Recovery of Encrypted files. help!

Guest

Hi

I backed up my entire c disk (without my cygwin files ...), including some
encrypted files. It is restore time. I managed to restore the non-encrypted
docs on another machine. But I can't open the encrypted files.

(1) Can I restore them on another machine?
(2) Can I restore them on the original machine if I reformat the disk and
re-install windows?
(3) Are there any key-files which I can use to see the files?

Thanks
 
Carey Frisch [MVP]

Before encrypting anything important, you should back up your
personal encryption certificate (with its associated private key)
and the recovery agent certificate to a floppy disk and store it in
a secure location. If you ever lose your original certificate
(because of a hard disk failure, for example), you can restore
the backup copy and regain access to your files. If you lose all
copies of your certificate (and no recovery agent certificates exist),
you won't be able to use your encrypted files. No back door exists,
nor is there any practical way to hack these files.
(If there were, it wouldn't be very good encryption.)

HOW TO: Remove File Encryption in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;EN-US;308993

Without a backup of the original Encryption Certificate Key, encrypted files
are unrecoverable as they will stay encrypted forever. There is no recovery
method since the encryption algorithm is now completely different with a
reinstall of Windows XP.

See if the following articles help in any way:

HOW TO: Take Ownership of a File or Folder in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;308421

Best Practices for the Encrypting File System
http://support.microsoft.com/default.aspx?scid=kb;en-us;223316

Encrypting File System in Windows XP
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx

EFS Files Appear Corrupted When You Open Them
http://support.microsoft.com/default.aspx?scid=kb;en-us;329741

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User
Microsoft Newsgroups

Get Windows XP Service Pack 2 with Advanced Security Technologies:
http://www.microsoft.com/athome/security/protect/windowsxp/choose.mspx

-------------------------------------------------------------------------------------------

| Hi
|
| I backed up my entire c disk (without my cygwin files ...), including some
| encrypted files. It is restore time. I managed to restore the non-encrypted
| docs on another machine. But I can't open the encrypted files.
|
| (1) Can I restore them on another machine?
| (2) Can I restore them on the original machine if I reformat the disk and
| re-install windows?
| (3) Are there any key-files which I can use to see the files?
|
| Thanks
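
One way to make the certificate backup described in the reply above, as an added example that is not part of the original thread: a PowerShell script using the .NET certificate-store classes that finds the logged-on user's EFS certificates, exports each with its private key to a password-protected PFX, and re-loads the file to confirm the key is in it. The output folder `E:\efs-backup` and the helper name `Test-EfsCertificate` are assumptions, and the script must run as the account that encrypted the files.

```powershell
# Added example (not from the thread): export the logged-on user's EFS
# certificate(s) with private key to PFX, then verify each backup file.
param([string]$OutDir = 'E:\efs-backup')   # assumed path on removable media

$EfsOid = '1.3.6.1.4.1.311.10.3.4'          # Encrypting File System EKU
$Ns     = 'System.Security.Cryptography.X509Certificates'

function Test-EfsCertificate($Cert) {       # hypothetical helper name
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $EfsOid) { return $true }
            }
        }
    }
    return $false
}

$password = Read-Host 'Password to protect the PFX files' -AsSecureString
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$store = New-Object "$Ns.X509Store" -ArgumentList 'My', 'CurrentUser'
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
try {
    foreach ($cert in $store.Certificates) {
        if (-not (Test-EfsCertificate $cert)) { continue }
        if (-not $cert.HasPrivateKey) {
            Write-Warning "$($cert.Thumbprint): private key missing from this profile"
            continue
        }
        $pfx = Join-Path $OutDir "$($cert.Thumbprint).pfx"
        try {
            # Export throws if the key is not marked exportable.
            $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $password)
            [System.IO.File]::WriteAllBytes($pfx, $bytes)
            # Re-load the file to confirm it really carries the private key.
            $check = New-Object "$Ns.X509Certificate2" -ArgumentList $pfx, $password
            if ($check.HasPrivateKey -and $check.Thumbprint -eq $cert.Thumbprint) {
                Write-Output "Backed up and verified: $pfx (expires $($cert.NotAfter))"
            } else {
                Write-Warning "$pfx did not verify, do not rely on it"
            }
        } catch {
            Write-Warning "$($cert.Thumbprint): export failed: $($_.Exception.Message)"
        }
    }
} finally {
    $store.Close()
}
```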
 
Guest

Thanks !!

Since I backed up my entire harddisk I presume that also the personal
encryption certificate (with its associated private key) and the recovery
agent certificate were backed up. Where can I find them?

If I would restore the hard disk using MS backup/restore tool will it work?
 
Rock

koby wrote:

Answers inline:
Hi

I backed up my entire c disk (without my cygwin files ...), including some
encrypted files. It is restore time. I managed to restore the non-encrypted
docs on another machine. But I can't open the encrypted files.

(1) Can I restore them on another machine?

Only if you saved the encryption certificate and key.

(2) Can I restore them on the original machine if I reformat the disk and
re-install windows?

Same answer as #1. A reinstall creates a new user account with a
different SID, even if the account name is the same. The encryption was
based on the original account's SID. Without the backup copies of the
encryption certificate, it won't work.
 
Rock

koby said:
Thanks !!

Since I backed up my entire harddisk I presume that also the personal
encryption certificate (with its associated private key) and the recovery
agent certificate were backed up. Where can I find them?

If I would restore the hard disk using MS backup/restore tool will it work?

I'm not sure about this. The only way possible is if the backup you
made was done using the ASR wizard which saves the system state and
everything on the C: drive. However to restore using ASR, one boots
with the Windows CD, then at one point chooses the ASR option. It then
installs a fresh copy of XP, then restores the data from the ASR backup.
If the ASR restore does not overwrite the newly created SID with the
old one, then you're out of luck. I have never tried this but it might
work to allow access to the encrypted files. The bottom line is XP's
EFS is data loss waiting to happen.

Best practices for the Encrypting File System
http://support.microsoft.com/?id=223316

How to back up the recovery agent Encrypting File System (EFS) private
key in Windows Server 2003, in Windows 2000, and in Windows XP
http://support.microsoft.com/?id=241201

How to add an EFS recovery agent in Windows XP Professional
http://support.microsoft.com/?id=887414
 
Guest

I used MS Windows XP backup/restore utility. What is ASR?

Also,

My problem is a corruption of the MBR (Master boot record). Is there a
way to boot the machine using cd/USB device (no floppy) and get what we want?

Thanks
 
Guest

Where is the SID saved? In Documents and Settings/<account>
or in another place?

Thanks
 
Rock

koby said:
Where is the SID saved? In Documents and Settings/<account>
or in another place?

Thanks

The SID is in the registry, but you can't migrate it to a new install
and then decrypt files encrypted under the original account.
 
Rock

koby said:
I used MS Windows XP backup/restore utility. What is ASR?

Also,

My problem is a corruption of the MBR (Master boot record). Is there a
way to boot the machine using cd/USB device (no floppy) and get what we want?

Thanks


ASR stands for Automated System Recovery. It is one of the options in
Ntbackup. In addition to the backup data file ASR creates a floppy disk
that is needed during the ASR recovery. In my previous post I wrote
that an ASR recovery might allow you to view the encrypted files. What
I meant to say was it might not. And the only way you can even try that
is if you had made an ASR backup. Since you don't know what ASR means
this suggests to me you didn't use the ASR wizard in ntbackup.

Sounds like the only thing that is going to be able to recover your
files is if you can repair the MBR to make the disk bootable. You must
boot into XP from that disk and login to the account where the
encryption was applied to either decrypt the files or create a recovery
agent and export the certificate and key. The other option would be to
clone the disk onto another drive with a working mbr, and see if that
will boot.

You might want to talk with one of the drive data recovery specialty
groups such as www.ontrack.com or www.drivesavers.com.
 
Guest

ASR stands for Automated System Recovery. It is one of the options in
Ntbackup. In addition to the backup data file ASR creates a floppy disk
that is needed during the ASR recovery. In my previous post I wrote
that an ASR recovery might allow you to view the encrypted files. What
I meant to say was it might not. And the only way you can even try that
is if you had made an ASR backup. Since you don't know what ASR means
this suggests to me you didn't use the ASR wizard in ntbackup.

Sounds like the only thing that is going to be able to recover your
files is if you can repair the MBR to make the disk bootable.

How do I do this?
You must
boot into XP from that disk and login to the account where the
encryption was applied

How do I do that?
to either decrypt the files or create a recovery
agent and export the certificate and key. The other option would be to
clone the disk onto another drive with a working mbr, and see if that
will boot.

What is cloning? How do I do that?
You might want to talk with one of the drive data recovery specialty
groups such as www.ontrack.com or www.drivesavers.com.

Thanks !
 
Guest

The SID is in the registry, but you can't migrate it to a new install
and then decrypt files encrypted under the original account.

So, it will not be a good idea to reformat the hard disk, install win xp and
then do a restore. I must use my current installation.

Koby
 
Rock

koby said:
So, it will not be a good idea to reformat the hard disk, install win xp and
then do a restore. I must use my current installation.

Koby

If you do that you will lose access to the encrypted files. So if you
don't want to, then that would not be a good idea.
 
Rock

koby said:
ASR stands for Automated System Recovery. It is one of the options in
Ntbackup. In addition to the backup data file ASR creates a floppy disk
that is needed during the ASR recovery. In my previous post I wrote
that an ASR recovery might allow you to view the encrypted files. What
I meant to say was it might not. And the only way you can even try that
is if you had made an ASR backup. Since you don't know what ASR means
this suggests to me you didn't use the ASR wizard in ntbackup.

Sounds like the only thing that is going to be able to recover your
files is if you can repair the MBR to make the disk bootable.


How do I do this?

You must
boot into XP from that disk and login to the account where the
encryption was applied


How do I do that?

to either decrypt the files or create a recovery
agent and export the certificate and key. The other option would be to
clone the disk onto another drive with a working mbr, and see if that
will boot.


What is cloning? How do I do that?

You might want to talk with one of the drive data recovery specialty
groups such as www.ontrack.com or www.drivesavers.com.


Thanks !


Cloning is the process of making an exact copy of the data on the drive.
I don't know whether or how one can do it if the mbr is damaged, but
some specialty software might work. How do you do the possible solutions I
suggested? Like I said, contact a group that specializes in drive and
data recovery like ontrack or drive savers.
 
Kerry Brown

koby said:
Hi

I backed up my entire c disk (without my cygwin files ...), including some
encrypted files. It is restore time. I managed to restore the non-encrypted
docs on another machine. But I can't open the encrypted files.

(1) Can I restore them on another machine?
(2) Can I restore them on the original machine if I reformat the disk and
re-install windows?
(3) Are there any key-files which I can use to see the files?

Thanks

If you backed up the system state then you should be able to recover the
keys. It may be a good idea to try this on a different hard drive. Install a
different hard drive as the only drive. Install Windows XP. Restore your
backup making sure to overwrite all the files. Try to decrypt the files.
Depending on what you backed up this may or may not work. Good luck.

Kerry
 
Torgeir Bakken (MVP)

koby said:
Hi

I backed up my entire c disk (without my cygwin files ...), including some
encrypted files. It is restore time. I managed to restore the non-encrypted
docs on another machine. But I can't open the encrypted files.

(1) Can I restore them on another machine?
(2) Can I restore them on the original machine if I reformat the disk and
re-install windows?
(3) Are there any key-files which I can use to see the files?

Thanks
Hi,

If you are not able to get your old environment up and running by
restoring from your backup, take a look here:

http://www.beginningtoseethelight.org/efsrecovery/
 
Guest

I ran the backup utility and chose the entire drive c (except the directory
of cygwin). So?
 
frodo

koby said:
Since I backed up my entire harddisk I presume that also the personal
encryption certificate (with its associated private key) and the recovery
agent certificate were backed up.

No, not really. These "backups" are made via a separate operation that
you must perform manually. [While it's true that some of the info is
buried in the reg, and you did back that up, it is of no real use to you -
if it could be of use to you, or anyone else, then the encrypting file
system wouldn't be very secure, would it?]

You need to read the help files on File Encryption and find out what these
things are and how to perform these operations. Read and understand
everything in there before beginning to use encryption, or you will end up
being sorry some day.

Go into Help and Support and enter "storing data more securely" into the
search field; hit enter. Read this topic and ALL the linked topics (and
their linked topics, etc).

Unfortunately, Help and Support does not really provide a very complete
overview of the whole issue - it can be complicated, and H&S's method of
using links-to-this and links-to-that make it very easy to miss something
that is important. You should read a full and complete tutorial on the
issue if you can; try googling around for something comprehensive; start
w/ The Elder Geek, I'll bet he's got something pretty good (tho I haven't
checked).

I would HIGHLY recommend reading the chapter on file encryption in Ed
Bott's "Windows XP: Inside Out" book; it clearly explains the pitfalls of
using file encryption and all the precautions you need to take up-front in
order to deal with unforeseen problems down the road.

[MS left FE out of XP Home for a good reason - it's not a simple topic,
and can cause major headaches for casual users that don't have experience
with "windows administrative/security" type issues, which are always
pretty tricky. Encryption Key management is one of those tricky issues.]

Good Luck.
 
Guest

Hi

After long work I can manage to get access to the hard disk using an OS on a
cd. I can't fix the MBR. Is there a way to copy the required files
(private key/registry/else) into another machine and then use it to decrypt
the files?

Thanks, Koby
 
