Self-Signed EFS and AD

Guest

Is there any way to enforce the usage of an Active Directory-published EFS
certificate instead of creating a new one every time I change a PC?

Here is why:

The first time I use EFS on a PC, it locally generates an EFS Certificate
(i.e. self-signed). I can publish this Certificate in Active Directory so
that other users can enable me to read their encrypted documents - All is
fine.

However, if I change the PC (or work from some other location), the first
time I try to encrypt a file, another/new/different local (self-signed) EFS
certificate will be created for me.
Now, I thought that PCs (i.e. Windows XP) are smart enough to check the
Active Directory whether there is already a published Certificate and use the
same one instead of creating a new one (local, self-signed).
Or perhaps I should have asked: since there can be only one private key for
each public key (i.e. certificate), is it possible to store (and use as
needed) the private key in Active Directory along with the corresponding
certificate?
 
Shreeniwas Kelkar [MSFT]

EFS needs your private key available locally to work. Hence migrating certs
alone is not enough. The private keys are protected by DPAPI on the local
machine. Certs are public information and hence published to AD. Private keys
usually are not.

If you want to use the same cert+key for EFS across multiple machines, you
need to make sure that the private key along with the certificate is
available on each machine. Some ways to achieve this:
1) Turn on roaming profiles and your cert and key will automatically roam to
all machines. This however has performance implications.
2) If the number of machines involved is small, you can export your EFS
cert+key from the previous machine to a PFX and import it on the new machine
before attempting EFS.
3) If the machines are part of a domain and there is a file server with
Trusted For Delegation privileges available in the domain, you can do remote
EFS by storing your documents on this server. The keys in this case are
maintained on the server so you can easily access your documents from
various clients.
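Option 2 in the answer above, as an added example that is not the poster's code: a PowerShell sketch that exports the EFS key pair to a PFX on the old PC, imports it on the new one and checks that a freshly encrypted file is bound to that key. It assumes the PKI module of Windows 8 / Server 2012 or later (Export-PfxCertificate, Import-PfxCertificate) and cipher.exe /c; the function names are mine.

```powershell
# Added example, not from the thread. Assumes the PKI module (Windows 8 /
# Server 2012+); XP-era clients would use certmgr.msc instead. Names are mine.
$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID: Encrypting File System

function Get-EfsCertificate {
    # EFS-capable certs in the user's personal store that have a usable private key
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object {
            $_.HasPrivateKey -and
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $EfsEkuOid })
        }
}
function Export-EfsKeyPair {
    param(
        [Parameter(Mandatory)] [string]       $PfxPath,
        [Parameter(Mandatory)] [securestring] $Password
    )
    $cert = Get-EfsCertificate | Sort-Object NotBefore -Descending | Select-Object -First 1
    if (-not $cert) { throw 'No EFS certificate with a private key in Cert:\CurrentUser\My' }
    # The PFX carries the private key outside DPAPI protection: use a strong
    # password, move it over a trusted channel and delete it after import.
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password | Out-Null
    return $cert.Thumbprint
}
function Import-EfsKeyPair {
    param(
        [Parameter(Mandatory)] [string]       $PfxPath,
        [Parameter(Mandatory)] [securestring] $Password,
        [Parameter(Mandatory)] [string]       $ExpectedThumbprint
    )
    # Run this before the first EFS operation on the new PC; otherwise Windows
    # has already generated another self-signed key for the user.
    $cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\CurrentUser\My `
                                  -Password $Password -Exportable
    if ($cert.Thumbprint -ne $ExpectedThumbprint) {
        throw "Imported thumbprint $($cert.Thumbprint) does not match $ExpectedThumbprint"
    }
    return $cert.Thumbprint
}
function Test-EfsUsesKey {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Thumbprint)
    # cipher /c lists the thumbprints that can decrypt the file, with spaces between hex groups
    $listing = (& cipher.exe /c $Path) -join "`n"
    return (($listing -replace ' ', '') -match $Thumbprint)
}
# Old PC:  $pw = Read-Host -AsSecureString 'PFX password'
#          $tp = Export-EfsKeyPair -PfxPath "$env:TEMP\efs.pfx" -Password $pw
# New PC:  Import-EfsKeyPair -PfxPath "$env:TEMP\efs.pfx" -Password $pw -ExpectedThumbprint $tp
#          cipher /e test.txt; Test-EfsUsesKey -Path test.txt -Thumbprint $tp   # expect True
```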