Encryption removal

Richard

I have an Excel file that I encrypted. I wish to remove the encryption.

After encryption of this file, I was required by Dell to reload my OS
(Windows XP SP2) on my home computer due to a problem they could not
otherwise solve. Prior to the reload I had copied the Excel file to an
external drive. After bringing my computer back up, I find I cannot open the
Excel file because "The document may be read-only or encrypted". It's not
read-only, but it was/is encrypted. Since I can't access it, I attempted to
remove the encryption via "Properties, Attributes (Advanced)" and removing
the check mark from "Encrypt contents to secure data". I tried to apply this
but got "An error occurred applying attributes to the file ....... " and
nothing changed.

So in the "Advanced Attributes" dialog box I clicked on details and was
shown "Users Who Can Transparently Access This File" dialog box which
included the User Name "Dick ........" (which is me, the system
administrator). I highlighted "Dick..." and clicked on "Add" and got the
"Certificate" display - under the General tab it indicated "This CA Root certificate is
not to be trusted. To enable trust, install this certificate in the Trusted
Root Certificates Authorities store."

I'm wondering if this may not be the reason why I can't open or change the
encryption of the Excel file. I'm also at a loss as to how to "install this
certificate in the Trusted Root Certificates Authorities store". I've
searched the Microsoft knowledge base but have yet to discover if this might
be the problem or how to do this install.

Can someone help or point me to a place that might help?
 
Carey Frisch [MVP]

If you don't have a backup copy of the original encryption key or a recovery certificate,
you won't be able to access your encrypted files. Reinstalling Windows XP won't work
either since the security ID will be different.

--
Carey Frisch
Microsoft MVP
Windows Desktop Experience -
Windows Vista Enthusiast

Gurney

Another example of why HOME users have no need of encryption. What
state level secrets were you protecting? There are easier ways to hide
the location of your porn.
 
Anthony Buckland

Richard said:
I have an Excel file that I encrypted. I wish to remove the encryption.

After encryption of this file, I was required by Dell to reload my OS
(Windows XP SP2) on my home computer due to a problem they could not
otherwise solve. Prior to the reload I had copied the Excel file to an
external drive. After bringing my computer back up, I find I cannot open
the Excel file because "The document may be read-only or encrypted". It's not
read-only, but it was/is encrypted. Since I can't access it, I attempted
to remove the encryption via "Properties, Attributes (Advanced)" and removing
the check mark from "Encrypt contents to secure data". I tried to apply
this but got "An error occurred applying attributes to the file ....... " and
nothing changed.
...

A little more is required than removing the "encrypted" property.
What _is_ required is actually decrypting the encrypted information.
Your approach is certainly original though. Think of how WWII could
have been shortened if only we could have taken encrypted Japanese
and German transmissions and have removed the property of being
encrypted from them. :)

1) Find the password.

2) Find the encryption method.

3) Run 2) in reverse using 1).

4) Lacking both 1) _and_ 2), go find a corner and weep in it.
 
Richard

Carey

I think what you're telling me is that I lost the original encryption key
when I reloaded the OS. Is that correct?

Since I did a full backup of my Hard Drive to an External Drive prior to the
reload, is it possible I still have a copy of the needed (original) encryption
key on my external drive?

Richard
 
John Wunderlich

Richard said:
Carey

I think what you're telling me is that I lost the original
encryption key when I reloaded the OS. Is that correct?

Yes.

Richard said:
Since I did a full backup of my Hard Drive to an External Drive
prior to the reload, is it possible I still have a copy of the needed
(original) encryption key on my external drive?

Richard

It depends on what a "full backup" is. If you can completely restore
your old operating system from this backup, then boot from it and login
using your old login and password, then maybe you can recover it.
Usually this is only possible with an "image"-style backup.

Good Luck,
John
 
Richard

I said "backup" but in reality I did a drag and drop copy of all the various
directories. I don't believe this is considered an image style backup but
please correct me if I'm wrong.
 
Gurney

Richard said:
I said "backup" but in reality I did a drag and drop copy of all the various
directories. I don't believe this is considered an image style backup but
please correct me if I'm wrong.

No it's not. You're hosed. See why encryption isn't a good idea to
protect your porn?

By the way, replies go down HERE.
 
Anthony Buckland

Gurney said:
...
No it's not. You're hosed. See why encryption isn't a good idea to
protect your porn?

By the way, replies go down HERE.

Give Richard a break, it could have been the family investment
records. But in any case, encryption is a very useful but, in
careless hands, very dangerous tool for hiding things. I'd
recommend two steps: before encryption, make a backup
copy of the private data, and _hide_it_really_well_. The bottom
of the underwear drawer is not "really well". Protected with
nested wrappings and buried when no-one is
looking in a place not easily guessed at is pretty much
"really well". Tucked into an unlikely place in the
construction of a really trustworthy friend's house, likewise.
Step two, encrypt, and _do_not_lose_or_reveal_the_key_,
then do a true image backup as part of your regular backup
procedures. An image is an absolutely total copy of your
hard disk partition, and when you use it to restore, everything
without exception in the partition is restored to its state
when you did the backup, bit by damned bit, and all changes
since the backup, also without any exception, are lost.
 
Patrick Keenan

Anthony Buckland said:
A little more is required than removing the "encrypted" property.
What _is_ required is actually decrypting the encrypted information.
Your approach is certainly original though. Think of how WWII could
have been shortened if only we could have taken encrypted Japanese
and German transmissions and have removed the property of being
encrypted from them. :)

1) Find the password.

2) Find the encryption method.

3) Run 2) in reverse using 1).

4) Lacking both 1) _and_ 2), go find a corner and weep in it.

Unfortunately the Windows EFS scheme does not rely on the password. You
have to have the user account in *original running condition*, or backed-up
credentials, or a pre-defined recovery agent to decrypt the files.
Having the password will get you nowhere.

Yes, it seems that the OP has permanently lost access to the encrypted
files.

MS did a really good job at making strong encryption easily available, but
nowhere near as good a job at making sure users had to protect themselves
from its consequences. It should be mandatory to back up the credentials,
at very least, but it isn't.

There's no happy ending to this story, once again.

-pk
 
Patrick Keenan

Richard said:
I said "backup" but in reality I did a drag and drop copy of all the
various directories. I don't believe this is considered an image style backup but
please correct me if I'm wrong.

You are not wrong, this is not an image, and will not help you recover the
files. They are permanently encrypted unless you have the account running
*in original condition*, or backed up the account credentials (this should
not be optional, but is, and is often neglected) and can import them, or if
you designated a recovery agent. Remarkably few people take the last two
steps, as they are optional. The password by itself will not help you.

In the same vein, resetting the password from outside the user account, as
is very often suggested in the case of a lost password, will have exactly
the same effect. Encrypted data will be permanently lost unless the
account credentials were backed up and can be imported, or a recovery agent
specified. You cannot fix it by resetting the password to the original.

So, you have to be very careful with recommendations for using
password-reset disks; if the OS is XP Pro, there's always the possibility of
permanent data loss.

Support staff should realize that XP Pro reinstalls carry this risk, but
sometimes don't consider the implications of the reinstall. To help
close the gap for others, you might consider a careful letter to Dell
explaining that their support scripts lack a key question that can lead to
permanent data loss.

An image, such as is created with Acronis True Image, Ghost, Casper, etc.
would, if restored and running, allow you to regain access to the files.
Even if the image was a little out of date, you could restore the image to
another drive, export the credentials, and then use those exported
credentials on the new install to gain access to the most recent version of
the encrypted files.

It's too late for this, but in cases where there's the possibility of
encryption, it's a good idea to clone the drive, set the original aside,
then work with the clone to see what can be done. You can re-clone as many
times as you need to, and still have the original.

Unfortunately, when people post with questions about encryption, it's a story
without a happy ending.

Sorry there isn't better news.

-pk
 
John Wunderlich

Richard said:
I said "backup" but in reality I did a drag and drop copy of all
the various directories. I don't believe this is considered an
image style backup but please correct me if I'm wrong.

I'm afraid that's not good enough. You've most certainly lost your
data.

Moving forward, consider the freeware "Truecrypt". It creates a
container file that only depends on a passphrase to access the data
and in your situation, you'd have a happy ending.

<http://www.truecrypt.org>

If you wish to continue using EFS, make sure to back up your
certificate. Note that this could pose a threat, as anyone who gains
possession of your backup certificate has access to your data.

HTH,
John
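
The check that would have prevented the loss described in this thread, as an added example that is not part of any poster's message: before a reinstall, list the EFS-encrypted files and export the account's EFS certificate with its private key. The function name `Test-EfsKeyBackup` and the default paths are hypothetical, and it assumes a current Windows with the certificate provider and `Export-PfxCertificate` (not the XP system discussed above).

```powershell
# Added example (not from the thread). Function name and default paths are hypothetical.
function Test-EfsKeyBackup {
    param(
        [string]$ScanRoot  = $env:USERPROFILE,
        [string]$BackupDir = 'E:\efs-keys',          # assumed removable drive
        [Parameter(Mandatory)][securestring]$PfxPassword
    )

    # Files with the NTFS Encrypted attribute: these are what a reinstall strands.
    $files = @(Get-ChildItem -Path $ScanRoot -Recurse -Attributes 'Encrypted+!Directory' `
                   -ErrorAction SilentlyContinue)

    # EFS certificates in this account's store whose private key is still present.
    $efsOid = '1.3.6.1.4.1.311.10.3.4'               # Encrypting File System EKU
    $certs = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $efsOid)
    })

    # Export each certificate with its private key to a password-protected PFX.
    # Anyone holding the PFX and its password can read the files, so keep it offline.
    $exported = @()
    if ($certs.Count -gt 0) {
        New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    }
    foreach ($cert in $certs) {
        $pfx = Join-Path $BackupDir ("efs-{0}.pfx" -f $cert.Thumbprint)
        try {
            Export-PfxCertificate -Cert $cert -FilePath $pfx -Password $PfxPassword `
                -ErrorAction Stop | Out-Null
            $exported += $pfx
        } catch {
            # Typical cause: the key was created as non-exportable.
            Write-Warning "Could not export $($cert.Thumbprint): $($_.Exception.Message)"
        }
    }

    # This does not prove every file was encrypted to an exported certificate;
    # `cipher /c <file>` shows the thumbprint each file actually uses.
    [pscustomobject]@{
        EncryptedFiles = $files.Count
        EfsCertsFound  = $certs.Count
        BackupsWritten = $exported
        KeysBackedUp   = ($files.Count -eq 0) -or ($exported.Count -gt 0)
    }
}

# Usage: run as the account that encrypted the files, before any reinstall.
# Test-EfsKeyBackup -PfxPassword (Read-Host 'PFX password' -AsSecureString)
```

The built-in `cipher /x` command performs the same key backup where these cmdlets are unavailable.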
 
Gurney

Anthony Buckland said:
Give Richard a break, it could have been the family investment
records. But in any case, encryption is a very useful but, in
careless hands, very dangerous tool for hiding things. I'd
recommend two steps: before encryption, make a backup
copy of the private data, and _hide_it_really_well_. The bottom
of the underwear drawer is not "really well". Protected with
nested wrappings and buried when no-one is
looking in a place not easily guessed at is pretty much
"really well". Tucked into an unlikely place in the
construction of a really trustworthy friend's house, likewise.
Step two, encrypt, and _do_not_lose_or_reveal_the_key_,
then do a true image backup as part of your regular backup
procedures. An image is an absolutely total copy of your
hard disk partition, and when you use it to restore, everything
without exception in the partition is restored to its state
when you did the backup, bit by damned bit, and all changes
since the backup, also without any exception, are lost.

I say again: there is nothing on your home computer that could
normally warrant encryption for a couple of reasons:

1. It is too easy for the ordinary user to screw up and lose
everything encrypted, and

2. It's only as strong as the account containing it. Most folks
don't even bother with a password, and as encryption is transparent it
means I can walk up to their machine and access whatever I want.

Don't use it. It's a ticking time bomb.
 
Anthony Buckland

Gurney said:
I say again: there is nothing on your home computer that could
normally warrant encryption for a couple of reasons:

1. It is too easy for the ordinary user to screw up and lose
everything encrypted, and

2. It's only as strong as the account containing it. Most folks
don't even bother with a password, and as encryption is transparent it
means I can walk up to their machine and access whatever I want.

Don't use it. It's a ticking time bomb.

I sort of agree, although I've found it useful for, e.g., sensitive
data carried in a manner vulnerable to theft.

A simple way to protect stuff you don't want seen, though, is
to keep it _only_ on removable media, with a backup copy,
and keep one copy with you and the other in a safety deposit
box to which you do not give anyone else a key. You do,
though, run into the theft vulnerability problem. Alternatively, keep
one copy hidden but handy, and the other in the box. "Hidden"
is a problem unless you can get private unobserved access
to a reasonably unlikely place.

Relationships, reputations, jobs, lives and sometimes battles
(e.g., Midway) have been lost over the issue of hiding data,
and if you can't avoid having secrets (well, that's all of us, if
you include ATM and debit card numbers) you have to give
some thought to the issue.

---------------------------------------------------------

Gurney's remark 2. about transparency is relevant only if
the encryption method is account-dependent. I wouldn't,
for more than one reason, touch such a method with a
three-metre pole.
 