importing DRA certificate into local policy


Jon

I am trying to create a DRA for my standalone workgroup pc (XP Pro on my
home pc). I have created the DRA in the administrator account using the
cipher /r: command. The next step (following along the "Data Protection and
Recovery in Windows XP" article from the MS KB) is apparently to import the
certificate into the local policy. I think this is where I am getting lost.
Could someone please explain the steps to do this?

By way of background, I have encrypted a test folder and exported my
personal certificate. When I attempt to access these files (via a second
install of XP on a different hard drive, but same box) I cannot, but I can
if I import the personal certificate. This is as I would expect. As I
understand it, this will only work while the original user profile is
present, and will not work if, for example, I have to do a data restore into
a new machine. Is this correct?

Do I have to have the DRA all set up before encrypting files from the user
account? I'm guessing that this somehow links with the user certificate when
the file is encrypted, although I am a bit confused as the instructions say to
delete the DRA certificates as soon as you have exported them?

Any help would be much appreciated, as the knowledgebase articles on the
Microsoft site, and the online help, seem incomplete and totally confusing!
 

Roger Abell [MVP]

Hi Jon,
I am inlining some clarifications.
Let me know whether they fix you up.
Roger

Jon said:
> I am trying to create a DRA for my standalone workgroup pc (XP Pro on my
> home pc).

excellent

> I have created the DRA in the administrator account using the
> cipher /r: command.

cipher /r only created a cert/key pair for use to define the DRA
There are then two steps to define the DRA

> The next step (following along the "Data Protection and
> Recovery in Windows XP" article from the MS KB) is apparently to import the
> certificate into the local policy. I think this is where I am getting lost.
> Could someone please explain the steps to do this?

Here you run Local Security Policy
go to Public Key Policies / Encrypting File System
click on this and then right click on it and select to Add a DRA
You will then be guided to let it read in the cert
Note that this enables the DRA info to get stuffed into EFS encrypted
files that are "touched" thereafter.
The DRA will not be able to decrypt anything unless/until you log
in with the DRA account and import the key into its personal
certificates store (using the interface you used to export the EFS
cert/key pair from your own account).

> By way of background, I have encrypted a test folder and exported my
> personal certificate. When I attempt to access these files (via a second
> install of XP on a different hard drive, but same box) I cannot, but I can
> if I import the personal certificate. This is as I would expect.

Good. It is also as it should be.

> As I understand it, this will only work while the original user profile is
> present, and will not work if, for example, I have to do a data restore into
> a new machine. Is this correct?

No. This is incorrect. Once it has been imported into an account that
account will be able to use it, until it is exported and removed, or until
that account's profile is corrupted, or until that account has its
password reset (administratively reset, that is, not a normal change where
old and new passwords have to be provided - which does not cause
breakage of EFS access).

If you have the cert/key and know the password of the pfx you will
be able to make an account capable of accessing the EFS encrypted
files - whether the original account is totally toasted or not, whether the
install of OS is fresh or not (note: there are some issues relative to use of
the same language version and service pack version).

> Do I have to have the DRA all set up before encrypting files from the user
> account? I'm guessing that this somehow links with the user certificate
> when the file is encrypted,

answer already implied. Once in policy you have defined the DRA all EFS
files created or touched after that time are DRA accessible (only
potentially, if the DRA personal cert store does not have the key imported).
Touched means accessed, or touched with the cipher utility.

> although am a bit confused as the instructions say to
> delete the DRA certificates as soon as you have exported them?

You do not want to leave the pfx files laying around.
Anyone that gets a hold on them is on the way to accessing all of
the EFS encrypted data the key in that pfx can decrypt. Yes, they
would need to deal with the password on the pfx, but they are on
the way . . .
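The procedure Roger outlines (cipher /r, the Local Security Policy import, re-keying the files that already exist, importing the key into the recovery account, and disposing of the .pfx), collected into one cmd batch file for XP Pro. This is an added example and not code from the thread or from Microsoft: the base name efs-dra, the working folder, the backup file name and the offline-media path are assumed placeholders, and the two steps that are wizards on XP (adding the agent in secpol.msc, importing the .pfx) are left as pauses with instructions rather than automated. Run it from a cmd prompt in the account that will act as the DRA (the administrator account in Jon's setup).

```batch
@echo off
rem Added example (not from the thread). Assumed placeholders: DRANAME, WORKDIR,
rem the backup name my-efs-key-backup and the offline media path in step 6.
setlocal
set DRANAME=efs-dra
set WORKDIR=%USERPROFILE%\Desktop
cd /d "%WORKDIR%" || exit /b 1

rem 0. Back up this user's own EFS certificate AND private key before anything
rem    else. cipher /x (XP SP2 and later) writes a .pfx; on older builds use the
rem    Certificate Export Wizard in certmgr.msc and tick "export the private key".
rem    A .cer alone holds no private key and cannot decrypt anything.
cipher /x "%WORKDIR%\my-efs-key-backup"

rem 1. Create the recovery agent's certificate (.cer) and key pair (.pfx).
rem    cipher /r prompts for the password that protects the .pfx.
cipher /r:"%DRANAME%"
if not exist "%DRANAME%.cer" (echo cipher /r did not create %DRANAME%.cer & exit /b 1)
if not exist "%DRANAME%.pfx" (echo cipher /r did not create %DRANAME%.pfx & exit /b 1)

rem 2. Define the DRA in local policy (GUI step, machine-wide, needs an admin).
echo   Open secpol.msc, expand Public Key Policies / Encrypting File System,
echo   right-click it, choose Add Data Recovery Agent, browse to
echo   "%WORKDIR%\%DRANAME%.cer", finish the wizard, then press a key here.
pause

rem 3. Files encrypted before step 2 carry no recovery field for the new DRA.
rem    /u /n only reports which encrypted files exist; /u then re-keys each one
rem    so the DRA's public key is written into it ("touched" in Roger's terms).
cipher /u /n
cipher /u

rem 4. Import the DRA key into the recovery account's personal store
rem    (this launches the Certificate Import Wizard on the .pfx; supply the
rem    pfx password). Until this is done the DRA cannot decrypt anything.
start "" "%WORKDIR%\%DRANAME%.pfx"
pause

rem 5. Prove it before trusting it: encrypt a throwaway file here, then log on
rem    as the DRA account and confirm "cipher /d" on this file succeeds.
echo recovery test > "%WORKDIR%\efs-test.txt"
cipher /e "%WORKDIR%\efs-test.txt"

rem 6. Copy the .pfx to offline media (replace the placeholder path), delete it
rem    from the disk only if the copy succeeded, then overwrite the volume's
rem    free space so the deleted file cannot be carved back. Anyone holding the
rem    .pfx is one password away from every file the DRA can read.
copy "%DRANAME%.pfx" "E:\OFFLINE-MEDIA-PLACEHOLDER\" && del "%DRANAME%.pfx"
cipher /w:"%WORKDIR%"
endlocal
```

Step 3 is the part most often missed: adding the agent in policy changes nothing in files that already exist, so without the cipher /u pass the DRA can only open files created or opened afterwards. Step 5 is the check Jon was effectively doing by hand; keep the test file until the DRA account has decrypted it once.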
 

Jon

Hi Roger,

Thanks for these clues - I will play further tonight. Just on the point
below - if I have a copy of the personal certificate I exported from my main
account and by your statement this can be used to access the files even if
my profile goes belly-up, machine is stolen etc, then do I need to bother
with the whole DRA business?

Jon
 

Roger Abell

I believe DRA is a good idea, but if you want to bet on
the exported cert/key (note you only said exported cert)
as being enough, that would work.
DRA really comes into its own
1. if multiple accounts are using EFS
2. if you want a quick way to get at EFS encrypted data
in case your account's profile gets zapped and you do
not have time to run home and get the CD with the pfx
in order to get to the presentation data on your laptop
in time for your meeting with the bosses in an hour, etc.

Also, keep in mind that there are version dependencies,
between W2k and Xp/W2k3 and also between XP gold
and XP Sp1 and later.
 

Roger Abell

Also - with a DRA you get two chances to not forget what
the bleeding password on the pfx is, once your own and
once the DRA's :)
 

Jon

Hi Roger,

Thanks for your continuing advice on this. OK then, I will continue trying
with the DRA concept - if nothing else it gives me a second shot in case the
personal certificate gets corrupted somehow (although I intend copying it to
multiple CDs stored offsite securely).

It seems I have missed something else, as previously I exported only the
personal certificate, and reading your reply it sounds as if I need a key as
well. One more thing to check up.

I tried adding the DRA into the local security policy as you outlined (I do
this on the user login, right?) and it imported successfully. But again,
when I tried to decrypt files using the administrator account (with the DRA
cert imported) on a different machine it wouldn't let me, but again would
let me if I imported the user certificate.

This is not for the faint-hearted, but I'd rather be ironing out the
problems now, not after it is too late!

cheers

Jon
 

Drew Cooper [MSFT]

Sorry I didn't see these posts earlier.

No private key means no decryption. And you can't add a DRA once you can't
decrypt any longer. If the original private key isn't (and some DPAPI keys
aren't) present, the data is gone.

Encryption was controlled by the US government as a munition until recently.
It can be dangerous stuff if you're not *completely* sure of what you're
doing.

Here's some info about EFS on Windows XP:
http://www.microsoft.com/technet/tr...prodtechnol/winxppro/reskit/prnb_efs_awzg.asp
 
