NTFS File Encryption Question

  • Thread starter: Barry Watzman

Barry Watzman

I have a USB removable hard drive with two partitions, one FAT and one
NTFS. Being very concerned about the security of the files stored on
this device, I turned on file encryption for many files and folders, and
those files and folders are now shown as "green" entries, which I've
never used before.

And I can read those files just fine on the computer on which I made them.

Now, however, I wanted to be able to read those with my laptop, so I
thought I would export the encryption keys to a ".pfx" file, which I did
and put on the FAT partition, protected with a password.

Now I put the USB drive on my notebook, and I click on the .pfx
certificate file, and I "import" the certificate, telling it that I want
a password to be required every time the certificate is used, and
everything seems to go well.

But when I try to open up an encrypted document on this drive on my
notebook, I am still denied access.

What do I need to do to be able to access these files on my laptop?
 
Try taking ownership of the files from your laptop computer while the
USB drive is attached.
 
And what happens when he moves the disk back to the original system?
 
I just tried taking ownership, and it makes no difference. I clearly
don't understand what is necessary to read an EFS encrypted file on a
USB external drive on a machine other than the one on which it was created.
 
I wondered that also, but in any case, taking ownership didn't enable
reading of the files. However, since ownership could presumably be
"reclaimed", it's not my #1 concern.

The USB hard drive is actually a backup that will probably never be read
on any system, unless the hard drive on the "source" system dies. But
it has personal data on it, and being highly portable, I want it secure
until and unless it's needed.
 
I am certainly no expert on EFS and the XP implementation, but I do
know it is tied to the SID of the user account in question. I
strongly suspect that when you move the USB drive to the notebook,
then import the certificates, it won't decrypt them because the SIDs
on the two accounts don't match. They can't and never will.
 
I hate it when I'm asking how to do something and then have to quarrel
with someone who is trying to help, but there is a way to move EFS
encrypted files from one machine to another machine and still be able
to read them. There are entire papers (which I've read) on how to
recover encrypted files from backups of a destroyed computer or from
backups of the computer of an employee who leaves the company.
Unfortunately, they are not written in "novice English", but it's
supposed to be possible to import the certificate and key and then be
able to decrypt the file on another computer. And I'm sure that it is
possible, but I'm clearly not doing it right.

[FWIW, I'm no computer novice, in fact in most regards I'm an "expert",
but I've just never used encryption, keys and certificates before at the
level required for this question.]

For anyone just joining: The question is, I have a USB 200 gig external
hard drive on my desktop, I have EFS encrypted folders in an NTFS
partition on that drive. I need to be able to move that USB drive to my
laptop and be able to access the EFS encrypted files on the laptop.
Both machines are running XP Pro SP2. This is a residential
environment, there is no domain. There is only one account (mine,
administrator) on each machine. There is no explicitly designated
"recovery agent". I have attempted to export the certificate and keys
from the desktop and import them onto the laptop. It's this last step
that I believe is what enables access, and which apparently I am doing
incorrectly.

This is not a data loss / data recovery situation, I have full access to
everything on the desktop. I'm merely trying to learn how to have files
that are both encrypted and transportable to other machines because I
want to put some files onto a very portable (almost too portable, if you
get my drift) USB hard drive, and some of those files have very
sensitive financial information in them.
 
I am certainly no expert on EFS and the XP implementation, but I do
know it is tied to the SID of the user account in question. I
strongly suspect that when you move the USB drive to the notebook,
then import the certificates, it won't decrypt them because the SIDs
on the two accounts don't match. They can't and never will.

That doesn't sound right. If you export the keys to a floppy as a
disaster contingency plan the next machine you use the key on will
never have the same SID.
 
Al said:
That doesn't sound right. If you export the keys to a floppy as a
disaster contingency plan the next machine you use the key on will
never have the same SID.


Correct.

Read up on encryption here:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316

NTFS file encryption is not for the faint of heart. You take a risk when you
encrypt. There is NO back door to get your files back if you find yourself
in a situation where you can't access them. You must have a valid private
key and certificate, and best to have a designated recovery agent.

Remember, encryption is only as good as the password you have assigned to
your account. It runs transparent. If someone wants at your files, and can
figure out your password, then it does no good...

It can be easy to have files encrypted, and without thinking you do a
reformat, or find yourself in a disaster situation and have to reformat,
only to find you can no longer access those important files you have
encrypted. Or you find yourself in a situation where suddenly your user
profile has become corrupt...

I keep my private key and certificate separate, on both a floppy and a cdr,
and put away in a safe place.
I really probably don't need to use encryption, but I am paranoid and if my
system should get stolen, or someone get access to it without my knowledge,
I do not want them to easily be able to get to important personal
information, like my financial files. But I realize, even with the
precautions I take, I still run a risk of loss if I screw up, which can
happen!

So if you really believe you need encryption, and accept the risk, I
strongly suggest to do a lot of reading on it, then encrypt some non
important files, and test them, before encrypting your important files that
you can't do without.

Don Burnette
 
Well, as I said at the outset, I'm no expert in EFS. I've never used
it and never will, at least not in the personal computer setting. I
don't deal with state secrets needing this level of security, and
further, the XP implementation of it is too transparent as it is tied
to user accounts that are, for the most part (at least in home
computers) not protected by a password.

Not only that, but nobody in my military organization uses EFS at
work, for the very reason of what the EFS is tied to. It is just too
easy to crack a user account. Any secure computing is done on
standalone systems with extremely strict access rules and rights.
 
Ok, but can you answer my original question:

I need to put NTFS EFS files on a USB external drive and then be able to
read and use those files (with a password, of course) when that USB
drive is plugged into another computer.

I've created the drive and EFS encrypted files, and they work -- on the
computer on which they were created.

I exported the certificate (.pfx file) from the computer on which the
files were made, and imported it into the "target" computer, thinking
that this would give me access to the files on the target. However, it
did not (or quite possibly I did it wrong).

Can someone tell me how to do this? No data has been lost or anything,
I just want to understand how to create encrypted files on an external
USB drive and then access those files "normally" when that drive is
plugged into another computer. Importing the pfx file doesn't do it;
taking ownership doesn't do it. I've been trying things for two weeks,
and so far no luck. This is a workgroup situation (no domain present),
only one user on each PC, and no "recovery agent".

Thanks
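
A check for the situation described in this thread, added here as an example and not posted by any participant: it lists the certificate thumbprints an EFS file is encrypted to and reports whether the current user's certificate store holds each one together with its private key. It assumes English-language output from `cipher /c` and PowerShell 3.0 or later, neither of which the thread states is available on its XP SP2 machines; the `-Path` parameter name is illustrative.

```powershell
# Added diagnostic, not from the thread. Assumes a Windows version whose
# cipher.exe supports /c (English output) and PowerShell 3.0 or later.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path    # an EFS-encrypted file on the external drive
)

# For each user or recovery agent able to decrypt the file, cipher /c prints
# a line such as "Certificate thumbprint: 1A2B 3C4D ..." (4-hex-digit groups).
$output = & cipher.exe /c $Path 2>&1 | Out-String

# Pull out every thumbprint and normalise it to the 40-character form used
# as the item name in the Cert: drive.
$pattern = '(?i)thumbprint:\s*((?:[0-9A-F]{4}[ ]?)+)'
$thumbprints = [regex]::Matches($output, $pattern) |
    ForEach-Object { ($_.Groups[1].Value -replace '\s', '').ToUpperInvariant() } |
    Sort-Object -Unique

if (-not $thumbprints) {
    Write-Warning "No certificate thumbprints reported for $Path (is it EFS-encrypted?)"
    return
}

foreach ($tp in $thumbprints) {
    # Decryption needs this exact certificate in the *current user's* Personal
    # store, and the import must have brought the private key along with it.
    $cert = Get-Item -Path "Cert:\CurrentUser\My\$tp" -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Thumbprint    = $tp
        InUserStore   = [bool]$cert
        HasPrivateKey = [bool]($cert -and $cert.HasPrivateKey)
        Subject       = if ($cert) { $cert.Subject } else { $null }
    }
}
```

A row with `InUserStore` or `HasPrivateKey` false means the imported .pfx did not supply the key that file was encrypted to, for example because a different certificate was exported or it was imported into another store.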
 