** Encryption problem **

[Jethic]

Greetings all,

On my PC I have 2 partition, one for my documents and one for my O/S and
programs. I had to reinstall WinXP last week and I forgot that some of my
files on my other partition were encrypted with the windows encryption
system. Now I cannot open them anymore because the security key was for my
older administrative password. It says I do not have the right to access
them. I cannot take out the encryption either, neither move them in a FAT32
partition(where I though it might take out all NTFS permission), cannot burn
them, cannot convert this partition to FAT32 since there's some encrypted
file in it. But I REALLY NEED THESE FILES!!

Is there a way I can recover them? Or a way to take out the encryption out
of them?

thx

 

[Malke]

Greetings all,

On my PC I have 2 partition, one for my documents and one for my O/S
and programs. I had to reinstall WinXP last week and I forgot that
some of my files on my other partition were encrypted with the windows
encryption system. Now I cannot open them anymore because the security
key was for my older administrative password. It says I do not have
the right to access them. I cannot take out the encryption either,
neither move them in a FAT32 partition(where I though it might take
out all NTFS permission), cannot burn them, cannot convert this
partition to FAT32 since there's some encrypted file in it. But I
REALLY NEED THESE FILES!!

Is there a way I can recover them? Or a way to take out the encryption
out of them?

I'm so sorry to tell you this, but unless you backed up your keys the
files are lost forever. There is nothing you can do to get them back.
There is no way you or anyone else (except possibly someone at the NSA)
can break the encryption. Just delete them and move on. Restore the
files from backups.

Malke

 

[Jupiter Jones [MVP]]

There is a myth that states EFS is no good once the data is moved to
FAT32.
The truth is if that were true, EFS would not be secure.

Your data, however important, is most likely forever gone.

See this link for ways to prevent this in the future
http://www3.telus.net/dandemar/encrypt.htm

 

[*Vanguard*]

Malke said in

... Just delete them and move on. Restore
the files from backups.

Only if the backups were made BEFORE the user applied EFS to the folders and files. If EFS was already applied then the backups will also have the encrypted copies. You can probably restore the files but they will still be encrypted. I once lost about 300MB of files due to EFS for a fresh reinstall when I forgot to export the EFS certificate to a floppy, and restoring them from backups didn't help. They were still encrypted, I still had no copy of the EFS certificate, so the files were still unusable.

You also have to be careful when making disk images and using EFS. If the image program does a logical image by reading the files through the file system then you won't be able to restore those files. Why? Because the image restore will also go through the file system to write the files but you won't have the EFS certificate yet in place. Norton's Ghost, by default, does logical images because it reads the contents of the files. You have to use its /IA command-line switch to force it to read sectors instead (so you never use the file system to get anything from that partition). DriveImage does sector reading (I don't think it could even read through the file system if you wanted it to).

So there are some hazards when using EFS. However, NTFS permissions are something of a bad security joke for regulating who can read files. All you have to do is move the hard drive to a different system or do a parallel install of Windows. The SIDs used under the old instance of Windows won't be defined under the other instance of Windows so they don't get obeyed regarding permissions. How do you enforce a permission for an account that isn't defined within that instance of Windows? Permissions are only enforced under the instance of Windows in which they were defined. So you have to use EFS to protect your sensitive data to prevent someone from simply using a different instance of Windows to get at your files. But be damn sure to export your EFS certificate so you can do a restore later. Not only do I export it to a floppy but I upload it to online storage. In case the floppy gets lost or damaged, I still have the online copy.

 

[Jupiter Jones [MVP]]

I wouldn't call NTFS permissions a "bad security joke".
That is more than adequate for most situations.
You will not be able to use the stunt you suggest on my computer so
NTFS permissions is adequate and works very well.
You need to control access to the computer.
If you lose access to the computer you have violated one of The Ten
Immutable Laws of Security.
This is nothing new, I knew of this almost 30 years ago when I first
really worked with computers.
If more security than NTFS permissions is needed, you should be using
EFS.
Different strengths of security for different jobs.
Both work very well for their intended purpose and neither is a "bad
security joke".

Lastly your own EFS plan seems to have a major weakness.

--
Jupiter Jones [MVP]
http://www3.telus.net/dandemar/


Malke said in

... Just delete them and move on. Restore
the files from backups.

