit on the correct one? (Assuming I can find the
installation discs for the XP Pro and all the service packs ten years
from now ) What if I encrypt some files without applying SP1, then
later some more files with SP1, then some more when the next service
pack arrives, would I need to go back and forth between different
service packs trying to restore my files? I hope not. I would expect
whatever version of Windows would be in use ten years from now to be
able to read the backup file, import the certificate created by the
original XP, and decrypt files without a problem. Or are my expectations
unreasonable? What do you think?

Thanks for your time!

 

[EFS-wannabe]

An update: I've installed SP1 on the computer with the original XP Pro,
so that now both computers have XP Pro SP1, and that fixed the problem:
a file encrypted on one of them can now be decrypted on the other,
without corruption. That's the good news.

The bad news, I'm not sure now that I want to use EFS at all. What if I
install SP2 when it gets released and that will make my encrypted files
unreadable? Or, in that ten years from now scenario, will I be able to
access the files I back up and encrypt now? Somehow I'm not so sure...
OK, as a temporary solution EFS may be of use, I would just need to
remember to decrypt all files before installing a new service pack, and
then re-encrypt them back.

Any other suggestions in this regard?

Thanks!

 

[Andrew DeFaria]

Your discussion on the "scary" issues resulting from the change of
algorithms with the service pack 1 release are worth noting. Perhaps
someone will. I only carry the message that the algorithm was changed
with SP 1 and so there is this interop issue - unless and SP 1 system
is forced to use the old algorithm via reg setting - and this impacts
EFS encrypted file transportability to W2k also.

Seems to me that whenever the algorithm for EFS changes then the version
number of EFS should correspondingly change. Additionally EFS encrypted
files should care with them the version of EFS that encrypted them. Then
when Windows XP SP 12 with fancy new EFS version 47 tries to decrypt a
file that came from Windows XP original with EFS version 3 (say - I
don't know the EFT version numbers if any) then it would use the EFS
version 3 algorithm to decrypt...