Regain access to EFS encrypted files

Darkhster

Hi
I recently moved from a single drive PC to a RAID 1 array with new
drives.
I removed the old drive and did a clean install of XP Pro on the RAID
array.

I used the File and Settings Transfer wizard but only opted to move the
files.
A few of the files were EFS encrypted. They were obviously inaccessible
on the new system.
So how do I regain access to them?

I can still log in to my old system if I put the old drive in a new PC.
Sadly the files were deleted after the move. I can undelete one or two
and can see the data fine. But how can I see the whole folder of data
on the new system? I've exported the personal certificate from the old
system, that does not work. Even one of these EFS decryption programs
can't decrypt the data, even though I have the private key.

I've tried copying the files to the old system, I get access denied or
disk full. I restored them via NTBackup to the old system, I can't see
the data or disable encryption. That one really mystifies me.
How can I still have my original private key and have the data, and be
unable to see it???
 
Doug Knox MS-MVP

You don't. If you didn't back up the encryption certificates, you will probably never be able to access those files without paying a professional recovery service, if they can even decrypt them.
 
Darkhster

Okay, I could understand and accept that if I had reformatted my
original drive, that my certificates would be firmly in the bit bucket.

But I have full, original access to my old system. So my certificates
SHOULD still be there. Like I said, if I undelete one of the files, I
can view it properly. So that means that the original certificate must
be there, allowing me to decrypt the data. The same data that I
transferred to my new system.

So if I have the original cert. and I have the data, why aren't the two
working together?
 
Kerry Brown

Darkhster said:
Hi
I recently moved from a single drive PC to a RAID 1 array with new
drives.
I removed the old drive and did a clean install of XP Pro on the RAID
array.

I used the File and Settings Transfer wizard but only opted to move
the files.
A few of the files were EFS encrypted. They were obviously
inaccessible on the new system.
So how do I regain access to them?

I can still log in to my old system if I put the old drive in a new PC.
Sadly the files were deleted after the move. I can undelete one or two
and can see the data fine. But how can I see the whole folder of data
on the new system? I've exported the personal certificate from the old
system, that does not work. Even one of these EFS decryption programs
can't decrypt the data, even though I have the private key.

I've tried copying the files to the old system, I get access denied or
disk full. I restored them via NTBackup to the old system, I can't see
the data or disable encryption. That one really mystifies me.
How can I still have my original private key and have the data, and
be unable to see it???

How did you export the certificates? Here are a couple of ways to do it:

http://www.microsoft.com/smallbusiness/support/articles/protect_data_EFS.mspx#E6OAC

http://www.microsoft.com/technet/windowsvista/library/a8b21b9b-d102-4045-9f36-e4b3430d2f38.mspx

The key is to export the certificate as .pfx. Contrary to the above links, do
not delete the private key in this case. You want to leave it on the old
hard drive in case the export/import goes wrong and you need to try again.
 
Darkhster

First, to Doug: Yes, I stuck with the same uname/pwd. combination for
the new install, to make the change over a bit easier. I checked out
the link and section you recommended and yup, the errors indicate a
'decryption mismatch' according to that site. Obviously my private key
on the new system is not valid.
But apparently even the private key I exported from my old system is
either not being used for decryption or it too is also not valid, which
would be disconcerting.
BTW, I have all the directories that site talks about, but I am leery
of going thru all those registry edits. I will do that as a last
resort!

To Kerry, I did a cert. export from IE, the Personal Store which
indicates EFS as the purpose. I opted to export the private key as
well, and had to enter a password for the cert. I did NOT opt to delete
the private key after export. Deleting ANYTHING around now is not
something I am keen on doing. It imports properly (i.e. no reported
errors) but I cannot do anything with the encrypted files.

One question: Could I have double encrypted the data? Encrypted the
data I ported from the old system, which was already encrypted?
 
Kerry Brown

Darkhster said:
First, to Doug: Yes, I stuck with the same uname/pwd. combination for
the new install, to make the change over a bit easier. I checked out
the link and section you recommended and yup, the errors indicate a
'decryption mismatch' according to that site. Obviously my private key
on the new system is not valid.
But apparently even the private key I exported from my old system is
either not being used for decryption or it too is also not valid,
which would be disconcerting.
BTW, I have all the directories that site talks about, but I am leery
of going thru all those registry edits. I will do that as a last
resort!

To Kerry, I did a cert. export from IE, the Personal Store which
indicates EFS as the purpose. I opted to export the private key as
well, and had to enter a password for the cert. I did NOT opt to
delete the private key after export. Deleting ANYTHING around now is
not something I am keen on doing. It imports properly (i.e. no reported
errors) but I cannot do anything with the encrypted files.

Did the exported certificate have a .pfx extension? It will not work unless
the certificate is exported as a PKCS #12 (.pfx) file. I find the procedure
with the cipher /x command usually works best. Use the cipher /x command
both with and without a filename specified, e.g. "cipher /x:encryptedfilename cert1"
and then "cipher /x cert2". The first one will export the cert that is for a
particular file. The second one will export the current EFS cert. Note: do not
put an extension on the cert file name; .pfx will be used by default. For more
info see cipher in Help and Support.
 
Darkhster

I used the IE certificate management tool... I saw a guide on the net
about exporting the private key and they suggested that option.
It *seems* to work fine, once I select my certificate under the
Personal tab and ensured its purpose was for EFS. And once I opt to
export my private key data, it automatically exports it as PFX.

I also tried adding 'Users who can Transparently access this file' via
the Details button by the Encryption option on a file, but while I can
change ownership of the file, and even grant Everyone full control, I
get an EFSADU error, "Error in adding new user(s). Error code 5"
This is so near, yet so far!
 
Kerry Brown

Darkhster said:
I used the IE certificate management tool... I saw a guide on the net
about exporting the private key and they suggested that option.
It *seems* to work fine, once I select my certificate under the
Personal tab and ensured its purpose was for EFS. And once I opt to
export my private key data, it automatically exports it as PFX.

I also tried adding 'Users who can Transparently access this file' via
the Details button by the Encryption option on a file, but while I can
change ownership of the file, and even grant Everyone full control, I
get an EFSADU error, "Error in adding new user(s). Error code 5"
This is so near, yet so far!

Try again with the cipher command using both methods. The key used to
encrypt the files may have changed at some point.
 
Steven L Umbach

Check the properties of the certificate under the Details page to check the
thumbprint and compare that to what is shown for an EFS file you cannot
decrypt in its Properties > Advanced > Details. The thumbprints must match.
Also, if you had SP1 or SP2 on your old install, make sure you have updated
your service pack on the new install to make sure that it is AES algorithm
capable for EFS, and the user attempting the decryption of files should have
full control NTFS permissions to the folder/files of the EFS files. --- Steve
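A scripted form of the thumbprint comparison Steve describes, added here as an example and not part of the original thread. It assumes Windows Vista or later, where "cipher /c" lists the certificate thumbprints of every user and recovery agent able to decrypt a file (on the XP systems in the thread the same thumbprints are shown in the file's Properties > Advanced > Details dialog), and it assumes the "Certificate thumbprint:" line format of that output, which is not confirmed by the thread. It reads the thumbprints from the file, looks for the same thumbprints among the EFS certificates in the current user's Personal store, and reports whether the matching private key is actually present.

```powershell
# Added example (not from the thread): compare the EFS certificate thumbprints
# recorded on an encrypted file with the EFS certificates in CurrentUser\My.
# Assumes Windows Vista+ ("cipher /c" is not available on XP) and assumes the
# "Certificate thumbprint: XXXX XXXX ..." output line; both are assumptions.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path   # EFS-encrypted file to check
)

# Enhanced Key Usage OID for "Encrypting File System".
$efsEku = '1.3.6.1.4.1.311.10.3.4'

function Get-LocalEfsCertificate {
    # Certificates in the user's Personal store whose EKU extension includes EFS.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            Where-Object { $_.Value -eq $efsEku }
    }
}

function Get-FileEfsThumbprint {
    param([string]$FilePath)
    # "cipher /c" prints one "Certificate thumbprint:" line per user and per
    # recovery agent that can decrypt the file; the hex digits are grouped by
    # four with spaces. Normalize to the spaceless uppercase form that the
    # certificate provider uses for the Thumbprint property.
    $output = & cipher.exe /c $FilePath 2>&1
    foreach ($line in $output) {
        if ("$line" -match 'Certificate thumbprint:\s*([0-9A-Fa-f ]+)') {
            ($Matches[1] -replace '\s', '').ToUpperInvariant()
        }
    }
}

$fileThumbs = @(Get-FileEfsThumbprint -FilePath $Path)
if ($fileThumbs.Count -eq 0) {
    Write-Warning "No EFS thumbprints reported for '$Path' (file not encrypted, or cipher /c unavailable)."
    return
}

$localCerts = @(Get-LocalEfsCertificate)
$matched = $false
foreach ($t in $fileThumbs) {
    $cert = $localCerts | Where-Object { $_.Thumbprint -eq $t }
    if ($cert) {
        $matched = $true
        # A certificate without its private key matches on thumbprint but
        # still cannot decrypt: that is what a .cer-only export looks like.
        $keyState = if ($cert.HasPrivateKey) { 'private key present' } else { 'PRIVATE KEY MISSING' }
        "MATCH   $t  $($cert.Subject)  [$keyState]"
    } else {
        "NOMATCH $t  (no certificate with this thumbprint in CurrentUser\My)"
    }
}

if (-not $matched) {
    "Result: none of the file's thumbprints matches an EFS certificate in this profile."
    "This is the 'decryption mismatch' case: import the .pfx that carries one of the"
    "thumbprints above (exported with cipher /x or the certificate MMC) and re-run."
}
```

Run it as `.\Check-EfsThumbprint.ps1 -Path C:\data\secret.docx` (script name assumed). A NOMATCH on every line means the profile simply does not hold the key that encrypted the file, which is exactly what a freshly created account with the same user name and password produces, since the new account gets a new SID and a new EFS key pair; a MATCH with "PRIVATE KEY MISSING" means the certificate was imported without its private key and the export needs to be redone as PKCS #12.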
 
Darkhster

Lost cause.
The thumbprint gave it away...

I checked the files for the cert. thumbprint and it does not match
thumbprints for newly encrypted files on *either* system.
A little checking revealed that the old account HAS been deleted by
someone else. I was told only the data had been trashed.
When it was realized that I was trying to restore the data, a new
account was created with the original uname/pwd. So I was under the
impression that everything was still in place on the old system.
They even restored desktop settings.
Too many people with admin. access....

Thanks to all for your input nonetheless.
 
Steven L Umbach

Bummer. What I would still try, depending on how badly the data is wanted, is to
use a file recovery program like Handy Recovery [free 30 day trial] to
search the hard drives for the deleted user profile used to encrypt the
files, in which case you may still be able to recover the EFS private key or
the whole user profile. Since you indicate that the user account was deleted,
if you are able to recover the profile you will not be able to use the
private key via normal means, but may be able to access the data with
Elcomsoft's EFS recovery program, of which the free trial version will at
least let you know if the private key is present and if you can access it by
using the correct user/password. The certificate/private key for a user are
in the user/application data/Microsoft/crypto folder.

Even if that is not possible, I would still use a file recovery program to
look for possible clear text copies of the EFS files, even if they may not be
the most current version. Especially look for files that begin with ~, which
could be temporary files created by the application, or for files with names
like EFS0.tmp, EFS1.tmp, and so on, which are created when an individual file
is encrypted via EFS rather than the file being created in a folder with the
EFS encryption attribute enabled, per best practice. A note on file
recovery programs: when using them, file names may not appear to make
sense when shown in the folder used by the Recycle Bin, as the name of the
file is usually replaced by the Recycle Bin, though it could be a file you
are looking for. For example, using Handy Recovery the recycler folder shows
files with names such as Dd.23.url, Dd24.url, and so on. --- Steve

http://www.softlogica.com/ --- Handy Recovery