Only if the backups were made BEFORE the user applied EFS to the
folders and files. If EFS was already applied then the backups will
also have the encrypted copies. You can probably restore the files
but they will still be encrypted. I once lost about 300MB of files
due to EFS for a fresh reinstall when I forgot to export the EFS
certificate to a floppy, and restoring them from backups didn't help.
They were still encrypted, I still had no copy of the EFS certificate,
so the files were still unusable.

You also have to be careful when making disk images and using EFS. If
the image program does a logical image by reading the files through
the file system then you won't be able to restore those files. Why?
Because the image restore will also go through the file system to
write the files but you won't have the EFS certificate yet in place.
Norton's Ghost, by default, does logical images because it reads the
contents of the files. You have to use its /IA command-line switch to
force it to read sectors instead (so you never use the file system to
get anything from that partition). DriveImage does sector reading (I
don't think it could even read through the file system if you wanted
it to).

So there are some hazards when using EFS. However, NTFS permissions
are something of a bad security joke for regulating who can read
files. All you have to do is move the hard drive to a different
system or do a parallel install of Windows. The SIDs used under the
old instance of Windows won't be defined under the other instance of
Windows so they don't get obeyed regarding permissions. How do you
enforce a permission for an account that isn't defined within that
instance of Windows? Permissions are only enforced under the instance
of Windows in which they were defined. So you have to use EFS to
protect your sensitive data to prevent someone from simply using a
different instance of Windows to get at your files. But be damn sure
to export your EFS certificate so you can do a restore later. Not
only do I export it to a floppy but I upload it to online storage. In
case the floppy gets lost or damaged, I still have the online copy.

 

[DILIP]

Unless you backed up your private key certificate, the files are just
garbage. EFS uses the certificate associated with the user account and
safely guards these keys, using them whilst decrypting encrypted files.

It is important to understand how EFS works before just using it as a
feature. Open Help and Support and type EFS.

 

[Bruce Chambers]

Greetings --

If the your encryption certificates and keys were not backed up
before the user deletion/creation, and the workstation isn't part of a
domain, those files are gone, for all practical purposes. Encryption
works well and there is no "back door" or hack to access the files.
(Wouldn't be much point to EFS if it were vulnerable.)


Bruce Chambers
--
Help us help you:



You can have peace. Or you can have freedom. Don't ever count on
having both at once. - RAH

 

[NobodyMan]

Greetings all,

On my PC I have 2 partition, one for my documents and one for my O/S and
programs. I had to reinstall WinXP last week and I forgot that some of my
files on my other partition were encrypted with the windows encryption
system. Now I cannot open them anymore because the security key was for my
older administrative password. It says I do not have the right to access
them. I cannot take out the encryption either, neither move them in a FAT32
partition(where I though it might take out all NTFS permission), cannot burn
them, cannot convert this partition to FAT32 since there's some encrypted
file in it. But I REALLY NEED THESE FILES!!

Is there a way I can recover them? Or a way to take out the encryption out
of them?

thx

I have a question: did you actually encrypt the files, or are they
just not accessible because they are under a user account that is now
invalid due to a new SID? Your description is really vague and
misleading. Removing NTFS permissions won't help you decrypt files;
for that you need the correct encryption keys.

This is the danger with lay-people using ecncryption. Why did you
need it in the first place? What "state secrets" were you storing on
your computer?

The average home user has no need (I'm tempted to say no business) to
use encryption.

 

[Alexander Grigoriev]

NO file system is protected against physical breach (unless encryption is
used).

Any known FS that stores plaintext, in any known OS, can be read if put to
another computer.


Malke said in
So there are some hazards when using EFS. However, NTFS permissions are
something of a bad security joke for regulating who can read files. All you
have to do is move the hard drive to a different system or do a parallel
install of Windows. The SIDs used under the old instance of Windows won't
be defined under the other instance of Windows so they don't get obeyed
regarding permissions. How do you enforce a permission for an account that
isn't defined within that instance of Windows? Permissions are only
enforced under the instance of Windows in which they were defined. So you
have to use EFS to protect your sensitive data to prevent someone from
simply using a different instance of Windows to get at your files. But be
damn sure to export your EFS certificate so you can do a restore later. Not
only do I export it to a floppy but I upload it to online storage. In case
the floppy gets lost or damaged, I still have the online copy.