Problem restoring EFS key

Thread starter: Aaron Solomon

Subject: Difficulty with EFS & importing PFX file
Newsgroups: Gigawin2000.file_system, microsoft.public.win2000.filesystem, microsoft.public.win2000.security, microsoft.public.windows.file_system, microsoft.public.windows.server.security, microsoft.public.windows.vista.file_management, microsoft.public.windows.vista.security
Followup-To: msn.computingcentral.safecomputing.encryption, microsoft.public.win2000.file_system

Hi,

I'm having a hellish problem with EFS. I apologize for the long post
but if anyone can help me, you will truly be doing a kind deed.

I have two computers: a laptop running Vista Ultimate and a home server
running 2000 Server.

Some time ago, I encrypted some files on my laptop using EFS (I was
concerned the files would be accessible if my laptop was lost or
stolen). I also exported a password-protected encryption key to a
".pfx" file using the certificate export wizard in Vista. I believe,
but I am not absolutely certain, that I included the private key. (My
understanding is that the password is to protect the private key.) I
then emailed this file to a friend for safekeeping.

I ran daily mirror backups of these encrypted files from my Vista
laptop to my Windows 2000 Server at home, using robocopy (not an
incremental backup program). These files remained encrypted when copied
to the server. When I'm physically logged into the server, the files
can be viewed in Windows Explorer, but of course can't be opened,
copied, or otherwise accessed because they were encrypted on another
machine (the Vista laptop). However, I could previously open these
files on my Vista laptop by accessing them over the network, before my
laptop's hard drive failed (see below).

A couple of days ago, my laptop's hard drive catastrophically failed.
The failure is mechanical, not just a corrupt boot record or the like.
I say this because I ran the Vista installer to try to repair the drive,
and it did not even recognize that the drive existed. So, my assumption
is that the drive is truly gone.

I bought a new hard drive and reinstalled Vista on my laptop. All of
the files that were encrypted using the previous Vista installation are
still on backup drives on my Windows 2000 server, but they are
inaccessible from either the server or the laptop because they are
encrypted.

Here's the issue: Recall that I exported a PFX file from my previous
Vista installation and stored it in a safe location. In order to access
the encrypted files, I imported this PFX file using the certificate
import wizard (per MS instructions) into the "Personal" certificate
store, but I still cannot access these files. While importing the file,
I was prompted to give a password, which I correctly gave. From my
understanding, I should now be able to open/decrypt these files, but I
can't. These files are all of my wife's and my critical household
records, so I am desperate to recover them if at all possible.

Additional info: While troubleshooting, I downloaded the Elcomsoft
"Advanced EFS Data Recovery" tool. At first, I was able to decrypt a
single small file (an RTF) successfully. I then tried to decrypt some
larger files (Outlook PST and Money MNY files) using the tool. It
appeared to work but the resulting files, though no longer encrypted,
were corrupt and couldn't be opened in their respective applications
without causing errors. As of now, I can no longer get the Elcomsoft
tool to recognize any "decryptable" files (it says they are all
unrecoverable), and so I'm again stuck. But, because I was able to
decrypt a single small file, I have a glimmer of hope that my problem is
procedural and not that I'm missing the encryption key info I need.

Also: I tried attaching the server hard drive that contains the
encrypted files directly to my laptop (it's an external USB drive), with
no luck.

The main question in my mind is whether my PFX file is somehow lacking
the necessary information to recover my encrypted files, or whether my
problems are caused by some configuration issue that can be overcome with
more knowledge.

Questions:

a) Does the prompt to store/enter a password when creating/importing
my pfx file indicate that the private key was stored in the file as well
as the public key? If so, doesn't this mean I should theoretically be
able to decrypt files that were accessible when I created the file?

b) Other than just importing the PFX with a wizard and then opening
the file in Windows Explorer, is there some tool or process I could use
to conclusively validate that the PFX file is/isn't capable of
decrypting a given encrypted file?

c) Assuming my PFX file has the requisite information, is there some
configuration issue that is preventing me from decrypting these files?
Is the fact that they are stored on a Windows 2000 computer and I am
trying to access them from a Vista computer somehow preventing me from
decrypting them?

d) Any other suggestions?

Thanks so much for any expertise or advice you can lend. It's my first
foray into this complicated field and I feel like I've done due
diligence by exporting and storing a PFX, but as I say it's not working
and my ignorance has me stuck and frustrated. Does my description ring
any bells about things I might be doing wrong?

Cheers, Aaron
 
Hi Aaron,
While I am in no way an expert on this, I'll try and offer my limited
knowledge, as it sounds like you are in dire straits. I've not used Vista yet,
so my knowledge extends only to XP and Server 2000/2003. Hopefully
this can be applied to Vista. I'm in a bit of a rush, so post back any
questions/results.

First off, did you configure a recovery agent?
If so, then use this to recover the files, not your user PFX file (the PFX
file is the private key, I think).

Second, do you have a domain? You mention you have Vista and Server 2000, so
hopefully you do have...
If you do, then the administrator account should have been assigned a
Recovery Agent certificate when first logged on.

You can use this to try and recover data.

I would check this first and then go from there. Log in as admin onto your
Vista and check the personal store for a recovery certificate. Have a look at
the links below; some contain links to other docs.

Read up about using Cipher.
Maybe try using Scanpst on the recovered PST file after running the Elcomsoft
tool?

http://technet.microsoft.com/en-us/library/bb457065.aspx
http://technet.microsoft.com/en-us/library/bb457116.aspx#EIAA
http://www.brienposey.com/kb/recovering_encrypted_data.asp


Good luck, and I'll try and monitor this post.
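Aaron's question (b) asks for a way to conclusively check whether a PFX can decrypt a given file, and the reply suggests looking in the Personal store for a recovery agent certificate and reading up on cipher. Both checks can be done from PowerShell on the Vista laptop, because `cipher /c <file>` prints the thumbprints of every certificate (user and recovery agent) a file was encrypted to, and a decryption attempt can only succeed if a matching certificate with its private key is in the store. The script below is an added example, not something posted in the thread or a Microsoft tool; the two file paths are placeholders, it assumes PowerShell 2.0 or later with the `Cert:` drive, and it assumes `cipher /c` prints each thumbprint as space-separated hex after the word "thumbprint:". Run it against a copy of an encrypted file on a locally attached drive (such as the USB disk mentioned above).

```powershell
# Added example (not from the thread): does this PFX hold a private key that the
# encrypted file was actually encrypted to, and what EFS/recovery certs are in the store?
$PfxPath       = 'C:\backup\efs-key.pfx'         # placeholder: the exported PFX
$EncryptedFile = 'D:\backup\records\budget.mny'  # placeholder: one encrypted file

$EfsEku      = '1.3.6.1.4.1.311.10.3.4'    # Enhanced Key Usage: Encrypting File System
$RecoveryEku = '1.3.6.1.4.1.311.10.3.4.1'  # Enhanced Key Usage: File Recovery (recovery agent)

# Return the Enhanced Key Usage OIDs of a certificate (empty array if it has none).
function Get-CertEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($null -eq $ext) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

# Return every certificate thumbprint "cipher /c" reports for a file, covering both
# the "Users who can decrypt" entries and the "Recovery Certificates" entries.
# Assumption: thumbprints are printed as space-separated hex after "thumbprint:".
function Get-EfsThumbprintsForFile {
    param([string]$Path)
    $output = & cipher.exe /c $Path 2>&1 | Out-String
    $found  = [regex]::Matches($output, '(?i)thumbprint:\s*([0-9A-F][0-9A-F ]{38,})')
    return @($found | ForEach-Object { ($_.Groups[1].Value -replace '\s', '').ToUpperInvariant() })
}

# 1. What is actually inside the PFX? (Get-PfxCertificate prompts for the export password.)
#    A PFX exported without the private key has HasPrivateKey = False and cannot decrypt anything.
$pfx  = Get-PfxCertificate -FilePath $PfxPath
$ekus = Get-CertEku $pfx
"PFX subject:         $($pfx.Subject)"
"PFX thumbprint:      $($pfx.Thumbprint)"
"Has private key:     $($pfx.HasPrivateKey)"
"EFS usage:           $($ekus -contains $EfsEku)"
"Recovery agent:      $($ekus -contains $RecoveryEku)"

# 2. Which certificates does the file itself name? Only a private key belonging to one
#    of these thumbprints (a user's or a recovery agent's) can unwrap the file's FEK.
$fileThumbs = Get-EfsThumbprintsForFile $EncryptedFile
"Thumbprints cipher /c lists for $EncryptedFile :"
$fileThumbs | ForEach-Object { "  $_" }
if ($fileThumbs -contains $pfx.Thumbprint) {
    "MATCH: the PFX certificate is one this file was encrypted to."
} else {
    "NO MATCH: this PFX cannot decrypt this file; a different export or a recovery agent key is needed."
}

# 3. What did the import wizard leave in the Personal store, and does any entry match the file?
Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    $e = Get-CertEku $_
    New-Object PSObject -Property @{
        Thumbprint  = $_.Thumbprint
        PrivateKey  = $_.HasPrivateKey
        EFS         = ($e -contains $EfsEku)
        Recovery    = ($e -contains $RecoveryEku)
        MatchesFile = ($fileThumbs -contains $_.Thumbprint)
    }
} | Format-Table Thumbprint, PrivateKey, EFS, Recovery, MatchesFile -AutoSize
```

Reading the result: if step 2 reports NO MATCH, the problem is not procedural and no amount of re-importing will help; the export came from a different certificate than the one the file was encrypted to (a user can have more than one EFS certificate over time). If it reports MATCH but `Has private key` is False, the export only contained the public certificate. Only when both the thumbprint matches and the private key is present is a configuration problem on the importing machine the remaining explanation, and a row in step 3 with `Recovery = True` and `PrivateKey = True` is the recovery agent certificate the reply above suggests using.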
 