Encryption

Richard

Hi

I encrypted a folder and copied it to another computer. Then I exported the
cert/key to the other computer. On that computer, I imported the cert/key
into the personal and trusted store for certificates. I am not able to read
the file in the folder.

I checked the serial # and thumbprint of both certs and they tally.

How do I overcome this issue?

Many thanks in advance
Richard
 
Roger Abell [MVP]

What operating systems are involved?
How was the copy done?
When the EFS private key was imported into the account's
personal store, did you allow it to be used without prompting?
 
Richard

Hi Roger

Many thanks for taking time to reply.
How was the copy done?
Using ntbackup.exe; xcopy could not be performed.
When the EFS private key was imported into the account's
personal store, did you allow it to be used without prompting?
yes and no, I tried both ways. (not sure if I understood your question :))

Richard
 
Richard

Sorry missed a question.

Both are using Win2000 Pro. I copied the file over VPN using
ntbackup.exe.

Richard
 
Roger Abell [MVP]

Copy via ntbackup is good; W2k to W2k is good (note that
XP and W2k do not share a common algorithm unless you
take steps to degrade the XP).
The private key import for W2k I do not clearly recall at
this time. With XP one is presented with a choice to have
all accesses for use of the private key to need to prompt,
and that will not work - one has to import so that the key
can be used without user confirmation.
As you have transferred the files in valid fashion between
same OS machines, and assuming NTFS permissions are
not in the way (denial/failure message appears the same),
and you have examined the thumbprints such as with the
efsutil tool, things should be working if the private key
import was done correctly.
 
Richard

Hi Roger

I will try and import the key again and check the outcome.

Many thanks again
Richard
 
Richard

Hi Roger

I tried all options when importing the key (without password) and still
can't open the folder.

What can be wrong?

Richard
 
Roger Abell [MVP]

Richard said:
Hi Roger

I tried all options when importing the key (without password) and still
can't open the folder.

You mean can't open the file, right?
What can be wrong?

Good question, and from here I do not know.
Are you picking up on any failures in the system or application logs?
(Long shot, but group policy can disable EFS use. I doubt that is
the case for your copied-to machine, but then that would break things.)

Roger
 
Roger Abell [MVP]

On the copied-to machine, can you encrypt and decrypt?
Can you move an encrypted file the other way, from the
copied-to to the copied-from of prior trial?

Roger
 
Richard

I can encrypt and decrypt on the copied-to machine. I will try the reverse
way and see what happens.

Richard
 
Richard

Hi Roger

Would it make a difference if I can't even open the folder? It's the folder
that's encrypted, and the file inside.

Richard
 
Richard

Hi Roger

If I encrypt a folder on the copied-to machine, it will use the user
(administrator) cert to encrypt and not the cert that was imported, right?
So, after I encrypt the folder, I backup the folder to copied-from machine
and export the key(administrator-copied-to machine) to copied-from machine
and try to open the folder?

Richard
 
Richard

Hi Roger

I encrypted a folder with a file in the copied-to machine. Then I backed up using
ntbackup to the copied-from machine.

Then I restored the folder to the copied-from machine and I am not allowed to
view the file, even from the copied-to machine.

This is really making me scratch my head :)

Richard
 
Roger Abell [MVP]

Folders are not encrypted. Files are encrypted.
There is a setting on folders, but it really only says that
when new files are stored there they should be encrypted.
If you are having a problem with a folder, check its NTFS
permissions.

Roger
 
Roger Abell [MVP]

When you restore the backup, by default it will attempt to
set the permissions as they existed on the source folder.
If these are only grants to non-builtin groups, then none of
them would be recognized on the machine where restored.

We need to make sure NTFS permissions are not in the way,
as the access denied message from lack of NTFS grant is the
same as is used for failures to decrypt.
And, we need to shift to speaking for files, not folders, as
per other recent reply post.

Roger
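Roger's two points above (the folder attribute only marks new files for encryption, and an access-denied from a missing NTFS grant looks identical to a failed decrypt) can be separated with a small diagnostic. The following PowerShell is an added example, not something posted in the thread, and it assumes a current Windows host with PowerShell 5.1 or later and cipher.exe; the `/c` switch of cipher.exe, which lists the certificates able to decrypt a file, did not exist on Windows 2000. The paths under `C:\Restored\` are placeholders.

```powershell
# Added diagnostic, not from the thread. Assumes a modern Windows host with
# PowerShell 5.1+ and cipher.exe (its /c switch is not on Windows 2000).
function Get-EfsPathReport {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $item = Get-Item -LiteralPath $Path -Force -ErrorAction Stop

    if ($item.PSIsContainer) {
        # A folder's Encrypted attribute is only an inheritance flag: new files
        # created inside are encrypted; the folder itself holds no ciphertext.
        $kind = 'Folder (attribute only marks new files for encryption)'
    } else {
        $kind = 'File'
    }
    $encrypted = [bool]($item.Attributes -band [IO.FileAttributes]::Encrypted)

    # NTFS grants: after a restore from another machine, ACEs that name groups
    # unknown here show up as unresolved S-1-5-21-... SID strings, which is
    # exactly the "permissions in the way" case Roger describes.
    $acl = Get-Acl -LiteralPath $Path
    $grants = $acl.Access | ForEach-Object {
        [pscustomobject]@{
            Identity  = $_.IdentityReference.Value
            Rights    = $_.FileSystemRights
            Type      = $_.AccessControlType
            Inherited = $_.IsInherited
        }
    }
    $unresolved = @($grants | Where-Object { $_.Identity -like 'S-1-5-21-*' })

    # cipher /c prints the thumbprints held in the file's DDF/DRF, i.e. which
    # certificates can actually decrypt it. Only meaningful for encrypted files.
    $cipherOut = $null
    if ($encrypted -and -not $item.PSIsContainer) {
        $cipherOut = & cipher.exe /c $Path 2>&1 | Out-String
    }

    [pscustomobject]@{
        Path           = $item.FullName
        Kind           = $kind
        EncryptedFlag  = $encrypted
        Owner          = $acl.Owner
        Grants         = $grants
        UnresolvedSids = $unresolved.Count
        DecryptorCerts = $cipherOut
    }
}

# Usage: run against the restored folder and then a file inside it.
Get-EfsPathReport -Path 'C:\Restored\Secret' | Format-List
Get-EfsPathReport -Path 'C:\Restored\Secret\report.doc' | Format-List
```

Reading the two reports side by side tells you which failure you have: a non-zero `UnresolvedSids` count or a grant list without the current account points at NTFS, while a file whose `DecryptorCerts` output does not list the imported certificate's thumbprint will fail to decrypt no matter how the key was imported.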
 
Roger Abell [MVP]

Richard said:
Hi Roger

If I encrypt a folder on the copied-to machine, it will use the user
(administrator) cert to encrypt and not the cert that was imported, right?
So, after I encrypt the folder, I backup the folder to copied-from machine
and export the key(administrator-copied-to machine) to copied-from machine
and try to open the folder?

I was assuming you would do that test with the account which
had the cert/key imported, so the same EFS encryption would
be in play, just with reversed file movement.
 
Richard

The same account has two certs certified for encryption, one for the user
and one imported. Which will it use?
 
Richard

Roger

The file permission is set to everyone. I wasn't able to view the file at
first but after importing the key from the copied-to machine, I was able to
read it.

How come we can do it this way, but not otherwise?

Scratching head.. ;)
Richard
 
Roger Abell [MVP]

Richard said:
The same account has two certs certified for encryption, one for the user
and one imported. Which will it use?

General rules of the universe would say "the wrong one".
I have never had good, predictable results with an account that had
more than one in its private cert/key store.
 
Brian Komar

EFS will use the one referenced in the registry by its thumbprint.
I am on the road this week and cannot look it up, but a registry entry
contains the thumbprint of the active certificate.
Typically, it is the one that was there first when you started encrypting.

Brian
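The registry entry Brian refers to can be read and matched against the personal store, which answers Richard's "which will it use?" for a given account. This PowerShell is an added example, not Brian's or the thread's code; it assumes the location EFS uses on Windows XP and later, `HKCU\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys`, value `CertificateHash` (a REG_BINARY SHA-1 thumbprint). The Windows 2000 location is not confirmed here and is treated as an assumption.

```powershell
# Added example, not from the thread. Registry path is the one EFS uses on
# Windows XP and later; it is assumed, not confirmed, for Windows 2000.
function Get-ActiveEfsCertificate {
    $efsEku  = '1.3.6.1.4.1.311.10.3.4'   # Encrypting File System EKU OID
    $keyPath = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\EFS\CurrentKeys'

    # CertificateHash is the SHA-1 thumbprint of the cert EFS currently uses
    # for new encryptions. It is absent until the account first encrypts.
    $active = $null
    $props = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue
    if ($props -and $props.CertificateHash) {
        $active = ($props.CertificateHash | ForEach-Object { $_.ToString('X2') }) -join ''
    }

    # Every cert in the personal store carrying the EFS EKU is a candidate;
    # an imported cert without its private key cannot decrypt anything.
    $candidates = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.EnhancedKeyUsageList.ObjectId -contains $efsEku
    } | ForEach-Object {
        [pscustomobject]@{
            Thumbprint    = $_.Thumbprint
            Subject       = $_.Subject
            NotAfter      = $_.NotAfter
            HasPrivateKey = $_.HasPrivateKey
            IsActive      = ($null -ne $active -and $_.Thumbprint -eq $active)
        }
    }
    $candidates = @($candidates)

    $note = $null
    if ($candidates.Count -gt 1) {
        $note = 'More than one EFS cert in the store: only the active one is used ' +
                'for new files, but any with a private key can decrypt files whose DDF lists it.'
    }

    [pscustomobject]@{
        ActiveThumbprint = $active
        Candidates       = $candidates
        Note             = $note
    }
}

# Usage: show which of the account's EFS certs is active and which have keys.
$report = Get-ActiveEfsCertificate
"Active thumbprint: $($report.ActiveThumbprint)"
$report.Candidates | Format-Table Thumbprint, HasPrivateKey, IsActive, Subject -AutoSize
if ($report.Note) { $report.Note }
```

In Richard's situation the useful outcome is the `HasPrivateKey` column: an imported certificate that shows `False` there was exported without its key, and no amount of re-importing the `.cer` alone will let the account decrypt files encrypted to it.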
 
